Preview/v1.3.2#6
Conversation
…ommended actions, and improve script robustness and editor detection.
…ion, and refine `detect.sh` to prevent false positives.
|
Warning Rate limit exceeded@miccy has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 1 minutes and 8 seconds before requesting another review. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. 📒 Files selected for processing (3)
Warning
|
| Cohort / File(s) | Summary |
|---|---|
CI/CD Release Pipeline \.github/workflows/release.yml |
Added pnpm and Node 20 setup, install with frozen lockfile/ignore-scripts, lockfile-lint and pnpm audit steps; consolidated and hardened the Extract Version step (regex allowing any 3-segment version, explicit error on failure, writes to GITHUB_OUTPUT). |
Supply-chain workflow \.github/workflows/supply-chain-security.yml |
Replaced single-step detector run with a shell block that preserves exit code, ensures results.txt exists, sets found and exit_code outputs from content/rc, and updated failure condition to use steps.detect.outputs.found. |
Detection Script & Helpers scripts/detect.sh, scripts/check-github-repos.sh, scripts/release.sh |
detect.sh: bumped version to 1.3.2, added --github-check / GITHUB_CHECK, rewrote arg parsing, normalized/created OUTPUT_FILE, added exit trap to append final summary, gated GitHub CLI checks, extended grep exclusions, ensured outputs in CI and non-CI paths. check-github-repos.sh: use ${1:-} default to avoid unbound parameter. release.sh: added fallback editors (nano, vim, vi) when code/$EDITOR unavailable. |
Changelog & Documentation CHANGELOG.md, docs/DETECTION.md, cs/docs/DETECTION.md, cs/README.md |
Added v1.3.2 changelog entry; appended “Automated Detection Script” docs (usage examples, CI notes) in both EN/CZ paths; changed two headings in cs/README.md from bold labels to level-4 headings. |
IOC Data ioc/malicious-packages.json |
Replaced several affected_versions with "unknown", added vendor_note fields, and expanded key_dates timeline entries with recommended_action guidance. |
Repository Metadata package.json |
Added root package.json (pnpm project) with metadata, lint:lockfile script, lockfile-lint devDependency, packageManager: [email protected], and engines: node >= 20. |
Misc / Artifacts results_debug.txt |
Added debugging output artifact showing a short Shai-Hulud scan log. |
CodeRabbit Config .coderabbit.yaml |
Removed poem and auto_approve keys; preserved walkthrough and auto_review.drafts. |
Sequence Diagram(s)
mermaid
sequenceDiagram
autonumber
participant CI as CI/User
participant Detect as scripts/detect.sh
participant FS as Filesystem (results.txt / OUTPUT_FILE)
participant GH as gh CLI → GitHub API
CI->>Detect: invoke detect.sh (--ci / --github-check)
Detect->>FS: ensure OUTPUT_FILE exists
alt GITHUB_CHECK enabled
Detect->>GH: call `gh repo view` (if gh present)
GH-->>Detect: repo info or error
Detect->>FS: append GitHub check results
else GITHUB_CHECK disabled
Detect->>FS: write skip message (verbose)
end
Detect->>FS: run scans, collect findings → write results.txt
Detect->>CI: set exit code / trap writes final summary
CI->>FS: consume results.txt for workflow outputs
Estimated code review effort
🎯 3 (Moderate) | ⏱️ ~25 minutes
- Focus areas:
scripts/detect.sh(argument parsing rewrite, trap/exit behavior, output-file creation, GitHub-check gating)..github/workflows/release.yml(version-extraction regex and pnpm/Node setup steps).ioc/malicious-packages.jsonschema changes (vendor_note,recommended_action) for downstream consumers.
Possibly related PRs
- Preview/v1.3.1 #5 — Modifies the same release workflow, supply-chain-security workflow, and detection script; likely directly related.
Suggested labels
docs, feat
Poem
I nibble scripts and chase a patch, 🥕
I bump a version, tidy a batch,
I gate the GH checks, write files with care,
Tiny paws push outputs everywhere,
Hooray — builds hop onward, light as air! 🐇
Pre-merge checks and finishing touches
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Preview/v1.3.2' is concise and directly refers to the version release being prepared, which aligns with the CHANGELOG and version bump changes throughout the PR. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
Comment @coderabbitai help to get the list of available commands and usage tips.
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
scripts/detect.sh (1)
349-365: GitHub check implementation looks safe, but needs verification. The opt-in--github-checkfeature is well-designed with graceful degradation. However, a couple of things to verify:
- Line 353: The jq filter on
gh repo listoutput usesgrep -i "hulud"directly on JSON. Is this reliable, or should it usejqfiltering instead?- Error handling: What happens if
gh repo listfails? Should there be explicit error handling?Consider refactoring to use jq's built-in filtering for robustness:
gh_repos=$(gh repo list --json name,description 2>/dev/null | jq -r '.[] | select(.description | test("hulud"; "i")) | "\(.name): \(.description)"' || true)
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (7)
.github/workflows/release.yml(1 hunks)CHANGELOG.md(1 hunks)cs/README.md(2 hunks)ioc/malicious-packages.json(5 hunks)scripts/check-github-repos.sh(1 hunks)scripts/detect.sh(7 hunks)scripts/release.sh(1 hunks)
🧰 Additional context used
📓 Path-based instructions (5)
cs/{README.md,cs/README.md}
📄 CodeRabbit inference engine (cs/AGENTS.md)
Root README files must exist in both English (README.md) and Czech (cs/README.md) versions with identical feature parity
Files:
cs/README.md
**/*.sh
📄 CodeRabbit inference engine (AGENTS.md)
**/*.sh: Use English comments only in shell script files (.sh)
Use shellcheck for validation of all shell script modifications
Files:
scripts/detect.shscripts/release.shscripts/check-github-repos.sh
scripts/**/*.sh
📄 CodeRabbit inference engine (AGENTS.md)
scripts/**/*.sh: Scripts must be tested for compatibility with both macOS and Linux before suggesting modifications
Maintain safety checks in all detection scripts and never auto-run security scripts without explicit user confirmation
All detection scripts must include documentation inDETECTION.mdand updates toCHANGELOG.md
Files:
scripts/detect.shscripts/release.shscripts/check-github-repos.sh
**/*.{json,yml,yaml}
📄 CodeRabbit inference engine (AGENTS.md)
Use English comments only in configuration files (
.json,.yml)
Files:
ioc/malicious-packages.json
ioc/malicious-packages.json
📄 CodeRabbit inference engine (AGENTS.md)
IOC (Indicators of Compromise) additions must be verified from official sources before adding to
ioc/malicious-packages.json
Files:
ioc/malicious-packages.json
🧠 Learnings (12)
📓 Common learnings
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:13.600Z
Learning: Applies to scripts/**/*.sh : All detection scripts must include documentation in `DETECTION.md` and updates to `CHANGELOG.md`
📚 Learning: 2025-11-30T14:28:26.180Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:26.180Z
Learning: Applies to cs/**/CHANGELOG.md : CHANGELOG.md must be updated when detekční logika is added or modified
Applied to files:
CHANGELOG.mdcs/README.md
📚 Learning: 2025-11-30T14:28:13.600Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:13.600Z
Learning: Commit messages for IOC updates must follow the format: `feat(ioc): add [package-name] IOC`
Applied to files:
CHANGELOG.mdioc/malicious-packages.json
📚 Learning: 2025-11-30T14:28:13.600Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:13.600Z
Learning: Prioritize changes in order: critical security updates (new IOCs, vulnerability fixes), broken functionality, documentation accuracy, enhancements, then style/formatting
Applied to files:
CHANGELOG.mdioc/malicious-packages.json
📚 Learning: 2025-11-30T14:28:26.180Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:26.180Z
Learning: Applies to cs/ioc/**/*.json : Git commit messages for new IOC additions must follow the format: 'feat(ioc): add [package-name] IOC'
Applied to files:
CHANGELOG.mdioc/malicious-packages.json
📚 Learning: 2025-11-30T14:28:26.180Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:26.180Z
Learning: Applies to cs/{README.md,cs/README.md} : Root README files must exist in both English (README.md) and Czech (cs/README.md) versions with identical feature parity
Applied to files:
cs/README.md
📚 Learning: 2025-11-30T14:28:26.180Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:26.180Z
Learning: Applies to cs/docs/**/*.md : Documentation updates must include commit message scope indicating affected language(s): 'docs(en)', 'docs(cs)', or 'docs(all)'
Applied to files:
cs/README.md
📚 Learning: 2025-11-30T14:28:13.600Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:13.600Z
Learning: Applies to scripts/**/*.sh : All detection scripts must include documentation in `DETECTION.md` and updates to `CHANGELOG.md`
Applied to files:
scripts/detect.sh
📚 Learning: 2025-11-30T14:28:13.600Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:13.600Z
Learning: Applies to scripts/**/*.sh : Maintain safety checks in all detection scripts and never auto-run security scripts without explicit user confirmation
Applied to files:
scripts/detect.sh
📚 Learning: 2025-11-30T14:28:13.600Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:13.600Z
Learning: Applies to ioc/malicious-packages.json : IOC (Indicators of Compromise) additions must be verified from official sources before adding to `ioc/malicious-packages.json`
Applied to files:
ioc/malicious-packages.json
📚 Learning: 2025-11-30T14:28:26.180Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:26.180Z
Learning: Critical security updates (new IOCs, vulnerability fixes) take priority over other changes
Applied to files:
ioc/malicious-packages.json
📚 Learning: 2025-11-30T14:28:26.180Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:26.180Z
Learning: Applies to cs/ioc/**/*.json : IOC (Indicators of Compromise) database additions must be verified from official sources before inclusion
Applied to files:
ioc/malicious-packages.json
🧬 Code graph analysis (1)
scripts/detect.sh (1)
scripts/full-audit.sh (2)
log_info(79-81)log_ok(75-77)
🔇 Additional comments (10)
cs/README.md (1)
44-44: Formatting consistency improved. Switching from bold text to proper level-4 headings improves the document hierarchy. ✓Also applies to: 55-55
scripts/check-github-repos.sh (1)
4-4: Good defensive programming: safe parameter expansion prevents unbound variable errors. The${1:-}pattern correctly handles the case where no arguments are provided.scripts/release.sh (1)
83-88: Excellent fallback editor chain. The progression from nano → vim → vi ensures the script can open CHANGELOG.md for editing in most environments, while maintaining the safety principle of requiring user interaction.ioc/malicious-packages.json (1)
432-484: Timeline enhancements are well-structured. Therecommended_actionfield provides helpful incident response guidance for each critical date. This improves the IOC database's operational value.Please verify the recommended actions align with official CISA and vendor guidance (especially for the 2025-12-09 npm token deadline).
scripts/detect.sh (3)
25-27: Version bump is consistent. The version update from 1.3.1 → 1.3.2 aligns with CHANGELOG.md and overall PR objectives. The newGITHUB_CHECKflag provides opt-in GitHub API integration, which is safe by default.Also applies to: 48-50
417-417: Grep hardening reduces false positives—good thinking! The--excludeflags on lines 417 and 435 prevent the detection script from flagging patterns in its own documentation.Please confirm that
grep --excludeis supported on both macOS and Linux. The--excludeflag is a GNU grep extension and may not be available on all systems. Consider testing with:#!/bin/bash # Verify --exclude flag availability grep --help | grep -q exclude && echo "Supported" || echo "Not supported"If portability is a concern, consider falling back to piping through
grep -vpatterns instead.Also applies to: 435-435
491-530: Output file handling ensures CI reliability. The safeguard at lines 527-529 prevents CI jobs from failing due to missing output files, which is good defensive programming.CHANGELOG.md (1)
8-26: Changelog entry is well-structured and informative. The v1.3.2 entry clearly documents the three major categories of changes with appropriate detail level.A couple of clarifications needed:
Line 14: "Fallback
results.txtgeneration" — In the code, this appears as genericOUTPUT_FILEhandling. Isresults.txtthe standard filename, or is this just describing the output file feature generically?Documentation update requirement: Per coding guidelines, "All detection scripts must include documentation in
DETECTION.md". Wasdocs/DETECTION.mdupdated to document the new--github-checkflag and grep hardening changes?.github/workflows/release.yml (2)
21-40: Release workflow enhancements are solid. The pnpm setup, frozen lockfile, and security controls (--ignore-scripts) are excellent practices for release reproducibility and security.One thing to verify: Does
lockfile-lintsupportpnpm-lock.yaml? The tool was originally designed for npm and yarn. If it doesn't support pnpm's lock format, this step will fail. Consider checking the tool's documentation or testing with:#!/bin/bash # Verify lockfile-lint pnpm support npm info lockfile-lint | grep -i pnpmIf not supported, you might need to use pnpm's own verification:
pnpm lsorpnpm import --prodvalidation.
41-49: Version extraction logic is clean. The grep pattern correctly extracts semantic versions from commit messages like "chore: release v1.3.2".Minor suggestion: The grep on line 47 assumes the version is always present in the commit message. Consider adding error handling in case the grep returns empty:
VERSION=$(echo "$COMMIT_MSG" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' || echo "0.0.0") if [[ -z "$VERSION" ]] || [[ "$VERSION" == "0.0.0" ]]; then echo "Error: Could not extract version from commit message" exit 1 fiThis prevents silent failures if the commit message format changes.
| "affected_versions": ["unknown"], | ||
| "vendor_note": "Check vendor sources", |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
# First, let's see the git status and examine the actual diff for this file
git diff --no-color HEAD -- ioc/malicious-packages.json | head -200Repository: miccy/dont-be-shy-hulud
Length of output: 49
🏁 Script executed:
# Also check the commit message to see if it follows the format from learnings
git log --oneline -1Repository: miccy/dont-be-shy-hulud
Length of output: 199
🏁 Script executed:
# Let's examine the context around the lines mentioned to understand what changed
cat -n ioc/malicious-packages.json | sed -n '60,200p'Repository: miccy/dont-be-shy-hulud
Length of output: 5535
🏁 Script executed:
# Check git log for this specific file to see change history
git log --oneline -20 -- ioc/malicious-packages.jsonRepository: miccy/dont-be-shy-hulud
Length of output: 199
🏁 Script executed:
# Get the actual diff showing what changed for this file in recent commits
git log -p --follow -3 -- ioc/malicious-packages.json | head -300Repository: miccy/dont-be-shy-hulud
Length of output: 49
🏁 Script executed:
# Check for any IOC-related commits
git log --oneline --all | grep -i "ioc\|malicious\|affected" | head -20Repository: miccy/dont-be-shy-hulud
Length of output: 194
🏁 Script executed:
# Show the specific commit with full diff
git show d40c157 -- ioc/malicious-packages.json | head -400Repository: miccy/dont-be-shy-hulud
Length of output: 9274
🏁 Script executed:
# Also check if there's any documentation about the IOC sources or verification
find . -type f \( -name "*.md" -o -name "*.txt" \) -exec grep -l "affected_versions\|IOC\|shai-hulud" {} \; | head -20Repository: miccy/dont-be-shy-hulud
Length of output: 417
🏁 Script executed:
# Compare what the commit has vs what the file currently has for a few packages
echo "=== Current file state ===" && cat -n ioc/malicious-packages.json | sed -n '65,90p'
echo -e "\n=== Checking git show for same lines ===" && git show d40c157:ioc/malicious-packages.json | cat -n | sed -n '50,90p'Repository: miccy/dont-be-shy-hulud
Length of output: 2656
🏁 Script executed:
# Search documentation for explanation of version data or verification process
grep -r "affected_versions\|Check vendor sources\|unknown" ./docs ./CONTRIBUTING.md ./SECURITY.md 2>/dev/null | head -30Repository: miccy/dont-be-shy-hulud
Length of output: 132
🏁 Script executed:
# Check if there's any PR description or issue notes about verification
git log --all --grep="affected_versions\|vendor sources\|unknown" --onelineRepository: miccy/dont-be-shy-hulud
Length of output: 49
🏁 Script executed:
# Check if any of the official IOC sources are accessible/documented in the repo
grep -r "tenable\|DataDog\|safedep\|wiz-sec" README.md CONTRIBUTING.md SECURITY.md ./docs/ 2>/dev/null | head -20Repository: miccy/dont-be-shy-hulud
Length of output: 1034
🏁 Script executed:
# Check the full malicious-packages.json to see the current state of all affected packages
cat ioc/malicious-packages.json | grep -A 3 '"affected_versions"' | head -60Repository: miccy/dont-be-shy-hulud
Length of output: 1704
IOC data completeness issue: 10 packages lack verified affected versions.
Multiple packages have "affected_versions": ["unknown"] with "vendor_note": "Check vendor sources", while other packages in the same file have documented specific versions. Per the learnings and coding guidelines, IOC additions must be verified from official sources.
Cross-reference these packages against the official IOC sources documented in README.md (Tenable, Datadog, Wiz Research, SafeDep) to determine the actual affected versions:
- @asyncapi/openapi-schema-parser, @asyncapi/avro-schema-parser, @asyncapi/raml-dt-schema-parser, zapier-platform-cli, ngx-bootstrap, angulartics2, koa2-swagger-ui, @postman/postman-mcp-cli, ethereum-ens, @ensdomains/content-hash
For each package, either document the specific affected versions or provide explicit verification that the version information is genuinely unavailable from official sources. The current "unknown" designation must be supported by documented verification attempts.
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
scripts/detect.sh (1)
1-27: CreateDETECTION.mdto document detection script features and flags.Per the coding guidelines, all detection scripts must include documentation in
DETECTION.md. WhileCHANGELOG.mdhas been properly updated with version 1.3.2 entry documenting the--github-checkflag and other changes,DETECTION.mddoes not exist and must be created to document the detection script's features, flags (--output,--verbose,--ci,--github-check,--skip-hash), and usage patterns.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
.coderabbit.yaml(1 hunks)scripts/detect.sh(6 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.sh
📄 CodeRabbit inference engine (AGENTS.md)
**/*.sh: Use English comments only in shell script files (.sh)
Use shellcheck for validation of all shell script modifications
Files:
scripts/detect.sh
scripts/**/*.sh
📄 CodeRabbit inference engine (AGENTS.md)
scripts/**/*.sh: Scripts must be tested for compatibility with both macOS and Linux before suggesting modifications
Maintain safety checks in all detection scripts and never auto-run security scripts without explicit user confirmation
All detection scripts must include documentation inDETECTION.mdand updates toCHANGELOG.md
Files:
scripts/detect.sh
🧠 Learnings (4)
📓 Common learnings
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:13.600Z
Learning: Prioritize changes in order: critical security updates (new IOCs, vulnerability fixes), broken functionality, documentation accuracy, enhancements, then style/formatting
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:13.600Z
Learning: Applies to scripts/**/*.sh : All detection scripts must include documentation in `DETECTION.md` and updates to `CHANGELOG.md`
📚 Learning: 2025-11-30T14:28:13.600Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:13.600Z
Learning: Applies to scripts/**/*.sh : All detection scripts must include documentation in `DETECTION.md` and updates to `CHANGELOG.md`
Applied to files:
scripts/detect.sh
📚 Learning: 2025-11-30T14:28:13.600Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:13.600Z
Learning: Applies to scripts/**/*.sh : Maintain safety checks in all detection scripts and never auto-run security scripts without explicit user confirmation
Applied to files:
scripts/detect.sh
📚 Learning: 2025-11-30T14:28:26.180Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:26.180Z
Learning: Applies to cs/scripts/**/*.sh : Breaking changes to public script APIs must not be made without proper versioning and migration documentation
Applied to files:
scripts/detect.sh
🧬 Code graph analysis (1)
scripts/detect.sh (1)
scripts/full-audit.sh (2)
log_info(79-81)log_ok(75-77)
🪛 YAMLlint (1.37.1)
.coderabbit.yaml
[error] 25-25: duplication of key "drafts" in mapping
(key-duplicates)
🔇 Additional comments (5)
scripts/detect.sh (5)
361-377: GitHub check feature is properly gated behind opt-in flag.The
--github-checkflag implements the feature correctly as an opt-in mechanism with proper safety checks:
- Line 363 checks for
ghCLI availability before attempting to use it.- Line 373 logs a warning if the flag is requested but
ghis unavailable (graceful degradation).- Line 376 logs when the check is skipped in verbose mode (good observability).
This maintains the safety requirement to not auto-run security scripts without explicit user confirmation. Based on learnings, the implementation aligns with security best practices.
503-507: Output file handling ensures results are captured in all exit paths.The placement of output file writing at lines 503-507 (before the final summary and exit) ensures that results are recorded even if the script exits early. This is good for CI/CD integration.
539-541: Fallback output file creation in CI mode guards against missing results.The safeguard at lines 539-541 ensures that
OUTPUT_FILEis created with a placeholder message if no scan results were produced. This prevents CI/CD pipelines from failing due to missing artifact files.
429-429: Create DETECTION.md to document the metadata service abuse detection.The
grep -r --excludesyntax at lines 429 and 447 is compatible with both macOS and Linux—GNU grep supports the--excludeflag and the implementation correctly filters the specified file types. The CHANGELOG.md has been appropriately updated to document the exclusion changes.However, per coding guidelines, all detection scripts must include documentation in
DETECTION.md. This file is currently missing and should be created to document:
- The metadata service abuse detection pattern (169.254.169.254)
- Secondary phase indicators being scanned
- File exclusion logic and rationale
- Usage examples
30-70: Argument parsing refactor passes shellcheck validation.The while-loop refactoring is correct and implements proper shift operations for each argument pattern. Shellcheck validation passes with no errors or warnings. All flags (--version, --output, --verbose, --ci, --skip-hash, --github-check) are parsed correctly with appropriate shift counts. The --github-check flag maintains the opt-in safety requirement, and CHANGELOG.md confirms all 1.3.2 changes including the new flag, grep exclusions to prevent false positives, and fallback output file generation are properly documented.
…tion script, and improve release workflow version extraction with robust error handling.
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
… results and add a debug output file.
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
scripts/detect.sh (1)
6-6: Update usage documentation to include new flags.The usage comment at line 6 doesn't document the new
--skip-hashand--github-checkflags that are implemented in the argument parsing below.-# Usage: ./detect.sh [path] [--output file] [--verbose] [--ci] +# Usage: ./detect.sh [path] [--output file] [--verbose] [--ci] [--skip-hash] [--github-check]
♻️ Duplicate comments (1)
scripts/detect.sh (1)
528-532: Duplicate comment: File write issue already flagged in lines 72-95 review.This section has overlapping file write logic with the trap setup reviewed earlier. See the previous review comment (lines 72-95) for the recommended consolidation of all file writes through the trap mechanism.
🧹 Nitpick comments (2)
scripts/detect.sh (2)
386-402: GitHub check output should be user-friendly and handle gh CLI errors gracefully.The GitHub check flow at line 390 pipes raw JSON through grep, which returns unformatted JSON lines to the user. Consider improving the output format and error handling:
- The gh CLI error handling only checks if the command exists, not if authentication is available or the API call succeeds
- The output at line 392 will show raw JSON, which isn't user-friendly (e.g.,
{"name":"my-repo","description":"some text"})# If gh CLI is available and user opted in if [[ "$GITHUB_CHECK" == true ]]; then if command -v gh &> /dev/null; then log_info "GitHub CLI detected. Running automated check..." - gh_repos=$(gh repo list --json name,description 2>/dev/null | grep -i "hulud" || true) + if gh_repos=$(gh repo list --json name,description -q '.[] | select(.description | contains("hulud")) | .name' 2>/dev/null); then if [[ -n "$gh_repos" ]]; then log_error "Found suspicious repositories on your account!" - echo "$gh_repos" + echo "$gh_repos" | while read -r repo; do echo " → $repo"; done else log_ok "No suspicious repos found via GitHub CLI" fi + else + log_warn "GitHub CLI check failed (may need re-authentication or network error)" + fi else log_warn "GitHub check requested (--github-check) but 'gh' CLI not found." fi else $VERBOSE && log_info "Skipping GitHub API check (use --github-check to enable)" fiThis uses jq-like filtering in gh (available in recent versions) for cleaner output and better error handling.
1-1: Verify documentation updates for DETECTION.md and CHANGELOG.md.Based on the learnings and PR objectives, detection scripts must include documentation in
DETECTION.mdand updates toCHANGELOG.md. The PR objectives mention a changelog entry for version 1.3.2, and the script version was bumped (line 27).Ensure that:
DETECTION.mdincludes documentation for the new--github-checkand--skip-hashflagsCHANGELOG.mdis updated with version 1.3.2 changes, including the new flags and the GitHub check flow modifications- Any breaking changes are clearly documented (the PR indicates this is a breaking change)
As per coding guidelines, all detection scripts must include documentation in DETECTION.md and updates to CHANGELOG.md.
Would you like me to verify the documentation files by searching the repository for DETECTION.md and CHANGELOG.md, or would you like me to help generate the required documentation sections?
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (3)
.github/workflows/supply-chain-security.yml(2 hunks)results_debug.txt(1 hunks)scripts/detect.sh(6 hunks)
✅ Files skipped from review due to trivial changes (1)
- results_debug.txt
🧰 Additional context used
📓 Path-based instructions (2)
**/*.sh
📄 CodeRabbit inference engine (AGENTS.md)
**/*.sh: Use English comments only in shell script files (.sh)
Use shellcheck for validation of all shell script modifications
Files:
scripts/detect.sh
scripts/**/*.sh
📄 CodeRabbit inference engine (AGENTS.md)
scripts/**/*.sh: Scripts must be tested for compatibility with both macOS and Linux before suggesting modifications
Maintain safety checks in all detection scripts and never auto-run security scripts without explicit user confirmation
All detection scripts must include documentation inDETECTION.mdand updates toCHANGELOG.md
Files:
scripts/detect.sh
🧠 Learnings (3)
📚 Learning: 2025-11-30T14:28:13.600Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:13.600Z
Learning: Applies to scripts/**/*.sh : All detection scripts must include documentation in `DETECTION.md` and updates to `CHANGELOG.md`
Applied to files:
.github/workflows/supply-chain-security.ymlscripts/detect.sh
📚 Learning: 2025-11-30T14:28:13.600Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:13.600Z
Learning: Applies to scripts/**/*.sh : Maintain safety checks in all detection scripts and never auto-run security scripts without explicit user confirmation
Applied to files:
scripts/detect.sh
📚 Learning: 2025-11-30T14:28:26.180Z
Learnt from: CR
Repo: miccy/dont-be-shy-hulud PR: 0
File: cs/AGENTS.md:0-0
Timestamp: 2025-11-30T14:28:26.180Z
Learning: Applies to cs/scripts/**/*.sh : Breaking changes to public script APIs must not be made without proper versioning and migration documentation
Applied to files:
scripts/detect.sh
🧬 Code graph analysis (1)
scripts/detect.sh (1)
scripts/full-audit.sh (2)
log_info(79-81)log_ok(75-77)
🔇 Additional comments (3)
.github/workflows/supply-chain-security.yml (1)
72-77: Good: Explicit output-based failure condition and diagnostic messaging.The shift from
steps.detect.outcome == 'failure'to checkingsteps.detect.outputs.found == 'true'is the right approach for separating script robustness from finding detection. The diagnostic message (line 76) is helpful for debugging in CI.This will be correct once the grep pattern issue (lines 51-62) is fixed.
scripts/detect.sh (2)
31-70: LGTM: Argument parsing is robust and handles all flags correctly.The refactored while-loop based parsing correctly handles all flags including both
--output=fileand--output fileformats, proper shift operations, and graceful handling of unknown flags.
454-454: LGTM: Noise reduction excludes are correctly applied to prevent self-detection.The grep patterns at lines 454 and 472 properly exclude documentation (
*.md), the IOC reference file, and the detection script itself. This prevents false positives where the script detects its own patterns in comments or documentation, which aligns with the PR objective to reduce false positives.The
--excludeflag is compatible across macOS/Linux grep versions.Also applies to: 472-472
… logs, and ignore local result files.
Pull Request
Description
Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context.
Changelog
[1.3.2] - 2025-11-30
Added
release.ymlworkflowrecommended_actionfield to IOC timeline--github-checkflag toscripts/detect.sh(opt-in)results.txtgeneration inscripts/detect.shto ensure artifact uploadChanged
affected_versionsinioc/malicious-packages.jsonscripts/release.sh(nano, vim, vi)scripts/detect.shto exclude documentation and IOC files from self-detection (False Positives)Fixed
scripts/check-github-repos.shrelease.ymlscripts/detect.shwhere the script detected its own patterns in documentationType of change
Checklist:
Summary by CodeRabbit
New Features
Bug Fixes
Documentation
Chores
✏️ Tip: You can customize this high-level summary in your review settings.