AST-160121: OAuth check + agent hooks#1514
Conversation
…support - Create kicsshutdown package with thread-safe container name management - Update signal handler to read container name from kicsshutdown instead of viper - Prevents race conditions during SIGTERM cleanup - Add support for OneAssist license in addition to Developer Assist - Update GetUniqueID() to check both license types
…oject/application management improvements - Add CodeFlow and ThreadFlow support to SARIF result structures with new types - Extend BaseIncludeFilters with 41 additional file type patterns - Enhance applications.go with project association polling and duplicate prevention - Update result.go with CodeFlow handling in SARIF serialization - Add IsInSource and CommitURL fields to SarifResultProperties - Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions - Change IaCS and KICS filter flags from String to StringSlice in scan.go Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch) - Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification) - Upgrade anchore/stereoscope to v0.2.0 - Upgrade google.golang.org/grpc to v1.80.0 - Upgrade gonum to v0.17.0 - Upgrade containerd/v2 to v2.3.1 - Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022) - Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973) - Upgrade Go version to 1.26.3 Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…nd opencontainers/runc - Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680) - Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813) - Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881) - Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0 during SCA vulnerability remediation. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813) - Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986) - Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881) - Extract repeated string to constant in result_test.go (goconst lint fix)
- Add explicit requirement for golang.org/x/image v0.39.0 to override gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813) - Update result_test.go constant alignment - Add cx_config_file_path to integration config
…support - Create kicsshutdown package with thread-safe container name management - Update signal handler to read container name from kicsshutdown instead of viper - Prevents race conditions during SIGTERM cleanup - Add support for OneAssist license in addition to Developer Assist - Update GetUniqueID() to check both license types
…oject/application management improvements - Add CodeFlow and ThreadFlow support to SARIF result structures with new types - Extend BaseIncludeFilters with 41 additional file type patterns - Enhance applications.go with project association polling and duplicate prevention - Update result.go with CodeFlow handling in SARIF serialization - Add IsInSource and CommitURL fields to SarifResultProperties - Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions - Change IaCS and KICS filter flags from String to StringSlice in scan.go Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch) - Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification) - Upgrade anchore/stereoscope to v0.2.0 - Upgrade google.golang.org/grpc to v1.80.0 - Upgrade gonum to v0.17.0 - Upgrade containerd/v2 to v2.3.1 - Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022) - Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973) - Upgrade Go version to 1.26.3 Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…nd opencontainers/runc - Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680) - Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813) - Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881) - Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0 during SCA vulnerability remediation. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813) - Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986) - Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881) - Extract repeated string to constant in result_test.go (goconst lint fix)
- Add explicit requirement for golang.org/x/image v0.39.0 to override gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813) - Update result_test.go constant alignment - Add cx_config_file_path to integration config
…arx/ast-cli into other/release-integration
- Add explicit golang.org/x/image v0.41.0 override (CVE-2026-33813, CVE-2026-46599) pulled transitively through gonum.org/v1/gonum v0.17.0 - Add explicit github.com/opencontainers/runc v1.3.4 (CVE-2025-52881) pulled transitively through github.com/Microsoft/hcsshim v0.15.0-rc.1 - Add explicit github.com/go-jose/go-jose/v3 v3.0.5 (CVE-2026-34986) pulled transitively through github.com/containerd/containerd v1.7.32 - Add explicit github.com/cilium/ebpf v0.17.3 (transitive upgrade) Note: do not run go mod tidy on this module — it strips these security overrides because the packages are indirect and not directly imported. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Introduced `ignore-vulnerability` command to manage the realtime ignore file for various scan types (OSS, secrets, containers, IaC, ASCA). - Implemented functionality to add, remove, and validate ignored findings. - Added tests for the command and ignore file operations to ensure correct behavior. - Created supporting structures and methods for handling ignore entries and file operations. - Updated relevant files to integrate the new command into the CLI structure.
- Removed unnecessary dependency on guardrails in asca.go. - Updated ScanFileEdit function to return findings without appending the deny message directly. - Enhanced findingsSummary function to include file name, line number, rule ID, severity, and remediation details for better context. - Improved permissionDecisionReason and additionalContext functions to provide clearer instructions on handling findings and false positives.
Introduces a new sca/ package that gates package-manager installs (Bash hook) and manifest edits (Write/Edit/MultiEdit hook) against the Checkmarx OSS realtime scanner: - ParseInstall recognises npm/yarn/pnpm/pip/go/dotnet/maven install commands and normalises partial semver (e.g. "4.10" → "4.10.0") - CheckBashInstall scans packages before the shell command runs - CheckManifestEdit diffs before/after manifest content and scans only newly-added packages; reconstructs full file content for Edit ops so the manifest parser receives a valid document - Both return (finding, remediation) separately so the denial reason and MCP remediation instructions land in distinct hook fields (permissionDecisionReason and additionalContext) - Remediation note instructs the agent to use mcp__Checkmarx__packageRemediation exclusively, and to ask the user to install/enable the MCP server if the tool is unavailable Wires the scanner into RegisterGuardrails alongside the existing ASCA file-edit scan; adds /cx to .gitignore. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ASCA additionalContext now generates pre-filled cx ignore-vulnerability commands with actual FileName/Line/RuleID per finding instead of a generic placeholder; uses full executable path so the agent can run it regardless of PATH - SCA DenyVulnerable remediation now includes per-package ignore commands when no safe version is found, replacing the Dev Assist fallback - SCA scanner passes the realtime ignore file path to RunOssRealtimeScan so suppressed packages are filtered out on subsequent scans - ASCA permissionDecisionReason shows only findings to the user; agent instructions moved entirely to additionalContext Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Added `auth login` command for browser-based OAuth authentication to Checkmarx One, supporting session modes: local, global, and yaml. - Introduced `auth logout` command to revoke the current refresh token and clear stored credentials across all session types. - Integrated session management functionality to handle active mode persistence and cleanup. - Updated command structure to include new authentication commands in the CLI. - Added tests for session management and command functionality to ensure reliability. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Introduced a new `cx mcp bridge` command that acts as a transparent stdio<->HTTP proxy to the Checkmarx Security MCP. - Implemented functionality to derive the realm-scoped Security MCP URL from the JWT issuer claim or through environment variables and command-line flags. - Added tests for URL derivation and bridge command functionality to ensure reliability. - Updated the existing MCP command structure to include the new bridge command while maintaining backward compatibility. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Expanded the `cx mcp bridge` command to support a resilient connection lifecycle, allowing the bridge to operate in a degraded state until valid credentials are available. - Implemented a new `bridgeSession` structure to manage connection states and ensure thread-safe operations. - Added comprehensive tests for deriving the MCP URL from various sources, including JWT claims and environment variables, ensuring robust functionality. - Updated the command structure to maintain backward compatibility while integrating new features.
* copilot=chnages * removed-temp-dependency * removed-temp-dependency1 * Fix SCA bypass on CRLF/LF line-ending mismatch (#7) * Fix SCA guardrail bypass on CRLF/LF line-ending mismatch fullAfterContent now tries an exact replacement first, then falls back to a line-ending-normalized replacement (CRLF→LF) when the exact match fails. If the edited region still cannot be located, it logs a warning and scans the proposed snippet rather than silently returning the unchanged file, ensuring newly added dependencies are always given a chance to be detected. Co-Authored-By: Kedar Bhujade <kedar.bhujade@checkmarx.com> * Instruct agent to invoke skill or install MCP when tool is unavailable in ASCA and SCA hooks Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * copilot-changes (#8) * copilot=chnages * removed-temp-dependency * removed-temp-dependency1 --------- Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com> * Bump ast-cx-hooks to v1.0.3 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Resolve realtime ignore file from hook event WorkDir, not process CWD (#9) The realtime ignore-file (.checkmarx/checkmarxIgnoredTempList.json) was resolved as a CWD-relative path against the hook subprocess's own working directory. Claude Code launches the hook from the workspace root, so it found the file; Copilot CLI launches it from a different directory, so the lookup missed the file the ignore command wrote under the workspace and the finding kept getting blocked. Anchor the lookup to the workspace the hook event reports via ev.WorkDir: - Add ignore.PathFor(workDir) (falls back to DefaultPath when empty). - SCA: thread workDir through Scanner.CheckManifestEdit/CheckBashInstall into existingIgnoreFilePath; pass ev.WorkDir from cxBeforeFileEdit. - ASCA: resolve existingIgnoreFilePath(ev.WorkDir) in ScanFileEdit. - Pin the emitted `cx ignore-vulnerability` remediation to an explicit --ignored-file-path under ev.WorkDir so the write and later read use the same absolute file regardless of either process's CWD. Add tests for PathFor anchoring/fallback, workDir-anchored ignore lookup, and the remediation flag. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * added-telemetry * checked-telemetry-payload * checked-telemetry-payload1 --------- Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>
- Improve OAuth PKCE flow with session management and token caching - Enhance HTTP client with retry logic and better error handling - Add comprehensive unit tests for auth login (186 lines) - Update MCP bridge with improved error handling and testing - Fix build tag consistency across agenthooks test files - Sanitize sensitive data in logger utils Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
* copilot=chnages * removed-temp-dependency * removed-temp-dependency1 --------- Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…#9) The realtime ignore-file (.checkmarx/checkmarxIgnoredTempList.json) was resolved as a CWD-relative path against the hook subprocess's own working directory. Claude Code launches the hook from the workspace root, so it found the file; Copilot CLI launches it from a different directory, so the lookup missed the file the ignore command wrote under the workspace and the finding kept getting blocked. Anchor the lookup to the workspace the hook event reports via ev.WorkDir: - Add ignore.PathFor(workDir) (falls back to DefaultPath when empty). - SCA: thread workDir through Scanner.CheckManifestEdit/CheckBashInstall into existingIgnoreFilePath; pass ev.WorkDir from cxBeforeFileEdit. - ASCA: resolve existingIgnoreFilePath(ev.WorkDir) in ScanFileEdit. - Pin the emitted `cx ignore-vulnerability` remediation to an explicit --ignored-file-path under ev.WorkDir so the write and later read use the same absolute file regardless of either process's CWD. Add tests for PathFor anchoring/fallback, workDir-anchored ignore lookup, and the remediation flag. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* Enhance auth login command and improve security measures - Introduced a new constant for config file permissions to restrict access to owner only, ensuring better security for stored refresh tokens. - Updated the auth login flow to preserve existing credentials during authentication failures, enhancing user experience. - Improved the nuke phase to revoke prior refresh tokens only after a new credential is established, ensuring a clean state. - Added HTML escaping for error messages in the OAuth PKCE callback to prevent potential XSS vulnerabilities. - Standardized build tags across multiple test files to ensure consistent test execution. This commit enhances the security and reliability of the authentication process while improving code maintainability. * Introduce telemetry for the ignore command Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com> * removed-telemetry-error-msg * Add proxy support to newBridgeClient and enhance tests - Implemented the newBridgeClient function to configure an HTTP client that respects proxy settings from the environment or configuration. - Added unit tests to verify the behavior of the newBridgeClient, ensuring it correctly handles both default and proxy-aware transports. - Updated the runBridge function to utilize the newBridgeClient for improved proxy handling. This commit enhances the MCP bridge functionality by ensuring proper proxy configuration and testing. --------- Co-authored-by: Hitesh Madgulkar <212497904+cx-hitesh-madgulkar@users.noreply.github.com> Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>
* chore: remove Dependabot configuration * Add KICS IaC guardrail to agent file-edit hook Wire a KICS-based guardrail into cxBeforeFileEdit that blocks AI-introduced IaC misconfigurations before they are written to disk, using delta detection on edits (new findings only) and any-vuln on new files. Honors user suppressions from the realtime ignore file. Unlike ASCA, the agent is not given discretion to treat KICS findings as false positives: KICS is a deterministic IaC rule engine whose findings are not caused by missing cross-file context, and forcing a fix on an IaC finding produces benign additive hardening rather than contorted code. The remediation prompt instructs the agent to fix every finding and to add any externally required resources rather than skipping. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(actions): declare secrets used by reusable workflows (#6) Adds explicit on.workflow_call.secrets declarations for all secrets referenced in the workflow body, replacing implicit reliance on callers using secrets: inherit. * chore: remove Dependabot configuration --------- Co-authored-by: Ohad Israeli <243351248+cx-ohad-israeli@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: Jonathan Hartman <208858388+cx-jonathan-hartman@users.noreply.github.com> Co-authored-by: Nisan Ben Abu <nisan.ben-abu@checkmarx.com> Co-authored-by: Hitesh Madgulkar <212497904+cx-hitesh-madgulkar@users.noreply.github.com>
Resolved conflicts while preserving all changes from both branches: - release.yml: removed duplicate descriptions, kept dispatch_auto_release job - go.mod/go.sum: merged dependencies, preferring newer versions - hooks.go: added asca import and telemetry support - asca.go: added telemetry wrapper and finding count tracking - root.go: merged command registration, using telemetryWrapper in ignoreVulnerabilityCmd Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Security Policy Alert: Secret Policy ViolationThis workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch. Secret references detected:
To approve this workflow, please add the Note: The label must be added by someone other than the PR author (cx-aniket-shinde) or automation bots to ensure proper security review. After the label is added, you can re-run the blocked workflow to proceed. This workflow will be automatically approved once merged into the default branch. For more information, see StepSecurity's Secret Exfiltration Policy documentation. |
Security Policy Alert: Actions Policy ViolationThis workflow run has been blocked by StepSecurity's actions policy. Disallowed Actions:
To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed. For more information, see StepSecurity's Actions Policy documentation. |
Adds OAuth login/session support and agent hooks (KICS/ASCA guardrails, MCP bridge).