Implement EdgeScan local integration script for macOS developers in package.json#155
…ackage.json Fixes #154
Reviewer's Guide

Adds a macOS-focused local EdgeScan DAST workflow, introduces separate npm scripts for CI/agent vs local scanning, documents the setup, and aligns React Router DOM versions and script formatting across UI packages.

Sequence diagram for pnpm edgescan:dev local DAST workflow on macOS

```mermaid
sequenceDiagram
    actor Developer
    participant Terminal
    participant pnpm
    participant AppleNativeContainers
    participant EdgeScanContainer
    participant EdgeScanAPI
    Developer->>Terminal: pnpm run edgescan:dev
    Terminal->>pnpm: Execute edgescan:dev script
    pnpm->>AppleNativeContainers: container run --tty --rm --platform linux/amd64 edgescan/cicd-integration:latest
    AppleNativeContainers->>EdgeScanContainer: Start container with ES_API_TOKEN and asset id 74096
    EdgeScanContainer->>EdgeScanAPI: Authenticate using ES_API_TOKEN
    EdgeScanContainer->>EdgeScanAPI: Start scan for asset 74096 with max risk threshold 3
    EdgeScanAPI-->>EdgeScanContainer: Scan progress and results
    EdgeScanContainer-->>AppleNativeContainers: Exit with scan status and colorized output
    AppleNativeContainers-->>pnpm: Return container exit code and logs
    pnpm-->>Terminal: Print scan results
    Terminal-->>Developer: Display DAST findings and status
```
…lity and adjust knip.json to ignore additional binaries
…ged as potential security risk by sourcery
@sourcery-ai review
Hey - I've found 1 security issue, and left some high level feedback:
Security issues:
- Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (link)
General comments:
- In the `edgescan:dev` script, consider using the `$ES_ASSET_ID` environment variable (as in `edgescan:agent`) instead of hardcoding `74096` to avoid accidental misuse against the wrong asset and keep configuration consistent.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In the `edgescan:dev` script, consider using the `$ES_ASSET_ID` environment variable (as in `edgescan:agent`) instead of hardcoding `74096` to avoid accidental misuse against the wrong asset and keep configuration consistent.
## Individual Comments
### Comment 1
<location> `apps/docs/docs/intro.md:129` </location>
<code_context>
420be748f18afc685d11987ac5118c928e174c19
</code_context>
<issue_to_address>
**security (generic-api-key):** Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
*Source: gitleaks*
</issue_to_address>
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Pull request overview
This PR adds EdgeScan security scanning integration for local macOS development by introducing Apple Native Containers support, alongside dependency updates for react-router-dom.
Changes:
- Added `edgescan:dev` script for macOS developers using Apple Native Containers and renamed the existing Docker-based script to `edgescan:agent`
- Added Apple Native Containers setup documentation to enable local EdgeScan scanning
- Updated react-router-dom from 7.0.2/7.8.2 to 7.12.0 across UI packages
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| package.json | Added edgescan:dev script for Apple Native Containers and renamed edgescan:run to edgescan:agent |
| knip.json | Added "container" binary to ignored binaries list for the Apple Native Containers CLI |
| apps/docs/docs/intro.md | Added Apple Native Containers one-time setup instructions for macOS developers |
| apps/ui-community/package.json | Updated react-router-dom to 7.12.0 and reformatted script indentation |
| packages/ocom/ui-components/package.json | Updated react-router-dom to 7.12.0 |
| pnpm-lock.yaml | Updated dependency lockfile for react-router-dom 7.12.0 and transitive @babel/runtime update |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
@sourcery-ai review
Hey - I've found 1 security issue, 2 other issues, and left some high level feedback:
Security issues:
- Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (link)
General comments:
- The `edgescan:dev` script hardcodes `--asset-id 74096`; consider sourcing this from an environment variable (like `ES_ASSET_ID_DEV`) or a config file so it’s not tied to a specific asset in code.
- Since `edgescan:dev` depends on Apple Native Containers and is macOS-specific, consider adding a small platform check or a clear runtime error message in the script to avoid confusing failures on non-macOS environments.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The `edgescan:dev` script hardcodes `--asset-id 74096`; consider sourcing this from an environment variable (like `ES_ASSET_ID_DEV`) or a config file so it’s not tied to a specific asset in code.
- Since `edgescan:dev` depends on Apple Native Containers and is macOS-specific, consider adding a small platform check or a clear runtime error message in the script to avoid confusing failures on non-macOS environments.
## Individual Comments
### Comment 1
<location> `apps/docs/docs/intro.md:109` </location>
<code_context>
+## Local EdgeScan Setup
+
+EdgeScan is a **Dynamic Application Security Testing (DAST)** platform. Unlike Snyk or SonarCloud which analyze source code, EdgeScan scans **live, running applications** to provide deep security intelligence and continuous vulnerability profiling for our serverless architecture.
+
+**How to use:**
</code_context>
<issue_to_address>
**nitpick (typo):** Consider adding a comma after "SonarCloud" to improve grammatical clarity.
Rephrasing to “Unlike Snyk or SonarCloud, which analyze source code, EdgeScan scans live, running applications…” clearly marks “which analyze source code” as a non‑restrictive clause and improves readability.
```suggestion
EdgeScan is a **Dynamic Application Security Testing (DAST)** platform. Unlike Snyk or SonarCloud, which analyze source code, EdgeScan scans **live, running applications** to provide deep security intelligence and continuous vulnerability profiling for our serverless architecture.
```
</issue_to_address>
### Comment 2
<location> `apps/docs/docs/intro.md:143` </location>
<code_context>
+
+### 2. EdgeScan API Token
+
+1. Login to [intealth.edgescan.com](https://intealth.edgescan.com).
+2. Go to your **Profile Settings** and generate an API token for your account.
+3. Export the token in your terminal (consider adding this to your `~/.zshrc` or `~/.bashrc`):
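Review bot: Step 3 tells developers to put the API token in `~/.zshrc` or `~/.bashrc`, which leaves a long-lived credential in plaintext on disk and exposes it to every process started from the shell; note also that gitleaks has already flagged a key in this same file (Comment 3, `intro.md:129`). Suggest recommending a local secrets store or an untracked env file instead, and adding one sentence that the token must never be pasted into the docs or committed.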
</code_context>
<issue_to_address>
**issue (typo):** Use "Log in" (verb) instead of "Login" (noun) in this step.
Consider changing the text to: "Log in to [intealth.edgescan.com](https://intealth.edgescan.com)."
```suggestion
1. Log in to [intealth.edgescan.com](https://intealth.edgescan.com).
```
</issue_to_address>
### Comment 3
<location> `apps/docs/docs/intro.md:129` </location>
<code_context>
420be748f18afc685d11987ac5118c928e174c19
</code_context>
<issue_to_address>
**security (generic-api-key):** Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
*Source: gitleaks*
</issue_to_address>
…r grammatical errors
@sourcery-ai review
Hey - I've found 1 security issue, and left some high level feedback:
Security issues:
- Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (link)
General comments:
- The `edgescan:dev` script hard-codes `--asset-id 74096`; consider reading this from an environment variable (with a sensible default if needed) so different developers or environments can target their own asset IDs without modifying `package.json`.
- Since `edgescan:agent` is intended for CI/agents only, you might add a brief inline comment in `package.json` near the script definition to reinforce that it’s not for local use and relies on `ES_ASSET_ID` being set in the environment.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The `edgescan:dev` script hard-codes `--asset-id 74096`; consider reading this from an environment variable (with a sensible default if needed) so different developers or environments can target their own asset IDs without modifying `package.json`.
- Since `edgescan:agent` is intended for CI/agents only, you might add a brief inline comment in `package.json` near the script definition to reinforce that it’s not for local use and relies on `ES_ASSET_ID` being set in the environment.
## Individual Comments
### Comment 1
<location> `apps/docs/docs/intro.md:129` </location>
<code_context>
420be748f18afc685d11987ac5118c928e174c19
</code_context>
<issue_to_address>
**security (generic-api-key):** Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
*Source: gitleaks*
</issue_to_address>
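A wrapper for the local script that applies the reviewer suggestions above (asset id from `ES_ASSET_ID` with the PR's `74096` as the default, a clear error on non-macOS hosts, and a preflight check for the token and the `container` CLI). It is an added example, not the PR's own code; the file name `scripts/edgescan-dev.sh`, the `$0`-based main guard and the `--env ES_API_TOKEN` pass-through form are assumptions about how the npm script and the Apple container CLI would be wired.

```shell
#!/bin/sh
# Added example (not the PR's code): wrapper for the edgescan:dev npm script that applies
# the review suggestions. File name scripts/edgescan-dev.sh and --env pass-through are assumed.
EDGESCAN_DEFAULT_ASSET_ID=74096                 # the id hard-coded in the PR
EDGESCAN_IMAGE="edgescan/cicd-integration:latest"

# Fail fast with a clear reason. $1 = kernel name (uname -s), $2 = ES_API_TOKEN value.
edgescan_preflight() {
  if [ "$1" != "Darwin" ]; then
    echo "edgescan:dev uses Apple Native Containers and only runs on macOS (got '$1');" \
         "use edgescan:agent in CI" >&2
    return 1
  fi
  if [ -z "$2" ]; then
    echo "ES_API_TOKEN is not set; export it in your shell, never in the repo" >&2
    return 1
  fi
}

# Resolve the asset id from ES_ASSET_ID ($1), falling back to the default, and reject
# anything that is not a positive integer so a typo cannot select an arbitrary asset.
edgescan_asset_id() {
  id="${1:-$EDGESCAN_DEFAULT_ASSET_ID}"
  case "$id" in
    ''|*[!0-9]*) echo "ES_ASSET_ID must be numeric, got '$id'" >&2; return 1 ;;
  esac
  echo "$id"
}

# Build the container command the PR runs, with the asset id substituted. The token is
# passed by name (Docker-style --env VAR pass-through, assumed for the container CLI) so
# the secret never appears on the command line where `ps` would show it.
edgescan_dev_command() {
  echo "container run --tty --rm --platform linux/amd64 --env ES_API_TOKEN" \
       "$EDGESCAN_IMAGE --asset-id $1"
}

edgescan_dev_main() {
  edgescan_preflight "$(uname -s)" "${ES_API_TOKEN:-}" || exit 1
  command -v container >/dev/null 2>&1 ||
    { echo "Apple 'container' CLI not found; see the one-time setup in intro.md" >&2; exit 1; }
  asset_id=$(edgescan_asset_id "${ES_ASSET_ID:-}") || exit 1
  echo "Running EdgeScan DAST against asset $asset_id" >&2
  # shellcheck disable=SC2046  # intentional word splitting of the built command
  exec $(edgescan_dev_command "$asset_id")
}

# Run main only when invoked as the script itself, so the functions can be sourced/tested.
case "$0" in *edgescan-dev.sh) edgescan_dev_main ;; esac
```

With this in place the `edgescan:dev` entry in `package.json` would point at `sh scripts/edgescan-dev.sh`, and a run on Linux fails with the macOS message instead of a confusing missing-command error.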
```bash
container system start
```
Input `Y` when prompted.
security (generic-api-key): Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Source: gitleaks
Fixes #154
Summary by Sourcery
Add local EdgeScan integration support for macOS developers and align dependencies for shared routing packages.