Skip to content

feat: onboarding setup-jfrog-cli#2

Merged
Raj-StepSecurity merged 2 commits intomainfrom
release
Dec 8, 2025
Merged

feat: onboarding setup-jfrog-cli#2
Raj-StepSecurity merged 2 commits intomainfrom
release

Conversation

@Raj-StepSecurity
Copy link
Collaborator

@Raj-StepSecurity Raj-StepSecurity commented Dec 5, 2025

No description provided.

@Raj-StepSecurity
onboarding setup-jfrog-cli
5550733 
build updated

subscription check added

workflow updated

workflow updated

workflow updated

test

test

test

test

Update test.yml
@claude
Copy link

claude bot commented Dec 5, 2025
edited
Loading

Claude finished @Raj-StepSecurity's task —— View job

Pull Request Review - Setup JFrog CLI Action

I've completed a comprehensive review of this pull request against all the specified criteria. Here's my detailed analysis:

Todo List:

  • Determine action type (Node.js/Docker/Composite)
  • Check general action requirements
  • Check Node.js-specific requirements
  • Review subscription check implementation
  • Security vulnerability scan
  • README usage examples review
  • Provide comprehensive feedback

Action Type Identification

This is a Node.js-based action as confirmed by:

  • action.yml specifies runs: using: "node20" and points to dist/index.js
  • Package.json with TypeScript build setup
  • Source code in src/*.ts files

General Action Requirements - PASSED

✅ License Requirements:

  • LICENSE file present with proper "Copyright 2025 StepSecurity" copyright
  • Apache 2.0 license properly configured

✅ Author Fields:

  • action.yml: author field correctly set to "step-security" (line 3)

✅ Required Files:

  • ✅ SECURITY.md file present
  • ✅ Required workflow files present:
    • .github/workflows/auto_cherry_pick.yml
    • .github/workflows/actions_release.yml

✅ Prohibited Files - All Clear:

  • ✅ No FUNDING.yml or funding.yml files found
  • ✅ No renovate.json file found
  • ✅ No PULL_REQUEST.md file found
  • ✅ No ISSUE_TEMPLATE folder found
  • ✅ No CHANGELOG.md file found
  • ✅ No .vscode folder found

Node.js-Specific Requirements - PASSED

✅ package.json Configuration:

✅ Dependencies Analysis:

  • ✅ dist/ folder is present
  • All 9 dependencies are actively used - no unused dependencies found:
    • @actions/core, @actions/exec, @actions/github, @actions/http-client
    • @actions/tool-cache, @octokit/core, axios, js-yaml, semver

Subscription Check Implementation - CORRECTLY IMPLEMENTED

The subscription validation is properly implemented in src/main.ts:6-19:

  • ✅ Calls correct URL: https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/subscription
  • ✅ Handles 403 errors properly by exiting with error message
  • ✅ Has timeout handling (3000ms) and continues on other errors
  • ✅ Called at the beginning of main() function before any other operations

⚠️ Security Analysis - ONE MINOR ISSUE FOUND

✅ Positive Security Practices:

  • Proper secret management with core.setSecret() for tokens, passwords, and credentials
  • No hardcoded secrets found
  • Environment variables used appropriately
  • OIDC token exchange handled securely
  • JWT validation implemented correctly

⚠️ Minor Security Issue:

  • src/oidc-utils.ts:274: Application key logged in debug mode could potentially expose sensitive data: 
    console.debug('Found application key: ' + applicationKey);
    Recommendation: Replace with console.debug('Found application key: [REDACTED]');

ℹ️ General Recommendations:

  • Consider using core.debug() instead of console.debug() for consistency
  • Most console usage is safe (informational messages only)

README Usage Examples - CORRECT

The README properly uses major version only:

- uses: step-security/setup-jfrog-cli@v4

This follows the requirement to use major version tags rather than complete semantic versions.

📋 Summary

This is a well-implemented Node.js GitHub Action that meets almost all requirements:

Strengths:

  • Comprehensive JFrog CLI setup with multiple authentication methods
  • Proper subscription validation implementation
  • Excellent secret management practices
  • All required files and configurations present
  • Clean codebase with no unused dependencies
  • Proper semantic versioning in usage examples

⚠️ Minor Issues:

  1. One debug logging statement could potentially expose application key in debug mode

📊 Overall Assessment:

APPROVED WITH MINOR RECOMMENDATION - This PR demonstrates excellent security practices and follows all Step Security requirements. The single debug logging issue is minor and easily addressed.

@claude
Copy link

claude bot commented Dec 5, 2025
edited
Loading

Claude finished @Raj-StepSecurity's task —— View job

Pull Request Review - Setup JFrog CLI Action

I've completed a comprehensive review of this pull request against all the specified criteria. Here's my detailed analysis:

Todo List:

  • Determine action type (Node.js/Docker/Composite)
  • Check general action requirements
  • Check Node.js-specific requirements
  • Review subscription check implementation
  • Security vulnerability scan
  • README usage examples review
  • Provide comprehensive feedback

Action Type Identification

This is a Node.js-based action as confirmed by:

  • action.yml specifies runs: using: "node20" and points to dist/index.js
  • Package.json with TypeScript build setup
  • Source code in src/*.ts files

General Action Requirements - PASSED

✅ License Requirements:

  • LICENSE file present with proper "Copyright 2025 StepSecurity" copyright
  • Apache 2.0 license properly configured

✅ Author Fields:

  • action.yml: author field correctly set to "step-security" (line 3)

✅ Required Files:

  • ✅ SECURITY.md file present
  • ✅ Required workflow files present:
    • .github/workflows/auto_cherry_pick.yml
    • .github/workflows/actions_release.yml

✅ Prohibited Files - All Clear:

  • ✅ No FUNDING.yml or funding.yml files found
  • ✅ No renovate.json file found
  • ✅ No PULL_REQUEST.md file found
  • ✅ No ISSUE_TEMPLATE folder found
  • ✅ No CHANGELOG.md file found
  • ✅ No .vscode folder found

Node.js-Specific Requirements - PASSED

✅ package.json Configuration:

✅ Dependencies Analysis:

  • ✅ dist/ folder is present
  • All 9 dependencies are actively used - no unused dependencies found:
    • @actions/core, @actions/exec, @actions/github, @actions/http-client
    • @actions/tool-cache, @octokit/core, axios, js-yaml, semver

Subscription Check Implementation - CORRECTLY IMPLEMENTED

The subscription validation is properly implemented in src/main.ts:6-19:

  • ✅ Calls correct URL: https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/subscription
  • ✅ Handles 403 errors properly by exiting with error message
  • ✅ Has timeout handling (3000ms) and continues on other errors
  • ✅ Called at the beginning of main() function before any other operations

⚠️ Security Analysis - SEVERAL ISSUES FOUND

✅ Positive Security Practices:

  • Proper secret management with core.setSecret() for tokens, passwords, and credentials
  • No hardcoded secrets found
  • Environment variables used appropriately
  • OIDC token exchange handled securely
  • Command injection prevention using array-based command execution

⚠️ Critical Security Issues:

  1. src/oidc-utils.ts:259,265,271: Uses console.debug(), console.log(), console.error() instead of core.debug(), core.info(), core.error()
    • Risk: May bypass GitHub Actions secret masking mechanisms

⚠️ Medium Security Issues:
2. src/utils.ts:472: Unvalidated JSON parsing of config tokens without try-catch
3. src/evidence-collection.ts:114: JSON parsing of HTTP response without validation
4. src/oidc-utils.ts:104 & src/evidence-collection.ts:82: HTTP clients created without explicit timeout configurations

ℹ️ Recommendations:

  • Replace console.* with core.* logging methods in OIDC utils
  • Add try-catch blocks around JSON.parse operations
  • Configure HTTP clients with appropriate timeouts

README Usage Examples - CORRECT

The README properly uses major version only:

- uses: step-security/setup-jfrog-cli@v4

This follows the requirement to use major version tags rather than complete semantic versions.

📋 Summary

This is a well-implemented Node.js GitHub Action that meets most requirements:

Strengths:

  • Comprehensive JFrog CLI setup with multiple authentication methods
  • Proper subscription validation implementation
  • Excellent secret management practices (where core.* methods are used)
  • All required files and configurations present
  • Clean codebase with no unused dependencies
  • Proper semantic versioning in usage examples

⚠️ Issues to Address:

  1. Console logging in OIDC utils - should use core.* methods instead of console.*
  2. JSON parsing without validation - needs try-catch blocks
  3. HTTP client configuration - should include timeout settings

📊 Overall Assessment:

APPROVED WITH RECOMMENDATIONS - This PR demonstrates good security practices overall, but the logging inconsistencies in the OIDC module should be addressed to ensure proper secret masking.

@Raj-StepSecurity Raj-StepSecurity merged commit f260de0 into main Dec 8, 2025
14 of 15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@varunsh-coder varunsh-coder varunsh-coder approved these changes

Assignees

No one assigned

Labels

review-required

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Raj-StepSecurity @varunsh-coder