ci: supply-chain security gate (OSV-Scanner + Socket) [failproofai-394]

[NiveditJain]

What & why

Step one of hardening the project against supply-chain attacks. The repo had no dependency-security scanning, so a malicious or vulnerable dependency (including via Dependabot bumps) could land unnoticed. This adds a CI gate that flags supply-chain threats on every PR.

The gate — OSV-Scanner (.github/workflows/osv-scanner.yml)

• Scans the resolved bun.lock tree against OSV.dev — GitHub/npm advisories plus the OpenSSF malicious-packages feed (confirmed malware: typosquats, account-takeover injections, …).
• Policy: block on any finding — fails on any known-vulnerable/malicious package, not just newly-introduced ones.
• Runs on every PR (incl. Dependabot), pushes to main, and weekly (catches advisories disclosed after merge).
• A single contents: read job calls the SHA-pinned osv-scanner-action directly and fails on any finding (the scanner exits non-zero). contents: read keeps it working on Dependabot's read-only token. The osv-scanner.toml allow-list is auto-loaded from the repo root.

Behavioral layer — Socket

OSV-Scanner is advisory-based. Socket (via its GitHub App) adds behavioral detection of novel attacks (malicious install scripts, suspicious network/fs access, obfuscation) before they reach any advisory DB. See SECURITY.md.

Remediation (required by block-on-any-finding)

The new gate surfaced 18 pre-existing transitive advisories (9 High, 9 Medium) in brace-expansion, flatted, minimatch, picomatch, postcss, vite, ws. All fixable — remediated by refreshing bun.lock within range, plus two overrides:

• postcss → patched 8.5.x (Next.js pins the vulnerable 8.4.31).
• eslint-plugin-react-hooks held at main's 7.0.1, so the refresh doesn't also bump the linter (avoids unrelated lint-rule churn).

Scan now reports "No issues found."

Also added

• SECURITY.md — policy, triage/allow-list runbook, maintainer setup, vulnerability reporting.
• osv-scanner.toml — documented allow-list (currently empty; tree is clean).
• README supply chain status badge.

Validation

• ✅ OSV scan: clean (0 findings)
• ✅ bun run lint: 0 errors (matches main)
• ✅ bun run build: success (Next build OK with the postcss override)
• ✅ bun run test:run: 1690 passed
• ✅ actionlint: clean

Maintainer follow-ups (need repo admin; see SECURITY.md)

1. Install the Socket GitHub App.
2. Add the OSV-Scanner check (OSV-Scanner) as a required status check for main.
3. (optional) Add SOCKET_SECURITY_API_KEY + Socket CI action.

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Added automated supply-chain security scanning on PRs, main-branch pushes, and weekly runs to block known vulnerable/malicious dependencies.

• Documentation

  • Added a security policy with reporting and triage guidance.
  • Updated the README with a scanner status badge.
  • Added a config for managing scanner allow-list/ignores.
  • Updated the changelog entry for the release.

• Chores

  • Pinned specific transitive dependency versions to stabilize installs.

[coderabbitai]

Warning

Review limit reached

@NiveditJain, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 28 minutes and 55 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fe6074cb-f9fe-4269-8a3a-06f488938ced

📥 Commits

Reviewing files that changed from the base of the PR and between 1f74206 and 157913d.

📒 Files selected for processing (2)

• .github/workflows/osv-scanner.yml
• SECURITY.md

📝 Walkthrough

Walkthrough

Adds an OSV-Scanner GitHub Actions job that checks out the repo and scans bun.lock on PRs, pushes to main, and weekly; plus SECURITY.md, osv-scanner.toml, targeted package.json overrides, and changelog/README updates.

Changes

Supply Chain Security Implementation

Layer / File(s)	Summary
OSV-Scanner CI workflow and permissions .github/workflows/osv-scanner.yml	Adds a single osv-scanner job that checks out the repository and runs google/osv-scanner-action --lockfile=bun.lock on PRs to main, pushes to main, weekly cron, and workflow_dispatch; sets workflow-level contents: read permissions.
Security policy and scanner configuration SECURITY.md, osv-scanner.toml	New SECURITY.md describes private reporting, OSV-Scanner as a blocking CI gate with triage guidance and Socket as an advisory layer. osv-scanner.toml documents the ignore/allow-list structure and states there are currently no ignored vulnerabilities.
Dependency version pinning package.json	Adds an overrides section pinning postcss to 8.5.14 and eslint-plugin-react-hooks to 7.0.1.
Release documentation and visibility CHANGELOG.md, README.md	CHANGELOG.md adds a 0.0.11-beta.3 feature bullet describing the OSV-Scanner supply-chain gate and remediation guidance; README.md gains a workflow badge for the OSV scanner.

🎯 3 (Moderate) | ⏱️ ~20 minutes

"I hop through locks with tiny paws so spry,
I sniff the deps and cast a watchful eye,
A scanner barks, Socket hums its tune,
Together we guard the code by moon and noon."

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'ci: supply-chain security gate (OSV-Scanner + Socket)' clearly and concisely summarizes the main change: adding a CI security gate for supply-chain threat detection.
Description check	✅ Passed	The PR description is comprehensive and well-structured, covering the what/why, implementation details, remediation, validation, and follow-ups; while it doesn't follow the exact template structure, it provides all necessary context.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/osv-scanner.yml:
- Around line 39-40: Update the "Checkout" step that uses
actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 to disable credential
persistence by adding the with: persist-credentials: false setting; locate the
step named "Checkout" (the block that calls uses: actions/checkout@...) and add
the persist-credentials: false under its with configuration so the GitHub token
is not written to local git config.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7ed5b21c-da53-4a70-923c-7e7aae6b4ec8

📥 Commits

Reviewing files that changed from the base of the PR and between 5c0e0b6 and 1f74206.

📒 Files selected for processing (2)

• .github/workflows/osv-scanner.yml
• SECURITY.md

✅ Files skipped from review due to trivial changes (1)

• SECURITY.md