Skip to content

feat(ci): add Muninn security scanning and harden workflows#71

Merged
squid-protocol merged 11 commits into
squid-protocol:mainfrom
sg0nzalez:feat/add-muninn
Jun 23, 2026
Merged

feat(ci): add Muninn security scanning and harden workflows#71
squid-protocol merged 11 commits into
squid-protocol:mainfrom
sg0nzalez:feat/add-muninn

Conversation

@sg0nzalez

@sg0nzalez sg0nzalez commented Jun 20, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

  • Add Muninn security scanning on pull requests and pushes to main, with SARIF upload to the GitHub Security tab and PR summary comments.
  • Add muninn.yml (all eight scanners, fail-on: info) and targeted suppressions for intentional test fixtures and mock credentials.
  • Harden existing CI workflows to satisfy Muninn findings:
    • Pin third-party actions to commit SHAs
    • Set explicit workflow permissions and persist-credentials: false on checkout
    • Fix template injection in action.yml by passing inputs through env vars
    • Add Dependabot cooldowns and a zizmor.yml ignore for a publish.yml cache-poisoning false positive
  • Ignore local Muninn report artifacts (muninn.json, muninn.sarif) in .gitignore

Test plan

  • Muninn workflow runs green on this PR
  • SARIF appears in the Security tab
  • PR comment summary is posted when findings exist
  • Existing workflows (smoke-test, codeql, gitgalaxy) still pass
  • GitGalaxy composite action behavior unchanged (smoke tests / manual action run)

@sg0nzalez @cursoragent
feat(ci): add Muninn security scanning and harden workflows
e357101 
Add Muninn on pull requests and main pushes with SARIF upload and PR
comments. Pin third-party actions, fix composite action template injection,
set explicit permissions, and resolve Muninn findings across CI workflows.

Co-authored-by: Cursor <cursoragent@cursor.com>
@sg0nzalez sg0nzalez marked this pull request as ready for review June 20, 2026 20:01
@github-advanced-security

github-advanced-security AI commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@squid-protocol

squid-protocol commented Jun 23, 2026

Copy link
Copy Markdown
Owner

Thanks for putting this together! The workflows are looking incredibly solid and the security upgrades are much appreciated.

It looks like the initial CI run tripped up on a minor syntax issue in the setup-python steps. The actions/setup-python action doesn't accept false for the cache parameter; omitting the parameter entirely is the default way to disable caching.

Could you remove the cache: false line from the setup-python blocks across the workflow files (specifically in smoke-test.yml, deploy-docs.yml, publish.yml, and action.yml)?

Change this:

  - name: Set up Python ${{ matrix.python-version }}
    uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
    with:
      python-version: ${{ matrix.python-version }}
      cache: false

To this:

  - name: Set up Python ${{ matrix.python-version }}
    uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
    with:
      python-version: ${{ matrix.python-version }}

Once that is pushed, the automated tests should re-trigger and we can get this merged!

@sg0nzalez @cursoragent
fix(ci): remove invalid cache: false from setup-python steps
ec9abdf 
actions/setup-python does not accept false for cache; omit the parameter
to disable caching by default.

Co-authored-by: Cursor <cursoragent@cursor.com>
@sg0nzalez

sg0nzalez commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

Thanks for putting this together! The workflows are looking incredibly solid and the security upgrades are much appreciated.

It looks like the initial CI run tripped up on a minor syntax issue in the setup-python steps. The actions/setup-python action doesn't accept false for the cache parameter; omitting the parameter entirely is the default way to disable caching.

Could you remove the cache: false line from the setup-python blocks across the workflow files (specifically in smoke-test.yml, deploy-docs.yml, publish.yml, and action.yml)?

Change this:

  - name: Set up Python ${{ matrix.python-version }}
    uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
    with:
      python-version: ${{ matrix.python-version }}
      cache: false

To this:

  - name: Set up Python ${{ matrix.python-version }}
    uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
    with:
      python-version: ${{ matrix.python-version }}

Once that is pushed, the automated tests should re-trigger and we can get this merged!

Thanks for the review and for pointing that out! I've removed the cache: false entries from the workflow files and pushed the fix. The automated checks should be running again now.

Really appreciate the feedback and the kind words about the workflows and security improvements.

sg0nzalez and others added 9 commits June 23, 2026 15:19
@sg0nzalez @cursoragent
fix(ci): clear remaining Muninn findings on fork PR scans
fd60665 
Add workflow-level permissions for Checkov, suppress test fixtures and
publish.yml cache-poisoning false positives.

Co-authored-by: Cursor <cursoragent@cursor.com>
@squid-protocol
fix: add inline gitleaks suppressions for intentional test fixtures
8bd02c3
@squid-protocol
fix: suppress Poutine untrusted-checkout rule for intentional workflo…
a74f334 
…w architecture
@sg0nzalez @cursoragent
fix(security): resolve Muninn semgrep finding in spatial mapper
5ebf5a9 
Replace MD5 with SHA-256 for deterministic layout jitter and tighten
Muninn suppressions for zizmor rule IDs and scan output artifacts.

Co-authored-by: Cursor <cursoragent@cursor.com>
@squid-protocol
Merge branch 'feat/add-muninn' of github.com:sg0nzalez/gitgalaxy into…
7aa76fc 
… pr-71-muninn
@squid-protocol
fix: add final inline gitleaks suppression for mock license keys
7c79a38
@squid-protocol
fix: suppress final mock license key in env string
bbcd881
@sg0nzalez @cursoragent
fix: bind Flask dev server to localhost in production
c2f808f 
Semgrep flagged app.run(host="0.0.0.0") in site/app.py; default to
127.0.0.1 unless FLASK_HOST is set or FLASK_ENV is development.
Also revert the unnecessary MD5→SHA-256 change in spatial_mapper.py
from 5ebf5a9, which was not a Muninn finding.

Co-authored-by: Cursor <cursoragent@cursor.com>
@squid-protocol
fix(core): seal O(N^2) ReDoS vulnerabilities in C/C++ regex definitions
fa15736
@squid-protocol squid-protocol merged commit 6c30a7b into squid-protocol:main Jun 23, 2026
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sg0nzalez @github-advanced-security @squid-protocol