29 changes: 29 additions & 0 deletions packages/actions/vu1nz-scan/sh1pt.action.json
@@ -0,0 +1,29 @@
{
"name": "vu1nz-scan",
"publisher": "profullstack",
"type": "github-action",
"version": "0.1.0",

P2 Version mismatch between the two manifests for the same package

sh1pt.action.json declares "version": "0.1.0" while sh1pt.actionpack.yaml in the same directory declares version: 1.0.0. The registry entry in actions.json also uses 0.1.0. Having two different canonical versions for the same package in the same directory will confuse any tooling that inspects both files to determine the installed version.

Suggested change
"version": "0.1.0",
"version": "1.0.0",

"title": "vu1nz Security Scan",
"description": "Adds a GitHub Actions workflow for running vu1nz security scans.",
"trustLevel": "verified",
"files": [
{
"path": ".github/workflows/vu1nz-scan.yml",
"template": "workflows/vu1nz-scan.yml"
}
],
"permissions": {
"contents": "read",
"security-events": "write"
},
"secrets": [],

P1 secrets array is empty, but the real implementation requires ENV_FILE

The existing sh1pt.actionpack.yaml for this same package declares ENV_FILE (containing ANTHROPIC_API_KEY) as a required secret. The new JSON manifest leaves "secrets": [], so any consumer resolving dependencies from this manifest won't know to provision that secret before installing the workflow template. When the stub is replaced with the real scan step, installs done against this manifest will silently miss the required credential.

Suggested change
"secrets": [],
"secrets": [
{
"name": "ENV_FILE",
"description": "Env-file formatted secret containing ANTHROPIC_API_KEY.",
"required": true
}
],

"thirdPartyActions": [
{
"uses": "actions/checkout@v4",
"pinned": false,
"trusted": true
}
Comment on lines +21 to +25

P2 security pinned: false explicitly opts out of action pinning

Supply-chain security best practice is to pin third-party actions to a full commit SHA. Explicitly setting "pinned": false signals to any tooling that processes this manifest that pinning is not required, making it easier for a compromised tag (v4) to affect consumers.

Suggested change
{
"uses": "actions/checkout@v4",
"pinned": false,
"trusted": true
}
{
"uses": "actions/checkout@v4",
"pinned": true,
"trusted": true
}

],
"requiresConfirmation": true,
"recommendedInstallMode": "pr"
}
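Review bot: "trustLevel": "verified" is asserted by the package's own manifest, so any publisher can self-certify a package as verified; the trust level belongs to the registry or to a reviewer, not to the package being reviewed. Suggest dropping the key from sh1pt.action.json (or treating it as advisory only) and having install tooling take the trust level exclusively from the registry entry, so "trustLevel" and "requiresConfirmation" cannot be weakened by editing the package itself.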
23 changes: 23 additions & 0 deletions packages/actions/vu1nz-scan/workflows/vu1nz-scan.yml
@@ -0,0 +1,23 @@
name: vu1nz Scan

on:
push:
branches:
- main
- master
pull_request:
Comment on lines +3 to +8

P1 Push trigger on main/master is inconsistent with existing behavior

The existing workflow.yml (used by sh1pt.actionpack.yaml) only fires on pull_request, which makes sense for a PR-focused security scanner. Adding push triggers on main and master means this workflow will also fire on every merge commit, producing scans with no open PR context. That will generate unnecessary CI runs (and SARIF uploads) on every merge, which diverges from the established pattern and from how the vu1nz tool is designed to be used.


permissions:
contents: read
security-events: write

jobs:
scan:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Run vu1nz scan
run: |
echo "TODO: run vu1nz scan"
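Review bot: the workflow grants security-events: write while its only step is echo "TODO: run vu1nz scan"; nothing here uploads SARIF yet, so the job token carries a write scope it never uses. Suggest shipping the stub with permissions: contents: read only and adding security-events: write in the same change that introduces the real scan and upload step, so the grant and its first use land together and are reviewed as one. The uses: actions/checkout@v4 tag reference also mirrors the unpinned entry in the manifest; pinning it to a full commit SHA here keeps the workflow consistent with whatever the manifest ends up declaring.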
11 changes: 11 additions & 0 deletions packages/registry/actions.json
@@ -0,0 +1,11 @@
[
{
"name": "vu1nz-scan",
"publisher": "profullstack",
"version": "0.1.0",
"description": "Adds vu1nz security scanning to GitHub Actions.",
"trustLevel": "verified",
"category": "security",
"path": "packages/actions/vu1nz-scan/sh1pt.action.json"
}
]
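Review bot: the registry entry repeats "version", "description" and "trustLevel" that already live in sh1pt.action.json at the "path" it points to, so the same package now states its version in more than one place and the copies can drift. Suggest the registry hold only "name", "publisher", "category" and "path" and resolve the rest from the manifest at install time, or, if the duplication is intentional for offline lookup, add a CI check that fails when the registry "version" differs from the manifest's.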