Adds supply-chain security scanning for dependency changes. Scans package artifacts when lockfiles change in a PR. Requires QODO_API_KEY secret — see repo settings.
Review Summary by Qodo: Add Dependency Guard workflow for supply-chain security
Walkthroughs
Description:
• Adds Dependency Guard workflow for supply-chain security scanning
• Triggers on lockfile changes across multiple package managers
• Posts verdict comments (SAFE/WARNING/MALICIOUS) on PRs
• Requires QODO_API_KEY secret configuration in repository
Diagram (flowchart LR):
PR["Pull Request with<br/>lockfile changes"]
TRIGGER["Dependency Guard<br/>workflow triggered"]
SCAN["Scan package<br/>artifacts"]
VERDICT["Post verdict<br/>comment"]
PR -- "on: paths" --> TRIGGER
TRIGGER -- "checkout code" --> SCAN
SCAN -- "QODO_API_KEY" --> VERDICT
File Changes:
1. .github/workflows/dependency-guard.yml
Code Review by Qodo
- Pin actions/checkout to 11bd7190 (v4.2.2)
- Pin dependency-guard to 6b89a704 (v1.0.0-alpha.1)
- Add concurrency group to cancel stale runs on push
- Fail fast with clear error if QODO_API_KEY secret is missing
- Concurrency group now uses workflow name + PR number to avoid conflicts with other workflows on the same branch
- persist-credentials: false on checkout — GITHUB_TOKEN not stored in git config after the step completes
- Concurrency: use github.ref || github.run_id instead of PR number. github.event.pull_request.number is null for non-PR triggers; this form handles future trigger expansions safely.
- Checkout: pin to github.event.pull_request.head.sha (exact commit the developer pushed) rather than the default merge commit. Avoids merge-conflict lockfile artifacts causing false positives.
- fetch-depth: 0 — full history needed for git diff origin/main...HEAD three-dot merge-base computation. Shallow clone silently breaks the lockfile diff, causing detect-changes to return zero packages.
- timeout-minutes: 30 — prevents a hung LLM call from burning 6h of Actions minutes. Scan completes in <15 min under normal conditions.
- Reject: pr-number concurrency group (loses run_id fallback we added)
Three code review issues addressed:
1. Fork PRs under pull_request event have no access to repo secrets. Failing hard produces a permanent red check on external contributions. Fix: job-level if condition skips cleanly (shows as 'skipped'). Condition covers both missing secret and fork PR cases.
2. Explicit check step removed — it was redundant once the job condition handles the missing-secret case. Also eliminates the underlying shell injection risk (secret interpolated into bash run script body).
3. requirements*.txt kept in paths — pip freeze output is a de facto lockfile in Python. Renamed to 'dependency files' in descriptions to be accurate rather than removing real-world coverage.
Finding 1 (red): pull_request withholds secrets from forks — valid architectural concern, known limitation. All current repos are internal qodo-ai with no fork PRs. Job condition already handles this correctly (skips cleanly). workflow_run pattern is the proper fix for external-facing repos; tracked for when alpha expands beyond internal repos.
Finding 2 (yellow): mutable tags — already fixed. SHAs pinned since commit 6b89a70. Reviewer was looking at a stale version.
Replaces single pull_request workflow with a safe two-workflow pattern that allows scanning fork PRs with access to secrets:
1. dependency-guard-prepare.yml (pull_request, no secrets)
   - Triggered on lockfile path changes from any source including forks
   - Saves PR metadata (number, head SHA, base ref, repo) as an artifact
   - Does NOT execute any fork code or analysis
2. dependency-guard.yml (workflow_run, has secrets)
   - Triggered when prepare workflow completes successfully
   - Runs in base repo context — QODO_API_KEY always available
   - Downloads artifact, fetches PR head via git ref
   - Runs scan against the PR's exact lockfile state
   - Posts verdict as a PR comment
Fork code is brought in via git fetch but never executed in the privileged context — the action reads lockfiles and downloads packages from public npm/PyPI registries only.
Resolves the red finding from code review.
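The prepare/consume split described in that commit, written out as an added illustration of the pattern (this is not the PR's own workflow file). It assumes the upload/download-artifact v4 actions, the checkout SHA for v4.2.2 quoted above, and a placeholder SHA and a hypothetical `pr-number` input for the dependency-guard action, whose real inputs are not shown on this page; the consumer also adds a check the commit does not mention, that the artifact's SHA matches the run that produced it, because the prepare workflow file is itself editable from a fork.

```yaml
# .github/workflows/dependency-guard-prepare.yml  (pull_request: no secrets, no checkout)
name: Dependency Guard Prepare
on:
  pull_request:
    paths: ["**/package-lock.json", "**/yarn.lock", "**/pnpm-lock.yaml", "**/poetry.lock", "**/requirements*.txt"]
permissions: {}                     # a fork-controlled run gets no token scopes at all
jobs:
  record:
    runs-on: ubuntu-latest
    steps:
      - env: { PR_NUMBER: "${{ github.event.pull_request.number }}", PR_SHA: "${{ github.event.pull_request.head.sha }}" }
        run: printf '%s\n%s\n' "$PR_NUMBER" "$PR_SHA" > pr-meta.txt   # env vars, never ${{ }} inside the script body
      - uses: actions/upload-artifact@v4        # pin to a SHA in practice, as the PR does for checkout
        with: { name: pr-meta, path: pr-meta.txt }
---
# .github/workflows/dependency-guard.yml  (workflow_run: base-repo context, secrets available)
name: Dependency Guard
on:
  workflow_run:
    workflows: ["Dependency Guard Prepare"]
    types: [completed]
concurrency:
  group: dependency-guard-${{ github.event.workflow_run.head_branch || github.run_id }}
  cancel-in-progress: true
permissions: { actions: read, pull-requests: write }   # read the artifact, post the verdict; nothing more
jobs:
  scan:
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/download-artifact@v4
        with: { name: pr-meta, run-id: "${{ github.event.workflow_run.id }}", github-token: "${{ secrets.GITHUB_TOKEN }}" }
      - id: meta
        env: { EXPECTED_SHA: "${{ github.event.workflow_run.head_sha }}" }
        run: |
          # The artifact came from a workflow a fork can edit: validate its shape and tie it to this run.
          { read -r num; read -r sha; } < pr-meta.txt
          [[ "$num" =~ ^[0-9]+$ ]] || { echo "bad PR number in artifact" >&2; exit 1; }
          [ "$sha" = "$EXPECTED_SHA" ] || { echo "artifact SHA does not match workflow_run.head_sha" >&2; exit 1; }
          printf 'number=%s\nsha=%s\n' "$num" "$sha" >> "$GITHUB_OUTPUT"
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ steps.meta.outputs.sha }}    # the exact commit the developer pushed, not the merge commit
          fetch-depth: 0                        # full history so the three-dot lockfile diff finds a merge-base
          persist-credentials: false            # no GITHUB_TOKEN left behind in .git/config
      - uses: qodo-ai/dependency-guard@<FULL_SHA_OF_v1.0.0-alpha.1>   # placeholder; the PR pins 6b89a704
        env: { QODO_API_KEY: "${{ secrets.QODO_API_KEY }}" }          # passed as env, not interpolated into a script
        with: { pr-number: "${{ steps.meta.outputs.number }}" }       # input name is an assumption, not from the page
```

The fetched fork commit is only read by the scan step; no build, install or test command ever runs on it in the privileged job.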
Adds supply-chain security scanning via qodo-ai/dependency-guard.
Fires on PRs that change lockfiles. Posts a verdict comment (SAFE / WARNING / MALICIOUS).
Setup required: Add QODO_API_KEY secret in repo settings before merging.
Alpha — GitHub only, comment-only (no merge blocking yet).