Add security review bot and supply chain analysis#78

Merged
wesm merged 6 commits into main from security-bots
Feb 5, 2026
@wesm (Owner) commented Feb 5, 2026

Summary

  • Add Claude-powered security review bot that automatically reviews PRs from external contributors, with msgvault-specific prompt covering OAuth tokens, email data, Go security patterns, and dependency supply chain risks
  • Add govulncheck to CI for call-graph-aware vulnerability scanning on every PR
  • Add Dependabot configuration for automated Go module and GitHub Actions dependency updates
  • Add CODEOWNERS requiring maintainer approval for go.mod, go.sum, .github/, and SECURITY.md
  • Add SECURITY.md with vulnerability reporting policy and threat model

New files (7)

| File | Purpose |
|------|---------|
| `.github/workflows/security-review.yml` | `pull_request_target` workflow with base-branch-only checkout, SHA-pinned actions, pinned pip deps |
| `.github/scripts/security_review.py` | Claude review script with file classification, prompt injection defense, strict JSON validation |
| `.github/trusted-contributors.json` | Trusted contributor bypass list |
| `.github/CODEOWNERS` | Owner approval for security-critical files including `go.mod`/`go.sum` |
| `.github/dependabot.yml` | Weekly updates for gomod + github-actions ecosystems |
| `.github/SECURITY_BOT.md` | Bot setup and operational documentation |
| `SECURITY.md` | Vulnerability reporting + threat model |

Modified files (1)

| File | Change |
|------|--------|
| `.github/workflows/ci.yml` | Add `govulncheck -tags fts5 ./...` after lint step (macOS only) |

Post-merge steps

  1. Add ANTHROPIC_API_KEY to GitHub repository secrets
  2. Test with a PR from a non-trusted account
  3. Verify Dependabot creates initial dependency PRs

Test plan

  • Python script compiles (python -m py_compile)
  • YAML and JSON files parse correctly
  • make lint passes
  • make test passes
  • Verify govulncheck runs in CI on this PR
  • After merge: test security review with external PR

🤖 Generated with Claude Code

wesm and others added 6 commits February 5, 2026 14:13
Adds automated security review for external PRs using Claude 4.5 Sonnet,
with msgvault-specific prompt covering OAuth tokens, email data, Go
security patterns, and dependency supply chain risks. Includes govulncheck
in CI, Dependabot for gomod and github-actions, and CODEOWNERS for
security-critical files.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Co-Authored-By: Claude Opus 4.6 <[email protected]>
…eck pin

- Treat JSON parse failures as hard errors: post explicit "analysis failed"
  comment and exit non-zero instead of silently posting "no issues found"
- Fix pr.get_commits().reversed[0] (not subscriptable in PyGithub) to use
  list(pr.get_commits())[-1]
- Pin govulncheck to v1.1.4 for deterministic CI

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Avoids loading all PR commits and eliminates IndexError risk on empty list.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Avoids redundant API calls per issue when posting multiple review comments.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Go 1.25.7 (released 2026-02-04) fixes:
- GO-2026-4341: memory exhaustion in net/url query parsing
- GO-2026-4340: TLS handshake messages at incorrect encryption level
- GO-2026-4337: unexpected TLS session resumption

mapstructure v2.3.0 fixes:
- GO-2025-3787: sensitive info leaked in logs on malformed data

govulncheck now passes clean.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@wesm wesm merged commit c064925 into main Feb 5, 2026
2 checks passed
@wesm wesm deleted the security-bots branch February 5, 2026 21:52
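
The fail-closed behaviour described in the commit message above (a JSON parse failure posts "analysis failed" and exits non-zero instead of reporting "no issues found"), sketched as an added example. It is not code from this PR: the schema, severity scale, exit codes, function names and sample inputs are all assumptions made for illustration.

```python
import json
from dataclasses import dataclass

# Assumed schema for illustration; the project's real schema is not on the page.
SEVERITIES = ("low", "medium", "high", "critical")
ISSUE_KEYS = {"severity", "file", "line", "description"}

class ReviewParseError(ValueError):
    """Model output did not match the expected review schema."""

@dataclass
class Outcome:
    comment: str
    exit_code: int

def parse_review(raw: str) -> list:
    """Strictly validate model output; raise on anything unexpected."""
    try:
        doc = json.loads(raw)  # rejects prose or fences around the JSON
    except json.JSONDecodeError as exc:
        raise ReviewParseError(f"not valid JSON ({exc.msg})") from exc
    if not isinstance(doc, dict) or set(doc) != {"issues"}:
        raise ReviewParseError("top level must be an object with only 'issues'")
    if not isinstance(doc["issues"], list):
        raise ReviewParseError("'issues' must be a list")
    for issue in doc["issues"]:
        if not isinstance(issue, dict) or set(issue) != ISSUE_KEYS:
            raise ReviewParseError("issue has missing or unknown keys")
        if issue["severity"] not in SEVERITIES:
            raise ReviewParseError("unknown severity")
        if not all(isinstance(issue[k], str) for k in ("file", "description")):
            raise ReviewParseError("file and description must be strings")
        if type(issue["line"]) is not int or issue["line"] < 1:
            raise ReviewParseError("line must be a positive integer")
    return doc["issues"]

def review_outcome(raw: str) -> Outcome:
    """Fail closed: a parse failure is never reported as a clean review."""
    try:
        issues = parse_review(raw)
    except ReviewParseError as exc:
        return Outcome(f"Security analysis failed: {exc}", 1)
    if not issues:
        return Outcome("No issues found.", 0)
    return Outcome(f"{len(issues)} issue(s) found.", 0)

# Constructed model outputs (not real bot output).
CLEAN = '{"issues": []}'
FINDING = '{"issues": [{"severity": "high", "file": "auth.go", "line": 12, "description": "token written to log"}]}'
CHATTY = 'Sure! Here is the review: {"issues": []}'
```

Rejecting unknown keys and surrounding prose means output steered by text in the PR under review is reported as a failed analysis, not as a clean result.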
wesm added a commit to robelkin/msgvault that referenced this pull request Feb 7, 2026
## Summary

- Add Claude-powered security review bot that automatically reviews PRs
from external contributors, with msgvault-specific prompt covering OAuth
tokens, email data, Go security patterns, and dependency supply chain
risks
- Add `govulncheck` to CI for call-graph-aware vulnerability scanning on
every PR
- Add Dependabot configuration for automated Go module and GitHub
Actions dependency updates
- Add CODEOWNERS requiring maintainer approval for `go.mod`, `go.sum`,
`.github/`, and `SECURITY.md`
- Add `SECURITY.md` with vulnerability reporting policy and threat model

## New files (7)

| File | Purpose |
|------|---------|
| `.github/workflows/security-review.yml` | `pull_request_target` workflow with base-branch-only checkout, SHA-pinned actions, pinned pip deps |
| `.github/scripts/security_review.py` | Claude review script with file classification, prompt injection defense, strict JSON validation |
| `.github/trusted-contributors.json` | Trusted contributor bypass list |
| `.github/CODEOWNERS` | Owner approval for security-critical files including `go.mod`/`go.sum` |
| `.github/dependabot.yml` | Weekly updates for gomod + github-actions ecosystems |
| `.github/SECURITY_BOT.md` | Bot setup and operational documentation |
| `SECURITY.md` | Vulnerability reporting + threat model |

## Modified files (1)

| File | Change |
|------|--------|
| `.github/workflows/ci.yml` | Add `govulncheck -tags fts5 ./...` after lint step (macOS only) |

## Post-merge steps

1. Add `ANTHROPIC_API_KEY` to GitHub repository secrets
2. Test with a PR from a non-trusted account
3. Verify Dependabot creates initial dependency PRs

## Test plan

- [x] Python script compiles (`python -m py_compile`)
- [x] YAML and JSON files parse correctly
- [x] `make lint` passes
- [x] `make test` passes
- [x] Verify govulncheck runs in CI on this PR
- [ ] After merge: test security review with external PR

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <[email protected]>