Skip to content

Add Aikido Safe Chain for malware protection in CI/CD #1479

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 12, 2025
Merged

Add Aikido Safe Chain for malware protection in CI/CD #1479

merged 2 commits into from
Oct 12, 2025

Conversation

Copilot
Copy link
Contributor

@Copilot Copilot AI commented Oct 6, 2025
edited
Loading

🔒 Security Enhancement: Aikido Safe Chain Integration

This PR adds Aikido Safe Chain to our GitHub Actions workflows to protect against malicious packages during dependency installation.

What is Aikido Safe Chain?

Aikido Safe Chain is a free security tool that prevents developers from installing malware through package managers. It wraps around package manager commands and verifies packages against Aikido Intel - Open Source Threat Intelligence before installation.

Key Features

  • Free to use - No tokens or authentication required
  • 🛡️ Malware detection - Blocks malicious packages before installation
  • 🔍 Threat intelligence - Uses open source threat data to identify risks
  • 📦 Multi-package manager support - npm, pnpm, yarn, npx, pnpx
  • 🚀 Node.js 18+ compatible

Implementation

Created a new workflow .github/workflows/safe-chain.yml that:

  1. Sets up the environment - Node.js 18 and pnpm 8 (consistent with existing workflows)
  2. Installs Aikido Safe Chain - Globally via npm install -g @aikidosec/safe-chain
  3. Configures CI protection - Runs safe-chain setup-ci to wrap package manager commands
  4. Protects dependency installation - pnpm install runs with malware scanning enabled

The workflow follows the same structure as existing workflows (test.yml, build.yml, lint.yml) and runs on:

  • Push to main branch
  • Pull requests to main branch

Note on pnpm Support

Currently, Aikido Safe Chain offers limited scanning for pnpm (scans install command arguments). Full dependency tree scanning for pnpm is coming soon according to the official roadmap.

References

Testing

The workflow will run automatically on this PR to verify the integration works correctly.

Original prompt

This section details on the original issue you should resolve

<issue_title>Add Aikido Safe Chain for malware protection in CI/CD</issue_title>
<issue_description># Overview
Please apply the following PR changes to this project as part of the security measures against npm malware.

🔒 Security Enhancement: Aikido Safe Chain Integration

This PR adds Aikido Safe Chain to our GitHub Actions workflows to protect against malicious packages during dependency installation.

What is Aikido Safe Chain?

Aikido Safe Chain is a free security tool that prevents developers from installing malware through package managers. It wraps around package manager commands and verifies packages against Aikido Intel - Open Sources Threat Intelligence before installation.

Key Features

  • Free to use - No tokens or authentication required
  • 🛡️ Malware detection - Blocks malicious packages before installation
  • 🔍 Threat intelligence - Uses open source threat data to identify risks
  • 📦 Multi-package manager support - npm, pnpm, yarn, npx, pnpx
  • 🚀 Node.js 18+ compatible

Current Implementation

  • Created new workflow: .github/workflows/safe-chain.yml
  • Installs @aikidosec/safe-chain globally in CI environment
  • Runs safe-chain setup-ci before dependency installation
  • Protects pnpm install commands from malicious packages

Note on pnpm Support

Currently, Aikido Safe Chain offers limited scanning for pnpm (scans install command arguments). Full dependency tree scanning for pnpm is coming soon according to the official roadmap.

References

Testing

The workflow will run automatically on this PR to verify the integration works correctly.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #1478

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@Copilot Copilot AI changed the title [WIP] Add Aikido Safe Chain for malware protection in CI/CD Add Aikido Safe Chain for malware protection in CI/CD Oct 6, 2025
@Copilot Copilot AI requested a review from ryota-murakami October 6, 2025 05:38
Copilot finished work on behalf of ryota-murakami October 6, 2025 05:38
@ryota-murakami ryota-murakami marked this pull request as ready for review October 12, 2025 00:34
@ryota-murakami ryota-murakami merged commit 44d3d99 into main Oct 12, 2025
12 of 14 checks passed
@ryota-murakami ryota-murakami deleted the copilot/fix-25fed603-9781-45c2-a8df-20fa9f9722ea branch October 12, 2025 00:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ryota-murakami ryota-murakami Awaiting requested review from ryota-murakami

Assignees

@ryota-murakami ryota-murakami

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add Aikido Safe Chain for malware protection in CI/CD

2 participants

@Copilot @ryota-murakami