mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-04-25 00:51:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
hermes-agent/.github/workflows
History
Teknium ac5b8a478a
ci: add supply chain audit workflow for PR scanning (#2816) 
Scans every PR diff for patterns associated with supply chain attacks:

CRITICAL (blocks merge):
- .pth files (auto-execute on Python startup — litellm attack vector)
- base64 decode + exec/eval combo (obfuscated payload execution)
- subprocess with encoded/obfuscated commands

WARNING (comment only, no block):
- base64 encode/decode alone (legitimate uses: images, JWT, etc.)
- exec/eval alone
- Outbound POST/PUT requests
- setup.py/sitecustomize.py/usercustomize.py changes
- marshal.loads/pickle.loads/compile()

Posts a detailed comment on the PR with matched lines and context.
Excludes lockfiles (uv.lock, package-lock.json) from scanning.

Motivated by the litellm 1.82.7/1.82.8 credential stealer attack
(BerriAI/litellm#24512).
2026-03-24 08:56:04 -07:00
..
deploy-site.yml feat: add documentation website (Docusaurus) 2026-03-05 05:24:55 -08:00
docs-site-checks.yml docs: stabilize website diagrams 2026-03-14 22:49:57 -07:00
supply-chain-audit.yml ci: add supply chain audit workflow for PR scanning (#2816) 2026-03-24 08:56:04 -07:00
tests.yml test: parallelize test suite with pytest-xdist 2026-03-09 20:47:34 -05:00