milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
1223 commits 61 branches 106 tags 3.3 MiB
Commit graph

1223 commits

This branch
This branch
All branches
Author SHA1 Message Date
bitterpanda
f2cce7b7e9 temp: skip if branch already exists instead of checking for PR 2026-05-19 14:56:15 -07:00
bitterpanda
0b46c5408b
Update bump-endpoint.yml 2026-05-19 14:55:22 -07:00
bitterpanda
07b8571758 temp: post compare URL to Slack instead of creating PR 2026-05-19 14:52:37 -07:00
bitterpanda
3f0837c65a temp: use open-source-releaser runner 2026-05-19 14:48:23 -07:00
bitterpanda
47e9ed0f6c temp: trigger bump-endpoint on push to test 2026-05-19 14:47:33 -07:00
bitterpanda
cbbbe703d3 Add a slack webhook curl req for endpoint bumps 2026-05-19 14:45:26 -07:00
bitterpanda
9d44eca1d1
Apply suggestion from @bitterpanda63 2026-05-19 14:39:04 -07:00
bitterpanda
b38aba43dd Create a bump-endpoint.yml workflow 2026-05-19 14:37:02 -07:00
bitterpanda
93c264ef84
Merge pull request #463 from AikidoSec/remove-npm-token 
Remove obsolete npm token from pipeline
 2026-05-18 09:55:47 -07:00
Sander Declerck
34898980d7
Remove obsolete npm token from pipeline 2026-05-18 10:24:37 +02:00
Reinier Criel
a5c29d9e49
Merge pull request #399 from greenpixie/feat/pdm-support 
Support for PDM package manager (Python)
 2026-05-15 08:43:38 -07:00
Chris Ingram
bf2d37d114
Merge branch 'main' into feat/pdm-support 2026-05-15 08:46:06 +01:00
Sander Declerck
65a8075b0e
Merge pull request #459 from AikidoSec/bug/execpath 
unset PKG_EXECPATH before invoking safe-chain binary
 2026-05-15 09:11:32 +02:00
Chris Ingram
a1b89a55f8
Make block-count assertions count-agnostic in bun e2e 
Bun retries blocked downloads, so the count in "blocked N malicious
package downloads" can be >1. Match on the surrounding text rather than
a fixed count to keep the assertion robust.

Also drops the brittle "pdm update updates dependencies" case.
 2026-05-14 17:16:57 +01:00
Chris Ingram
8ab5cebd4f
Match actual block output in pdm e2e assertions 
The user-facing message is "Safe-chain: blocked N malicious package
downloads", not "blocked by safe-chain" (which only appears in the
proxy's HTTP response, not the rendered CLI output).
 2026-05-14 16:48:18 +01:00
Chris Ingram
ffe7f8de1f
Use numpy==2.4.4 as test malware in pdm e2e tests 
The safe-chain-pi-test package no longer exists on PyPI. Aikido now
patches numpy==2.4.4 into the malware list for tests, matching the
pattern already used in the poetry e2e suite.
 2026-05-14 16:28:50 +01:00
Chris Ingram
54db058ac7
Use getPackageManagerList in safe-chain setup help text 
The install message in `safe-chain setup` help was hardcoding a stale
list of package managers (missing uv, uvx, poetry, pipx, pdm). Use the
existing getPackageManagerList() helper so the list stays in sync with
knownAikidoTools.
 2026-05-14 10:04:18 +01:00
Chris Ingram
8453012f7b
Merge remote-tracking branch 'aikido/main' into feat/pdm-support 2026-05-14 09:51:31 +01:00
Reinier Criel
e0e06431d1 Fix tests 2026-05-13 20:28:58 -07:00
Reinier Criel
6cdad3df98 Fix tests 2026-05-13 20:27:27 -07:00
Reinier Criel
d9b7aefd34 unset PKG_EXECPATH before invoking safe-chain binary 2026-05-13 14:33:58 -07:00
Reinier Criel
0c8de1e606
Merge pull request #382 from mcmeeking/feature/add-rush-monorepo-support 
Add Rush support (for monorepos)
 2026-05-12 10:03:34 -07:00
James McMeeking
fde0003a0a
Fix expected format to account for retries 
Count is apparently not deterministic
 2026-05-12 17:33:31 +01:00
James McMeeking
c93f1920fb
Skip min safe age to allow brand new PNPM boostrap 2026-05-12 16:53:51 +01:00
James McMeeking
d812231b2f
Merge branch 'main' into feature/add-rush-monorepo-support 2026-05-12 16:43:38 +01:00
Sander Declerck
e5cd9eed91
Merge pull request #453 from AikidoSec/fix-e2e-pnpm 
E2E: Use pnpm 10 in node versions that don't support pnpm 11
 2026-05-12 17:27:17 +02:00
James McMeeking
25d966bfa9
Switch to using the versions from the CI matrix 
Incorporates the actual Rush and PNPM versions instead of pinning an old known-good version of PNPM
 2026-05-12 10:52:38 +01:00
James McMeeking
5f0ad7ecfd
Address e2e suite failures 2026-05-12 10:33:26 +01:00
Sander Declerck
6667e5d7b4
E2E: Use pnpm 10 in node versions that don't support pnpm 11 2026-05-11 16:04:27 +02:00
James McMeeking
e891d1a992
Update e2e suite to cover supported package managers 2026-05-08 13:13:37 +01:00
James McMeeking
26f1dfb81a
Use the standard install command for rush 2026-05-08 13:12:57 +01:00
James McMeeking
7ce44b4c62
Remove the unecessary proxy setting 2026-05-08 13:12:40 +01:00
James McMeeking
28132ba3fc
Merge branch 'main' into feature/add-rush-monorepo-support 2026-05-08 11:25:47 +01:00
James McMeeking
55f2123f5c
Remove the normalisation bits added in error 2026-05-08 11:25:07 +01:00
James McMeeking
5f56114185
Add e2e tests 
Note: rushx only dispatches package.json scripts, so it's probably not necessary to add it as a distinct manager at all.
 2026-05-08 11:24:17 +01:00
James McMeeking
08ae1ef732
Pull parsing logic into distinct file and remove invalid continue 2026-05-08 11:08:58 +01:00
bitterpanda
2eb32d4297
Merge pull request #446 from AikidoSec/troubleshooting-guide 
moved troubleshooting from docs to repo
 2026-05-06 16:53:43 +08:00
Samuel Vandamme
fbe094802e reverted copy 2026-05-06 10:51:35 +02:00
Samuel Vandamme
bd876275b3 updated troubleshooting guide and linked from readme 2026-05-06 10:51:13 +02:00
Samuel Vandamme
cd5040c3be moved troubleshooting from docs to here 2026-05-06 10:47:37 +02:00
Reinier Criel
7b39239b81
Merge pull request #444 from AikidoSec/feat/bump-endpoint-1-3-4 
Bump Endpoint to 1.3.4
 2026-05-01 15:20:07 -07:00
Reinier Criel
369a94948a Bump Endpoint to 1.3.4 2026-05-01 14:34:35 -07:00
James McMeeking
98a1ba7d10
Add rushx support too 
Co-authored-by: Copilot <copilot@github.com>
 2026-05-01 17:04:38 +01:00
James McMeeking
5cf2ffe201
Merge branch 'main' into feature/add-rush-monorepo-support 2026-05-01 16:49:49 +01:00
Reinier Criel
cb8db6c7a2
Merge pull request #443 from AikidoSec/vbump-v1.3.3 
Bump Endpoint Protection to latest
 2026-05-01 07:26:31 -07:00
Tudor Timcu
f4aa444cd8
Bump Endpoint Protection to latest 2026-05-01 14:43:41 +03:00
bitterpanda
da419a7785
Merge pull request #442 from AikidoSec/feat/readme-pypi-conf 
Add PIP_CONFIG_FILE section in readme
 2026-05-01 11:53:16 +02:00
Sander Declerck
00be33aa10
Merge pull request #423 from xandervr/security/proxy-loopback-only 
Bind registry proxy to loopback only
 2026-04-30 23:46:02 -07:00
Reinier Criel
a0f0372e15 Add PIP_CONFIG_FILE section in readme 2026-04-30 15:21:51 -07:00
Xander Van Raemdonck
19d2dee5c9
Bind registry proxy to loopback only 
Without an explicit host, `server.listen(0)` binds to every interface,
turning safe-chain's unauthenticated forward proxy into an open relay
while `aikido-*` commands are running. Anyone reachable on the network
can use it to hit the victim's localhost, intranet, or cloud metadata
endpoints. The advertised HTTPS_PROXY URL already used `localhost`
(loopback), but the listener itself was wide open.

Bind to 127.0.0.1 explicitly and update the advertised URL to match.
Add a regression test that verifies the listener refuses connections
on non-loopback interfaces.
 2026-04-30 20:37:41 +02:00