Security workflows: fix DevSkim, replace defunct Xanitizer with Gitleaks#2
Merged
Conversation
RIGS-IT/xanitizer-action@v1 uses Node.js 20; as of 2026-06-16 GitHub Actions runners default to Node.js 24, causing an SSL handshake failure when the action connects to the Xanitizer license server. Set ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true at the job level as a temporary workaround until an updated action version is available. https://claude.ai/code/session_01MtaSEMdzQA4Ttpa7nvtzaX
DevSkim-Action@v1 runs in a Docker container where the workspace is
mounted at /github/workspace. Passing output-directory: ${{ github.workspace }}
(the runner's absolute path) causes the entrypoint to construct an invalid
path: /github/workspace + /home/runner/work/... = bad nested path. Using
output-directory: '.' resolves to /github/workspace/devskim-results.sarif
inside the container, which maps correctly to $GITHUB_WORKSPACE on the runner.
Also sets ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true for Node.js 20 compat
on checkout@v4 and upload-sarif@v3 following the 2026-06-16 runner cutover.
https://claude.ai/code/session_01MtaSEMdzQA4Ttpa7nvtzaX
The RIGS-IT/xanitizer-action (last released Jan 2021) downloads the standalone Xanitizer tool from RIGS IT's distribution endpoint before any license check. That endpoint now fails the TLS handshake (SSL alert 40) because Xanitizer was acquired by WhiteSource (Feb 2022) and folded into the Mend.io platform — the standalone product and its download/license infrastructure no longer exist. No YAML edit or license can make this run. Xanitizer is also a SAST tool for Java/JS application source code, which this Markdown documentation repository does not contain. Removing it and adding Gitleaks, which scans the full git history for committed secrets and complements the DevSkim workflow. No GITLEAKS_LICENSE is required for personal-account repositories. https://claude.ai/code/session_01MtaSEMdzQA4Ttpa7nvtzaX
finally
Summary

This PR gets the repository's security scanning workflows into a working state. Follow-up to #1 (which fixed the initial expression/glob errors but whose CI run then surfaced two deeper failures).

1. DevSkim — fixed ✅ (now passing)

`microsoft/DevSkim-Action@v1` runs in a Docker container with the workspace mounted at `/github/workspace`. Passing `output-directory: ${{ github.workspace }}` (the runner's absolute path) made the entrypoint construct an invalid nested path. Changed to `output-directory: '.'`, which resolves to `/github/workspace/devskim-results.sarif` inside the container and maps to `$GITHUB_WORKSPACE` on the runner where `upload-sarif` finds it. DevSkim now uploads findings to the Security → Code Scanning tab.

2. Xanitizer — removed (unfixable) ❌ → 🗑️

`RIGS-IT/xanitizer-action` (last released Jan 2021) downloads the standalone Xanitizer tool before any license check. That download now fails the TLS handshake (SSL alert number 40) because WhiteSource acquired Xanitizer in Feb 2022 and folded it into the Mend.io platform — the standalone product and its download/license servers no longer exist. No YAML change or license can make this complete.

Xanitizer is also a SAST tool for Java/JS application source code, which this Markdown documentation repository doesn't contain — it was never the right fit.

3. Gitleaks — added ✅ (replacement)

Added `gitleaks/gitleaks-action@v2` to scan the full git history for committed secrets — appropriate for a docs repo and complementary to DevSkim. No `GITLEAKS_LICENSE` is required for personal-account repositories (only GitHub Organizations).

Resulting workflows

- `devskim.yml`
- `gitleaks.yml`
- `xanitizer.yml`

Note on branch protection

If `xanitizer` was configured as a required status check, it should be removed from branch protection now that the workflow is gone, otherwise PRs may wait on a check that never runs.

Test plan

- `devskim` completes and uploads SARIF
- `gitleaks` completes (no secrets expected in this docs repo → green)

https://claude.ai/code/session_01MtaSEMdzQA4Ttpa7nvtzaX
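The following workflow is an added illustration of the two changes described in the commit messages and the summary above; it is not one of the PR's own `devskim.yml` or `gitleaks.yml` files, which it merges into a single file for readability. The broken `output-directory` value is kept as a comment next to the fix so the container path mapping is visible in one place. The workflow name, job names, step names, the `main` branch filter and `fetch-depth: 0` on the Gitleaks checkout are assumptions (the last is the usual way to give Gitleaks the full history the summary says it scans); the action references, the `output-directory: '.'` fix, the SARIF file name and the `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION` workaround are taken from the PR.

```yaml
# Added example reconstructing the PR's workflows; not the repository's own files.
name: security-scans   # assumed name

on:
  push:
    branches: [main]   # assumed branch
  pull_request:

permissions:
  contents: read
  security-events: write   # upload-sarif needs this to write Code Scanning results

jobs:
  devskim:
    runs-on: ubuntu-latest
    env:
      # Workaround from the PR: the checkout/upload-sarif actions still run on
      # Node.js 20 after the 2026-06-16 runner cutover to Node.js 24.
      # Temporary; drop it once the actions ship a Node.js 24 build.
      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: "true"
    steps:
      - uses: actions/checkout@v4

      - name: Run DevSkim
        uses: microsoft/DevSkim-Action@v1
        with:
          # BROKEN (what the workflow had before this PR):
          #   output-directory: ${{ github.workspace }}
          # github.workspace is the runner's host path (/home/runner/work/...),
          # but this action runs in Docker with the repository bind-mounted at
          # /github/workspace. The entrypoint joins the two, producing a path
          # that exists on neither side.
          #
          # FIXED: '.' is relative to the container's working directory,
          # /github/workspace, which is the same directory as $GITHUB_WORKSPACE
          # on the runner.
          output-directory: '.'

      - name: Upload DevSkim SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          # Written as /github/workspace/devskim-results.sarif in the container,
          # so it appears at $GITHUB_WORKSPACE/devskim-results.sarif here.
          sarif_file: devskim-results.sarif

  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Assumed setting: Gitleaks scans commit history, so a shallow clone
          # would miss a secret that was committed and later deleted.
          fetch-depth: 0

      - name: Scan git history for committed secrets
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # GITLEAKS_LICENSE is only required for GitHub Organization repos;
          # per the PR, a personal-account repo runs without it.
```

If `xanitizer` is still listed as a required status check in branch protection, replace it with the `gitleaks` job name used here; otherwise, as the note above says, pull requests will wait on a check that never reports.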