chore: add security scanning and enforce no-npx rule #177
Open
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
cc733bf to f4611b0
- Add ecc-agentshield as pinned devDep for Claude Code config scanning
- Add `pnpm run security` script (agentshield + zizmor)
- Add /security-scan command for Claude
- Add npx/dlx/yarn-dlx check to pre-commit hook
- Add NEVER npx/dlx rule to CLAUDE.md ABSOLUTE RULES
- Remove dead .husky/security-checks.sh (duplicate of .git-hooks/pre-commit)
f4611b0 to cb2d285
Agents (reference CLAUDE.md rules, don't duplicate them):
- code-reviewer: applies code style, test style, sorting rules
- security-reviewer: applies safe file ops, secret detection, dependency rules
- refactor-cleaner: applies pre-action protocol, dead code removal, scope rules

Skills:
- ci-cascade: extracts SHA pin cascade procedure from CLAUDE.md into executable workflow

Commands:
- release-changelog: generates changelog entries following Keep a Changelog format
d302eb5 to 76f47bf
- security-reviewer: remove fabricated os.tmpdir() prohibition (CLAUDE.md recommends it), add fetch() prohibition from CLAUDE.md
- code-reviewer: add missing rules (undefined over null, __proto__: null, error handling, backward compat, spawn, loop annotations)
- ci-cascade: add missing Layer 4 (local wrappers) before external propagation
- quality-scan: fix "4 scan types" → "all scan types", fix "Task tool" → "Agent tool"
- quality-loop: remove stale architectural issue from wrong repo (socket-btm)
- Delete stale scratch scripts from .claude/ (migration scripts, update-workflow-shas)
76f47bf to 111c855
Shared subskills (_shared/):
- env-check: environment validation for all pipelines
- verify-build: pnpm fix/check/test pattern
- security-tools: zizmor + agentshield + socket CLI detection
- report-format: severity levels, A-F grading, HANDOFF protocol

New skills:
- security-scan: promoted from command to full pipeline (agentshield → zizmor → security-reviewer agent grading)
- release: orchestrator pipeline (quality gate → security gate → changelog → version bump)

Pipeline state tracking:
- .claude/ops/queue.yaml: tracks pipeline runs with phase progression

Updated commands:
- security-scan: delegates to security-scan skill
- release-changelog: delegates to release skill
- quality-loop: references refactor-cleaner agent for fixes

Architecture: 5 pipelines, 4 shared subskills, 3 agents wired in. Follows arscontexta queue pattern and Socket Skills orchestrator pattern.
- quality-scan: reference _shared/env-check, _shared/security-tools, wire code-reviewer + security-reviewer agents into scan phase, replace <promise> with HANDOFF block, add queue tracking, fix constraints (not read-only), fix tool references
- updating: reference _shared/env-check + _shared/verify-build, add HANDOFF output, add queue tracking
- ci-cascade: reference _shared/env-check, add queue tracking, add HANDOFF output
- queue.yaml: fix phase_order to match actual skill phases
Summary
- `ecc-agentshield` (1.4.0) as pinned devDep for Claude Code config scanning
- `pnpm run security` script — runs agentshield (Grade A, 97/100) + zizmor (0 findings)
- `/security-scan` command for Claude
- `.git-hooks/pre-commit` (blocks commits with npx usage)
- `NEVER use npx/dlx` to CLAUDE.md ABSOLUTE RULES
- `.husky/security-checks.sh` (was exact duplicate of `.git-hooks/pre-commit`)

Test plan
- `pnpm run security` runs both agentshield and zizmor
- `pnpm run fix --all` clean
- `pnpm run check --all` clean
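
One way a pre-commit check like the one described above could reject `npx`, `pnpm dlx` and `yarn dlx` in staged files. This is an added example, not the repository's actual `.git-hooks/pre-commit`; the regular expression, the skip list, the messages and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's .git-hooks/pre-commit.
# The pattern, skip list and messages below are assumptions.

# A runner is the word npx, or pnpm/yarn followed by dlx. Requiring a
# non-identifier character on both sides keeps "npxLike" and "my-npx" clean.
RUNNER_RE='(^|[^[:alnum:]_-])(npx|pnpm[[:space:]]+dlx|yarn[[:space:]]+dlx)([^[:alnum:]_-]|$)'

# scan_text LABEL: read text on stdin and print LABEL:LINENO:LINE per hit.
# Returns 0 when at least one hit was printed, 1 when the text is clean.
scan_text() {
  grep -nE "$RUNNER_RE" |
    awk -v f="$1" '{ print f ":" $0; hit = 1 } END { exit !hit }'
}

# should_scan PATH: skip Markdown so the rule text in CLAUDE.md does not trip
# the check, and skip the hook itself because it contains the pattern.
should_scan() {
  case "$1" in
    *.md | .git-hooks/pre-commit) return 1 ;;
    *) return 0 ;;
  esac
}

# check_staged: scan the staged blob (what will be committed, not the working
# tree) of each added, copied or modified file. Returns 1 on any hit.
check_staged() {
  hits=$(git diff --cached --name-only --diff-filter=ACM |
    while IFS= read -r f; do
      should_scan "$f" && git show ":$f" | scan_text "$f"
    done)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" >&2
  echo "blocked: pin the tool as a devDependency and call it from a package script" >&2
  return 1
}

# Run only when this file is installed under the name pre-commit.
case "$0" in
  pre-commit | */pre-commit) check_staged || exit 1 ;;
esac
```

Scanning the index with `git show ":$f"` rather than the working tree means a partially staged file is judged by what would actually be committed.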