Two ecosystems were missing from the api dependabot config carried over from PR #228:

* `docker`: 5 *.Dockerfile files at the repo root build the production images we publish (caddy, cloud-helpers.aws, github-actions, github-actions-staging, kubectl). Their `FROM` base images need the same weekly bump as gomod / github-actions. The docs example Dockerfiles under docs/docs/examples/ are user-facing samples — Dependabot only inspects the configured `directory: /`, so they're implicitly out of scope.
* `pip`: docs/requirements.txt drives the public mkdocs site (mkdocs, mkdocs-material, plugins). Public site, so CVEs in the build chain still matter.

Both groups follow the same shape as the existing gomod/github-actions entries: weekly Monday cadence, minor+patch grouped, `dependencies` + ecosystem-specific labels.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
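The two entries the commit message above describes, written out as an added example rather than the project's actual `dependabot.yml`. The shape (weekly Monday schedule, one group per ecosystem covering minor and patch updates, `dependencies` plus an ecosystem label, `prefix: deps`) follows the commit; the group names, the `/docs` directory for the pip manifest and the `docker` / `python` label values are assumptions.

```yaml
# Added illustration of the two entries the commit describes; not the
# repository's own file.
version: 2
updates:
  # Base images of the *.Dockerfile files at the repo root. Dependabot only
  # looks in the configured directory, so the sample Dockerfiles under
  # docs/docs/examples/ are not touched.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      docker-minor-patch:            # group name is an assumption
        patterns: ["*"]
        update-types: ["minor", "patch"]
    labels:
      - "dependencies"
      - "docker"                     # ecosystem label is an assumption
    commit-message:
      prefix: "deps"

  # mkdocs tool chain that builds the public docs site from
  # docs/requirements.txt.
  - package-ecosystem: "pip"
    directory: "/docs"               # assumed location of requirements.txt
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      pip-minor-patch:               # group name is an assumption
        patterns: ["*"]
        update-types: ["minor", "patch"]
    labels:
      - "dependencies"
      - "python"                     # ecosystem label is an assumption
    commit-message:
      prefix: "deps"
```

Because each group lists only `minor` and `patch` update types, a major bump of a base image or of mkdocs still arrives as its own PR, which keeps the one change most likely to need a manual review (a new major base image) separate from the routine weekly batch.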
Semgrep Scan Results (scanned at 2026-05-08 20:18 UTC)
…i,client}

Drops the legacy github.com/docker/docker v28.5.2+incompatible import path, which has no upstream fix for:

- CVE-2026-34040 (HIGH, GHSA-x744-4wpc-v9h2): AuthZ plugin bypass on oversized request bodies
- CVE-2026-33997 (MEDIUM, GHSA-pxq6-2prw-chj9): off-by-one in plugin privilege validation

Both advisories list the fix only under the split moby modules: github.com/moby/moby/api >=v1.54.2 and github.com/moby/moby/client >=v0.4.1.

Code changes in pkg/clouds/pulumi/docker:

- imports moved to github.com/moby/moby/{client,api/types/registry}
- image.PullOptions{Platform: string} -> client.ImagePullOptions with []ocispec.Platform parsed via containerd/platforms.Parse
- explicit NegotiateAPIVersion call replaced by client.WithAPIVersionNegotiation() opt (lazy negotiation on first call)

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Resolves 26 Semgrep gha-unpinned-third-party-action findings across branch-preview.yaml, branch.yaml, build-staging.yml, push.yaml, and simple-forge.yml.

Mutable major-version tags (e.g. @v6) are re-pointable by the action's owner; pinning to a 40-char commit SHA removes that supply-chain hijack vector (cf. tj-actions/changed-files incident, CVE-2025-30066).

Pinned:

- reecetech/version-increment 71036b21 (2023.10.2)
- fregante/setup-git-user 024bc0b8 (v2.0.2)
- useblacksmith/setup-go 647ac649 (v6.0.1)
- docker/setup-buildx-action 8d2750c6 (v3.12.0)

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Resolves 19 Semgrep go-fmt-errorf-percent-v-for-error findings (rule shipped in actions PR 7) across:

- pkg/assistant/chat/commands_project.go (6)
- pkg/assistant/core/commands.go (5)
- pkg/assistant/mcp/server.go (5)
- pkg/clouds/pulumi/gcp/bucket_uploader.go (3)

%v formats the error's text but drops the wrap chain — errors.Is and errors.As cannot then unwrap to the underlying sentinel, so callers lose the ability to programmatically distinguish error kinds.

Untouched: 3 fmt.Errorf calls in server.go that format recover() panic values (any) or a non-error response struct field — %w is invalid for non-error operands and the rule correctly skips them.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Summary
Two ecosystems were missing from `api/.github/dependabot.yml` carried over from PR #228. This PR adds them in the same shape as the existing `gomod` / `github-actions` entries.
Both groups follow the existing pattern: weekly Monday cadence, minor+patch grouped, `dependencies` + ecosystem-specific labels, `prefix: deps` commit messages.
Why
PR #228 introduced security scanning. Dependabot is the actionable counterpart — Trivy/Grype on a CI run tells you "vuln exists"; Dependabot opens an actual PR with the bump. Three of the four ecosystems present in this repo were already covered; this PR closes the remaining two.
Test plan
Out of scope