mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-04-25 00:51:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
hermes-agent/.github
History
Teknium ac5b8a478a
ci: add supply chain audit workflow for PR scanning (#2816) 
Scans every PR diff for patterns associated with supply chain attacks:

CRITICAL (blocks merge):
- .pth files (auto-execute on Python startup — litellm attack vector)
- base64 decode + exec/eval combo (obfuscated payload execution)
- subprocess with encoded/obfuscated commands

WARNING (comment only, no block):
- base64 encode/decode alone (legitimate uses: images, JWT, etc.)
- exec/eval alone
- Outbound POST/PUT requests
- setup.py/sitecustomize.py/usercustomize.py changes
- marshal.loads/pickle.loads/compile()

Posts a detailed comment on the PR with matched lines and context.
Excludes lockfiles (uv.lock, package-lock.json) from scanning.

Motivated by the litellm 1.82.7/1.82.8 credential stealer attack
(BerriAI/litellm#24512).
2026-03-24 08:56:04 -07:00
..
ISSUE_TEMPLATE feat: add issue and PR templates 2026-03-05 07:22:39 -08:00
workflows ci: add supply chain audit workflow for PR scanning (#2816) 2026-03-24 08:56:04 -07:00
PULL_REQUEST_TEMPLATE.md docs: add documentation & housekeeping checklist to PR template 2026-03-05 07:23:52 -08:00