Update isGitHubHosted implementation #425
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Please find StepSecurity AI-CodeWise code comments below.
Code Comments
dist/pre/index.js
- [High]Avoid exposing environment variables unnecessarily
The code uses an environment variable to determine if the application is running on a Github-hosted environment. Instead of checking environment variables directly in the code, consider setting up an environment variable to indicate if the application is running on Github-hosted, and set its value accordingly. Use this environment variable in the code to check if the application is running on Github-hosted. This helps avoid exposing environment variables unnecessarily. For example,export GITHUB_HOSTED=truecould be set in the environment where the application is running on Github-hosted, and the code can be updated as follows:
function isGithubHosted() {
const githubHosted = process.env.GITHUB_HOSTED === 'true';
return githubHosted;
}
- [Low]Use triple equals for strict equality check
The code uses double equals (==) for equality check. Replace all instances of==with===to enforce strict equality checks. For example, replacerunnerEnvironment == 'github-hosted'withrunnerEnvironment === 'github-hosted'.
dist/pre/index.js.map
I'm sorry, but there is no code included inside the XML tags for me to review. Can you please provide sample code for me to review?
src/tls-inspect.ts
- [High]Do not trust environment variables
Environment variables can be manipulated by an attacker. Hence, do not trust them blindly while making security decisions. Add additional verification to ensure the value of RUNNER_ENVIRONMENT is as expected. - [Medium]Use strict equality comparison operator
Using the strict equality comparison operator '===' ensures type and value matches, hence avoids bugs in the code. Replace the 'startsWith' method with strict equality comparison operator '==='. - [Low]Use descriptive variables
Descriptive variables improve code readability and make it easier to understand what the code is doing. Rename the variable 'runnerEnvironment' to a more descriptive name such as 'hostingEnvironment'.
Feedback
We appreciate your feedback in helping us improve the service! To provide feedback, please use emojis on this comment. If you find the comments helpful, give them a 👍. If they aren't useful, kindly express that with a 👎. If you have questions or detailed feedback, please create n GitHub issue in StepSecurity/AI-CodeWise.
h0x0er
approved these changes
Jun 7, 2024
ericwyles
pushed a commit
to defenseunicorns/uds-package-mattermost
that referenced
this pull request
Jun 11, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | action | patch | `v4.3.2` -> `v4.3.3` | | [defenseunicorns/uds-common](https://github.com/defenseunicorns/uds-common) | | minor | `v0.4.5` -> `v0.5.0` | | [defenseunicorns/uds-common](https://github.com/defenseunicorns/uds-common) | action | minor | `v0.4.5` -> `v0.5.0` | | [golangci/golangci-lint](https://github.com/golangci/golangci-lint) | repository | patch | `v1.59.0` -> `v1.59.1` | | [python-jsonschema/check-jsonschema](https://github.com/python-jsonschema/check-jsonschema) | repository | patch | `0.28.4` -> `0.28.5` | | [renovatebot/pre-commit-hooks](https://github.com/renovatebot/pre-commit-hooks) | repository | minor | `37.391.0` -> `37.399.9` | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | action | patch | `v2.8.0` -> `v2.8.1` | Note: The `pre-commit` manager in Renovate is not supported by the `pre-commit` maintainers or community. Please do not report any problems there, instead [create a Discussion in the Renovate repository](https://github.com/renovatebot/renovate/discussions/new) if you have any questions. --- ### Release Notes <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v4.3.3`](https://github.com/actions/dependency-review-action/releases/tag/v4.3.3): Notes for v4.3.3 [Compare Source](https://github.com/actions/dependency-review-action/compare/v4.3.2...v4.3.3) #### What's Changed - Allow slashes in purl package names by [@​juxtin](https://github.com/juxtin) in [actions/dependency-review-action#765 - use the v3 version of the deps.dev API by [@​josieang](https://github.com/josieang) in [actions/dependency-review-action#741 - PR with suggestions - \[Improvement]: Help streamline / simplify dependency review action README by [@​am-stead](https://github.com/am-stead) in [actions/dependency-review-action#773 - fix show-openssf-scorecard-levels input by [@​ramann](https://github.com/ramann) in [actions/dependency-review-action#776 - Updates to the contribution guidelines by [@​jonjanego](https://github.com/jonjanego) in [actions/dependency-review-action#778 - Create issue templates by [@​jonjanego](https://github.com/jonjanego) in [actions/dependency-review-action#777 - Fix the max comment length issue by [@​jhutchings1](https://github.com/jhutchings1) and [@​elireisman](https://github.com/elireisman) in [actions/dependency-review-action#767 - Bump project version to 4.3.3 in prep for a release by [@​elireisman](https://github.com/elireisman) in [actions/dependency-review-action#781 #### New Contributors - [@​josieang](https://github.com/josieang) made their first contribution in [actions/dependency-review-action#741 - [@​am-stead](https://github.com/am-stead) made their first contribution in [actions/dependency-review-action#773 - [@​ramann](https://github.com/ramann) made their first contribution in [actions/dependency-review-action#776 **Full Changelog**: actions/dependency-review-action@v4.3.2...v4.3.3 </details> <details> <summary>defenseunicorns/uds-common (defenseunicorns/uds-common)</summary> ### [`v0.5.0`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.5.0) [Compare Source](https://github.com/defenseunicorns/uds-common/compare/v0.4.6...v0.5.0) ##### ⚠ BREAKING CHANGES - update publish to take architecture as an input ([#​143](https://github.com/defenseunicorns/uds-common/issues/143)) ##### Miscellaneous - update publish to take architecture as an input ([#​143](https://github.com/defenseunicorns/uds-common/issues/143)) ([62620f5](https://github.com/defenseunicorns/uds-common/commit/62620f59c14c773e5f6f07aaafc70ae34cff36bd)) ### [`v0.4.6`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.4.6) [Compare Source](https://github.com/defenseunicorns/uds-common/compare/v0.4.5...v0.4.6) ##### Bug Fixes - renovate incorrectly matching oci helm charts for helm datasources ([#​141](https://github.com/defenseunicorns/uds-common/issues/141)) ([2761f2a](https://github.com/defenseunicorns/uds-common/commit/2761f2a5f69bae3967bb8a9ff6d392007f90a21b)) ##### Miscellaneous - allow debug logs to continue through failure ([#​146](https://github.com/defenseunicorns/uds-common/issues/146)) ([bec4fc3](https://github.com/defenseunicorns/uds-common/commit/bec4fc330d720673f645bda7e56006218ec96aad)) - **deps:** update uds common support dependencies to v0.22.1 ([#​144](https://github.com/defenseunicorns/uds-common/issues/144)) ([d618bd2](https://github.com/defenseunicorns/uds-common/commit/d618bd2be3f75d62346594cb8d6d8c339b074f93)) </details> <details> <summary>golangci/golangci-lint (golangci/golangci-lint)</summary> ### [`v1.59.1`](https://github.com/golangci/golangci-lint/releases/tag/v1.59.1) [Compare Source](https://github.com/golangci/golangci-lint/compare/v1.59.0...v1.59.1) `golangci-lint` is a free and open-source project built by volunteers. If you value it, consider supporting us, the [maintainers](https://opencollective.com/golangci-lint) and [linter authors](https://golangci-lint.run/product/thanks/). We appreciate it! ❤️ For key updates, see the [changelog](https://golangci-lint.run/product/changelog/#​1591). #### Changelog - [`f738736`](https://github.com/golangci/golangci-lint/commit/f7387361) build(deps): bump github.com/Antonboom/testifylint from 1.3.0 to 1.3.1 ([#​4759](https://github.com/golangci/golangci-lint/issues/4759)) - [`44b3cdd`](https://github.com/golangci/golangci-lint/commit/44b3cdd1) build(deps): bump github.com/go-viper/mapstructure/v2 from 2.0.0-alpha.1 to 2.0.0 ([#​4788](https://github.com/golangci/golangci-lint/issues/4788)) - [`1a55854`](https://github.com/golangci/golangci-lint/commit/1a55854a) build(deps): bump github.com/golangci/misspell from 0.5.1 to 0.6.0 ([#​4804](https://github.com/golangci/golangci-lint/issues/4804)) - [`9a7a1ad`](https://github.com/golangci/golangci-lint/commit/9a7a1ad4) build(deps): bump github.com/polyfloyd/go-errorlint from 1.5.1 to 1.5.2 ([#​4785](https://github.com/golangci/golangci-lint/issues/4785)) - [`aaff918`](https://github.com/golangci/golangci-lint/commit/aaff9184) build(deps): bump github.com/sashamelentyev/usestdlibvars from 1.25.0 to 1.26.0 ([#​4801](https://github.com/golangci/golangci-lint/issues/4801)) - [`a0d2c83`](https://github.com/golangci/golangci-lint/commit/a0d2c830) build(deps): bump github.com/shirou/gopsutil/v3 from 3.24.4 to 3.24.5 ([#​4782](https://github.com/golangci/golangci-lint/issues/4782)) - [`2042b1f`](https://github.com/golangci/golangci-lint/commit/2042b1f1) build(deps): bump go-simpler.org/sloglint from 0.7.0 to 0.7.1 ([#​4784](https://github.com/golangci/golangci-lint/issues/4784)) - [`327a78a`](https://github.com/golangci/golangci-lint/commit/327a78a8) build(deps): bump golang.org/x/tools from 0.21.0 to 0.22.0 ([#​4802](https://github.com/golangci/golangci-lint/issues/4802)) - [`e1a8055`](https://github.com/golangci/golangci-lint/commit/e1a80557) fix: SARIF format require issue column >= 1 ([#​4775](https://github.com/golangci/golangci-lint/issues/4775)) - [`88f60c8`](https://github.com/golangci/golangci-lint/commit/88f60c8c) fix: gomnd deprecated configuration compatibility ([#​4768](https://github.com/golangci/golangci-lint/issues/4768)) - [`8173166`](https://github.com/golangci/golangci-lint/commit/81731668) fix: init empty result slice for SARIF printer ([#​4758](https://github.com/golangci/golangci-lint/issues/4758)) - [`02740ea`](https://github.com/golangci/golangci-lint/commit/02740ea1) intrange: add style preset ([#​4797](https://github.com/golangci/golangci-lint/issues/4797)) - [`615b873`](https://github.com/golangci/golangci-lint/commit/615b873d) unparam: bump to HEAD ([#​4786](https://github.com/golangci/golangci-lint/issues/4786)) </details> <details> <summary>python-jsonschema/check-jsonschema (python-jsonschema/check-jsonschema)</summary> ### [`v0.28.5`](https://github.com/python-jsonschema/check-jsonschema/blob/HEAD/CHANGELOG.rst#0285) [Compare Source](https://github.com/python-jsonschema/check-jsonschema/compare/0.28.4...0.28.5) - Update vendored schemas: bitbucket-pipelines, dependabot, github-actions, github-workflows, gitlab-ci, readthedocs, renovate (2024-06-10) - Update bitbucket schema to use the option from the intellij-bitbucket-references-plugin . For more details on this decision, see :issue:`440` . Thanks [@​blade2005](https://github.com/blade2005) for the PR! (:pr:`442`) </details> <details> <summary>renovatebot/pre-commit-hooks (renovatebot/pre-commit-hooks)</summary> ### [`v37.399.9`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.399.9) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.399.8...37.399.9) See https://github.com/renovatebot/renovate/releases/tag/37.399.9 for more changes ### [`v37.399.8`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.399.8) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.399.6...37.399.8) See https://github.com/renovatebot/renovate/releases/tag/37.399.8 for more changes ### [`v37.399.6`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.399.6) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.399.5...37.399.6) See https://github.com/renovatebot/renovate/releases/tag/37.399.6 for more changes ### [`v37.399.5`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.399.5) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.399.3...37.399.5) See https://github.com/renovatebot/renovate/releases/tag/37.399.5 for more changes ### [`v37.399.3`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.399.3) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.399.0...37.399.3) See https://github.com/renovatebot/renovate/releases/tag/37.399.3 for more changes ### [`v37.399.0`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.399.0) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.398.2...37.399.0) See https://github.com/renovatebot/renovate/releases/tag/37.399.0 for more changes ### [`v37.398.2`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.398.2) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.398.1...37.398.2) See https://github.com/renovatebot/renovate/releases/tag/37.398.2 for more changes ### [`v37.398.1`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.398.1) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.398.0...37.398.1) See https://github.com/renovatebot/renovate/releases/tag/37.398.1 for more changes ### [`v37.398.0`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.398.0) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.397.0...37.398.0) See https://github.com/renovatebot/renovate/releases/tag/37.398.0 for more changes ### [`v37.397.0`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.397.0) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.396.0...37.397.0) See https://github.com/renovatebot/renovate/releases/tag/37.397.0 for more changes ### [`v37.396.0`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.396.0) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.395.0...37.396.0) See https://github.com/renovatebot/renovate/releases/tag/37.396.0 for more changes ### [`v37.395.0`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.395.0) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.393.0...37.395.0) See https://github.com/renovatebot/renovate/releases/tag/37.395.0 for more changes ### [`v37.393.0`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.393.0) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.392.0...37.393.0) See https://github.com/renovatebot/renovate/releases/tag/37.393.0 for more changes ### [`v37.392.0`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.392.0) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.391.3...37.392.0) See https://github.com/renovatebot/renovate/releases/tag/37.392.0 for more changes ### [`v37.391.3`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.391.3) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.391.2...37.391.3) See https://github.com/renovatebot/renovate/releases/tag/37.391.3 for more changes ### [`v37.391.2`](https://github.com/renovatebot/pre-commit-hooks/releases/tag/37.391.2) [Compare Source](https://github.com/renovatebot/pre-commit-hooks/compare/37.391.0...37.391.2) See https://github.com/renovatebot/renovate/releases/tag/37.391.2 for more changes </details> <details> <summary>step-security/harden-runner (step-security/harden-runner)</summary> ### [`v2.8.1`](https://github.com/step-security/harden-runner/releases/tag/v2.8.1) [Compare Source](https://github.com/step-security/harden-runner/compare/v2.8.0...v2.8.1) ##### What's Changed - Bug fix: Update isGitHubHosted implementation by [@​varunsh-coder](https://github.com/varunsh-coder) in [step-security/harden-runner#425 The previous implementation incorrectly identified large GitHub-hosted runners as self-hosted runners. As a result, harden-runner was not executing on these large GitHub-hosted runners. **Full Changelog**: step-security/harden-runner@v2...v2.8.1 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/defenseunicorns/uds-package-mattermost). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zODguMSIsInVwZGF0ZWRJblZlciI6IjM3LjM5My4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJzdXBwb3J0LWRlcHMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
karfau
pushed a commit
to xmldom/xmldom
that referenced
this pull request
Jun 19, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [step-security/harden-runner](https://github.com/step-security/harden-runner) | action | patch | `v2.8.0` -> `v2.8.1` | --- ### Release Notes <details> <summary>step-security/harden-runner (step-security/harden-runner)</summary> ### [`v2.8.1`](https://github.com/step-security/harden-runner/releases/tag/v2.8.1) [Compare Source](https://github.com/step-security/harden-runner/compare/v2.8.0...v2.8.1) ##### What's Changed - Bug fix: Update isGitHubHosted implementation by [@​varunsh-coder](https://github.com/varunsh-coder) in [step-security/harden-runner#425 The previous implementation incorrectly identified large GitHub-hosted runners as self-hosted runners. As a result, harden-runner was not executing on these large GitHub-hosted runners. **Full Changelog**: step-security/harden-runner@v2...v2.8.1 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/xmldom/xmldom). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MTAuMSIsInVwZGF0ZWRJblZlciI6IjM3LjQxMC4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.