ComfyUI_frontend/.agents/checks/dep-secrets-scan.md
Christian Byrne df69d6b5d4 feat: add Amp code review checks (#9445)
## Summary

Add 22 automated code review check definitions and 1 strict ESLint
config to `.agents/checks/` for Amp-powered code review.

## Changes

- **What**: 23 files in `.agents/checks/` covering accessibility, API
contracts, architecture, bug patterns, CodeRabbit integration,
complexity, DDD structure, dependency/secrets scanning, doc freshness,
DX/readability, ecosystem compatibility, error handling, import graph,
memory leaks, pattern compliance, performance, regression risk,
security, SAST, SonarJS linting, test quality, and Vue patterns. Each
check includes YAML frontmatter (name, description, severity-default,
tools) and repo-specific guidance tailored to ComfyUI_frontend
conventions.

## Review Focus

- Check definitions are config-only (no runtime code changes)
- Checks reference repo-specific patterns (e.g., `useErrorHandling`
composable, `useToastStore`, `es-toolkit`, Tailwind 4, Vue Composition
API)

Issue is synchronized with this [Notion
page](https://www.notion.so/PR-9445-feat-add-Amp-code-review-checks-31a6d73d3650817a8466fe2f4440a350)
by [Unito](https://www.unito.io)

---------

Co-authored-by: GitHub Action <action@github.com>
2026-03-05 15:29:30 -08:00


| name | description | severity-default | tools |
|---|---|---|---|
| dep-secrets-scan | Runs dependency vulnerability audit and secrets detection | critical | Bash, Read |

Run dependency audit and secrets scan to detect known CVEs in dependencies and leaked secrets in code.

## Steps

1. Check which tools are available:

   ```bash
   pnpm --version
   gitleaks version
   ```

   - If neither is installed, skip this check and report: "Skipped: neither pnpm nor gitleaks installed. Install pnpm: npm i -g pnpm. Install gitleaks: brew install gitleaks or see https://github.com/gitleaks/gitleaks#installing"
   - If only one is available, run that one and note the other was skipped.

2. Dependency audit (if pnpm is available):

   ```bash
   pnpm audit --json 2>/dev/null || true
   ```

   Parse the JSON output. Map advisory severity:

   - critical advisory → critical
   - high advisory → major
   - moderate advisory → minor
   - low advisory → nitpick

   Report each finding with: package name, version, advisory title, CVE, and suggested patched version.

3. Secrets detection (if gitleaks is available):

   ```bash
   gitleaks detect --no-banner --report-format json --source . 2>/dev/null || true
   ```

   Parse the JSON output. All secret findings are critical severity.

   Report each finding with: file and line, rule description, and a redacted match. Always suggest removing the secret and rotating credentials.

## What This Catches

### Dependency Audit

- Known CVEs in direct and transitive dependencies
- Vulnerable packages from the npm advisory database

### Secrets Detection

- API keys and tokens in code
- AWS credentials, GCP service account keys
- Database connection strings with passwords
- Private keys and certificates
- Generic high-entropy secrets

## Error Handling

- If `pnpm audit` fails, log the error and continue with gitleaks.
- If gitleaks fails, log the error and continue with audit results.
- If JSON parsing fails for either tool, include raw output with a warning.
- If both tools produce no findings, report "No issues found."
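As an added example (not code from the check file or from the ComfyUI_frontend project), here is a Python implementation of the parsing, severity mapping, redaction and error-handling rules that the Steps and the Error Handling section describe. The JSON field names for `pnpm audit` (an npm-v6-style `advisories` map) and for the gitleaks report (`File`, `StartLine`, `Description`, `Secret`) are assumptions about the tools' output, and both sample inputs are constructed.

```python
from __future__ import annotations
import json

# Severity mapping from the check: advisory level -> review severity.
SEVERITY_MAP = {"critical": "critical", "high": "major", "moderate": "minor", "low": "nitpick"}

# Constructed samples shaped like the tools' JSON (field names are assumptions, not captured output).
AUDIT_SAMPLE = json.dumps({"advisories": {"1": {
    "module_name": "example-pkg", "severity": "high", "title": "Prototype Pollution",
    "cves": ["CVE-0000-00000"], "patched_versions": ">=2.0.1",  # placeholder CVE id
    "findings": [{"version": "2.0.0"}]}}})
GITLEAKS_SAMPLE = json.dumps([{"File": "src/config.ts", "StartLine": 12, "RuleID": "generic-api-key",
    "Description": "Generic API Key", "Secret": "EXAMPLEKEY1234567890"}])

def redact(secret: str) -> str:
    """Keep only a 4-char prefix so the review comment never reprints a usable secret."""
    return secret[:4] + "*" * max(len(secret) - 4, 4)

def parse_audit(raw: str) -> list[dict]:
    """Map `pnpm audit --json` advisories (npm-v6-style report) to the check's severities."""
    findings = []
    for adv in json.loads(raw).get("advisories", {}).values():
        for hit in adv.get("findings", []):
            findings.append({
                "severity": SEVERITY_MAP.get(adv.get("severity", "low"), "nitpick"),
                "package": adv["module_name"], "version": hit.get("version"),
                "title": adv.get("title"), "cve": ", ".join(adv.get("cves") or []) or "n/a",
                "patched": adv.get("patched_versions") or "none"})
    return findings

def parse_gitleaks(raw: str) -> list[dict]:
    """Every gitleaks finding is critical; the matched secret is redacted before reporting."""
    return [{"severity": "critical", "location": f"{f['File']}:{f['StartLine']}",
             "rule": f.get("Description") or f.get("RuleID"),
             "match": redact(f.get("Secret") or f.get("Match", "")),
             "advice": "remove the secret from the repository and rotate the credential"}
            for f in json.loads(raw)]

def safe_parse(parser, raw: str) -> tuple[list[dict], str | None]:
    """Error-handling rule: a malformed report yields no findings plus a warning carrying the raw output."""
    try:
        return parser(raw), None
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return [], f"WARNING: could not parse tool output ({exc!r}); raw output: {raw!r}"

def summarize(findings: list[dict]) -> str:
    """Final report text; the check asks for "No issues found." when both tools are clean."""
    return "No issues found." if not findings else "\n".join(
        f"[{f['severity']}] " + ", ".join(f"{k}={v}" for k, v in f.items() if k != "severity") for f in findings)
```

On a real checkout, feed `safe_parse(parse_audit, ...)` the stdout of `pnpm audit --json` and `safe_parse(parse_gitleaks, ...)` the contents of the JSON report gitleaks writes (choose the file with `--report-path`).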