From ce7587817cb1c5211aafb8160e48373b81e15c70 Mon Sep 17 00:00:00 2001 From: breaking-break Date: Mon, 17 Nov 2025 09:19:09 +0900 Subject: [PATCH 1/3] feat: integrate Snyk security scanning for dependency vulnerability detection Implements Issue #80 Phase 2-4: - Added GitHub Actions workflow for automated Snyk scanning - Added Snyk policy file (.snyk) for vulnerability management - Created SECURITY.md with security policy and reporting procedures - Added Snyk vulnerability badge to README.md Security scanning includes: - Weekly automated scans (every Monday) - Scans on push/PR to main and production branches - Separate scanning for root and webview projects - GitHub Code Scanning integration via SARIF Closes #80 --- .github/workflows/security-scan.yml | 84 ++++++++++++++++++++ .snyk | 6 ++ README.md | 4 + SECURITY.md | 114 ++++++++++++++++++++++++++++ 4 files changed, 208 insertions(+) create mode 100644 .github/workflows/security-scan.yml create mode 100644 .snyk create mode 100644 SECURITY.md diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml new file mode 100644 index 00000000..df47e3b9 --- /dev/null +++ b/.github/workflows/security-scan.yml @@ -0,0 +1,84 @@ +name: Security Scan + +on: + push: + branches: [main, production] + pull_request: + branches: [main, production] + schedule: + # 毎週月曜日 9:00 JST (00:00 UTC) に実行 + - cron: '0 0 * * 1' + +permissions: + contents: read + security-events: write + actions: read + +jobs: + snyk-security-scan: + name: Snyk Security Scan + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + cache: 'npm' + + - name: Install root dependencies + run: npm ci + + - name: Install webview dependencies + run: | + cd src/webview + npm ci + + # ルートプロジェクトのスキャン + - name: Run Snyk to check root project + uses: snyk/actions/node@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + command: test + args: --severity-threshold=high --file=package.json --project-name=cc-wf-studio-root + + # Webviewプロジェクトのスキャン + - name: Run Snyk to check webview project + uses: snyk/actions/node@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + command: test + args: --severity-threshold=high --file=src/webview/package.json --project-name=cc-wf-studio-webview + + # SARIF形式でのスキャン(GitHub Code Scanning用) + - name: Run Snyk to generate SARIF file + uses: snyk/actions/node@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + command: test + args: --all-projects --severity-threshold=low --sarif-file-output=snyk.sarif + + # すべてのプロジェクトのモニタリング(継続的な監視) + - name: Monitor all projects with Snyk + uses: snyk/actions/node@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + command: monitor + args: --all-projects + + # GitHub Code Scanningへのアップロード + - name: Upload Snyk results to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: snyk.sarif diff --git a/.snyk b/.snyk new file mode 100644 index 00000000..4e826566 --- /dev/null +++ b/.snyk @@ -0,0 +1,6 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.22.1 +# ignores vulnerabilities until expiry date; change duration by modifying expiry date +ignore: {} +# patches apply the minimum changes required to fix a vulnerability +patch: {} diff --git a/README.md b/README.md index f4fa0149..c870f9c7 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,9 @@ # Claude Code Workflow Studio +

+ Known Vulnerabilities +

+

Claude Code Workflow Studio

diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..fa5bbe16 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,114 @@ +# Security Policy + +## Supported Versions + +We release patches for security vulnerabilities. Currently supported versions: + +| Version | Supported | +| ------- | ------------------ | +| 2.x.x | :white_check_mark: | +| < 2.0 | :x: | + +## Reporting a Vulnerability + +We take the security of Claude Code Workflow Studio seriously. If you believe you have found a security vulnerability, please report it to us as described below. + +### Reporting Process + +**Please do NOT report security vulnerabilities through public GitHub issues.** + +Instead, please report them via: + +1. **GitHub Security Advisory** + - Go to the [Security tab](https://github.com/breaking-brake/cc-wf-studio/security/advisories) of this repository + - Click "Report a vulnerability" + - Provide detailed information about the vulnerability + +2. **Email** (if GitHub Security Advisory is not available) + - Contact the maintainers directly via GitHub + - Include "SECURITY" in the subject line + - Provide as much information as possible about the vulnerability + +### What to Include in Your Report + +Please include the following information: + +- Type of vulnerability (e.g., code injection, privilege escalation, etc.) +- Full paths of source file(s) related to the vulnerability +- Location of the affected source code (tag/branch/commit or direct URL) +- Step-by-step instructions to reproduce the issue +- Proof-of-concept or exploit code (if possible) +- Impact of the vulnerability, including how an attacker might exploit it + +### Response Timeline + +- **Acknowledgment**: We will acknowledge receipt of your vulnerability report within 48 hours +- **Initial Assessment**: We will provide an initial assessment within 5 business days +- **Fix & Disclosure**: We aim to release a fix within 30 days, depending on complexity + +## Security Measures + +This project implements the following security measures: + +### Automated Vulnerability Scanning + +- **Snyk**: Continuous monitoring of dependencies for known vulnerabilities + - Weekly automated scans every Monday + - Scans on every push to `main` and `production` branches + - PR-based scanning for all pull requests + - [![Known Vulnerabilities](https://snyk.io/test/github/breaking-brake/cc-wf-studio/badge.svg)](https://snyk.io/test/github/breaking-brake/cc-wf-studio) + +- **GitHub Dependabot**: Automated dependency updates for security patches + +### Development Practices + +- **Code Review**: All changes require review before merging +- **TypeScript Strict Mode**: Type safety enforcement +- **ESLint**: Static code analysis for potential security issues +- **Automated Release**: Semantic Release for controlled versioning + +### VSCode Extension Security + +As a VSCode extension, this project follows [VSCode Extension Security Best Practices](https://code.visualstudio.com/api/references/extension-guidelines#security): + +- **Sandboxed Webview**: UI components run in isolated webview context +- **Content Security Policy**: Strict CSP headers for webview content +- **Input Validation**: All user inputs are validated and sanitized +- **Local-First Design**: Most operations run locally without network access +- **MCP Server Transparency**: Network-dependent MCP tools are clearly documented + +## Known Limitations + +### Network Access (MCP Nodes) + +MCP Tool nodes may require network connectivity depending on the specific MCP server configuration (e.g., remote API servers). Users should: + +- Review MCP server configurations before use +- Only use trusted MCP servers +- Be aware of data transmission when using remote MCP tools + +### File System Access + +This extension requires file system access to: + +- Read/write workflows in `.vscode/workflows/` +- Export agents/commands to `.claude/agents/` and `.claude/commands/` +- Scan Skills in `~/.claude/skills/` and `.claude/skills/` + +All file operations include conflict detection and user confirmation before overwriting. + +## Security Updates + +Security updates are released as patch versions (e.g., 2.5.1) and announced via: + +- GitHub Security Advisories +- GitHub Releases +- CHANGELOG.md + +## Acknowledgments + +We appreciate the security research community's efforts in responsibly disclosing vulnerabilities. Contributors who report valid security issues will be acknowledged in the CHANGELOG (with their permission). + +--- + +For general questions about security, please open a discussion in the [GitHub Discussions](https://github.com/breaking-brake/cc-wf-studio/discussions) section. From c1c969c963e3ac618b2978762d2b3c10e21a7f18 Mon Sep 17 00:00:00 2001 From: breaking-break Date: Mon, 17 Nov 2025 09:25:43 +0900 Subject: [PATCH 2/3] fix: update CodeQL Action from v3 to v4 to avoid deprecation warning --- .github/workflows/security-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index df47e3b9..655dbf6d 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -78,7 +78,7 @@ jobs: # GitHub Code Scanningへのアップロード - name: Upload Snyk results to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 if: always() with: sarif_file: snyk.sarif From 4d5f2b8ea75f0988b2fb93cee0bcd1f376719a43 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 17 Nov 2025 00:36:27 +0000 Subject: [PATCH 3/3] chore(release): 2.6.0 [skip ci] ## [2.6.0](https://github.com/breaking-brake/cc-wf-studio/compare/v2.5.1...v2.6.0) (2025-11-17) ### Features * integrate Snyk security scanning for dependency vulnerability detection ([ce75878](https://github.com/breaking-brake/cc-wf-studio/commit/ce7587817cb1c5211aafb8160e48373b81e15c70)), closes [#80](https://github.com/breaking-brake/cc-wf-studio/issues/80) [#80](https://github.com/breaking-brake/cc-wf-studio/issues/80) ### Bug Fixes * update CodeQL Action from v3 to v4 to avoid deprecation warning ([c1c969c](https://github.com/breaking-brake/cc-wf-studio/commit/c1c969c963e3ac618b2978762d2b3c10e21a7f18)) --- CHANGELOG.md | 10 ++++++++++ package.json | 2 +- src/webview/package-lock.json | 4 ++-- src/webview/package.json | 2 +- 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 746c7a13..d8262273 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +## [2.6.0](https://github.com/breaking-brake/cc-wf-studio/compare/v2.5.1...v2.6.0) (2025-11-17) + +### Features + +* integrate Snyk security scanning for dependency vulnerability detection ([ce75878](https://github.com/breaking-brake/cc-wf-studio/commit/ce7587817cb1c5211aafb8160e48373b81e15c70)), closes [#80](https://github.com/breaking-brake/cc-wf-studio/issues/80) [#80](https://github.com/breaking-brake/cc-wf-studio/issues/80) + +### Bug Fixes + +* update CodeQL Action from v3 to v4 to avoid deprecation warning ([c1c969c](https://github.com/breaking-brake/cc-wf-studio/commit/c1c969c963e3ac618b2978762d2b3c10e21a7f18)) + ## [2.5.1](https://github.com/breaking-brake/cc-wf-studio/compare/v2.5.0...v2.5.1) (2025-11-16) ### Bug Fixes diff --git a/package.json b/package.json index 7d0a281b..890e9bda 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "name": "cc-wf-studio", "displayName": "Claude Code Workflow Studio", "description": "Visual workflow editor for Claude Code Slash Commands, Sub Agents, Agent Skills, and MCP Tools", - "version": "2.5.1", + "version": "2.6.0", "publisher": "breaking-brake", "icon": "resources/icon.png", "repository": { diff --git a/src/webview/package-lock.json b/src/webview/package-lock.json index bb26bb6a..e82b3509 100644 --- a/src/webview/package-lock.json +++ b/src/webview/package-lock.json @@ -1,12 +1,12 @@ { "name": "cc-wf-studio-webview", - "version": "2.5.1", + "version": "2.6.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "cc-wf-studio-webview", - "version": "2.5.1", + "version": "2.6.0", "dependencies": { "react": "^18.2.0", "react-dom": "^18.2.0", diff --git a/src/webview/package.json b/src/webview/package.json index 7a096441..edead7ce 100644 --- a/src/webview/package.json +++ b/src/webview/package.json @@ -1,6 +1,6 @@ { "name": "cc-wf-studio-webview", - "version": "2.5.1", + "version": "2.6.0", "private": true, "type": "module", "scripts": {