Automatic security scanning via Github's free tooling #661
g105b
announced in
Announcements
Replies: 0 comments
All PHP.GT repositories have just had a new GitHub Action enabled by default, which scans everything from unit tests to Actions workflow files for security vulnerabilities. CodeQL and Dependabot can be enabled via the Security tab on any repository - and some minor patches have already been gathered.
CodeQL immediately caught an issue with how GitHub Actions was set up across the PHP.GT repositories - in between workflow runs, there was a very short period of time where the action's artifacts could be intercepted via the GitHub API, the GitHub token extracted and used to perform a malicious act on the codebase or repository settings. A quick patch bolting down the permissions of the runner was provided automatically after the first test run, and now every time any commit is made, a full repository scan is performed.
Dependabot checks all upstream requirements for security vulnerabilities, and if any issues are detected, will try to automatically patch a fix in a new pull request. Already, a vulnerability has been discovered and patched! The www.php.gt website repository relies on Markdown for its content management (from GitHub Wikis). The thephpleague/commonmark library is used to convert Markdown to HTML, but a vulnerability was detected where a malicious user could write some code within a GitHub Wiki markdown file, so that it would get executed on the server when converting to HTML! Sounds scary, but before the code could even be deployed to the server there was a PR raised to fix this.
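The "bolting down" described above is, in practice, a top-level `permissions:` block in the workflow file. Without one, the job's `GITHUB_TOKEN` inherits the repository's default token permissions, which may include write access, so anything that runs inside the job (a third-party action, a compromised dependency) can use it. The following is an added example, not a PHP.GT workflow file: it assumes a PHP project tested with PHPUnit via Composer and a CodeQL scan of the workflow files themselves (the `actions` CodeQL language). Action names and versions are the public ones at the time of writing; the job names are made up.

```yaml
# .github/workflows/ci.yml  (illustrative example, not PHP.GT's own file)
name: CI

on:
  push:
  pull_request:

# The fix CodeQL suggests: declare the least privilege the whole workflow
# needs. Jobs that need more (e.g. uploading CodeQL results) raise it
# themselves. Before this block existed, the token's rights were whatever
# the repository's default setting handed out, potentially read/write.
permissions:
  contents: read

jobs:
  test:
    # Inherits the workflow-level read-only token; nothing here can push,
    # edit settings, or open PRs even if a step is compromised.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with:
          php-version: "8.3"
      - run: composer install --no-interaction --prefer-dist
      - run: vendor/bin/phpunit

  codeql:
    runs-on: ubuntu-latest
    # Only this job gets the extra scope needed to upload scan results.
    permissions:
      contents: read
      actions: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          # 'actions' scans the workflow files under .github/workflows,
          # which is how the missing-permissions finding above surfaced.
          languages: actions
      - uses: github/codeql-action/analyze@v3
```

Two checks worth making after adding the block: confirm under Settings > Actions > General that the default token permission is "Read repository contents and packages" rather than read/write (the block above protects this file, but the setting protects workflows that forget it), and re-run the CodeQL scan to see the "workflow does not contain permissions" alert close.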
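Dependabot's security updates (the kind that raised the commonmark PR above) are switched on from the Security tab and need no file in the repository. What the repository can add is a `.github/dependabot.yml` that also keeps dependencies current on a schedule, so a vulnerable version is less likely to be in use when an advisory lands. The following is an added example, not taken from any PHP.GT repository; it assumes a Composer-managed PHP project with its `composer.json` at the repository root.

```yaml
# .github/dependabot.yml  (illustrative example, not PHP.GT's own file)
version: 2
updates:
  # PHP libraries such as thephpleague/commonmark live in composer.json /
  # composer.lock, so the "composer" ecosystem is what covers them.
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    # Keep routine bumps manageable; security PRs are raised regardless
    # of this cadence once security updates are enabled in the Security tab.
    open-pull-requests-limit: 5

  # The workflow files are dependencies too: pinned action versions
  # (actions/checkout@v4, github/codeql-action/analyze@v3, ...) get the
  # same treatment, closing the gap between an action's fix and its use.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

The `github-actions` entry is the one people most often leave out; it is what keeps the CodeQL and checkout actions in the CI workflow on supported releases without anyone remembering to bump them.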
The reason I'm writing this update is because I'm so impressed with the free security tooling available to open source projects. I urge every open source contributor to check the Security tab on their GitHub repositories and see what options are available. You may be as pleasantly surprised as I was.
Thank you GitHub, and thank you to the many contributors that make all of this possible!