Skip to content

Fix: Patch high-severity vulnerable dependency packages #113

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
ping-huang1 wants to merge 4 commits into from
Closed

Fix: Patch high-severity vulnerable dependency packages #113

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
327b544
feat: add Socket Security Tier 1 reachability scan workflow
ping-huang1 Apr 2, 2026
41cf6a0
fix: remove redundant SOCKET_SECURITY_API_KEY env var
ping-huang1 Apr 8, 2026
13ce1ea
fix: source Socket API token from SOCKET_SECURITY_API_KEY secret
ping-huang1 Apr 8, 2026
5a61b0d
fix: patch high-severity vulnerable dependency packages
ping-huang1 Apr 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 80 additions & 0 deletions .github/workflows/socket_reachability.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
# Socket Security Scan with Tier 1 Reachability Analysis
#
# This workflow scans dependencies and performs reachability analysis
# to identify which vulnerabilities are actually reachable in the code.
#
# Required: SOCKET_SECURITY_API_KEY secret with enterprise plan
# API token scopes needed: socket-basics, uploaded-artifacts, full-scans, repo

name: Socket Security Scan

on:
schedule:
- cron: "0 2 * * *" # Everyday at 2 AM UTC
workflow_dispatch:
inputs:
enable_reachability:
description: "Enable Tier 1 reachability analysis"
required: false
default: "true"
type: choice
options:
- "true"
- "false"

concurrency:
group: socket-security-scan
cancel-in-progress: true

jobs:
socket-security:
name: Socket Security Scan
runs-on: ubuntu-latest
timeout-minutes: 120
permissions:
contents: read

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: "3.12"

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"

- name: Install uv (Python package manager)
uses: astral-sh/setup-uv@v4
Copy link
Copy Markdown

@semgrep-code-webflow semgrep-code-webflow bot Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

The GitHub action astral-sh/setup-uv@v4 uses a mutable version tag that could be rewritten by an attacker to inject malicious code into your workflow.

More details about this

The astral-sh/setup-uv@v4 action is pinned to a version tag instead of a full commit SHA. Version tags in GitHub are mutable—a maintainer can move or re-tag a release at any time. An attacker who compromises the astral-sh/setup-uv repository could overwrite the v4 tag to point to malicious code.

Exploit scenario:

  1. An attacker compromises the astral-sh/setup-uv repository and gains push access
  2. They force-push a commit containing a backdoor to rewrite the v4 tag
  3. Your workflow runs and pulls the malicious code via uses: astral-sh/setup-uv@v4
  4. The backdoor executes in the runner environment with access to secrets.SOCKET_SECURITY_API_KEY and your repository code
  5. The attacker exfiltrates credentials and source code

Pinning to a specific commit SHA (e.g., @a1b2c3d4e5f6...) creates an immutable reference that cannot be altered after commit creation, even if the tag is rewritten.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
uses: astral-sh/setup-uv@v4
# Pinned to v4 for security; see https://github.com/astral-sh/setup-uv/tags
uses: astral-sh/setup-uv@ed597411d8f924073f98dfc5c65a23a2325f34cd
View step-by-step instructions
  1. Replace the action version in uses: astral-sh/setup-uv@v4 with a full 40-character commit SHA from the official setup-uv repository. For example: uses: astral-sh/setup-uv@ed597411d8f924073f98dfc5c65a23a2325f34cd
  2. (Optional but recommended) Add a comment with the pinned SHA to indicate why it's pinned and provide a link to the action/tag for reference, e.g. # Pinned to v4 for security; see https://github.com/astral-sh/setup-uv/tags

Pinning to a commit SHA makes the workflow more secure and prevents unexpected changes if the upstream action is updated.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.

You can view more details about this finding in the Semgrep AppSec Platform.


- name: Install Socket CLI
run: uv pip install socketsecurity --upgrade --system

- name: Run Socket Security Scan
env:
SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_KEY }}
PYTHONUNBUFFERED: "1"
ENABLE_REACH: ${{ github.event.inputs.enable_reachability }}
run: |
REPO_NAME="${GITHUB_REPOSITORY#*/}"

# Build reachability flags if enabled
REACH_FLAGS=""
if [[ "${ENABLE_REACH}" != "false" ]]; then
REACH_FLAGS="--reach --reach-memory-limit 16384 --reach-timeout 3600"
echo "Reachability analysis enabled"
fi

echo "Scanning repository: $REPO_NAME"

socketcli \
--target-path "$GITHUB_WORKSPACE" \
--repo "$REPO_NAME" \
--enable-debug \
$REACH_FLAGS
Loading
Loading