
npm-security container code #1

Open
giriparus wants to merge 3 commits into main from init

Conversation

@giriparus (Contributor)

No description provided.

Copilot AI review requested due to automatic review settings December 9, 2025 06:35

Copilot AI left a comment


Pull request overview

This PR introduces a Docker-based security scanning solution for npm dependencies, specifically designed to detect the Sha1-Hulud malware that emerged on November 24, 2025. The container performs security validation of GitHub tokens, installs npm dependencies, and scans JavaScript files for known malicious hashes and patterns.

Key Changes:

  • Implements a containerized npm security scanner with checksum and pattern-based detection
  • Adds token validation to prevent write-access tokens from being used
  • Provides structured exit codes for different failure scenarios (security alerts vs installation errors)

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Dockerfile: Sets up Alpine-based Node.js container with security-focused user permissions
entrypoint.sh: Main security scanning logic including token validation, npm installation, and malware detection
checksums/sha1-hulud.txt: Database of malicious SHA256 hashes for Sha1-Hulud malware detection
patterns/sha1-hulud.txt: Pattern signatures for detecting malicious code structures
README.md: Comprehensive documentation of the security container's usage, features, and integration examples
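The hash-and-pattern scan the overview attributes to entrypoint.sh, written out as an added example in POSIX sh; it is not the PR's own code, and the exit codes, the signature-file formats and the scan_tree function are assumptions made here.

```shell
#!/bin/sh
# Added example, not the PR's own entrypoint.sh: scan a dependency tree for .js
# files whose SHA-256 is on a known-bad list or whose content matches a pattern.
# Exit codes are assumptions chosen here: 0 clean, 2 security alert, 3 bad input.
SCAN_ALERT=2
SCAN_USAGE=3

# scan_tree DIR CHECKSUM_FILE PATTERN_FILE
# Prints "HASH <file> <digest>" or "PATTERN <file> <regex>" for each finding.
# Checksum file: one hex SHA-256 per line; pattern file: one ERE per line.
# Lines starting with # and blank lines are ignored in both, so the lists can be annotated.
scan_tree() {
  dir=$1; sums=$2; pats=$3
  { [ -d "$dir" ] && [ -r "$sums" ] && [ -r "$pats" ]; } || return "$SCAN_USAGE"
  # Normalise digests to lower case so mixed-case entries still match sha256sum output.
  bad_sums=$(grep -v '^#' "$sums" | grep -v '^[[:space:]]*$' | tr 'A-F' 'a-f') || true
  bad_pats=$(grep -v '^#' "$pats" | grep -v '^[[:space:]]*$') || true
  findings=$(find "$dir" -type f -name '*.js' -print | while IFS= read -r f; do
    h=$(sha256sum "$f" | cut -d' ' -f1)
    if printf '%s\n' "$bad_sums" | grep -qx "$h"; then
      printf 'HASH %s %s\n' "$f" "$h"
    fi
    # The pattern check still runs after a hash hit, so every indicator is reported.
    printf '%s\n' "$bad_pats" | while IFS= read -r p; do
      [ -n "$p" ] || continue
      if grep -Eq -e "$p" "$f"; then printf 'PATTERN %s %s\n' "$f" "$p"; fi
    done
  done)
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return "$SCAN_ALERT"
  fi
  return 0
}
```

A caller can map the return value onto the container's exit status directly, which keeps a "security alert" distinguishable from an npm install failure in CI.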


Dockerfile (Outdated)

WORKDIR /home/node/test

COPY .npmrc /home/node/.npmrc

Copilot AI Dec 9, 2025


The Dockerfile copies .npmrc but this file is not included in the PR. If .npmrc doesn't exist in the repository, the Docker build will fail. Either add the .npmrc file or make this copy operation conditional.

Suggested change
COPY .npmrc /home/node/.npmrc
RUN if [ -f .npmrc ]; then cp .npmrc /home/node/.npmrc; fi
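Review bot: the suggested `RUN if [ -f .npmrc ]; then cp .npmrc /home/node/.npmrc; fi` tests for the file inside the image, not in the build context, so once the COPY it replaces is gone the test is always false and nothing is ever copied. If the file is meant to be optional, keep it as a COPY and list it as a wildcard next to a source that always exists (for example `COPY entrypoint.sh .npmrc* /home/node/`), since COPY tolerates an unmatched wildcard as long as at least one source matches; otherwise commit the .npmrc and keep the original line. Separately, an .npmrc usually carries an npm auth token, and COPY bakes it into an image layer that ships with the scanner; a BuildKit secret mount on the install step (`RUN --mount=type=secret,id=npmrc,target=/home/node/.npmrc ...`) or a bind mount at run time keeps the token out of the image entirely.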

WORKDIR /home/node/test

COPY .npmrc /home/node/.npmrc
COPY entrypoint.sh /entrypoint.sh

Copilot AI Dec 9, 2025


The checksum and pattern files in the checksums/ and patterns/ directories are not copied into the Docker image, but entrypoint.sh references them. This will cause the security scanning to fail silently. Add COPY commands for these directories.

Suggested change
COPY entrypoint.sh /entrypoint.sh
COPY entrypoint.sh /entrypoint.sh
COPY checksums/ /home/node/test/checksums/
COPY patterns/ /home/node/test/patterns/
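Review bot: the suggested `COPY checksums/ /home/node/test/checksums/` and `COPY patterns/ /home/node/test/patterns/` place the signature lists inside WORKDIR /home/node/test, the same tree in which entrypoint.sh installs the dependencies it is about to scan; install scripts of those dependencies run under the same account and in the same directory, so they can read or alter the lists before the scan consults them. Put the lists outside the scanned tree and make them unwritable by the scanning user, for example `COPY --chown=root:root checksums/ /opt/scanner/checksums/` with the matching path in entrypoint.sh, and have the script exit non-zero when a list is missing or empty instead of scanning against an empty set, which is the silent failure the comment above points at.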
