ci: add security scanning workflow #21
Merged
Extend security workflow with govulncheck (dependency vulnerabilities), gosec (static analysis), and gitleaks (committed secrets), matching the psina security baseline. Scanners run on push and pull_request; the Claude security review stays gated to pull requests.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01K9Zykqo9eKjAtr3oqgCEwh
Address findings from the new security workflow:
- Bump github.com/jackc/pgx/v5 v5.8.0 -> v5.9.2 to fix GO-2026-5004 (SQL injection via placeholder confusion with dollar-quoted literals), reached from PortfolioStore.ListTransactions.
- Set http.Server.ReadHeaderTimeout to mitigate Slowloris (gosec G112).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01K9Zykqo9eKjAtr3oqgCEwh
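The ReadHeaderTimeout fix above is the kind of change worth proving rather than trusting: a Slowloris client holds a connection open by never finishing its header block, and with ReadHeaderTimeout and ReadTimeout both zero Go's net/http waits for that block indefinitely. The following is an added example, not code from this repository: it builds an http.Server with and without the timeout, connects over raw TCP, sends a request line and an unterminated header, and reports whether the server drops the connection. The `/eye/health` path is taken from the PR's own description; the timeout values and the probe are mine.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// newServer builds an http.Server with a bounded header-read window.
// With ReadHeaderTimeout zero (and ReadTimeout zero), Go waits forever
// for the header block, which is exactly what Slowloris abuses.
func newServer(readHeaderTimeout time.Duration) *http.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/eye/health", func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "ok")
	})
	return &http.Server{
		Handler:           mux,
		ReadHeaderTimeout: readHeaderTimeout,
	}
}

// slowlorisProbe serves srv on a loopback listener, opens a raw TCP
// connection, sends an unterminated header block and then just waits.
// It reports whether the server gave up on the connection within wait.
func slowlorisProbe(srv *http.Server, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go srv.Serve(ln) // returns ErrServerClosed once srv.Close runs below
	defer srv.Close()

	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()

	// Constructed partial request: request line plus a header that never
	// ends, so the server never sees the "\r\n\r\n" terminator.
	partial := "GET /eye/health HTTP/1.1\r\nHost: localhost\r\nX-Slowloris: "
	if _, err := io.WriteString(conn, partial); err != nil {
		return false, err
	}

	// Our own read deadline bounds how long the probe is willing to wait.
	if err := conn.SetReadDeadline(time.Now().Add(wait)); err != nil {
		return false, err
	}
	buf := make([]byte, 256)
	_, err = conn.Read(buf)
	var netErr net.Error
	switch {
	case err == nil, errors.Is(err, io.EOF):
		// The server either answered or closed: it stopped waiting on us.
		return true, nil
	case errors.As(err, &netErr) && netErr.Timeout():
		// Our deadline fired first: the server is still holding the slot open.
		return false, nil
	default:
		// Connection reset or similar: the server tore the connection down.
		return true, nil
	}
}

func main() {
	for _, d := range []time.Duration{0, 200 * time.Millisecond} {
		closed, err := slowlorisProbe(newServer(d), time.Second)
		fmt.Printf("ReadHeaderTimeout=%v closed=%v err=%v\n", d, closed, err)
	}
}
```

Two caveats a reviewer of the real change should keep in mind. ReadHeaderTimeout falls back to ReadTimeout when zero, and a negative value disables it, so "set to something" is not the same as "bounded"; check the value actually configured. And the timeout covers the HTTP/1.x header read only (including the initial request on an h2c endpoint); limits for HTTP/2 streams live in the HTTP/2 server configuration, not on this field.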
- Add bounds-checked decimals conversions (decI32/intToI32/intToU32) in the portfolio service. Token decimals come from external chain metadata, so the narrowing conversions are now clamped to the target range instead of risking a silent overflow.
- Annotate the marketdata count conversions with #nosec G115: they narrow row counts bounded by request size, well below int32 max.

gosec now reports 0 issues.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01K9Zykqo9eKjAtr3oqgCEwh
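Gosec G115 fires on plain narrowing conversions because Go does not trap on overflow: `int32(v)` of an out-of-range value silently wraps, so a hostile or malformed `decimals` field can turn into a negative scale factor. The block below is an added example, not the project's code. It shows the wrapping conversion beside clamping helpers that use the commit's names `intToI32` and `intToU32` (their signatures here, taking `int64`, are my assumption), plus a `tokenDecimals` helper of my own that rejects rather than clamps, since ERC-20 `decimals()` is a uint8 and a clamped value would quietly mis-scale every amount derived from it.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// unsafeI32 is the pattern gosec G115 flags: a bare narrowing conversion.
// Go does not trap on overflow, so out-of-range input silently wraps.
func unsafeI32(v int64) int32 { return int32(v) }

// intToI32 clamps v into the int32 range instead of wrapping. The name is
// the commit's; taking int64 (rather than int) is an assumption so the
// helper behaves identically on 32- and 64-bit builds.
func intToI32(v int64) int32 {
	switch {
	case v > math.MaxInt32:
		return math.MaxInt32
	case v < math.MinInt32:
		return math.MinInt32
	}
	return int32(v)
}

// intToU32 clamps v into [0, MaxUint32]; negatives become 0 rather than
// wrapping to a huge unsigned value.
func intToU32(v int64) uint32 {
	switch {
	case v < 0:
		return 0
	case v > math.MaxUint32:
		return math.MaxUint32
	}
	return uint32(v)
}

var errBadDecimals = errors.New("token decimals out of range")

// tokenDecimals (added helper, not from the project) validates a decimals
// value taken from chain metadata. ERC-20 decimals() is a uint8, so anything
// outside [0, 255] is malformed metadata and is rejected outright rather than
// clamped to a value that would mis-scale every derived amount.
func tokenDecimals(v int64) (int32, error) {
	if v < 0 || v > math.MaxUint8 {
		return 0, fmt.Errorf("%w: %d", errBadDecimals, v)
	}
	return int32(v), nil
}

func main() {
	over := int64(math.MaxInt32) + 1
	fmt.Println("unsafeI32:", unsafeI32(over)) // wraps to -2147483648
	fmt.Println("intToI32: ", intToI32(over))  // clamped to 2147483647
	fmt.Println("intToU32: ", intToU32(-1))    // clamped to 0
	if _, err := tokenDecimals(300); err != nil {
		fmt.Println("tokenDecimals:", err)
	}
}
```

On the `#nosec G115` annotations: they are appropriate exactly when an upper bound is established by construction, as the commit states for row counts limited by request size. The annotation suppresses the warning, not the wrap-around, so the comment next to each one should name the bound so a later reader can check it still holds.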
- Drop the non-existent gRPC :50051 port; the server is a single Connect-RPC endpoint over h2c on :8080.
- Correct the health check path to /eye/health.
- Describe the API as Connect-RPC (REST + gRPC on one endpoint) instead of gRPC-Gateway, which is not used.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01K9Zykqo9eKjAtr3oqgCEwh
Summary
Extend the security workflow to match the psina security baseline.
Added jobs:
- govulncheck (dependency vulnerabilities)
- gosec (static analysis, run with -exclude-generated)
- gitleaks (committed secrets)

Scanners run on push (main, develop) and pull_request. The existing Claude security review stays gated to pull requests.

🤖 Generated with Claude Code