* feat: add Dependabot configuration for GitHub Actions, npm, and pip updates
feat: implement CodeQL analysis workflow for security scanning
fix: update permissions in community advisory workflow for better access control
fix: adjust permissions in poll NVD CVEs workflow for enhanced functionality
fix: update Scorecard workflow to use specific version of upload-sarif action
fix: refine permissions in skill release workflow for improved security and functionality
* feat: add guidance documentation for agents and development setup
* Update .github/workflows/codeql.yml
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
---------
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
This workflow analyzes the supply-chain security of the repository using Scorecard and uploads the results.
Co-authored-by: davida-ps <david.a@prompt.security>
* ci: sign advisory feed and checksums in workflows
* feat(clawsec-suite): add verifier-side signature and checksum enforcement
Implements cryptographic verification for advisory feed loading:
- Ed25519 detached signature verification for feed.json
- Supports raw base64 and JSON-wrapped signature formats
- Pinned public key at advisories/feed-signing-public.pem
- SHA-256 checksum manifest (checksums.json) verification
- Signed checksums.json.sig prevents partial artifact substitution
- Verifies feed.json, feed.json.sig, and public key against manifest
- Remote feed: returns null on verification failure (triggers fallback)
- Local feed: throws on verification failure (hard fail)
- No silent bypass of verification
- CLAWSEC_ALLOW_UNSIGNED_FEED=1 temporarily bypasses verification
- Warning logged when bypass mode is enabled
- Intended for transition period only
- guarded_skill_install without --version matches any advisory for skill
- Encourages explicit version specification
- scripts/sign_detached_ed25519.mjs - signing utility
- scripts/verify_detached_ed25519.mjs - verification utility
- scripts/generate_checksums_json.mjs - checksum manifest generator
- test/feed_verification.test.mjs - 14 verification tests
- test/guarded_install.test.mjs - 6 install flow tests
- hooks/.../lib/feed.mjs - full rewrite with verification
- hooks/.../handler.ts - verification options integration
- scripts/guarded_skill_install.mjs - verification integration
- skill.json - v0.0.9, new SBOM entries, openssl requirement
- SKILL.md - signed install flow, env vars documentation
- HOOK.md - new environment variables
- ci.yml - added verification test job
Refs: fail-closed verification, Ed25519 signatures, checksum manifests
* fix: update action versions in CI workflows for improved stability
* chore(clawsec-suite): bump version to 0.0.10
* feat: enhance security measures in asset deployment and add changelog for version history
* feat: add dry-run signing for advisory artifacts and generate checksums
* fix: enhance error handling in loadRemoteFeed for security policy violations
* feat: implement Ed25519 signing and verification for advisory artifacts and checksums
* feat: implement signing and verification for advisory artifacts and checksums in workflows
* feat: update dry-run signing key generation to use Ed25519 algorithm
* feat: update Ed25519 signing and verification to use -rawin flag for compatibility
* feat: add public key copying to advisory directory and implement safe basename extraction for URLs
* feat: remove Product Hunt promotion section from README and Home page
* feat: add clawsec-advisory-guardian hook for advisory monitoring and user approval
- Implemented clawsec-advisory-guardian hook to detect advisories for installed skills.
- Added handler for processing advisory matches and notifying users.
- Created scripts for setting up advisory hooks and cron jobs for periodic scans.
- Introduced guarded skill installation script requiring user confirmation for high-risk advisories.
- Updated skill.json to reflect new features and embedded components for advisory monitoring.
* chore(clawsec-suite): bump version to 0.0.8
* feat: enhance release script to support version tagging and improve install function
* fix: use globalThis for AbortController and timeout functions in loadRemoteFeed
* Update scripts/release-skill.sh
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Update skills/clawsec-suite/scripts/guarded_skill_install.mjs
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Update scripts/release-skill.sh
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Normalize version input by removing leading 'v' in versionMatches function
* Add dirName property to InstalledSkill and update alert message paths
* Enhance file permission handling in persistState function and add warning for chmod errors
* Refactor advisory guardian hook: modularize utility functions, version handling, and feed management
- Moved utility functions (isObject, normalizeSkillName, uniqueStrings) to lib/utils.mjs
- Created version handling functions (parseSemver, compareSemver, versionMatches) in lib/version.mjs
- Implemented feed management functions (parseAffectedSpecifier, isValidFeedPayload, loadRemoteFeed) in lib/feed.mjs
- Updated handler.ts to utilize new modular functions for improved readability and maintainability
- Added new types and state management in lib/types.ts and lib/state.ts
- Updated scripts to reflect new file structure and dependencies
* Update skills/clawsec-suite/hooks/clawsec-advisory-guardian/lib/matching.ts
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Add published field to Advisory type and refine version matching logic
* Set default version to "unknown" in discoverInstalledSkills and adjust versionMatches logic
* Update skills/clawsec-suite/hooks/clawsec-advisory-guardian/lib/version.mjs
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Update skills/clawsec-suite/hooks/clawsec-advisory-guardian/lib/matching.ts
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Update skills/clawsec-suite/hooks/clawsec-advisory-guardian/lib/version.mjs
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
---------
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Refactor skill packaging and checksum generation process
- Removed .skill package creation from the skill-release workflow and scripts, focusing on checksum generation only.
- Updated README and SKILL.md files to reflect new installation methods using clawhub.
- Simplified the skill checksums generator script to only generate checksums without packaging.
- Adjusted installation instructions across various skills to promote clawhub for easier installation.
- Enhanced error handling and verification steps in the installation scripts for individual files.
* Add ext-docs to .gitignore to exclude documentation files from version control
dependabot[bot]
davida-ps
Zvika Ronen