Merge pull request #2683 from trycompai/feat/split-sanitized-inputs-check

feat(integrations): split GitHub sanitized inputs check into two automations

Author: tofikwest

packages/integration-platform/src/manifests/github/checks/code-scanning.ts

@@ -0,0 +1,318 @@
+/**
+ * Code Scanning Check
+ *
+ * Verifies repositories have automated static analysis configured. Detects:
+ * - GitHub CodeQL default setup
+ * - Custom CodeQL workflow files (.github/workflows/*.yml with codeql-action)
+ * - Third-party SARIF uploaders (Semgrep, Snyk, Trivy, etc.)
+ */
+
+import { TASK_TEMPLATES } from '../../../task-mappings';
+import type { IntegrationCheck } from '../../../types';
+import type {
+  GitHubCodeScanningDefaultSetup,
+  GitHubRepo,
+  GitHubTreeEntry,
+  GitHubTreeResponse,
+} from '../types';
+import { parseRepoBranch, targetReposVariable } from '../variables';
+
+// Patterns that indicate code scanning is configured in a workflow
+const CODE_SCANNING_PATTERNS = [
+  'github/codeql-action/init',
+  'github/codeql-action/analyze',
+  'github/codeql-action/upload-sarif',
+  'codeql-action/init',
+  'codeql-action/analyze',
+  'codeql-action/upload-sarif',
+  'upload-sarif', // Generic SARIF upload
+];
+
+interface GitHubFileResponse {
+  content: string;
+  encoding: 'base64' | 'utf-8';
+  path: string;
+}
+
+type CodeScanningStatus =
+  | {
+      status: 'enabled';
+      method: 'default-setup' | 'workflow';
+      languages?: string[];
+      workflow?: string;
+    }
+  | { status: 'not-configured' }
+  | { status: 'permission-denied'; isPrivate: boolean }
+  | { status: 'ghas-required' };
+
+const decodeFile = (file: GitHubFileResponse): string => {
+  if (!file?.content) return '';
+  if (file.encoding === 'base64') {
+    return Buffer.from(file.content, 'base64').toString('utf-8');
+  }
+  return file.content;
+};
+
+export const codeScanningCheck: IntegrationCheck = {
+  id: 'code_scanning',
+  name: 'Code Scanning',
+  description:
+    'Verifies repositories have GitHub CodeQL or an equivalent static analysis tool configured. Detects default-setup CodeQL, custom CodeQL workflows, and third-party SARIF uploaders.',
+  service: 'code-security',
+  taskMapping: TASK_TEMPLATES.sanitizedInputs,
+  defaultSeverity: 'medium',
+  variables: [targetReposVariable],
+
+  run: async (ctx) => {
+    const targetReposRaw = (ctx.variables.target_repos as string[] | undefined) ?? [];
+    const targetRepos = targetReposRaw.map((v) => parseRepoBranch(v).repo);
+
+    if (targetRepos.length === 0) {
+      ctx.fail({
+        title: 'No repositories selected',
+        description:
+          'Select at least one repository to monitor in the integration settings so we can verify code scanning.',
+        resourceType: 'integration',
+        resourceId: 'github',
+        severity: 'low',
+        remediation: 'Open the integration settings and choose repositories to monitor.',
+      });
+      return;
+    }
+
+    const fetchRepo = async (fullName: string): Promise<GitHubRepo | null> => {
+      try {
+        return await ctx.fetch<GitHubRepo>(`/repos/${fullName}`);
+      } catch (error) {
+        ctx.warn(`Failed to fetch repo ${fullName}: ${String(error)}`);
+        return null;
+      }
+    };
+
+    const fetchRepoTree = async (repoName: string, branch: string): Promise<GitHubTreeEntry[]> => {
+      try {
+        const tree = await ctx.fetch<GitHubTreeResponse>(
+          `/repos/${repoName}/git/trees/${branch}?recursive=1`,
+        );
+        if (tree.truncated) {
+          ctx.warn(`Repository ${repoName} has too many files, tree was truncated`);
+        }
+        return tree.tree;
+      } catch (error) {
+        ctx.warn(`Failed to fetch tree for ${repoName}: ${String(error)}`);
+        return [];
+      }
+    };
+
+    const fetchFile = async (repoName: string, path: string): Promise<string | null> => {
+      try {
+        const file = await ctx.fetch<GitHubFileResponse>(`/repos/${repoName}/contents/${path}`);
+        return decodeFile(file);
+      } catch {
+        return null;
+      }
+    };
+
+    const hasCodeScanningInWorkflow = (content: string): boolean => {
+      const lower = content.toLowerCase();
+      return CODE_SCANNING_PATTERNS.some((pattern) => lower.includes(pattern.toLowerCase()));
+    };
+
+    const findCodeScanningWorkflows = async (
+      repoName: string,
+      tree: GitHubTreeEntry[],
+    ): Promise<string[]> => {
+      const workflowFiles = tree.filter(
+        (entry) =>
+          entry.type === 'blob' &&
+          entry.path.startsWith('.github/workflows/') &&
+          (entry.path.endsWith('.yml') || entry.path.endsWith('.yaml')),
+      );
+
+      const codeScanningWorkflows: string[] = [];
+
+      for (const entry of workflowFiles) {
+        const content = await fetchFile(repoName, entry.path);
+        if (content && hasCodeScanningInWorkflow(content)) {
+          codeScanningWorkflows.push(entry.path);
+        }
+      }
+
+      return codeScanningWorkflows;
+    };
+
+    const getCodeScanningStatus = async ({
+      repoName,
+      tree,
+      isPrivate,
+      isGhasEnabled,
+    }: {
+      repoName: string;
+      tree: GitHubTreeEntry[];
+      isPrivate: boolean;
+      isGhasEnabled: boolean;
+    }): Promise<CodeScanningStatus> => {
+      let apiGot403 = false;
+
+      // First, try the default setup API
+      try {
+        const setup = await ctx.fetch<GitHubCodeScanningDefaultSetup>(
+          `/repos/${repoName}/code-scanning/default-setup`,
+        );
+        if (setup.state === 'configured') {
+          return {
+            status: 'enabled',
+            method: 'default-setup',
+            languages: setup.languages || [],
+          };
+        }
+      } catch (error) {
+        const errorStr = String(error);
+
+        if (errorStr.includes('403') || errorStr.includes('Forbidden')) {
+          // The code-scanning API requires GHAS for private repos, but reading
+          // workflow file contents only requires contents:read. A 403 here does
+          // not mean we can't check for code scanning workflows.
+          ctx.log(
+            `Code scanning API returned 403 for ${repoName} (private: ${isPrivate}, ghas: ${isGhasEnabled}). Falling back to workflow file scanning.`,
+          );
+          apiGot403 = true;
+        } else {
+          // Other errors - API might not be available, continue to check workflows
+          ctx.log(`Code scanning default setup not available for ${repoName}: ${errorStr}`);
+        }
+      }
+
+      // Fall back to checking for workflow files with code scanning.
+      // This catches repos using third-party SAST tools (Semgrep, Snyk, Trivy, etc.)
+      // that upload SARIF results via github/codeql-action/upload-sarif.
+      const codeScanningWorkflows = await findCodeScanningWorkflows(repoName, tree);
+      if (codeScanningWorkflows.length > 0) {
+        return {
+          status: 'enabled',
+          method: 'workflow',
+          workflow: codeScanningWorkflows[0],
+        };
+      }
+
+      if (apiGot403) {
+        if (isPrivate) {
+          if (isGhasEnabled) {
+            return { status: 'permission-denied', isPrivate };
+          }
+          return { status: 'ghas-required' };
+        }
+        return { status: 'permission-denied', isPrivate };
+      }
+
+      return { status: 'not-configured' };
+    };
+
+    for (const repoName of targetRepos) {
+      const repo = await fetchRepo(repoName);
+      if (!repo) continue;
+
+      const tree = await fetchRepoTree(repo.full_name, repo.default_branch);
+      const isGhasEnabled = repo.security_and_analysis?.advanced_security?.status === 'enabled';
+
+      const codeScanningStatus = await getCodeScanningStatus({
+        repoName: repo.full_name,
+        tree,
+        isPrivate: repo.private,
+        isGhasEnabled,
+      });
+
+      switch (codeScanningStatus.status) {
+        case 'enabled': {
+          const methodDescription =
+            codeScanningStatus.method === 'default-setup'
+              ? 'GitHub CodeQL default setup is enabled.'
+              : `Code scanning configured via workflow: ${codeScanningStatus.workflow}`;
+
+          ctx.pass({
+            title: `CodeQL scanning configured for ${repo.name}`,
+            description: methodDescription,
+            resourceType: 'repository',
+            resourceId: repo.full_name,
+            evidence: {
+              [repo.full_name]: {
+                code_scanning: {
+                  status: 'enabled',
+                  method: codeScanningStatus.method,
+                  ...(codeScanningStatus.languages && { languages: codeScanningStatus.languages }),
+                  ...(codeScanningStatus.workflow && { workflow: codeScanningStatus.workflow }),
+                  checked_at: new Date().toISOString(),
+                },
+              },
+            },
+          });
+          break;
+        }
+
+        case 'ghas-required':
+          ctx.fail({
+            title: `Code scanning requires GitHub Advanced Security for ${repo.name}`,
+            description:
+              'This is a private repository. GitHub Advanced Security (GHAS) must be enabled before CodeQL can be configured. GHAS is a paid feature for private repositories.',
+            resourceType: 'repository',
+            resourceId: repo.full_name,
+            severity: 'medium',
+            remediation:
+              'Enable GitHub Advanced Security in the repository settings (Settings → Code security and analysis → GitHub Advanced Security), then enable CodeQL.',
+            evidence: {
+              [repo.full_name]: {
+                code_scanning: {
+                  status: 'ghas_required',
+                  checked_at: new Date().toISOString(),
+                },
+              },
+            },
+          });
+          break;
+
+        case 'permission-denied':
+          ctx.fail({
+            title: `Cannot access code scanning configuration for ${repo.name}`,
+            description:
+              'The GitHub integration does not have permission to read code scanning configuration. This may be due to missing permissions or organization policies.',
+            resourceType: 'repository',
+            resourceId: repo.full_name,
+            severity: 'medium',
+            remediation:
+              'Ensure the GitHub App has "Code scanning alerts: Read" permission. If this is an organization repository, check that organization policies allow access.',
+            evidence: {
+              [repo.full_name]: {
+                code_scanning: {
+                  status: 'permission_denied',
+                  checked_at: new Date().toISOString(),
+                },
+              },
+            },
+          });
+          break;
+
+        case 'not-configured':
+        default:
+          ctx.fail({
+            title: `Code scanning not enabled for ${repo.name}`,
+            description:
+              'GitHub CodeQL (or an equivalent static analysis tool) is not configured. Enable it to automatically detect insecure patterns.',
+            resourceType: 'repository',
+            resourceId: repo.full_name,
+            severity: 'medium',
+            remediation:
+              'In the repository Security tab, enable CodeQL default setup (or add a custom workflow) to run on every push.',
+            evidence: {
+              [repo.full_name]: {
+                code_scanning: {
+                  status: 'not_configured',
+                  checked_at: new Date().toISOString(),
+                },
+              },
+            },
+          });
+          break;
+      }
+    }
+  },
+};

packages/integration-platform/src/manifests/github/checks/index.ts

@@ -4,6 +4,7 @@
  */
 
 export { branchProtectionCheck } from './branch-protection';
+export { codeScanningCheck } from './code-scanning';
 export { dependabotCheck } from './dependabot';
 export { sanitizedInputsCheck } from './sanitized-inputs';
 export { twoFactorAuthCheck } from './two-factor-auth';