v1.5.6 — Security Gating & CI/CD Auto-Aware Workflows
Overview
This release transforms GESF's generated CI/CD workflows from silently failing scripts into real security gates that block PR merges on failures. Every workflow is now fully auto-aware — no hardcoded branch names, package managers, Node versions, or country codes.
Consumer projects running `npx ges init` now get 5 production-ready GitHub Actions workflows that work out of the box regardless of their stack (npm/pnpm/yarn, main/master/trunk, Node 18/20/22, Docker/no-Docker, K8s/no-K8s).
What's New
1. Security Gating (NEW)
GESF now generates enforceable security gates, not just advisory scans. Every gate exits non-zero on violations, enabling GitHub Required Status Checks for branch protection.
| Workflow | Scanner | Gate Behavior |
|---|---|---|
| compliance.yml | GESF 9 built-in scanners (`ges audit --ci`) | Exits 1 on critical findings |
| security.yml | Semgrep SAST | Exits 1 on blocking code findings |
| dependency-scan.yml | Trivy + npm/pnpm/yarn audit | Trivy exits 1 on CRITICAL/HIGH |
| secret-scan.yml | Gitleaks (full git history) | Exits 1 on any secret |
| sbom-scan.yml | Syft + Grype + Trivy | Grype exits 1 on HIGH+ vulns |
To enable enforcement: Settings → Branches → Branch protection rules → Require status checks → add job names
2. Auto-Aware Branch Detection
Before: Workflows triggered only on `branches: [main, develop]` — silently skipped for repos using master, trunk, or custom names.
After: All workflows trigger on `push:` and `pull_request:` without branch filters. Badge/commit steps use `github.event.repository.default_branch` — works with any default branch name.
3. Auto-Aware Package Manager Detection
Before: Hardcoded `npm ci` — failed on pnpm and yarn projects.
After: `dependency-scan.yml` auto-detects the package manager via lockfile presence:
- `pnpm-lock.yaml` → `pnpm install --frozen-lockfile` + `pnpm audit`
- `package-lock.json` → `npm ci` + `npm audit`
- `yarn.lock` → `yarn install --frozen-lockfile` + `yarn audit`
4. Auto-Aware Infrastructure Scanning
`sbom-scan.yml` now has 3 conditional jobs that auto-detect the project's infrastructure:
| Job | Runs When | Scans |
|---|---|---|
| sbom | Always | Source dependencies (Syft + Grype) |
| container-scan | Dockerfile or docker-compose.yml present | Docker image OS-level CVEs (Trivy) |
| iac-scan | k8s/, terraform/, *.tf, etc. present | Infrastructure misconfigurations (Trivy) |
A plain Node.js project gets only filesystem SBOM. A Docker project gets container scanning. A Kubernetes project gets IaC scanning — automatically.
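As an added illustration (not code from the GESF repo or its generated workflows), the two detection decisions described in sections 3 and 4 written as a POSIX shell step that publishes its result in `$GITHUB_OUTPUT` key=value form. It assumes a pnpm, then npm, then yarn precedence when more than one lockfile is checked in, and expands the table's "etc." only to the three IaC triggers named there.

```shell
#!/bin/sh
# Added example, not GESF's own workflow code. Reproduces the lockfile-based
# package manager choice and the infrastructure job selection in the form a
# `run:` step would use (`detect_pm . >> "$GITHUB_OUTPUT"`).

# Package manager from lockfile presence. Precedence when several lockfiles
# exist is an assumption: pnpm, then npm, then yarn. Returns 1 when no
# lockfile is found so the workflow fails loudly rather than skipping audit.
detect_pm() {
  pm_dir="${1:-.}"
  if [ -f "$pm_dir/pnpm-lock.yaml" ]; then
    printf 'pm=pnpm\ninstall=pnpm install --frozen-lockfile\naudit=pnpm audit\n'
  elif [ -f "$pm_dir/package-lock.json" ]; then
    printf 'pm=npm\ninstall=npm ci\naudit=npm audit\n'
  elif [ -f "$pm_dir/yarn.lock" ]; then
    printf 'pm=yarn\ninstall=yarn install --frozen-lockfile\naudit=yarn audit\n'
  else
    echo "no lockfile found in $pm_dir" >&2
    return 1
  fi
}

# Which sbom-scan.yml jobs apply: sbom always; container-scan when a
# Dockerfile or docker-compose.yml exists; iac-scan when k8s/, terraform/
# or any *.tf file exists (only these triggers are implemented here).
detect_infra() {
  infra_dir="${1:-.}"
  scan_jobs="sbom"
  if [ -f "$infra_dir/Dockerfile" ] || [ -f "$infra_dir/docker-compose.yml" ]; then
    scan_jobs="$scan_jobs container-scan"
  fi
  if [ -d "$infra_dir/k8s" ] || [ -d "$infra_dir/terraform" ] \
     || ls "$infra_dir"/*.tf >/dev/null 2>&1; then
    scan_jobs="$scan_jobs iac-scan"
  fi
  echo "$scan_jobs"
}

# Stand-alone usage: ./detect.sh /path/to/project
if [ "$#" -gt 0 ]; then
  detect_pm "$1"
  echo "jobs=$(detect_infra "$1")"
fi
```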
5. Semgrep False Positive Resolution
Fixed 7 blocking findings from GitHub's Semgrep security scan:
- ReDoS (6 findings): Replaced all `new RegExp()` with dynamic arguments — manual glob matcher in `.gesignore` processing, string-based dependency detection in MCP server
- JWT test fixture (1 finding): Split test token across string concatenation so static analysis can't match it, while runtime detection still works
Added `.semgrepignore` and `e2e-local/` (gitignored) with a 16-check local E2E test suite using realistic fixtures.
Bug Fixes
- `ges init` missing in CI — `.ges/` is gitignored, so `ges audit --ci` failed with "GESF not initialized." Added `ges init --force` step before audit in `compliance.yml`.
- Broken GitHub Actions — Removed `Socket-security/socket-security-action` (wrong repo name, required unconfigured API token) and `google/osv-scanner-action@v2` (version doesn't exist, redundant with Trivy) from `supply-chain.yml`.
- pnpm version conflict — `pnpm/action-setup@v4` with `version: 9` conflicted with `packageManager: "pnpm@11.4.0"` in `package.json` (`ERR_PNPM_BAD_PM_VERSION`). Removed version pin — now auto-detects from `package.json`.
- `npm ci` on pnpm repo — GESF uses pnpm but workflow ran `npm ci` (no `package-lock.json`). Fixed with auto-detecting package manager steps.
- Version drift — GESF version was hardcoded as `"1.5.5"` in cicd-generator. Now imports `GESF_VERSION` from `@greenarmor/ges-core` dynamically.
- Country hardcoded — Generated workflows always used `--country "US-CA"`. Now flows from `config.country` set during `ges init`.
- Trivy `continue-on-error: true` — Dependency scanner was advisory-only. Trivy now uses `exit-code: '1'` (hard gate). Package manager audit remains advisory (inconsistent exit codes across pnpm versions).
Changes to Generated Workflows (for consumers)
- Removed `ges scan --ci` from generated CI workflows — was unreliable (external tools not installed on runner). External tools now use their native GitHub Actions for reliability + SARIF output.
Architecture
Before (5 workflows, GESF was a bystander):
compliance.yml → ges audit (no ges init, broken)
security.yml → Semgrep + ges scan (broken)
dependency-scan.yml → Trivy + npm ci (wrong PM)
secret-scan.yml → Gitleaks
sbom-scan.yml → Syft + Grype (filesystem only)
After (5 workflows, zero redundancy, all auto-aware):
compliance.yml → ges init + ges audit --ci (GESF supreme, 9 scanners)
security.yml → Semgrep SAST (native GitHub Action)
dependency-scan.yml → Trivy gate + auto PM audit (pnpm/npm/yarn)
secret-scan.yml → Gitleaks (full git history)
sbom-scan.yml → Syft + Grype + Trivy (auto: filesystem + container + IaC)
Test Coverage
- 522 tests passing (up from 483)
- 44 cicd-generator tests (up from 27) — includes 5 new regression tests:
  - No broken GitHub Actions referenced
  - pnpm setup has no version pin
  - `npm ci` is guarded by `package-lock.json` check
  - Country flows from config (not hardcoded)
  - GESF version is dynamic
Upgrade Guide
For GESF repo
- Pull `master` — workflows in `.github/workflows/` are updated
- No migration needed — existing workflows are overwritten on next `ges init`
For consumer projects
- Update: `npm install -g @greenarmor/ges@1.5.6`
- Re-run: `ges init --force`
- Review generated `.github/workflows/` — all 5 are updated
- (Optional) Enable branch protection: Settings → Branches → Require status checks
Stats
- 38 files changed, +801 / -781 lines
- 16 packages build clean
- 522 tests passing
- 0 broken GitHub Actions references
- 0 hardcoded branches, package managers, Node versions, or country codes