Add security review bot and supply chain analysis #78
Merged
Conversation
Adds automated security review for external PRs using Claude 4.5 Sonnet, with msgvault-specific prompt covering OAuth tokens, email data, Go security patterns, and dependency supply chain risks. Includes govulncheck in CI, Dependabot for gomod and github-actions, and CODEOWNERS for security-critical files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…eck pin
- Treat JSON parse failures as hard errors: post explicit "analysis failed" comment and exit non-zero instead of silently posting "no issues found"
- Fix pr.get_commits().reversed[0] (not subscriptable in PyGithub) to use list(pr.get_commits())[-1]
- Pin govulncheck to v1.1.4 for deterministic CI
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Avoids loading all PR commits and eliminates IndexError risk on empty list. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Avoids redundant API calls per issue when posting multiple review comments. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Go 1.25.7 (released 2026-02-04) fixes:
- GO-2026-4341: memory exhaustion in net/url query parsing
- GO-2026-4340: TLS handshake messages at incorrect encryption level
- GO-2026-4337: unexpected TLS session resumption
mapstructure v2.3.0 fixes:
- GO-2025-3787: sensitive info leaked in logs on malformed data
govulncheck now passes clean.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
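The "JSON parse failures as hard errors" change described in the commits above, as an added Python example that is not the project's own security_review.py: the reply shape (an "issues" list of severity/file/line/message entries) and the comment wording are assumptions.

```python
# Added example, not msgvault's own security_review.py: treat an unparseable
# model reply as a hard error instead of "no issues found". The reply shape
# {"issues": [{"severity", "file", "line", "message"}]} is an assumption.
import json

SEVERITIES = {"low", "medium", "high", "critical"}


class ReviewAnalysisError(Exception):
    """The model reply could not be turned into a verdict."""


def parse_review(raw: str) -> list[dict]:
    """Parse the model's JSON reply into validated issue dicts, or raise."""
    text = raw.strip()
    # Models often wrap JSON in a ```json fence; strip it before parsing.
    if text.startswith("```"):
        text = text.split("\n", 1)[1] if "\n" in text else ""
        text = text.rsplit("```", 1)[0]
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ReviewAnalysisError(f"reply is not JSON: {exc}") from exc
    if not isinstance(data, dict) or not isinstance(data.get("issues"), list):
        raise ReviewAnalysisError("reply lacks an 'issues' list")
    issues = []
    for item in data["issues"]:
        try:
            issue = {"severity": str(item["severity"]).lower(),
                     "file": str(item["file"]), "line": int(item["line"]),
                     "message": str(item["message"])}
        except (KeyError, TypeError, ValueError) as exc:
            raise ReviewAnalysisError(f"malformed issue: {item!r}") from exc
        if issue["severity"] not in SEVERITIES:
            raise ReviewAnalysisError(f"unknown severity {issue['severity']!r}")
        issues.append(issue)
    return issues


def verdict(raw: str) -> tuple[str, int]:
    """Map a model reply to (PR comment text, process exit code)."""
    try:
        issues = parse_review(raw)
    except ReviewAnalysisError as exc:
        # Hard failure: say so explicitly and fail the check (non-zero).
        return f"Security review: analysis failed ({exc})", 1
    if not issues:
        return "Security review: no issues found", 0
    body = "\n".join(f"- [{i['severity']}] {i['file']}:{i['line']} {i['message']}"
                     for i in issues)
    return "Security review found issues:\n" + body, 0
```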
Summary
- Add govulncheck to CI for call-graph-aware vulnerability scanning on every PR
- CODEOWNERS for go.mod, go.sum, .github/, and SECURITY.md
- SECURITY.md with vulnerability reporting policy and threat model

New files (7)
- .github/workflows/security-review.yml: pull_request_target workflow with base-branch-only checkout, SHA-pinned actions, pinned pip deps
- .github/scripts/security_review.py
- .github/trusted-contributors.json
- .github/CODEOWNERS: go.mod/go.sum
- .github/dependabot.yml
- .github/SECURITY_BOT.md
- SECURITY.md

Modified files (1)
- .github/workflows/ci.yml: govulncheck -tags fts5 ./... after lint step (macOS only)

Post-merge steps
- Add ANTHROPIC_API_KEY to GitHub repository secrets

Test plan
- (python -m py_compile)
- make lint passes
- make test passes

🤖 Generated with Claude Code