From 367398236dad1beaca32da17f9657b43a6801fdd Mon Sep 17 00:00:00 2001 From: Kanwalpreet Dhindsa Date: Mon, 29 Jun 2026 11:52:48 -0700 Subject: [PATCH 1/3] add socket tier 1 reachability analysis --- .github/workflows/socket-scan.yml | 79 +++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 .github/workflows/socket-scan.yml diff --git a/.github/workflows/socket-scan.yml b/.github/workflows/socket-scan.yml new file mode 100644 index 000000000..63b1bfc1c --- /dev/null +++ b/.github/workflows/socket-scan.yml @@ -0,0 +1,79 @@ +# Socket reachability scan for stellar-docs. +# For general Socket reachability documentation, see https://docs.socket.dev/docs/full-application-reachability +# Node project (yarn — yarn.lock). +# +# Schedule: Sun 15:36 UTC weekly. Use workflow_dispatch to run on demand. +# +# ============================================================================ +# Socket scan — reading the job status. (The scan step below produces this: an +# exit code + an optional ::warning:: annotation, which GitHub Actions renders +# as the job's state.) +# ============================================================================ +# GREEN (exit 0, no warning): scan completed and every analyzed vulnerability +# got full Tier 1 reachability (precise, your-code-aware). Nothing to do. +# YELLOW (exit 0 + "::warning:: Socket scan completed with Tier 2 fallbacks"): +# scan completed, but Tier 1 could NOT be computed for some/all +# vulnerabilities, which fell back to Tier 2 (precomputed) reachability. +# You still get CVE detection + Tier 2 results, just reduced precision +# for the affected CVEs. The job is NOT failing. +# RED (non-zero exit): scan did not complete. Do not assume any part +# succeeded — could be reachability hard-failing, a missing language +# toolchain, the runner out of memory, a network/API error, or even the +# underlying CVE/SBOM detection failing. Check the logs and fix before +# relying on results. +# ============================================================================ + +name: Socket reachability scan + +on: + schedule: + - cron: '36 15 * * 0' + workflow_dispatch: + +permissions: + contents: read + +env: + # Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to + # use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove + # after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op). + FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true + +jobs: + socket-scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + with: + node-version: "24.18.0" + - name: Enable Corepack (yarn/pnpm per repo packageManager) + run: corepack enable + + - name: Install Socket CLI + run: npm install -g socket + + - name: Run Socket reachability scan + env: + SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }} + run: | + # Stream the scan output through tee so the run log captures it AND + # we can grep it for Tier-2-fallback markers; capture the scan's + # exit code via ${PIPESTATUS[0]} (tee always exits 0). If the scan + # succeeded but logged a Tier 2 fallback, emit a ::warning:: + # annotation that GitHub Actions renders as a yellow run-level + # warning without failing the job. + set +e + socket scan create --reach \ + --org=stellar \ + --no-interactive \ + --reach-continue-on-no-source-files \ + --reach-continue-on-analysis-errors \ + --reach-continue-on-install-errors \ + --reach-continue-on-missing-lock-files \ + . 2>&1 | tee /tmp/scan.log + rc=${PIPESTATUS[0]} + if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed|Reachability falls back to precomputed" /tmp/scan.log; then + echo "::warning::Socket scan completed with Tier 2 fallbacks - some vulnerabilities used precomputed reachability instead of full Tier 1" + fi + exit $rc From b40a18a6768975b868717f910d7356935feef6b7 Mon Sep 17 00:00:00 2001 From: Elliot Voris Date: Wed, 8 Jul 2026 10:48:43 -0500 Subject: [PATCH 2/3] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .github/workflows/socket-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/socket-scan.yml b/.github/workflows/socket-scan.yml index 63b1bfc1c..bff7bbdaa 100644 --- a/.github/workflows/socket-scan.yml +++ b/.github/workflows/socket-scan.yml @@ -1,6 +1,6 @@ # Socket reachability scan for stellar-docs. # For general Socket reachability documentation, see https://docs.socket.dev/docs/full-application-reachability -# Node project (yarn — yarn.lock). +# Node project (pnpm — pnpm-lock.yaml). # # Schedule: Sun 15:36 UTC weekly. Use workflow_dispatch to run on demand. # From f0d4d9b31ac9294af6edb70dbbfac8f81da62a6f Mon Sep 17 00:00:00 2001 From: Elliot Date: Wed, 8 Jul 2026 10:51:07 -0500 Subject: [PATCH 3/3] remove no-op node24 setting (runs on v24 by default as of june 16) refs: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners --- .github/workflows/socket-scan.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/socket-scan.yml b/.github/workflows/socket-scan.yml index bff7bbdaa..46b2536f7 100644 --- a/.github/workflows/socket-scan.yml +++ b/.github/workflows/socket-scan.yml @@ -33,12 +33,6 @@ on: permissions: contents: read -env: - # Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to - # use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove - # after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op). - FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true - jobs: socket-scan: runs-on: ubuntu-latest