feat: PR security checks — suspicious paths, committer identity, auto-merge override#1109
Conversation
Code Review by Qodo
Context used 1. security-checks not merged
|
|
Report bugs in Issues Welcome! 🎉This pull request will be automatically processed with the following features: 🔄 Automatic Actions
📋 Available CommandsPR Status Management
Review & Approval
Testing & Validation
Container Operations
Cherry-pick Operations
Label Management
✅ Merge RequirementsThis PR will be automatically approved when the following conditions are met:
📊 Review ProcessApprovers and ReviewersApprovers:
Reviewers:
Available Labels
AI Features
💡 Tips
For more information, please refer to the project documentation or contact the maintainers. |
|
Code review by qodo was updated up to the latest commit a537bcb |
|
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
|
|
Code review by qodo was updated up to the latest commit c079464 |
|
Code review by qodo was updated up to the latest commit a6f91fd |
|
Code review by qodo was updated up to the latest commit 4ad9062 |
|
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
|
|
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
|
|
Code review by qodo was updated up to the latest commit b6cafbe |
|
Code review by qodo was updated up to the latest commit b4d7199 |
…otation Check c.user.login against auto_verified_and_merged_users (all configured API user logins) instead of just the current api_user. In multi-token setups, a different token may have posted the original comment. This makes dedup stable across token rotation while still preventing user spoofing.
|
Code review by qodo was updated up to the latest commit 80dddd8 |
|
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
|
|
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
|
|
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
|
|
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
|
|
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
|
|
Code review by qodo was updated up to the latest commit b276a46 |
|
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
|
…ide when no checks enabled
|
Code review by qodo was updated up to the latest commit 4ac55ae |
|
New container for ghcr.io/myk-org/github-webhook-server:latest published |
PR Summary by Qodo
Add PR security checks for suspicious paths, committer identity, and auto-merge override
✨ Enhancement🧪 Tests⚙️ Configuration changes📝 Documentation🕐 40+ MinutesWalkthroughs
User Description
Summary
Three configurable security checks to detect and block malicious PR attack vectors:
Suspicious Path Detection
security-suspicious-pathscheck run.claude/,.vscode/,.cursor/,.devcontainer/,.pi/,.github/workflows/,.github/actions/)Committer Identity Check
security-committer-identitycheck runAuto-Merge Override
Security Design
config.yaml(not overridable by in-repo.github-webhook-server.yaml)Closes #1106
AI Description
Diagram
graph TD cfg["server config.yaml"] --> wh(["GitHubWebhook"]) --> prh(["PullRequestHandler"]) --> ofh(["OwnersFileHandler"]) prh --> rh(["RunnerHandler"]) --> crh(["CheckRunHandler"]) --> gh{{"GitHub API"}} prh -. "comment / enable automerge" .-> gh subgraph Legend direction LR _file["Config/File"] ~~~ _svc(["Handler/Service"]) ~~~ _ext{{"External"}} endHigh-Level Assessment
The following are alternative approaches to this PR:
1. Use CODEOWNERS + branch protection for sensitive paths
2. Required GitHub Actions workflow with path filters
3. Org policy: require verified commits / signature enforcement
Recommendation: The PR’s approach (server-side, non-overridable security policy + explicit check-runs + auto-merge override) is a good fit for defending against repo-config supply-chain attacks. Consider adding CODEOWNERS/branch protections as defense-in-depth, but keep these webhook checks as the centrally enforced gate.
File Changes
Enhancement (4)
Tests (2)
Other (2)