add socket tier 1 reachability analysis #142
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b3d82cf4ac
| # annotation that GitHub Actions renders as a yellow run-level | ||
| # warning without failing the job. | ||
| set +e | ||
| socket scan create --reach \ |
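Review bot: `set +e` on the line before `socket scan create --reach` turns errexit off for the rest of the step, so the scan's exit status has to be captured explicitly (for example `rc=$?` immediately after the command) and used to set the step's final result; the visible lines only show errexit being disabled, and without that capture a real scan failure is downgraded to the same non-failing yellow warning this comment describes for Tier 2 fallbacks. Restore `set -e` once the status has been recorded so later commands in the step fail loudly again.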
Wait for the Socket report before marking success
For scheduled/manual runs this command can mark the job green before Socket has actually generated or evaluated the scan report: the Socket CLI docs/scan create --help state that socket scan create returns after creating the scan, while --report is what waits for and reads the generated report. As written, server-side vulnerability/policy failures or report-generation failures can happen after this step exits 0, so the workflow status no longer matches the documented GREEN/RED meaning; add --report if the job is intended to verify the completed scan.
| # warning without failing the job. | ||
| set +e | ||
| socket scan create --reach \ | ||
| --org=stellar \ |
Associate scans with the js-xdr repository
This fresh Actions runner has no checked-in socket.json, and the Socket CLI docs say scans default to socket-default-repository / socket-default-branch unless --repo and --branch are supplied. In this workflow, scheduled scans for js-xdr will therefore be filed under the default placeholder repo/branch (and can collide with other repos using the same org token) instead of updating the intended Socket repository/alerts page; pass the repository and branch/default-branch explicitly.
Pull request overview
This PR adds a scheduled GitHub Actions workflow to run Socket’s “full application reachability” scan against the js-xdr repository so dependency vulnerabilities can be evaluated with reachability context.
Changes:
- Adds a new scheduled + manual “Socket reachability scan” workflow.
- Installs the Socket CLI and runs socket scan create --reach, emitting a GitHub Actions warning when Tier 2 reachability fallbacks are detected.
- Pins actions/checkout and actions/setup-node to specific SHAs.
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: "20.20.2" |
| - name: Enable Corepack (yarn/pnpm per repo packageManager) | ||
| run: corepack enable |
| @@ -0,0 +1,90 @@ | |||
| # Socket reachability scan for js-xdr. | |||
| # For general Socket reachability documentation, see https://docs.socket.dev/docs/full-application-reachability | |||
| # Multi-ecosystem: Node (pnpm-lock.yaml) + Ruby (Gemfile). | |||
| # THIS REPO STARTS YELLOW — a KNOWN upstream Coana bug, NOT your code or this | ||
| # scan setup: | ||
| # Coana's gem analyzer can't locate installed gems ("No load paths found"); | ||
| # the 3 gem CVEs fall back to Tier 2. (The npm portion gets full Tier 1.) | ||
| # Reported to Socket; may be fixed upstream over time. Do NOT let this baseline | ||
| # yellow train the team to ignore yellow — a *new* yellow (a different Tier 2 | ||
| # fallback that appears later) is a real signal worth investigating. After the | ||
| # initial rollout, the team may resolve the baseline yellow at its discretion | ||
| # (once Coana ships a fix, or by adjusting the scan) so GREEN becomes the | ||
| # normal state and any future yellow stands out. |
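Review bot: the line "Reported to Socket; may be fixed upstream over time" gives a future reader no way to tell whether the Coana gem-analyzer issue ("No load paths found", the cause of the baseline yellow described in this comment) has been fixed; add the Socket support ticket or upstream issue link and the date it was filed next to that line, so whoever sees the yellow can check the status and retire the baseline once the fix ships, as the comment itself asks the team to do.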
| - name: Install Socket CLI | ||
| run: npm install -g socket | ||
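Review bot: `npm install -g socket` installs whatever the latest Socket CLI release is on every scheduled run, which is inconsistent with the rest of this PR pinning actions/checkout and actions/setup-node to SHAs; pin the CLI (`npm install -g socket@<version>`, with the version chosen deliberately) so a CLI regression or a bad release cannot silently change the scan's Tier 1/Tier 2 results from one run to the next, and bump it on purpose when needed.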
More info: https://stellarorg.atlassian.net/wiki/spaces/SCRT/pages/5689311233/Socket+Tier+1+Reachability+Analysis