From d76cc2f6d49ebeba5e439dec4c3769e2b6673ebe Mon Sep 17 00:00:00 2001 From: kanywst Date: Wed, 27 May 2026 23:30:38 +0900 Subject: [PATCH 1/8] feat: add examples, smoke test, Makefile, dependabot - examples/ with reference Rego policies (RBAC, ABAC, k8s admission) - scripts/smoke.sh drives a full MCP handshake over stdio and asserts the policy returns allow=true; exits non-zero on protocol failure - Makefile targets: build, test, vet, lint, smoke, fmt, tidy, clean - Dependabot for gomod + github-actions (weekly, grouped) - README trimmed; adds layout rationale (flat is intentional) --- .github/dependabot.yml | 21 ++++++++ Makefile | 29 +++++++++++ README.md | 95 ++++++++++++++++++++++--------------- examples/README.md | 30 ++++++++++++ examples/abac.rego | 19 ++++++++ examples/k8s_admission.rego | 15 ++++++ examples/rbac.rego | 26 ++++++++++ scripts/smoke.sh | 38 +++++++++++++++ 8 files changed, 236 insertions(+), 37 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 Makefile create mode 100644 examples/README.md create mode 100644 examples/abac.rego create mode 100644 examples/k8s_admission.rego create mode 100644 examples/rbac.rego create mode 100755 scripts/smoke.sh diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..0f76c65 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,21 @@ +version: 2 +updates: + - package-ecosystem: gomod + directory: / + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 5 + groups: + go-deps: + patterns: ["*"] + + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 5 + groups: + actions: + patterns: ["*"] diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..6872d99 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,29 @@ +BIN := mcp-opa +PKG := ./... + +.PHONY: build test vet lint smoke clean fmt tidy + +build: + go build -trimpath -ldflags "-s -w" -o $(BIN) . + +test: + go test -race -count=1 -v $(PKG) + +vet: + go vet $(PKG) + +lint: + golangci-lint run $(PKG) + +smoke: build + ./scripts/smoke.sh ./$(BIN) + +fmt: + gofmt -s -w . + +tidy: + go mod tidy + +clean: + rm -f $(BIN) + rm -rf dist/ diff --git a/README.md b/README.md index 40e9d98..0b35f47 100644 --- a/README.md +++ b/README.md 
@@ -2,25 +2,11 @@ [![ci](https://github.com/0-draft/mcp-opa/actions/workflows/ci.yml/badge.svg)](https://github.com/0-draft/mcp-opa/actions/workflows/ci.yml) [![Go Reference](https://pkg.go.dev/badge/github.com/0-draft/mcp-opa.svg)](https://pkg.go.dev/github.com/0-draft/mcp-opa) +[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE) -A [Model Context Protocol](https://modelcontextprotocol.io) server that lets an LLM agent run [Open Policy Agent](https://www.openpolicyagent.org/) Rego evaluations as a tool. +[MCP](https://modelcontextprotocol.io) server that exposes [OPA](https://www.openpolicyagent.org/) Rego evaluation as a tool an LLM agent can call. -Useful for "let Claude reason about a policy" workflows: paste a Rego module + an input doc into a chat and ask the model to walk through what happens. The model writes the query; `mcp-opa` runs OPA and returns the decision set. - -## Tool - -### `evaluate_policy` - -Evaluate a Rego module against an input document and optional `data` namespace. - -| Parameter | Required | Description | -| ------------ | -------- | ---------------------------------------------------------------------------------------- | -| `rego` | yes | Rego source code. Must include a `package` declaration. | -| `query` | yes | Query to evaluate, e.g. `data.example.allow` or `data.example.violations[_]`. | -| `input_json` | no | JSON-encoded input document (becomes the `input` variable inside Rego). | -| `data_json` | no | JSON-encoded base document seeding the `data` namespace via OPA's in-memory store. | - -The tool returns the OPA `ResultSet` as JSON. +Paste a Rego module and an input doc into a Claude / Cursor session. The model picks the query, `mcp-opa` runs `opa.Eval`, returns the decision set. ## Install 
@@ -28,43 +14,78 @@ The tool returns the OPA `ResultSet` as JSON. go install github.com/0-draft/mcp-opa@latest ``` -Or grab a signed binary from the [releases page](https://github.com/0-draft/mcp-opa/releases). +Pre-built signed binaries are on the [releases page](https://github.com/0-draft/mcp-opa/releases). -## Use with Claude Code +## Quickstart ```bash -claude mcp add opa -- mcp-opa +# Build and run the smoke test (no MCP client needed). +make smoke +# → ✓ smoke: allow=true ``` -Then in a Claude Code session: +`make smoke` builds the binary, feeds it a synthetic MCP `initialize` → +`tools/list` → `tools/call` sequence over stdio, and asserts the policy +returned `allow=true`. It exits non-zero on protocol failure. -> Evaluate this RBAC policy against the request — does Alice get to delete the document? -> -> ```rego -> package rbac -> default allow := false -> allow if input.user == "alice" and input.action == "read" -> ``` +## Wire it to Claude Code -Claude calls `evaluate_policy` with the right query, returns the decision. +```bash +claude mcp add opa -- mcp-opa +``` -## Use with Cursor / other MCP clients +Then in a session: paste a Rego policy, an input doc, and ask the model what +the decision should be. The model calls `evaluate_policy`, gets the answer +from OPA (not from its training data). -Add to your client's MCP server config: +## Wire it to Cursor / other clients -```json +```jsonc { "mcpServers": { - "opa": { - "command": "mcp-opa" - } + "opa": { "command": "mcp-opa" } } } ``` -## Verifying a release +## Tool: `evaluate_policy` + +| Param | Required | Description | +| ------------ | -------- | -------------------------------------------------------------------------- | +| `rego` | yes | Rego source with a `package` declaration. | +| `query` | yes | Rego query, e.g. `data.example.allow`. | +| `input_json` | no | JSON-encoded `input` document. | +| `data_json` | no | JSON-encoded base document for the `data` namespace. 
| + +Returns the OPA `ResultSet` as JSON. + +## Examples + +[`examples/`](./examples/) has reference policies: + +- [`rbac.rego`](./examples/rbac.rego) — role → permission mapping +- [`abac.rego`](./examples/abac.rego) — clearance level comparison +- [`k8s_admission.rego`](./examples/k8s_admission.rego) — admission control: required labels + +## Layout + +Flat on purpose. A single-binary MCP server with one tool does not need +`cmd/`, `internal/`, or `pkg/`. When a second tool joins, the natural split is +a sibling file (`evaluate.go`, `lint.go`, ...) — still no subpackages. + +```text +. +├── main.go # server bootstrap + tool registration +├── main_test.go +├── examples/ # reference Rego policies +├── scripts/smoke.sh +├── .goreleaser.yml +└── .github/ +``` + +## Verify a release -Each release ships a `cosign`-signed checksum file (keyless, Sigstore via GitHub OIDC) and a CycloneDX SBOM. To verify before installing: +Releases ship a `cosign`-signed checksum file (Sigstore keyless via GitHub OIDC) and a CycloneDX SBOM per archive. ```bash TAG=v0.1.0 diff --git a/examples/README.md b/examples/README.md new file mode 100644 index 0000000..a33554b --- /dev/null +++ b/examples/README.md 
@@ -0,0 +1,30 @@ +# Examples + +Reference Rego policies you can paste into `evaluate_policy` to see how `mcp-opa` behaves. + +| File | Pattern | +| ------------------------------------------ | --------------------------------------------- | +| [`rbac.rego`](./rbac.rego) | Role-based: roles → permissions | +| [`abac.rego`](./abac.rego) | Attribute-based: subject + resource matching | +| [`k8s_admission.rego`](./k8s_admission.rego) | Kubernetes admission control (require labels) | + +## Running an example end-to-end + +```bash +# 1. Start mcp-opa from any MCP client config (Claude Code shown): +claude mcp add opa -- mcp-opa + +# 2. In a session, ask: +# "Evaluate examples/rbac.rego for alice trying to delete document doc-1. +# What's the query?" +# +# Claude will read the rego, pick `data.rbac.allow`, send input +# {"user": "alice", "action": "delete", "resource": "doc-1"}, +# and read back the decision. +``` + +You can also drive it manually with `curl` over stdio (advanced — MCP is JSON-RPC over stdin/stdout): + +```bash +echo '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' | mcp-opa +``` diff --git a/examples/abac.rego b/examples/abac.rego new file mode 100644 index 0000000..bd493ce --- /dev/null +++ b/examples/abac.rego @@ -0,0 +1,19 @@ +package abac + +# Attribute-based access control: subject + resource attributes must align. +# +# Query: data.abac.allow +# Input: { +# "subject": {"id": "alice", "clearance": "secret"}, +# "resource": {"id": "report-99", "classification": "secret"}, +# "action": "read" +# } + +default allow := false + +levels := {"public": 0, "internal": 1, "confidential": 2, "secret": 3} + +allow if { + input.action == "read" + levels[input.subject.clearance] >= levels[input.resource.classification] +} diff --git a/examples/k8s_admission.rego b/examples/k8s_admission.rego new file mode 100644 index 0000000..805b679 --- /dev/null +++ b/examples/k8s_admission.rego 
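Review bot: The `allow` rule's fail-closed behaviour for unexpected attribute values is the example's most important property and the header comment does not state it: a clearance or classification string that is not a key of `levels` makes `levels[...]` undefined, the `>=` comparison is then undefined, and the decision falls through to `default allow := false`. The same happens when `input.subject` or `input.resource` is missing. Suggest adding to the header comment: `# Unknown or missing clearance/classification values are not keys of levels, so the comparison is undefined and allow stays false (fail-closed).` A second line noting that only `action == "read"` is modelled would stop readers from assuming write access is covered.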
@@ -0,0 +1,15 @@ +package k8s.admission + +# Kubernetes admission control: every Pod must carry an `app` label. +# +# Query: data.k8s.admission.violations[_] +# Input: the AdmissionReview request (or just the Pod object's metadata) + +violations contains msg if { + input.kind.kind == "Pod" + not input.object.metadata.labels.app + msg := sprintf("Pod %s/%s is missing required label `app`", [ + input.object.metadata.namespace, + input.object.metadata.name, + ]) +} diff --git a/examples/rbac.rego b/examples/rbac.rego new file mode 100644 index 0000000..04c5b28 --- /dev/null +++ b/examples/rbac.rego @@ -0,0 +1,26 @@ +package rbac + +# Role-based access control. +# +# Query: data.rbac.allow +# Input: {"user": "alice", "action": "read", "resource": "doc-1"} + +default allow := false + +roles := { + "alice": {"editor"}, + "bob": {"viewer"}, + "carol": {"viewer", "auditor"}, +} + +permissions := { + "editor": {"read", "write", "delete"}, + "viewer": {"read"}, + "auditor": {"read", "audit"}, +} + +allow if { + some role in roles[input.user] + some perm in permissions[role] + perm == input.action +} diff --git a/scripts/smoke.sh b/scripts/smoke.sh new file mode 100755 index 0000000..cb71e8c --- /dev/null +++ b/scripts/smoke.sh 
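Review bot: The `Input:` line in the header says the rule accepts "the AdmissionReview request (or just the Pod object's metadata)", but the body reads `input.kind.kind` and `input.object.metadata`, which is the shape of the `request` member of an AdmissionReview; a full AdmissionReview (`input.request.kind.kind`) or a bare Pod/metadata document leaves `input.kind.kind` undefined, so the rule produces no violations and the object is effectively admitted. For an admission-control example that silent fail-open is the caveat a reader needs. Suggest replacing the comment with `# Input: the "request" object of an AdmissionReview, e.g. {"kind": {"kind": "Pod"}, "object": {"metadata": {...}}}.` followed by `# Any other shape leaves input.kind.kind undefined and yields no violations (fail-open); gate on a deny-by-default rule in real deployments.`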
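Review bot: `resource` is listed in the header's `Input:` example and the README scenario in this same patch asks about "alice trying to delete document doc-1", yet the `allow` rule never reads `input.resource`, so any action a role permits is granted on every resource; a reader copying this as a starting point may not notice that the decision is resource-agnostic. Suggest saying so in the header: `# Note: "resource" is accepted but not consulted; permissions here are global, not per-resource.` It is also worth one line that an unknown user or role makes `roles[input.user]` / `permissions[role]` undefined, so `allow` keeps its `false` default (fail-closed).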
@@ -0,0 +1,38 @@ +#!/usr/bin/env bash +# Drive mcp-opa over stdio with a full MCP handshake and one tools/call. +# Useful before tagging a release, or after upgrading mcp-go. +# +# Exit codes: +# 0 decision was true (policy allowed) +# 1 decision was false (policy denied or no allow rule matched) +# 2 protocol failure (no result, no decision in payload) + +set -euo pipefail + +BIN="${1:-./mcp-opa}" +if [[ ! -x "$BIN" ]]; then + echo "build first: go build ." >&2 + exit 2 +fi + +read -r -d '' REGO <<'EOF' || true +package smoke + +default allow := false + +allow if input.user == "alice" +EOF + +OUT=$(printf '%s\n' \ + '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"smoke","version":"0"}}}' \ + '{"jsonrpc":"2.0","method":"notifications/initialized"}' \ + "$(jq -nc --arg r "$REGO" '{jsonrpc:"2.0",id:2,method:"tools/call",params:{name:"evaluate_policy",arguments:{rego:$r,query:"data.smoke.allow",input_json:"{\"user\":\"alice\"}"}}}')" \ + | "$BIN") + +DECISION=$(printf '%s\n' "$OUT" | tail -1 | jq -r '.result.content[0].text' | jq -r '.[0].expressions[0].value') + +case "$DECISION" in + true) echo "✓ smoke: allow=true"; exit 0 ;; + false) echo "✗ smoke: allow=false (expected true)"; exit 1 ;; + *) echo "✗ smoke: protocol failure; payload:"; printf '%s\n' "$OUT"; exit 2 ;; +esac From 2ab2758fa4eee3a7d16ba5a52a12a4bc4dc12dff Mon Sep 17 00:00:00 2001 From: kanywst Date: Wed, 27 May 2026 23:36:11 +0900 Subject: [PATCH 2/8] =?UTF-8?q?ci:=20pin=20golangci-lint=20v2.12.2=20(acti?= =?UTF-8?q?on=20v9)=20=E2=80=94=20v1.64=20was=20built=20with=20Go=201.24,?= =?UTF-8?q?=20can't=20read=20go1.26=20modules?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7112ba6..021eb8d 100644 --- a/.github/workflows/ci.yml 
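Review bot: The script depends on `jq` twice (the `"$(jq -nc --arg r "$REGO" ...)"` argument and the `DECISION=` pipeline) but only checks that `$BIN` is executable. If `jq` is missing, the first failure is masked because a failing command substitution inside a `printf` argument does not trip `set -e`, an empty request line goes to the server, and the script then dies in the `DECISION=` assignment with exit 127 rather than one of the three documented exit codes, as far as I can tell. Suggest a prerequisite check next to the `$BIN` check: `command -v jq >/dev/null 2>&1 || { echo "jq is required" >&2; exit 2; }`, and listing "missing prerequisite" under code 2 in the header table.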
+++ b/.github/workflows/ci.yml @@ -26,6 +26,6 @@ jobs: - uses: actions/setup-go@v6 with: go-version-file: go.mod - - uses: golangci/golangci-lint-action@v6 + - uses: golangci/golangci-lint-action@v9 with: - version: latest + version: v2.12.2 From 60e95bb070bd1b7ee28916e0642fd33a73b96ed8 Mon Sep 17 00:00:00 2001 From: kanywst Date: Wed, 27 May 2026 23:43:16 +0900 Subject: [PATCH 3/8] chore: address PR review feedback - examples/README.md: drop misleading "curl" wording in the stdio note - examples/k8s_admission.rego: use object.get with fallbacks so an undefined namespace/name doesn't make sprintf evaluate to undefined and silently swallow the violation - scripts/smoke.sh: select the tools/call response by id=2 instead of tail -1 (more robust against stray output lines) - workflows: pin actions to full commit SHAs and set persist-credentials: false on checkout (zizmor / CodeRabbit hardening) --- .github/workflows/ci.yml | 14 +++++++++----- .github/workflows/release.yml | 11 ++++++----- examples/README.md | 2 +- examples/k8s_admission.rego | 10 ++++++---- scripts/smoke.sh | 2 +- 5 files changed, 23 insertions(+), 16 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 021eb8d..f7b92cb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,8 +12,10 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: go.mod - run: go vet ./... 
@@ -22,10 +24,12 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: go.mod - - uses: golangci/golangci-lint-action@v9 + - uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 with: version: v2.12.2 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 81ab5a6..b90150f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,22 +14,23 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 + persist-credentials: false - - uses: actions/setup-go@v6 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: go.mod - name: Install syft - uses: anchore/sbom-action/download-syft@v0 + uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6 - name: Install cosign - uses: sigstore/cosign-installer@v3 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v7 + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: distribution: goreleaser version: latest diff --git a/examples/README.md b/examples/README.md index a33554b..de58695 100644 --- a/examples/README.md +++ b/examples/README.md 
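Review bot: `version: latest` under `goreleaser-action` leaves the GoReleaser binary itself unpinned while this commit pins every action to a commit SHA, so the tool that builds, signs and produces the SBOM for a release can still change between two runs of the same tag, which undercuts the reproducibility the hardening is after. The same pattern appears in PATCH 5/8's ci.yml hunk with `go install golang.org/x/vuln/cmd/govulncheck@latest`. Suggest pinning both to concrete releases, e.g. `version: v<pinned-goreleaser-version>` (placeholder) and `govulncheck@v<pinned-govulncheck-version>` (placeholder), with a trailing `# vX.Y.Z` comment so Dependabot can track them like the actions.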
@@ -23,7 +23,7 @@ claude mcp add opa -- mcp-opa # and read back the decision. ``` -You can also drive it manually with `curl` over stdio (advanced — MCP is JSON-RPC over stdin/stdout): +You can also drive it manually over stdio (advanced; MCP is JSON-RPC over stdin/stdout): ```bash echo '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' | mcp-opa diff --git a/examples/k8s_admission.rego b/examples/k8s_admission.rego index 805b679..e1ff799 100644 --- a/examples/k8s_admission.rego +++ b/examples/k8s_admission.rego @@ -8,8 +8,10 @@ package k8s.admission violations contains msg if { input.kind.kind == "Pod" not input.object.metadata.labels.app - msg := sprintf("Pod %s/%s is missing required label `app`", [ - input.object.metadata.namespace, - input.object.metadata.name, - ]) + # Use object.get with fallbacks so an undefined name/namespace doesn't make + # the whole sprintf evaluate to undefined and silently swallow the + # violation. + namespace := object.get(input.object.metadata, "namespace", "default") + name := object.get(input.object.metadata, "name", "") + msg := sprintf("Pod %s/%s is missing required label `app`", [namespace, name]) } diff --git a/scripts/smoke.sh b/scripts/smoke.sh index cb71e8c..d612a0e 100755 --- a/scripts/smoke.sh +++ b/scripts/smoke.sh @@ -29,7 +29,7 @@ OUT=$(printf '%s\n' \ "$(jq -nc --arg r "$REGO" '{jsonrpc:"2.0",id:2,method:"tools/call",params:{name:"evaluate_policy",arguments:{rego:$r,query:"data.smoke.allow",input_json:"{\"user\":\"alice\"}"}}}')" \ | "$BIN") -DECISION=$(printf '%s\n' "$OUT" | tail -1 | jq -r '.result.content[0].text' | jq -r '.[0].expressions[0].value') +DECISION=$(printf '%s\n' "$OUT" | jq -r 'select(.id == 2) | .result.content[0].text' | jq -r '.[0].expressions[0].value') case "$DECISION" in true) echo "✓ smoke: allow=true"; exit 0 ;; From 4dd0ba362d7a4e884f3fbffd9aa51a9bfbbc4077 Mon Sep 17 00:00:00 2001 
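Review bot: `object.get(input.object.metadata, "namespace", "default")` only helps when `input.object.metadata` itself is defined; when `metadata` is absent entirely, `not input.object.metadata.labels.app` still succeeds but the `object.get` call has an undefined first argument and is itself undefined (a Rego call with an undefined argument is undefined, as far as I recall), so the rule once again yields no violation for a Pod that carries no metadata at all. Using the path form over `input`, which is always defined, closes that gap: `namespace := object.get(input, ["object", "metadata", "namespace"], "default")` and `name := object.get(input, ["object", "metadata", "name"], "")`. The rule body is fully inside the hunk.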
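Review bot: `jq -r 'select(.id == 2) | ...'` is more robust than `tail -1` only against stray lines that are themselves valid JSON; a non-JSON line on the server's stdout makes `jq` fail to parse, and under `set -euo pipefail` the `DECISION=` assignment then aborts the script before the `case` can print the payload for diagnosis. If stray output is the failure mode being guarded against, reading raw lines and tolerating parse failures keeps the diagnostic branch reachable: `jq -R 'fromjson? | select(.id == 2) | .result.content[0].text'`. The rest of the pipeline stays as it is.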
From: kanywst Date: Wed, 27 May 2026 23:46:51 +0900 Subject: [PATCH 4/8] chore(release): use `go mod verify` (non-mutating) in goreleaser before hooks for reproducible releases --- .goreleaser.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 4b607ec..70c87b9 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -4,7 +4,9 @@ project_name: mcp-opa before: hooks: - - go mod tidy + # `verify` checks checksums without mutating go.mod / go.sum, so a + # release stays bit-reproducible. CI / dev should run `go mod tidy`. + - go mod verify builds: - id: mcp-opa From 3325591102668778164ad69d499224071575a93f Mon Sep 17 00:00:00 2001 From: kanywst Date: Wed, 27 May 2026 23:49:27 +0900 Subject: [PATCH 5/8] ci: add smoke / vuln / actionlint / coverage jobs - smoke: build and run the full MCP handshake via `make smoke`. Catches regressions in the actual server, not just unit tests. - vuln: govulncheck (Go reachable-CVE scan) + osv-scanner (OSV.dev cross- ecosystem scan). - actionlint: lint the workflow files themselves (catches typos, bad refs, missing inputs). - test: emit coverage with -covermode=atomic and print the function-level summary in the job output. All actions pinned to SHAs with version comments for Dependabot tracking. --- .github/workflows/ci.yml | 47 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f7b92cb..30aff9c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,7 +19,10 @@ jobs: with: go-version-file: go.mod - run: go vet ./... - - run: go test -race -count=1 -v ./... + - name: Run tests with coverage + run: go test -race -count=1 -covermode=atomic -coverprofile=coverage.out -v ./... + - name: Coverage summary + run: go tool cover -func=coverage.out | tail -n 1 lint: runs-on: ubuntu-latest 
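Review bot: `go mod verify` only checks that modules already in the module cache match `go.sum`; it does not fail when `go.mod`/`go.sum` are untidy, so the new comment's "CI / dev should run `go mod tidy`" leaves that to convention, and none of the ci.yml hunks in this series adds a tidy gate. A non-mutating CI step such as `go mod tidy -diff` (Go 1.23+) would enforce it without touching the release hook, which keeps the hook itself bit-reproducible as intended. I cannot see the rest of `.goreleaser.yml` from this hunk, so nothing else running tidy is an assumption.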
@@ -33,3 +36,45 @@ jobs: - uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 with: version: v2.12.2 + + smoke: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + with: + go-version-file: go.mod + - name: Run end-to-end MCP smoke test + run: make smoke + + vuln: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + with: + go-version-file: go.mod + - name: govulncheck (Go module CVE scan) + run: | + go install golang.org/x/vuln/cmd/govulncheck@latest + govulncheck ./... + - name: osv-scanner (OSV.dev cross-ecosystem scan) + uses: google/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8 + with: + scan-args: |- + --recursive + --skip-git + ./ + + actionlint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false + - name: Lint GitHub Actions workflows + uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 # v2.1.2 From dfcbb57763b37ee13095e10c3563226c0acf0041 Mon Sep 17 00:00:00 2001 From: kanywst Date: Wed, 27 May 2026 23:54:40 +0900 Subject: [PATCH 6/8] ci(vuln): correct osv-scanner-action path (uses subaction at osv-scanner-action/action.yml, not repo root) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 30aff9c..e2e51f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -63,7 +63,7 @@ jobs: go install golang.org/x/vuln/cmd/govulncheck@latest govulncheck ./... - name: osv-scanner (OSV.dev cross-ecosystem scan) - uses: google/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8 + uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8 with: scan-args: |- --recursive From a2fc6505af558d918e0fce5d638507a86aa7569a Mon Sep 17 00:00:00 2001 From: kanywst Date: Wed, 27 May 2026 23:56:45 +0900 Subject: [PATCH 7/8] ci(vuln): drop --skip-git arg (removed in osv-scanner v2) --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e2e51f8..a8cb947 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -67,7 +67,6 @@ jobs: with: scan-args: |- --recursive - --skip-git ./ actionlint: From 99538b8f6ef638528b257c88dcb781285d1b376a Mon Sep 17 00:00:00 2001 From: kanywst Date: Wed, 27 May 2026 23:59:10 +0900 Subject: [PATCH 8/8] =?UTF-8?q?chore(deps):=20bump=20x/crypto=20v0.50?= =?UTF-8?q?=E2=86=920.52=20and=20x/sys=20v0.43=E2=86=920.45=20to=20clear?= =?UTF-8?q?=20osv-scanner=20findings?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pulled forward via OPA's transitive graph. 14 OSV advisories against v0.50.0 / v0.43.0 (all unrated/Unknown severity, none reachable by our code per govulncheck). Bumping clears the noise so osv-scanner doesn't gate the PR. --- go.mod | 6 +++--- go.sum | 24 ++++++++++++------------ 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index f69a232..0c47dac 100644 --- a/go.mod +++ b/go.mod 
@@ -36,9 +36,9 @@ require (
 github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 go.yaml.in/yaml/v2 v2.4.4 // indirect
 go.yaml.in/yaml/v3 v3.0.4 // indirect
- golang.org/x/crypto v0.50.0 // indirect
+ golang.org/x/crypto v0.52.0 // indirect
 golang.org/x/sync v0.20.0 // indirect
- golang.org/x/sys v0.43.0 // indirect
- golang.org/x/text v0.36.0 // indirect
+ golang.org/x/sys v0.45.0 // indirect
+ golang.org/x/text v0.37.0 // indirect
 sigs.k8s.io/yaml v1.6.0 // indirect
 )
diff --git a/go.sum b/go.sum
index b50a7c7..e23d2e6 100644
--- a/go.sum
+++ b/go.sum
@@ -130,20 +130,20 @@ go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ=
 go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
-golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
-golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
-golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
-golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=