Conversation
There was a problem hiding this comment.
Pull request overview
Updates the ShieldCI security scanning workflow to support additional triggers and richer metadata, while adding generated scan artifacts under tests/ for reference.
Changes:
- Expand GitHub Actions triggers (push + manual) and add event-aware metadata output.
- Adjust workflow steps for config/repo copying, duration output, and PR-only commenting.
- Add ShieldCI scan output artifacts (
shield_results.json,scan_output.log) and atests/reposubproject pointer.
Reviewed changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
tests/shield_results.json |
Adds a ShieldCI results JSON artifact including a markdown report payload |
tests/scan_output.log |
Adds a captured ShieldCI orchestrator run log |
tests/repo |
Adds a subproject commit pointer under tests |
.github/workflows/shieldci.yml |
Extends workflow triggers, metadata gathering, result pushing, and PR commenting logic |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| SHIELDCI_API_URL: http://localhost:3000 | ||
| SHIELDCI_API_KEY: fc09420a3737855a3094ff7831a6219565cee6777a0fbeec |
There was a problem hiding this comment.
The workflow hardcodes an API key (and an API URL) directly in the repository. This exposes credentials to anyone with repo access and to any workflow log/runner that can read the YAML. Move these values back to GitHub Secrets (e.g., secrets.SHIELDCI_API_URL / secrets.SHIELDCI_API_KEY) and avoid committing real keys to source control.
| SHIELDCI_API_URL: http://localhost:3000 | |
| SHIELDCI_API_KEY: fc09420a3737855a3094ff7831a6219565cee6777a0fbeec | |
| SHIELDCI_API_URL: ${{ secrets.SHIELDCI_API_URL }} | |
| SHIELDCI_API_KEY: ${{ secrets.SHIELDCI_API_KEY }} |
| SHIELDCI_TRIGGERED_BY: ${{ steps.meta.outputs.trigger }} | ||
| SHIELDCI_RESULTS_FILE: ${{ runner.temp }}/../../../Desktop/ShieldCI/tests/shield_results.json | ||
| run: | | ||
| export SHIELDCI_RESULTS_FILE="$HOME/Desktop/ShieldCI/tests/shield_results.json" |
There was a problem hiding this comment.
SHIELDCI_RESULTS_FILE is set to two different values: one via the job env: (with a brittle runner.temp + ../../../ traversal), then overridden in the step with export. This can lead to confusing behavior depending on which value push_results.py reads and makes the path resolution fragile. Use a single, consistent absolute path for SHIELDCI_RESULTS_FILE (preferably set once in env) and remove the conflicting override.
| export SHIELDCI_RESULTS_FILE="$HOME/Desktop/ShieldCI/tests/shield_results.json" |
| "status": "Clean", | ||
| "vulnerabilities": [], |
There was a problem hiding this comment.
This fixture is internally inconsistent: it marks the scan status as Clean and vulnerabilities as an empty list, while report_markdown describes multiple critical vulnerabilities. If downstream logic/tests rely on status/vulnerabilities to match the report, this will produce incorrect behavior. Align the JSON fields with the report content (e.g., non-clean status and populated vulnerabilities) or adjust the report_markdown to match a clean scan.
| "status": "Clean", | |
| "vulnerabilities": [], | |
| "status": "Vulnerable", | |
| "vulnerabilities": [ | |
| { | |
| "id": "SQL_INJECTION_LOGIN", | |
| "title": "SQL Injection in /login route", | |
| "severity": "critical", | |
| "description": "The GET /login route builds SQL queries via string concatenation using unsanitized user input, allowing SQL injection." | |
| }, | |
| { | |
| "id": "INSECURE_PASSWORD_STORAGE", | |
| "title": "Insecure password storage", | |
| "severity": "high", | |
| "description": "Passwords are stored in plaintext instead of being hashed with a secure algorithm such as bcrypt." | |
| }, | |
| { | |
| "id": "IDOR_LOGIN", | |
| "title": "Insecure Direct Object Reference in /login", | |
| "severity": "high", | |
| "description": "The /login route does not properly validate or sanitize the username parameter, potentially exposing sensitive user data." | |
| } | |
| ], |
No description provided.