sentinel-ci 1.2.0 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +17 -0
- data/README.md +4 -3
- data/lib/rules/jq_arg_escape.rb +27 -0
- data/lib/version.rb +1 -1
- metadata +4 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 23aa715c0e322cb64a295126e1c7ea6d799b5e2160b1f9afb6781c70d6d67e74
|
|
4
|
+
data.tar.gz: 4dcef6fdb0ce75cc6df95b875c184bb2eac4664cfaa3cc08c887cba17b01544b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a73ae7c6c62199f997171d442a4f34b5f8ba01d57606e9b4a95be3841a9b4939860dfeb4f240c6f3e1aa766d8416dc13a9b40aaeef8cd09cad96db3770caf5a2
|
|
7
|
+
data.tar.gz: 7db22bcd42d182031dbb1d2adfa9da5e6073d9655ac58900065afd37be674bc4d477ba9ab775756c067569b0f02ec1a6d7730dfd81f0a87298d49cea796315cb
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,22 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 1.3.0 (2026-05-18)
|
|
4
|
+
|
|
5
|
+
### New Features
|
|
6
|
+
- PR lifecycle tracker (state model, GitHub sync, bootstrap, CLI + web dashboards)
|
|
7
|
+
- jq-arg-escape-sequences rule (rule 32, total now 32)
|
|
8
|
+
- Audit trail wiring (12 audit calls across all bot decision points)
|
|
9
|
+
- Gist-based state backup (--backup/--restore, auto-backup after runs)
|
|
10
|
+
|
|
11
|
+
### Testing & CI
|
|
12
|
+
- Bot integration tests (19 tests covering decision flow)
|
|
13
|
+
- CI workflow (Ruby 3.2+3.3 matrix, self-scan on all PRs)
|
|
14
|
+
- 646 total tests
|
|
15
|
+
|
|
16
|
+
### Infrastructure
|
|
17
|
+
- Stable file locking for concurrent bot/web access
|
|
18
|
+
- PST/PDT timezone handling (correct year-round)
|
|
19
|
+
|
|
3
20
|
## 1.2.0 (2026-05-18)
|
|
4
21
|
|
|
5
22
|
### Bot Hardening
|
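Review bot: the 1.3.0 entry announces features that this package diff does not carry. The PR lifecycle tracker, audit trail wiring, gist-based state backup, bot integration tests and CI workflow all appear in the changelog, yet the file list for this release adds only lib/rules/jq_arg_escape.rb alongside the version, README, checksums and metadata updates, and the gemspec `files:` hunk below likewise gains only that one rule. If those features live in the repository but outside the packaged gem, say so in the entry (or keep a separate repository changelog), so gem consumers are not told about functionality the installed package cannot deliver.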
data/README.md
CHANGED
|
@@ -7,7 +7,7 @@
|
|
|
7
7
|

|
|
8
8
|

|
|
9
9
|
|
|
10
|
-
Scan GitHub Actions workflows for
|
|
10
|
+
Scan GitHub Actions workflows for 32 security vulnerabilities. Optional AI-powered remediation via Claude. Pure Ruby stdlib.
|
|
11
11
|
|
|
12
12
|
Documentation: https://sentinel.copilotkit.dev
|
|
13
13
|
|
|
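Review bot: the replaced line's new headline, "32 security vulnerabilities", folds in rule 32, which according to the rule table and the rule source further down this page reports jq `--arg` values carrying backslash escape sequences that jq will not interpret. That is a correctness lint rather than a vulnerability, so the sentence now overstates what the scanner finds; "32 checks" or "32 rules" would be accurate for the whole set. The gemspec description below repeats the same wording, so change both together.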
@@ -102,7 +102,7 @@ medium as warnings, low as notices.
|
|
|
102
102
|
| Name | Default | Description |
|
|
103
103
|
|------|---------|-------------|
|
|
104
104
|
| `fix` | `false` | Auto-fix findings. Pushes to PR branch, or creates fix PR on main. |
|
|
105
|
-
| `anthropic-key` | -- | Anthropic API key -- enables AI-powered fixes for all
|
|
105
|
+
| `anthropic-key` | -- | Anthropic API key -- enables AI-powered fixes for all 32 rules |
|
|
106
106
|
|
|
107
107
|
**Fix mode outputs:**
|
|
108
108
|
|
|
@@ -208,10 +208,11 @@ sentinel scan --local . --platform bitbucket # Bitbucket only
|
|
|
208
208
|
| 29 | `ide-config-injection` | critical | Workflow writes to IDE/AI config files (.claude/, .vscode/tasks.json) |
|
|
209
209
|
| 30 | `dangerous-lifecycle-scripts` | medium | Package install without --ignore-scripts in workflows with secrets |
|
|
210
210
|
| 31 | `github-dependency-refs` | medium | Direct GitHub commit/branch ref in package install |
|
|
211
|
+
| 32 | `jq-arg-escape-sequences` | medium | jq `--arg` value contains backslash escape sequences that won't be interpreted |
|
|
211
212
|
|
|
212
213
|
## Auto-Fix
|
|
213
214
|
|
|
214
|
-
Sentinel can automatically fix findings -- 6 rules mechanically, all
|
|
215
|
+
Sentinel can automatically fix findings -- 6 rules mechanically, all 32 with AI:
|
|
215
216
|
|
|
216
217
|
```bash
|
|
217
218
|
# Mechanical fixes (free, deterministic)
|
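Review bot: the Auto-Fix sentence keeps "6 rules mechanically", which leaves the new rule 32 as AI-fix only, yet the rule source on this page ships a concrete `fix:` string ($'\n' or `--argjson` with pre-escaped JSON) that reads like a deterministic rewrite of the flagged token. Either implement it as a mechanical fix and raise the count, or soften the `fix:` text to a hint so users do not expect `--fix` to apply it without an API key.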
|
data/lib/rules/jq_arg_escape.rb
@@ -0,0 +1,27 @@
|
|
|
1
|
+
module Rules
|
|
2
|
+
class JqArgEscape < Base
|
|
3
|
+
def name = "jq-arg-escape-sequences"
|
|
4
|
+
def description = "jq --arg value contains backslash escape sequences that won't be interpreted"
|
|
5
|
+
def severity = :medium
|
|
6
|
+
|
|
7
|
+
PATTERN = /jq\s.*--arg\s+\w+\s+"[^"]*\\[nt\\][^"]*"/
|
|
8
|
+
|
|
9
|
+
def check(workflow)
|
|
10
|
+
findings = []
|
|
11
|
+
|
|
12
|
+
workflow.raw_lines.each_with_index do |line, i|
|
|
13
|
+
next if line.strip.start_with?("#")
|
|
14
|
+
next unless line.match?(PATTERN)
|
|
15
|
+
|
|
16
|
+
findings << finding(workflow,
|
|
17
|
+
line: i + 1,
|
|
18
|
+
code: line.strip,
|
|
19
|
+
message: "jq --arg treats values as raw literals — \\n becomes literal backslash-n, not a newline",
|
|
20
|
+
fix: "Use real newlines via $'\\n' or multi-line variable, or use --argjson with pre-escaped JSON"
|
|
21
|
+
)
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
findings
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
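Review bot: PATTERN on the 7th added line is narrow in ways that will both miss and mis-flag cases. It matches only a double-quoted value and only the escapes `\n`, `\t` and `\\`, so `jq --arg x 'a\nb'` (single quotes, the more common way to write a jq call inside `run:`) and other uninterpreted escapes such as `\r` pass unflagged, while `"\\"` is flagged even though a double-quoted shell string collapses it to one backslash, which is usually what the author intended. The greedy `jq\s.*--arg` also lets one match span `;` or `|`, pairing a `jq` with an unrelated command's `--arg` on the same line, and the per-line `match?` in `check` misses a `--arg` placed on a continuation line of a multi-line `run: |` block. Consider anchoring the match to the jq command segment, accepting both quote styles, and widening the escape class, then add fixture tests for each of these cases: this diff adds the rule file but no test for it. Minor: the `message:` string on the 19th added line contains an em dash character; keep finding text ASCII so it renders identically in CLI output, GitHub annotations and logs.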
data/lib/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,16 +1,16 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sentinel-ci
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jordan Ritter
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2026-05-
|
|
11
|
+
date: 2026-05-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies: []
|
|
13
|
-
description: Scan GitHub Actions workflows for
|
|
13
|
+
description: Scan GitHub Actions workflows for 32 security vulnerabilities. SHA pinning,
|
|
14
14
|
shell injection, credential exposure, dangerous triggers. Optional AI-powered remediation
|
|
15
15
|
via Claude. Pure Ruby stdlib.
|
|
16
16
|
email: jpr5@darkridge.com
|
|
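Review bot: the `date:` line now reads 2026-05-19 while the CHANGELOG entry for 1.3.0 above is dated 2026-05-18, the same day as 1.2.0; one of the two is wrong, and since the gemspec date is what registries and `gem specification` report, align the changelog to it or regenerate the gemspec on release day. The description's "32 security vulnerabilities" should also track whatever wording the README settles on, since rule 32 is a jq escaping lint rather than a vulnerability.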
@@ -59,6 +59,7 @@ files:
|
|
|
59
59
|
- lib/rules/github_script_injection.rb
|
|
60
60
|
- lib/rules/hardcoded_secrets.rb
|
|
61
61
|
- lib/rules/ide_config_injection.rb
|
|
62
|
+
- lib/rules/jq_arg_escape.rb
|
|
62
63
|
- lib/rules/missing_env_protection.rb
|
|
63
64
|
- lib/rules/missing_frozen_lockfile.rb
|
|
64
65
|
- lib/rules/missing_permissions.rb
|