feat(security): add GHSA detector-review pipeline and OpenGrep CI workflows (#69483)

* feat(security): add GHSA detector-review pipeline and OpenGrep CI workflows [AI-assisted] Stand up an end-to-end pipeline that turns every published openclaw GitHub Security Advisory into a reusable OpenGrep rule, and wire the compiled rules into manual-dispatch GitHub Actions workflows that publish SARIF to GitHub Code Scanning. The pipeline is harness-agnostic: any coding-agent CLI (Rovo Dev, Claude Code, Codex, OpenCode, or anything you can shell out to) can drive it via the runner script's --harness flag. Built-in adapters cover the four common harnesses; --harness-cmd '<template>' supports anything else with shell-style {prompt}/{model}/{output_file} substitution. Pipeline pieces: - scripts/run-ghsa-detector-review-batch.mjs runs your chosen coding harness in parallel against every advisory using the agent-agnostic detector-review spec at security/detector-review/detector-review-spec.md. Each case produces an opengrep general-rule.yml (precise) and broad-rule.yml (review-aid), plus a coverage-validated report against the vulnerable commit's changed files. - scripts/compile-opengrep-rules.mjs walks a run directory, rewrites each rule's id to ghsa-detector.<ghsa>.<orig-id>, injects ghsa/advisory-url/ detector-bucket/source-rule-id metadata, and uses opengrep itself to drop rules with InvalidRuleSchemaError so the published super-configs load cleanly. Compiled outputs: - security/opengrep/precise.yml (336 rules) - security/opengrep/broad.yml (459 rules) - security/opengrep/compile-manifest.json (per-rule provenance map) CI workflows (manual workflow_dispatch only): - .github/workflows/opengrep-precise.yml - .github/workflows/opengrep-broad.yml Both install a pinned opengrep, run opengrep scan against src/, upload SARIF to Code Scanning under categories opengrep-precise / opengrep-broad, and use continue-on-error: true so findings never block the workflow. Detector-review spec and assets: - security/detector-review/detector-review-spec.md the agent-agnostic spec the runner injects into each per-case prompt - security/detector-review/references/{detector-rubric,report-template}.md - security/detector-review/scripts/init_case.py - security/prompt-suffix-coverage-first.md mandatory prompt addendum that enforces coverage-first validation (rule must catch the OG vuln, not just pass synthetic fixtures) Docs: - security/README.md end-to-end flow, supported harnesses, regen recipe - security/opengrep/README.md compiled-config details + recompile recipe * security: tighten GHSA OpenGrep detector workflow * chore: refine precise opengrep workflow * chore: remove stale opengrep metadata * fix: harden GHSA OpenGrep workflow * ci: split OpenGrep diff and full scans * chore: remove performance-only opengrep rule * ci: use OpenGrep installer path * chore: enforce opengrep rule metadata provenance * chore: generalize opengrep rule compilation * docs: align opengrep rulepack guidance * chore: support generic opengrep rule sources * fix: validate opengrep rulepack-only changes --------- Co-authored-by: Jesse Merhi <security-engineering@atlassian.com>
2026-05-06 19:50:43 +00:00 · 2026-04-30 02:42:20 +10:00
parent c7aaa40848
commit 6de9d71bfb
16 changed files with 6488 additions and 0 deletions
--- a/test/scripts/check-opengrep-rule-metadata.test.ts
+++ b/test/scripts/check-opengrep-rule-metadata.test.ts
@@ -0,0 +1,70 @@
+import { describe, expect, it } from "vitest";
+import { validateRuleMetadata } from "../../security/opengrep/check-rule-metadata.mjs";
+
+const validRule = {
+  id: "ghsa-1234-abcd-5678.source-rule",
+  metadata: {
+    ghsa: "GHSA-1234-ABCD-5678",
+    "advisory-url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-1234-ABCD-5678",
+    "detector-bucket": "precise",
+    "source-rule-id": "source-rule",
+  },
+};
+
+describe("check-opengrep-rule-metadata", () => {
+  it("accepts GHSA-backed rules with durable source metadata", () => {
+    expect(validateRuleMetadata([validRule])).toEqual([]);
+  });
+
+  it("requires source metadata on every compiled rule", () => {
+    expect(
+      validateRuleMetadata([
+        {
+          id: "ghsa-1234-abcd-5678.source-rule",
+          metadata: {
+            ghsa: "GHSA-1234-ABCD-5678",
+            "detector-bucket": "precise",
+          },
+        },
+      ]),
+    ).toEqual([
+      "ghsa-1234-abcd-5678.source-rule: missing metadata.advisory-url",
+      "ghsa-1234-abcd-5678.source-rule: missing metadata.source-rule-id",
+    ]);
+  });
+
+  it("accepts non-GHSA source-backed rules with durable source metadata", () => {
+    expect(
+      validateRuleMetadata([
+        {
+          id: "cve-2026-12345.source-rule",
+          metadata: {
+            "advisory-id": "CVE-2026-12345",
+            "advisory-url": "https://example.test/advisories/CVE-2026-12345",
+            "detector-bucket": "precise",
+            "source-rule-id": "source-rule",
+          },
+        },
+      ]),
+    ).toEqual([]);
+  });
+
+  it("keeps the source id, rule id, and GHSA advisory URL consistent", () => {
+    expect(
+      validateRuleMetadata([
+        {
+          ...validRule,
+          metadata: {
+            ...validRule.metadata,
+            ghsa: "GHSA-9999-ABCD-5678",
+            "advisory-url":
+              "https://github.com/openclaw/openclaw/security/advisories/GHSA-1234-ABCD-5678",
+          },
+        },
+      ]),
+    ).toEqual([
+      "ghsa-1234-abcd-5678.source-rule: source id in metadata (GHSA-9999-ABCD-5678) must match source id in rule id (ghsa-1234-abcd-5678)",
+      "ghsa-1234-abcd-5678.source-rule: metadata.advisory-url must be https://github.com/openclaw/openclaw/security/advisories/GHSA-9999-ABCD-5678",
+    ]);
+  });
+});
--- a/test/scripts/run-opengrep.test.ts
+++ b/test/scripts/run-opengrep.test.ts
@@ -0,0 +1,60 @@
+import { execFileSync } from "node:child_process";
+import fs from "node:fs";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+import { createScriptTestHarness } from "./test-helpers.js";
+
+const { createTempDir } = createScriptTestHarness();
+
+function git(cwd: string, ...args: string[]): string {
+  return execFileSync("git", args, { cwd, encoding: "utf8" }).trim();
+}
+
+function writeFile(filePath: string, content: string): void {
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  fs.writeFileSync(filePath, content);
+}
+
+describe("run-opengrep.sh", () => {
+  it("validates the rulepack when only OpenGrep rulepack files changed", () => {
+    const repo = createTempDir("openclaw-run-opengrep-");
+    git(repo, "init", "-q");
+    git(repo, "config", "user.email", "test@example.com");
+    git(repo, "config", "user.name", "Test User");
+
+    const scriptSource = path.resolve("scripts/run-opengrep.sh");
+    writeFile(path.join(repo, "scripts/run-opengrep.sh"), fs.readFileSync(scriptSource, "utf8"));
+    fs.chmodSync(path.join(repo, "scripts/run-opengrep.sh"), 0o755);
+    writeFile(path.join(repo, "security/opengrep/precise.yml"), "rules: []\n");
+    git(repo, "add", ".");
+    git(repo, "commit", "-qm", "initial");
+
+    fs.appendFileSync(path.join(repo, "security/opengrep/precise.yml"), "# changed\n");
+    const argsPath = path.join(repo, "opengrep-args.txt");
+    const binDir = path.join(repo, "bin");
+    fs.mkdirSync(binDir);
+    writeFile(
+      path.join(binDir, "opengrep"),
+      [
+        "#!/usr/bin/env bash",
+        `printf '%s\\n' "$@" > ${JSON.stringify(argsPath)}`,
+        "exit 0",
+        "",
+      ].join("\n"),
+    );
+    fs.chmodSync(path.join(binDir, "opengrep"), 0o755);
+
+    execFileSync("bash", ["scripts/run-opengrep.sh", "--changed"], {
+      cwd: repo,
+      env: {
+        ...process.env,
+        PATH: `${binDir}${path.delimiter}${process.env.PATH ?? ""}`,
+        OPENCLAW_OPENGREP_BASE_REF: "HEAD",
+      },
+      encoding: "utf8",
+    });
+
+    const args = fs.readFileSync(path.join(repo, "opengrep-args.txt"), "utf8");
+    expect(args).toContain("security/opengrep/precise.yml");
+  });
+});