
Feature/oauth check rebased #1517

Open
cx-aniket-shinde wants to merge 61 commits into other/integration-main from feature/oauth-check-rebased

Conversation

@cx-aniket-shinde


By submitting this pull request, you agree to the terms within the Checkmarx Code of Conduct. Please review the contributing guidelines for guidance on creating high-quality pull requests.

Description

Please provide a summary of the changes and the related issue. Include relevant motivation and context.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Related Issues

Link any related issues or tickets.

Checklist

  • I have performed a self-review of my code
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • Any dependent changes have been merged and published in downstream modules
  • I have updated the CLI help for new/changed functionality in this PR (if applicable)
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used

Screenshots (if applicable)

Add screenshots to help explain your changes.

Additional Notes

Add any other relevant information.

cx-atish-jadhav and others added 30 commits July 2, 2026 17:37
…oject/application management improvements

- Add CodeFlow and ThreadFlow support to SARIF result structures with new types
- Extend BaseIncludeFilters with 41 additional file type patterns
- Enhance applications.go with project association polling and duplicate prevention
- Update result.go with CodeFlow handling in SARIF serialization
- Add IsInSource and CommitURL fields to SarifResultProperties
- Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
- Change IaCS and KICS filter flags from String to StringSlice in scan.go

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
- Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
- Upgrade anchore/stereoscope to v0.2.0
- Upgrade google.golang.org/grpc to v1.80.0
- Upgrade gonum to v0.17.0
- Upgrade containerd/v2 to v2.3.1
- Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
- Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
- Upgrade Go version to 1.26.3

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…nd opencontainers/runc

- Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
- Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
- Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
- Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package
k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0
during SCA vulnerability remediation.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
- Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
- Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
- Extract repeated string to constant in result_test.go (goconst lint fix)
- Add explicit requirement for golang.org/x/image v0.39.0 to override
  gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
- Update result_test.go constant alignment
- Add cx_config_file_path to integration config
- Add explicit golang.org/x/image v0.41.0 override (CVE-2026-33813, CVE-2026-46599)
  pulled transitively through gonum.org/v1/gonum v0.17.0
- Add explicit github.com/opencontainers/runc v1.3.4 (CVE-2025-52881)
  pulled transitively through github.com/Microsoft/hcsshim v0.15.0-rc.1
- Add explicit github.com/go-jose/go-jose/v3 v3.0.5 (CVE-2026-34986)
  pulled transitively through github.com/containerd/containerd v1.7.32
- Add explicit github.com/cilium/ebpf v0.17.3 (transitive upgrade)

Note: do not run go mod tidy on this module — it strips these security
overrides because the packages are indirect and not directly imported.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Reverted golang.org/x/crypto from v0.51.0 back to v0.50.0 as v0.51.0
also flagged as vulnerable by Checkmarx SCA.

CVE-2026-46595 & CVE-2026-39829 in golang.org/x/crypto v0.50.0 are
marked as Not Exploitable (NE) because:

1. CLI does NOT perform authorization logic (CVE-2026-46595)
   - Authorization decisions are delegated to Git layer

2. CLI does NOT verify cryptographic signatures (CVE-2026-39829)
   - No signature verification code in CLI
   - SSH keys only used for Git authentication

3. Vulnerable code paths in x/crypto are not exercised by CLI
   - Direct crypto imports (sha256, tls, etc) are from stdlib
   - Indirect x/crypto usage limited to SSH authentication

Acceptable Risk: YES

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Introduced `ignore-vulnerability` command to manage the realtime ignore file for various scan types (OSS, secrets, containers, IaC, ASCA).
- Implemented functionality to add, remove, and validate ignored findings.
- Added tests for the command and ignore file operations to ensure correct behavior.
- Created supporting structures and methods for handling ignore entries and file operations.
- Updated relevant files to integrate the new command into the CLI structure.
- Removed unnecessary dependency on guardrails in asca.go.
- Updated ScanFileEdit function to return findings without appending the deny message directly.
- Enhanced findingsSummary function to include file name, line number, rule ID, severity, and remediation details for better context.
- Improved permissionDecisionReason and additionalContext functions to provide clearer instructions on handling findings and false positives.
Introduces a new sca/ package that gates package-manager installs
(Bash hook) and manifest edits (Write/Edit/MultiEdit hook) against
the Checkmarx OSS realtime scanner:

- ParseInstall recognises npm/yarn/pnpm/pip/go/dotnet/maven install
  commands and normalises partial semver (e.g. "4.10" → "4.10.0")
- CheckBashInstall scans packages before the shell command runs
- CheckManifestEdit diffs before/after manifest content and scans
  only newly-added packages; reconstructs full file content for Edit
  ops so the manifest parser receives a valid document
- Both return (finding, remediation) separately so the denial reason
  and MCP remediation instructions land in distinct hook fields
  (permissionDecisionReason and additionalContext)
- Remediation note instructs the agent to use mcp__Checkmarx__packageRemediation
  exclusively, and to ask the user to install/enable the MCP server
  if the tool is unavailable

Wires the scanner into RegisterGuardrails alongside the existing ASCA
file-edit scan; adds /cx to .gitignore.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
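The install-command parsing and partial-semver normalisation described above, as an added Go example that is not the project's sca/ package: npm/yarn/pnpm and pip are covered, every name other than ParseInstall is assumed, and range operators and pre-release tags are deliberately left untouched.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Package is one dependency an install command would fetch.
type Package struct {
	Manager string // "npm" or "pip"
	Name    string
	Version string // normalised MAJOR.MINOR.PATCH, or "" when unpinned
}

var (
	npmRe = regexp.MustCompile(`^(npm\s+(?:install|i|add)|yarn\s+add|pnpm\s+(?:add|install))\s+(.*)$`)
	pipRe = regexp.MustCompile(`^(?:pip3?|python3?\s+-m\s+pip)\s+install\s+(.*)$`)
)

// ParseInstall extracts the packages a shell command would install; anything
// that is not a recognised install command is rejected so the hook can let it through.
func ParseInstall(cmd string) ([]Package, error) {
	cmd = strings.TrimSpace(cmd)
	if m := npmRe.FindStringSubmatch(cmd); m != nil {
		return parseArgs("npm", m[2], splitNpmSpec), nil
	}
	if m := pipRe.FindStringSubmatch(cmd); m != nil {
		return parseArgs("pip", m[1], splitPipSpec), nil
	}
	return nil, fmt.Errorf("not a recognised install command: %q", cmd)
}

func parseArgs(mgr, args string, split func(string) (name, ver string)) []Package {
	var pkgs []Package
	for _, a := range strings.Fields(args) {
		if strings.HasPrefix(a, "-") { // flags such as --save-dev or -U
			continue
		}
		name, ver := split(a)
		pkgs = append(pkgs, Package{Manager: mgr, Name: name, Version: NormalizeSemver(ver)})
	}
	return pkgs
}

// splitNpmSpec handles "lodash@4.10" and scoped "@types/node@20".
func splitNpmSpec(spec string) (string, string) {
	i := strings.LastIndex(spec, "@")
	if i <= 0 { // no version, or the only "@" is the scope prefix
		return spec, ""
	}
	return spec[:i], spec[i+1:]
}

// splitPipSpec handles exact pins ("requests==2.31"); range operators leave the version empty.
func splitPipSpec(spec string) (string, string) {
	if name, ver, ok := strings.Cut(spec, "=="); ok {
		return name, ver
	}
	for _, op := range []string{">=", "<=", "~=", "!=", ">", "<"} {
		if name, _, ok := strings.Cut(spec, op); ok {
			return name, ""
		}
	}
	return spec, ""
}

// NormalizeSemver pads a partial version ("4", "4.10") to three components so
// the scanner sees "4.10.0"; ranges, tags and pre-releases are returned unchanged.
func NormalizeSemver(v string) string {
	v = strings.TrimLeft(v, "v=")
	if v == "" {
		return ""
	}
	parts := strings.Split(v, ".")
	for _, p := range parts {
		if p == "" || strings.Trim(p, "0123456789") != "" {
			return v
		}
	}
	for len(parts) < 3 {
		parts = append(parts, "0")
	}
	return strings.Join(parts, ".")
}

func main() {
	pkgs, err := ParseInstall("npm install --save-dev lodash@4.10 @types/node@20")
	fmt.Println(pkgs, err)
}
```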
- ASCA additionalContext now generates pre-filled cx ignore-vulnerability
  commands with actual FileName/Line/RuleID per finding instead of a generic
  placeholder; uses full executable path so the agent can run it regardless
  of PATH
- SCA DenyVulnerable remediation now includes per-package ignore commands
  when no safe version is found, replacing the Dev Assist fallback
- SCA scanner passes the realtime ignore file path to RunOssRealtimeScan so
  suppressed packages are filtered out on subsequent scans
- ASCA permissionDecisionReason shows only findings to the user; agent
  instructions moved entirely to additionalContext

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
cx-amol-mane and others added 28 commits July 2, 2026 17:38
- Expanded the `cx mcp bridge` command to support a resilient connection lifecycle, allowing the bridge to operate in a degraded state until valid credentials are available.
- Implemented a new `bridgeSession` structure to manage connection states and ensure thread-safe operations.
- Added comprehensive tests for deriving the MCP URL from various sources, including JWT claims and environment variables, ensuring robust functionality.
- Updated the command structure to maintain backward compatibility while integrating new features.
* copilot=chnages

* removed-temp-dependency

* removed-temp-dependency1

* Fix SCA bypass on CRLF/LF line-ending mismatch (#7)

* Fix SCA guardrail bypass on CRLF/LF line-ending mismatch

fullAfterContent now tries an exact replacement first, then falls back to
a line-ending-normalized replacement (CRLF→LF) when the exact match fails.
If the edited region still cannot be located, it logs a warning and scans
the proposed snippet rather than silently returning the unchanged file,
ensuring newly added dependencies are always given a chance to be detected.

Co-Authored-By: Kedar Bhujade <kedar.bhujade@checkmarx.com>

* Instruct agent to invoke skill or install MCP when tool is unavailable in ASCA and SCA hooks

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* copilot-changes (#8)

* copilot=chnages

* removed-temp-dependency

* removed-temp-dependency1

---------

Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>

* Bump ast-cx-hooks to v1.0.3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Resolve realtime ignore file from hook event WorkDir, not process CWD (#9)

The realtime ignore-file (.checkmarx/checkmarxIgnoredTempList.json) was
resolved as a CWD-relative path against the hook subprocess's own working
directory. Claude Code launches the hook from the workspace root, so it
found the file; Copilot CLI launches it from a different directory, so the
lookup missed the file the ignore command wrote under the workspace and the
finding kept getting blocked.

Anchor the lookup to the workspace the hook event reports via ev.WorkDir:
- Add ignore.PathFor(workDir) (falls back to DefaultPath when empty).
- SCA: thread workDir through Scanner.CheckManifestEdit/CheckBashInstall into
  existingIgnoreFilePath; pass ev.WorkDir from cxBeforeFileEdit.
- ASCA: resolve existingIgnoreFilePath(ev.WorkDir) in ScanFileEdit.
- Pin the emitted `cx ignore-vulnerability` remediation to an explicit
  --ignored-file-path under ev.WorkDir so the write and later read use the
  same absolute file regardless of either process's CWD.

Add tests for PathFor anchoring/fallback, workDir-anchored ignore lookup,
and the remediation flag.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* added-telemetry

* checked-telemetry-payload

* checked-telemetry-payload1

---------

Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>
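The CRLF/LF fallback described in the #7 fix above, as an added Go example rather than the project's own fullAfterContent; the parameter names and the EditResult type are assumed, and the pre-fix replace is kept beside it to show the bypass it closes.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

// EditResult is what the manifest scanner receives: the reconstructed file,
// or, as a last resort, only the proposed snippet.
type EditResult struct {
	Content     string
	SnippetOnly bool // edit region could not be located in the original
}

// naiveAfterContent is the pre-fix behaviour, kept for contrast: when the
// agent's oldString uses LF but the file on disk uses CRLF, the replace
// silently matches nothing and the scanner sees a manifest with no new
// package, which is the bypass the commit fixes.
func naiveAfterContent(original, oldString, newString string) string {
	return strings.Replace(original, oldString, newString, 1)
}

// fullAfterContent reconstructs the post-edit file for an Edit op
// (assumed parameter names; the page names only the function).
func fullAfterContent(original, oldString, newString string) EditResult {
	if original == "" { // Write op: the snippet is the whole file
		return EditResult{Content: newString}
	}
	// 1. Exact match, the common case.
	if oldString != "" && strings.Contains(original, oldString) {
		return EditResult{Content: strings.Replace(original, oldString, newString, 1)}
	}
	// 2. Line-ending mismatch: normalise both sides to LF and retry.
	normOrig, normOld := toLF(original), toLF(oldString)
	if normOld != "" && strings.Contains(normOrig, normOld) {
		return EditResult{Content: strings.Replace(normOrig, normOld, toLF(newString), 1)}
	}
	// 3. Still not found: never hand back the unchanged file, which would
	//    let a newly added dependency slip past the scanner unscanned.
	log.Printf("fullAfterContent: edit region not found; scanning proposed snippet only")
	return EditResult{Content: newString, SnippetOnly: true}
}

func toLF(s string) string { return strings.ReplaceAll(s, "\r\n", "\n") }

func main() {
	// Constructed CRLF package.json and an LF-style edit proposed by the agent.
	orig := "{\r\n  \"dependencies\": {\r\n    \"express\": \"4.18.2\"\r\n  }\r\n}\r\n"
	old := "    \"express\": \"4.18.2\"\n"
	repl := "    \"express\": \"4.18.2\",\n    \"lodash\": \"4.17.20\"\n"
	fmt.Printf("naive replace left file unchanged: %v\n", naiveAfterContent(orig, old, repl) == orig)
	fmt.Printf("fixed: %q\n", fullAfterContent(orig, old, repl).Content)
}
```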
- Improve OAuth PKCE flow with session management and token caching
- Enhance HTTP client with retry logic and better error handling
- Add comprehensive unit tests for auth login (186 lines)
- Update MCP bridge with improved error handling and testing
- Fix build tag consistency across agenthooks test files
- Sanitize sensitive data in logger utils

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
* copilot=chnages

* removed-temp-dependency

* removed-temp-dependency1

---------

Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…#9)

The realtime ignore-file (.checkmarx/checkmarxIgnoredTempList.json) was
resolved as a CWD-relative path against the hook subprocess's own working
directory. Claude Code launches the hook from the workspace root, so it
found the file; Copilot CLI launches it from a different directory, so the
lookup missed the file the ignore command wrote under the workspace and the
finding kept getting blocked.

Anchor the lookup to the workspace the hook event reports via ev.WorkDir:
- Add ignore.PathFor(workDir) (falls back to DefaultPath when empty).
- SCA: thread workDir through Scanner.CheckManifestEdit/CheckBashInstall into
  existingIgnoreFilePath; pass ev.WorkDir from cxBeforeFileEdit.
- ASCA: resolve existingIgnoreFilePath(ev.WorkDir) in ScanFileEdit.
- Pin the emitted `cx ignore-vulnerability` remediation to an explicit
  --ignored-file-path under ev.WorkDir so the write and later read use the
  same absolute file regardless of either process's CWD.

Add tests for PathFor anchoring/fallback, workDir-anchored ignore lookup,
and the remediation flag.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* Enhance auth login command and improve security measures

- Introduced a new constant for config file permissions to restrict access to owner only, ensuring better security for stored refresh tokens.
- Updated the auth login flow to preserve existing credentials during authentication failures, enhancing user experience.
- Improved the nuke phase to revoke prior refresh tokens only after a new credential is established, ensuring a clean state.
- Added HTML escaping for error messages in the OAuth PKCE callback to prevent potential XSS vulnerabilities.
- Standardized build tags across multiple test files to ensure consistent test execution.

This commit enhances the security and reliability of the authentication process while improving code maintainability.

* Introduce telemetry for the ignore command

Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>

* removed-telemetry-error-msg

* Add proxy support to newBridgeClient and enhance tests

- Implemented the newBridgeClient function to configure an HTTP client that respects proxy settings from the environment or configuration.
- Added unit tests to verify the behavior of the newBridgeClient, ensuring it correctly handles both default and proxy-aware transports.
- Updated the runBridge function to utilize the newBridgeClient for improved proxy handling.

This commit enhances the MCP bridge functionality by ensuring proper proxy configuration and testing.

---------

Co-authored-by: Hitesh Madgulkar <212497904+cx-hitesh-madgulkar@users.noreply.github.com>
Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>
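The three auth-login hardening points in the commit above (owner-only config permissions, existing credentials preserved on failure, HTML-escaped PKCE callback errors), as an added Go example that is not the project's code; loginSession, saveRefreshToken and the exchange callback are assumed names.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"net/http"
	"os"
	"path/filepath"
)

// configFilePerm keeps the stored refresh token readable by the owner only.
const configFilePerm = 0o600

// loginSession holds the PKCE state for one browser login. exchange is the
// code-for-token step (assumed signature; a real one also sends the verifier).
type loginSession struct {
	state    string
	exchange func(code string) (string, error)
	token    string // refresh token, set only after a successful exchange
}

// ServeHTTP handles the redirect back to the loopback listener.
func (s *loginSession) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	// error and error_description arrive via the browser redirect, so they are
	// attacker-influenceable and must never be interpolated raw into HTML.
	if e := q.Get("error"); e != "" {
		writePage(w, http.StatusBadRequest, "Login failed: "+e+": "+q.Get("error_description"))
		return
	}
	if q.Get("state") != s.state {
		writePage(w, http.StatusBadRequest, "Login failed: state mismatch")
		return
	}
	tok, err := s.exchange(q.Get("code"))
	if err != nil {
		writePage(w, http.StatusBadGateway, "Login failed: "+err.Error())
		return
	}
	s.token = tok
	writePage(w, http.StatusOK, "Login successful. You can close this window.")
}

// writePage escapes the message so a crafted error_description cannot inject
// script into the page rendered on localhost.
func writePage(w http.ResponseWriter, status int, msg string) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(status)
	fmt.Fprintf(w, "<!doctype html><html><body><p>%s</p></body></html>", html.EscapeString(msg))
}

// saveRefreshToken stores the credential owner-only. It refuses an empty
// token and writes via temp file plus rename, so a failed login or a failed
// write never clobbers the credential already on disk.
func saveRefreshToken(path, token string) error {
	if token == "" {
		return errors.New("refusing to overwrite stored credential with an empty token")
	}
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, []byte(token), configFilePerm); err != nil {
		return err
	}
	// WriteFile's mode is subject to umask; enforce the permission explicitly.
	if err := os.Chmod(tmp, configFilePerm); err != nil {
		os.Remove(tmp)
		return err
	}
	return os.Rename(tmp, path)
}

func main() {
	fmt.Println(html.EscapeString("Login failed: <script>alert(1)</script>"))
}
```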
* chore: remove Dependabot configuration

* Add KICS IaC guardrail to agent file-edit hook

Wire a KICS-based guardrail into cxBeforeFileEdit that blocks AI-introduced
IaC misconfigurations before they are written to disk, using delta detection
on edits (new findings only) and any-vuln on new files. Honors user
suppressions from the realtime ignore file.

Unlike ASCA, the agent is not given discretion to treat KICS findings as
false positives: KICS is a deterministic IaC rule engine whose findings are
not caused by missing cross-file context, and forcing a fix on an IaC finding
produces benign additive hardening rather than contorted code. The remediation
prompt instructs the agent to fix every finding and to add any externally
required resources rather than skipping.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(actions): declare secrets used by reusable workflows (#6)

Adds explicit on.workflow_call.secrets declarations for all secrets
referenced in the workflow body, replacing implicit reliance on
callers using secrets: inherit.

* chore: remove Dependabot configuration

---------

Co-authored-by: Ohad Israeli <243351248+cx-ohad-israeli@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Jonathan Hartman <208858388+cx-jonathan-hartman@users.noreply.github.com>
Co-authored-by: Nisan Ben Abu <nisan.ben-abu@checkmarx.com>
Co-authored-by: Hitesh Madgulkar <212497904+cx-hitesh-madgulkar@users.noreply.github.com>
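A combined added example, not the project's code, for the #9 WorkDir anchoring and the KICS delta detection described above: PathFor and DefaultPath follow the commit messages, while the ignore-file JSON schema, LoadIgnored, Finding and NewFindings are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// DefaultPath is the CWD-relative ignore-file location named in the commit message.
const DefaultPath = ".checkmarx/checkmarxIgnoredTempList.json"

// PathFor anchors the ignore file to the workspace the hook event reports
// (ev.WorkDir); an empty workDir falls back to the CWD-relative default.
func PathFor(workDir string) string {
	if workDir == "" {
		return DefaultPath
	}
	return filepath.Join(workDir, DefaultPath)
}

// ignoreEntry is an assumed schema for one suppressed finding; the real
// file's fields are not shown on the page.
type ignoreEntry struct {
	File   string `json:"file"`
	RuleID string `json:"ruleId"`
}

// LoadIgnored reads the workspace's ignore file; a missing file means nothing is suppressed.
func LoadIgnored(workDir string) (map[string]bool, error) {
	path := PathFor(workDir)
	data, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return map[string]bool{}, nil
	}
	if err != nil {
		return nil, err
	}
	var entries []ignoreEntry
	if err := json.Unmarshal(data, &entries); err != nil {
		return nil, fmt.Errorf("parse %s: %w", path, err)
	}
	ignored := make(map[string]bool, len(entries))
	for _, e := range entries {
		ignored[e.File+"|"+e.RuleID] = true
	}
	return ignored, nil
}

// Finding is one KICS result (assumed minimal shape).
type Finding struct {
	File   string
	RuleID string
	Line   int
}

// findingKey omits the line number so a pre-existing finding that only
// shifted because lines were inserted above it is not reported as new.
func findingKey(f Finding) string { return f.File + "|" + f.RuleID }

// NewFindings implements both guardrail modes: delta on an edit (only
// findings absent before) and any-vuln on a new file. Suppressions are
// dropped in both; counting keeps a second new occurrence of a rule visible.
func NewFindings(before, after []Finding, ignored map[string]bool, isNewFile bool) []Finding {
	seen := map[string]int{}
	if !isNewFile {
		for _, f := range before {
			seen[findingKey(f)]++
		}
	}
	var out []Finding
	for _, f := range after {
		k := findingKey(f)
		if ignored[k] {
			continue
		}
		if seen[k] > 0 {
			seen[k]--
			continue
		}
		out = append(out, f)
	}
	return out
}

func main() {
	ignored, err := LoadIgnored("")
	fmt.Println(len(ignored), err)
}
```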
- Added `auth login` command for browser-based OAuth authentication to Checkmarx One, supporting session modes: local, global, and yaml.
- Introduced `auth logout` command to revoke the current refresh token and clear stored credentials across all session types.
- Integrated session management functionality to handle active mode persistence and cleanup.
- Updated command structure to include new authentication commands in the CLI.
- Added tests for session management and command functionality to ensure reliability.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Introduced a new `cx mcp bridge` command that acts as a transparent stdio<->HTTP proxy to the Checkmarx Security MCP.
- Implemented functionality to derive the realm-scoped Security MCP URL from the JWT issuer claim or through environment variables and command-line flags.
- Added tests for URL derivation and bridge command functionality to ensure reliability.
- Updated the existing MCP command structure to include the new bridge command while maintaining backward compatibility.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
7 participants