
Conversation

@confusedcrib
Contributor


This pull request adds a GitHub Action workflow file that executes Qwiet preZero's Static Application Security Testing (SAST) on this PR. Once merged, it will also execute SAST on all future PRs opened in this repository.

Visit app.shiftleft.io to see the security findings for this repository.

We've done a few things on your behalf

  • Created a new branch and opened this pull request
  • Generated a unique secret SHIFTLEFT_ACCESS_TOKEN to allow GitHub Actions in this repository to communicate with the Qwiet API
  • Created a GitHub Action that will send this pull request to Qwiet for analysis
  • Added a status check that displays the result of the GitHub Action

Questions? Comments? Want to learn more? Get in touch with us or check out our documentation.

@dryrunsecurity

DryRun Security Summary

The pull request implements ShiftLeft security testing configuration in GitHub Actions but introduces several security concerns including token exposure risks, vulnerable HTTP downloads, exposed repository information, and permission control issues.


This PR adds ShiftLeft configuration files for security testing in GitHub Actions, introducing build rules and static analysis workflow. Security findings include:

  1. Sensitive environment token (SHIFTLEFT_ACCESS_TOKEN) with potential exposure risk in .github/workflows/shiftleft.yml
  2. HTTP download of ShiftLeft CLI potentially vulnerable to man-in-the-middle attacks
  3. Workflow exposes branch name, revealing repository structure
  4. External API hosts (www.shiftleft.io, telemetry.shiftleft.io, api.shiftleft.io) with potential security risks
  5. No explicit permission restrictions in GitHub Actions workflow, creating potential overly permissive configuration
  6. Commented-out job with potential future GitHub token exposure

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

@zeropath-ai

zeropath-ai bot commented Feb 17, 2025

No security or compliance issues detected. Reviewed everything up to bffe78e.

Security Overview
  • 🔎 Scanned files: 2 changed file(s)

Detected Code Changes
  • Configuration changes
      • .github/workflows/shiftleft.yml: Add Qwiet preZero Static Analysis workflow configuration
      • shiftleft.yml: Add build rules configuration for security findings

Reply to this PR with @zeropath-ai followed by a description of what change you want and we'll auto-submit a change to this PR to implement it.

curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl

- name: preZero Static Analysis
run: |
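Review bot: the download line `curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl` has no `-f`/`--fail`, so an HTTP error body would be written to `sl`, marked executable and run by the following step; it also performs no integrity check on the fetched binary. Suggest `curl -fsSL https://cdn.shiftleft.io/download/sl -o "${GITHUB_WORKSPACE}/sl"` followed by a `sha256sum -c` against the digest of a pinned release before the `chmod`.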


Codacy found a critical Security issue: Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner.

The issue identified by the Semgrep linter is related to the usage of variable interpolation with the github context data in a run: step. This can potentially expose the workflow to code injection vulnerabilities if the interpolated values are derived from untrusted sources. An attacker could manipulate the input to inject malicious commands into the runner.

To mitigate this risk, it is advisable to avoid directly using the github context data in a way that could lead to command injection. Instead, we can store the interpolated value in an environment variable before using it in the run: step.

Here’s the suggested change to store the branch name in an environment variable before using it in the command:

Suggested change
env:
  # Resolved by the runner into the environment, not into the script text
  BRANCH_NAME: ${{ github.head_ref }}
run: |
  ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app insecure-kubernetes-deployments --tag "branch=$BRANCH_NAME" --pythonsrc "$(pwd)"

This comment was generated by an experimental AI tool.
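As an added example, not the PR's workflow file or Codacy's suggestion, a hardened version of the two steps shown in the snippet above: the branch name enters the script through `env:` instead of `${{ }}` interpolation, the CLI download fails closed with `curl -f` and is checked against a pinned digest, and the job declares read-only permissions (DryRun's finding 5). The workflow name, trigger, checkout action and the `EXPECTED_SHA256` placeholder are assumptions; the `sl analyze` flags, app name and token name come from the page.

```yaml
name: preZero Static Analysis (hardened example)
on:
  pull_request:

# Least privilege: the job only needs to read repository contents.
permissions:
  contents: read

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Download sl CLI
        env:
          # Placeholder: replace with the digest published for the pinned release.
          EXPECTED_SHA256: "<sha256 of the pinned sl release>"
        run: |
          # -f fails on HTTP errors instead of saving an error page as the binary.
          curl -fsSL https://cdn.shiftleft.io/download/sl -o "${GITHUB_WORKSPACE}/sl"
          # Refuse to continue if the binary does not match the expected digest.
          echo "${EXPECTED_SHA256}  ${GITHUB_WORKSPACE}/sl" | sha256sum -c -
          chmod a+rx "${GITHUB_WORKSPACE}/sl"

      - name: preZero Static Analysis
        env:
          # The expression is resolved into the environment, not into the script
          # text, so a branch name containing shell metacharacters stays data.
          BRANCH_NAME: ${{ github.head_ref }}
          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
        run: |
          "${GITHUB_WORKSPACE}/sl" analyze --strict --wait \
            --app insecure-kubernetes-deployments \
            --tag "branch=${BRANCH_NAME}" \
            --pythonsrc "$(pwd)"
```

Because the download URL is not versioned, the pinned digest must be updated whenever the CLI is upgraded; that is the price of refusing an unexpected binary.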
