opencode
How does opencode handle security checks?
Question
I noticed the "Security" blank for this project. So I implemented a fork to add some code scanning workflows: here. There appears to be a substantial number of vulnerabilities, some of which are critical:
Is this being worked somewhere else?
This issue might be a duplicate of existing issues. Please check:
- #2887: Both issues identify missing security practices and ask if security measures are being implemented elsewhere. #2887 focuses on NPM publishing and supply chain security while this issue covers code scanning vulnerabilities.
- #2748: Addresses security vulnerabilities in the permission system where MCP tools can bypass permission controls
- #3585: Proposes security enhancements through pattern-based directory access restrictions to prevent exposure of sensitive files
Feel free to ignore if none of these address your specific case.
I think some of these aren't actually as big a deal as they seem but there are some low hanging fruit and we shouldn't have blank security for this so I will take a look.
Awesome! Feel free to add these automated workflows. It would be good practice to perform these periodically to catch emerging threats/vulnerabilities.
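The fork's workflows are not visible on the page, so as an added example (not the fork's own workflow and not anything from the opencode repository) here is what a minimal GitHub code-scanning workflow for a TypeScript project looks like, with a scheduled run so newly published CodeQL queries are applied to unchanged code between commits, as the comment above suggests. The branch name `main` and the `security-extended` query suite are assumptions; adjust both to the actual repository.

```yaml
# Added example, not from the opencode repository or the linked fork.
# Assumes a JavaScript/TypeScript code base and a default branch named
# "main"; change "languages" and "branches" to match the real repo.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly run: picks up new CodeQL queries even when no commits land.
    - cron: "17 3 * * 1"

permissions:
  contents: read
  security-events: write   # needed to upload SARIF results to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          # "security-extended" adds lower-confidence queries on top of the
          # default suite; drop this line if the alert volume is too noisy.
          queries: security-extended

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"
```

Results land under the repository's Security tab as code scanning alerts. Alerts marked critical or high are the ones to triage first; a `security-extended` finding is often a lower-confidence query, so check whether the flagged path is actually reachable with attacker-controlled input before filing it as a vulnerability.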
@qu4n I can't see what workflows you set up: https://github.com/qu4n/opencode/security/code-scanning
This appears to be private
Hmmm, I didn't realize GitHub did this. Maybe I'll try to mirror in GitLab to leverage their SAST.