Add one-command security tools setup and pre-push scanning#1185
Add one-command security tools setup and pre-push scanning#1185John-David Dalton (jdalton) wants to merge 1 commit intomainfrom
Conversation
One command to set up AgentShield, zizmor, and Socket Firewall. Downloads binaries with SHA-256 verification, creates PATH shims (bash + Windows .cmd), and adds blocking scans to pre-push hook.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 4 potential issues.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: SFW free shims disable SSL verification globally
- Removed the
export GIT_SSL_NO_VERIFY=trueline and its comment from the sfw-free shim generation code, eliminating the global SSL verification bypass.
- Removed the
Or push these changes by commenting:
@cursor push 6216e6d7db
Preview (6216e6d7db)
diff --git a/.claude/hooks/setup-security-tools/index.mts b/.claude/hooks/setup-security-tools/index.mts
--- a/.claude/hooks/setup-security-tools/index.mts
+++ b/.claude/hooks/setup-security-tools/index.mts
@@ -273,10 +273,6 @@
'fi',
)
}
- if (!isEnterprise) {
- // Workaround: sfw-free does not yet set GIT_SSL_CAINFO (temporary).
- bashLines.push('export GIT_SSL_NO_VERIFY=true')
- }
bashLines.push(`exec "${binaryPath}" "${realBin}" "$@"`)
const bashContent = bashLines.join('\n') + '\n'
const bashPath = path.join(shimDir, cmd)You can send follow-ups to the cloud agent here.
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit e9a48c5. Configure here.
| stream.on('end', () => resolve(hash.digest('hex'))) | ||
| stream.on('error', reject) | ||
| }) | ||
| } |
There was a problem hiding this comment.
Unused sha256File function is dead code
Low Severity
The sha256File function is defined but never called anywhere in the codebase. It also causes createReadStream to be imported unnecessarily. The actual SHA-256 verification is handled by httpDownload (via the sha256 option) and downloadBinary, making this function completely dead code.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit e9a48c5. Configure here.
| if (!isEnterprise) { | ||
| // Workaround: sfw-free does not yet set GIT_SSL_CAINFO (temporary). | ||
| bashLines.push('export GIT_SSL_NO_VERIFY=true') | ||
| } |
There was a problem hiding this comment.
SFW free shims disable SSL verification globally
High Severity
The sfw-free shims inject export GIT_SSL_NO_VERIFY=true into every package manager invocation. This disables SSL certificate verification for all git operations performed by the wrapped command, exposing users to man-in-the-middle attacks. Particularly concerning for a security tool — any pip install or cargo install from a git source would skip TLS verification.
Reviewed by Cursor Bugbot for commit e9a48c5. Configure here.
| if [ -n "$latest_release" ]; then | ||
| range="$latest_release..$local_sha" | ||
| else | ||
| range="$local_sha" |
There was a problem hiding this comment.
Single-SHA range breaks diff and scans all history
Medium Severity
When no remote default branch and no release tags exist, range is set to a bare $local_sha instead of a two-dot range. This causes git rev-list to enumerate the entire commit history (every ancestor), scanning all commit messages for AI attribution. It also causes git diff --name-only to compare against the working tree rather than listing changed files across commits, producing incorrect file lists for the security checks.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit e9a48c5. Configure here.
| latest_release=$(git tag --list 'v*' --sort=-version:refname --merged "$remote_sha" | head -1) | ||
| if [ -n "$latest_release" ]; then | ||
| # Only check commits after the latest release that are being pushed. | ||
| range="$latest_release..$local_sha" |
There was a problem hiding this comment.
Existing branch re-scans already-pushed commits since release
Medium Severity
For an existing branch with a release tag, range is set to $latest_release..$local_sha instead of $remote_sha..$local_sha. This includes commits that were already on the remote (between the release tag and $remote_sha), causing redundant rescanning of previously validated commits and potential false positives from old commits that cannot be fixed without rewriting public history.
Reviewed by Cursor Bugbot for commit e9a48c5. Configure here.
1 participant
What this adds
/setup-security-toolscommandOne command to download and configure all three security tools:
Prompts for a Socket API key (enterprise features), downloads binaries with SHA-256 verification, creates PATH shims (bash + Windows .cmd).
Pre-push scanning
Adds AgentShield + zizmor blocking scans to the pre-push hook. Every push is automatically checked.
Files
.claude/hooks/setup-security-tools/— setup script + README.claude/commands/setup-security-tools.md— the slash command.git-hooks/pre-push— updated with security pre-checks.claude/skills/security-scan/SKILL.md— cross-references the hook.gitignore— tracks hooks and settingsNote
Medium Risk
Medium risk because it adds a mandatory
pre-pushgate that can block developer pushes and introduces a script that downloads/executes platform binaries and installs PATH shims, which may affect local environments.Overview
Adds a new
/setup-security-toolscommand plus a.claude/hooks/setup-security-toolsNode script to bootstrap AgentShield, zizmor, and Socket Firewall locally, including SHA-verified binary downloads, caching under~/.socket/, and generation of package-manager shims (with enterprise mode enabled viaSOCKET_API_KEY).Introduces a new
.git-hooks/pre-pushhook that blocks pushes when AgentShield or zizmor detect issues and adds additional commit/file checks (AI attribution, secret patterns, and disallowed files). Updates.gitignoreto keep.claude/hooks/and.claude/settings.jsontracked.Reviewed by Cursor Bugbot for commit e9a48c5. Configure here.