Should I worry about devDependency GitHub Dependabot alerts? - github

I frequently get little pokes from GitHub's dependabot to update dependencies in my repos. Sometimes, however, these dependencies happen to be devDependencies. To my understanding, devDependencies are only relevant in the dev environment — inside my local machine — which shouldn't really give any opportunity for XSS when running localhost:3000.
Does anybody know if these GitHub Dependabot alerts (that are pointing at devDependencies) are necessary to address?

Related

Dependabot.yml security updates for GitHub Actions

I am trying to configure dependabot.yml to get security updates for GitHub Actions.
I followed the Configuring Dependabot security updates documentation. During the configuration I had the following issues:
I did not understand if I need to enable in Code security and analysis the Dependabot alerts and Dependabot security updates along with creating the dependabot.yml.
I did not understand why Dependabot was not able to identify the security vulnerability in my action. I am testing with some-natalie/ghas-to-csv#v1 action, which has a GHSA.
I did not understand from About Dependabot security updates documentation what is the frequency that the vulnerabilities are checked and turned into alerts / PRs.
Perhaps the configuration did not work (yet) because Dependabot has not even identified the vulnerability, therefore has not created the updating PR.
Can you help me understand why is my configuration not working? Or if it's not supported?
All Dependabot features build on top of the Software Composition Analysis feature (first button to enable in that list) and that is the reason why that needs to be enabled.
It then checks ONLY the dependencies of your repo that it finds through parsing the manifest files in the repos.
For security alerts and PRs you do not need to commit a Dependabot.yml file. That file is only needed for version updates.
Lastly, Dependabot does not check security vulnerabilities in your code, only for dependencies! If you want to run static code analysis on your own code, you can try CodeQL and other SAST tools (static code analysis tools).
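An added dependabot.yml example (not from either post above) that serves both threads: version updates for the GitHub Actions referenced in workflows, plus npm version updates restricted to runtime dependencies, which is one way to act on the devDependency concern in the first question. As the answer notes, this file only governs version updates; Dependabot alerts and security-update PRs are switched on under Code security and analysis. The root directory and weekly cadence are assumptions.

```yaml
# .github/dependabot.yml (added example; governs version updates only)
version: 2
updates:
  # Keep the actions referenced in .github/workflows/*.yml current.
  - package-ecosystem: "github-actions"
    directory: "/"            # Dependabot looks under .github/workflows from the root
    schedule:
      interval: "weekly"

  # npm version updates, limited to runtime dependencies so that
  # devDependency bumps do not generate version-update PRs.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    allow:
      - dependency-type: "production"
    open-pull-requests-limit: 5
```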

Using github packages without personal access token?

The project I'm working on currently deploys our private node packages via github packages. Our current workflow is for each developer to create and maintain their own personal access token, and then we use a central account's PAT for automation in AWS.
I was wondering if it's possible to authenticate with github packages without the use of Actions or PAT's?
As of 2022-07-30
No, it is not possible to use github packages without a personal access token (PAT):
It is not possible to upload without a PAT (which makes sense as it prevents random people from uploading binaries to your package repo);
It is not possible to download without a PAT (not even publicly available packages can be used);
As early as 2019-10-20, people have requested github to remove PATs as a requirement for mainly downloading public packages.
The idea is that users of libraries should not need to have a github account to access a developer's package.
Sadly, the request for pat-less package downloads was not granted by Github to this day.
If you want a package registry without a hassle, it might be wise to look for other registries, such as MavenCentral or JitPack (not necessarily meant for node packages), or host a service yourself.
I even had to link a cached webpage, as the original question has been removed from Github community along with a bunch of related questions.
Another question on github, stating pat-less access to packages is still on the roadmap for "fall 2021" is here.
I could not find what the current status of this feature is.
Edit: It is possible to download binaries without a PAT for public repositories using jitpack.io. Jitpack builds the given jar/aar on their servers.
You can add jitpack as a repository to your build system, and use the jitpack-specified URL to reference releases, branches, or specific commits.
Sadly, there is no way to refer to packages (yet).
However, this system allows your users to use your code without needing PATs nor a Github account.
I'd like to offer an alternative.
You may use a Gradle plugin of mine (magik, I was exactly in your shoes) to ease the consumption of artifacts from your Github Packages for Gradle clients.
It requires you to save your read-only PAT on the repo itself, so that the users don't have to deal with any authentication (apart from using the plugin mentioned above).

How to enforce code quality rules to a GitHub branch before a commit is allowed?

The scope of this question is GitHub repositories.
Is there an easy option to enforce a few code quality rules before a commit can be done?
I have linting tools that I can run in a GitHub action runner. I hope I can run the linting scripts and prevent the commit if the lint program has an error output.
I think I am missing a pattern or special GitHub feature here. A link to documentation would be a great help.
If you're using github.com (that is, not a GitHub Enterprise Server instance), then you cannot run hooks on the server side. That's because hooks execute arbitrary code, which is of course a security concern.
The easiest way to do this is to run a CI job, such as you have in the GitHub Actions runner. You'd create the workflow file that runs the linting tools, such that the linting tool or your check script exits nonzero if the commit should be rejected. You can see the workflow file for Git LFS that runs script/cibuild to perform this kind of check.
Once you have your CI job working as you expect, you can protect the branch by going into the repository settings. Choose Branches → Branch Protection Rules, and create a check for whatever branch you want to require checks for. Usually this is your default branch. Choose “Require status checks to pass before merging” and then enable the relevant checks to make them required.
From that point on, in order to merge code into the protected branch, the checks must pass. If you want to require this for all branches in the repository, then you can use a wildcard, but you'll need to use a forking model since this will prevent people from pushing branches into the repository.
Note that this is much better than trying to use a pre-commit hook on the user system. As the Git FAQ explains, pre-commit hooks are easily bypassed, so while you can provide them for developers who want to use them, you can't require them. pre-commit hooks are also an impediment to certain workflows, so advanced developers may not care for them.
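An added workflow example (not from the answer above) of the CI job it describes: the job fails whenever the lint step exits nonzero, and the job id `lint` is the status check name to mark as required under Branch Protection Rules. Node, `npm ci` and an `npm run lint` script are assumptions; the same shape works for any check script.

```yaml
# .github/workflows/lint.yml (added example, not the project's own file)
name: lint
on:
  pull_request:            # run for every PR so the check can gate merging
  push:
    branches: [main]
permissions:
  contents: read           # the job only needs to read the tree
jobs:
  lint:                    # "lint" is the check name to require in branch protection
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      # Any nonzero exit here fails the job, and therefore the required check.
      - run: npm run lint
```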

How do I disable a Github check for Google Cloud Build

I've installed the Google Cloud Build app from Github Marketplace, and enabled it on several repositories, only to discover that enabling access for those repositories automatically starts running the Google Cloud Build "check" after every PR or push to a PR. Since some of those repositories are not actually ready for Google Cloud build, I needed to turn off the checks... I used the URL mentioned in the docs to get to the page where you can select which repositories should be connected to your GCP project, and unchecked a bunch of them... this disconnected them from the project, but, surprisingly, did not disable the Github checks! So now, there are Github checks on several repositories that just result in an error because they're not connected to any projects in Cloud Build.
Surely, it is not an uncommon use case to need a way to "disable Checks" on a per-repository basis - is there any way to do that?
(If not, consider it a requested feature if there are any Google Engineers reading!) ;)
I did talk to chat support, and the only way we could figure out to remove the checks would be to uninstall Google Cloud Build completely from the entire organization, which I don't want to do because we do have some setup that I want to keep, and I don't know how much of that configuration would have to be redone if I uninstalled it completely.
Here is a screenshot of the broken check that I can't disable:
I think there are 2 steps to disable CloudBuild,
1. Disable on CloudBuild itself. For some time I kept seeing 2 builds per push made, but disabling a trigger on CloudBuild helped fix that.
2. On Github, you can configure the Cloudbuild app to monitor a specific repo on the organization level setting.
3. If you feel a lot adventurous though and it's not solved, on the project level setting, you could delete the Webhooks integration for cloudbuild, as that's what Github notifies of each build.
It can be found within GH App installations:
https://console.cloud.google.com/gcb-github-registration
Select the GH account used for your link between Cloud Build and GH, then the GCP project you want to edit.
Here connected repositories can be edited, and in the second step (Trigger settings), the "Default GitHub Checks" can be disabled.
You can also go to the settings of your repository and click installations inside settings.
And then remove Google cloud build from Installed apps and authorized github apps.
Cloud Build Triggers are still in beta, and have gone through several updates since this question was posted, but it now appears that the "Github Default Checks" are no longer hidden from management. They are now explicitly offered (but not automatically created) when connecting a repo, and you can finally view and disable (or delete) individual "Github Default Checks" on the trigger management page: https://console.cloud.google.com/cloud-build/triggers
I'll leave this as unanswered, because I'm uncertain this is how it is working for everyone, or that this answer will remain true, but if it works for you, feel free to vote up the answer!
To link GCP Project to the Github repository, create a trigger by clicking on resolve link, besides Action Required and then disable the same. For me this procedure worked out.

Build triggering from 3rd party repository

Say I have a project that depends on and builds with the latest commit from a repository managed by someone else; is there a generic way to get build triggering? I am not talking about a project that you own where you have access to the Webhooks settings, but one where the project is someone else's.
An example I have for this is Docker images. Where I dockerise an application, I want to have a CI system rebuild that image whenever the application's source repository is updated. I don't have control over the webhooks of the application vendor's git so cannot add a webhook, but would like a trigger when it is updated. A short delay is reasonable (it does not need to be instant).
For argument's sake, we can assume that the repo is hosted on GitHub and that the CI supports web hooks.
Is there a tool/service that does this? I don't think that there is a way provided by GitHub or any of the other large Git hosts (GitLab or BitBucket) for doing this, but if I am mistaken please let me know. All I can think is to poll the repo in some schedules job and trigger the build from that. I suspect there may be a plugin for Jenkins to do this but would like something generic and if polling can be avoided in favour of the publish/subscribe model that would be perfect.