From ed6c4a8582b556156cc1ebfc0bf48ac9d8d61457 Mon Sep 17 00:00:00 2001
From: Proxay
Date: Sun, 25 Jan 2026 05:21:44 +0000
Subject: [PATCH 1/6] Update Aikido pre-commit hook to use 'latest' version by default and enhance version fetching logic

---
 .../devcontainer-feature.json | 4 +-
 src/aikido-precommit/install.sh | 37 ++++++++++++++++++-
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/src/aikido-precommit/devcontainer-feature.json b/src/aikido-precommit/devcontainer-feature.json
index 2df1a28..245f4fc 100644
--- a/src/aikido-precommit/devcontainer-feature.json
+++ b/src/aikido-precommit/devcontainer-feature.json
@@ -7,8 +7,8 @@
 "options": {
 "version": {
 "type": "string",
- "default": "v1.0.116",
- "description": "Version of the aikido-local-scanner to install"
+ "default": "latest",
+ "description": "Version of the aikido-local-scanner to install (use 'latest' for auto-detection)"
 },
 "setupGlobalHooks": {
 "type": "boolean",
diff --git a/src/aikido-precommit/install.sh b/src/aikido-precommit/install.sh
index 68cb062..bd5dd47 100644
--- a/src/aikido-precommit/install.sh
+++ b/src/aikido-precommit/install.sh
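Review bot: The new `latest` default turns every build that leaves `version` unset into a network-dependent, non-reproducible install that trusts whatever tag currently sits at the HEAD of the upstream `main` branch, and the option description does not say so. Consumers should see that trade-off where they choose: `"description": "Version of the aikido-local-scanner to install. 'latest' resolves the tag from Aikido's upstream install script at build time (requires network, not reproducible); pin a tag such as v1.0.116 for reproducible builds"`. Mentioning that a fixed fallback tag is used when that fetch fails would also save readers a trip into install.sh.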
@@ -3,9 +3,44 @@
 set -e

 # Get options from environment (feature options are uppercase)
-VERSION="${VERSION:-"v1.0.116"}"
+VERSION="${VERSION:-"latest"}"
 SETUP_GLOBAL_HOOKS="${SETUPGLOBALHOOKS:-"true"}"

+# Fallback version used when "latest" cannot be fetched from upstream
+# This is automatically updated by the aikido-version-check.yml workflow
+FALLBACK_VERSION="v1.0.116"
+
+# Upstream script URL for fetching latest version
+AIKIDO_UPSTREAM_SCRIPT="https://raw.githubusercontent.com/AikidoSec/pre-commit/main/installation-samples/install-global/install-aikido-hook.sh"
+
+# Function to fetch the latest version from Aikido's upstream script
+fetch_latest_version() {
+ local upstream_script
+ local extracted_version
+
+ # Attempt to fetch the upstream install script
+ if upstream_script=$(curl -fsSL --connect-timeout 10 "$AIKIDO_UPSTREAM_SCRIPT" 2>/dev/null); then
+ # Extract VERSION="vX.X.X" from the script
+ extracted_version=$(echo "$upstream_script" | grep -oP '^VERSION="\K[^"]+' | head -1)
+
+ if [ -n "$extracted_version" ]; then
+ echo "$extracted_version"
+ return 0
+ fi
+ fi
+
+ # Fallback if upstream fetch fails
+ echo "$FALLBACK_VERSION"
+ return 0
+}
+
+# Resolve version
+if [ "$VERSION" = "latest" ]; then
+ echo "Fetching latest version from Aikido upstream..."
+ VERSION=$(fetch_latest_version)
+ echo "Resolved version: $VERSION"
+fi
+
 # Normalize version format (ensure it starts with 'v')
 if [[ ! "$VERSION" =~ ^v ]]; then
 VERSION="v${VERSION}"
From 392d8ecb8fd53969f5e082d34c9c35c5506fdebf Mon Sep 17 00:00:00 2001
From: Proxay
Date: Sun, 25 Jan 2026 05:21:57 +0000
Subject: [PATCH 2/6] Add Aikido version check workflow to automate fallback version updates

---
 .github/workflows/aikido-version-check.yml | 102 +++++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 .github/workflows/aikido-version-check.yml
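Review bot: `extracted_version` is used without any shape check — `[^"]+` accepts anything short of a double quote, so a value on upstream `main` containing `/`, `..`, spaces or `$` would be echoed into `VERSION` and from there into whatever download path the rest of the script builds (outside this hunk). Replace the emptiness test with `if [[ "$extracted_version" =~ ^v?[0-9]+(\.[0-9]+){2}$ ]]; then` so anything else falls through to `FALLBACK_VERSION`. `--connect-timeout 10` bounds only the TCP handshake; add `--max-time 30` to the curl line so a stalled response cannot hang the container build indefinitely. `grep -oP` needs a PCRE-enabled grep, which busybox and some minimal base images lack — there the extraction silently yields the fallback; either say so on the `# Extract` comment or use `sed -n 's/^VERSION="\([^"]*\)"/\1/p'`, which works everywhere. A comment above `AIKIDO_UPSTREAM_SCRIPT` noting that `latest` trusts the moving HEAD of upstream `main` rather than a release tag would make the trust boundary explicit for maintainers.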
diff --git a/.github/workflows/aikido-version-check.yml b/.github/workflows/aikido-version-check.yml
new file mode 100644
index 0000000..4664e5e
--- /dev/null
+++ b/.github/workflows/aikido-version-check.yml
@@ -0,0 +1,102 @@
+name: Check Aikido Scanner Version
+
+on:
+ schedule:
+ # Run weekly on Mondays at 9:00 UTC
+ - cron: '0 9 * * 1'
+ workflow_dispatch: # Allow manual trigger
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ check-version:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Fetch upstream Aikido version
+ id: upstream
+ run: |
+ # Fetch the official Aikido install script
+ UPSTREAM_SCRIPT=$(curl -fsSL "https://raw.githubusercontent.com/AikidoSec/pre-commit/main/installation-samples/install-global/install-aikido-hook.sh")
+
+ # Extract VERSION from the script (format: VERSION="v1.0.116")
+ UPSTREAM_VERSION=$(echo "$UPSTREAM_SCRIPT" | grep -oP '^VERSION="\K[^"]+' | head -1)
+
+ if [ -z "$UPSTREAM_VERSION" ]; then
+ echo "Error: Could not extract version from upstream script"
+ exit 1
+ fi
+
+ echo "upstream_version=$UPSTREAM_VERSION" >> "$GITHUB_OUTPUT"
+ echo "Found upstream version: $UPSTREAM_VERSION"
+
+ - name: Get current pinned version
+ id: current
+ run: |
+ # Extract the fallback version from install.sh
+ CURRENT_VERSION=$(grep -oP 'FALLBACK_VERSION="\K[^"]+' src/aikido-precommit/install.sh | head -1)
+
+ if [ -z "$CURRENT_VERSION" ]; then
+ echo "Error: Could not extract FALLBACK_VERSION from install.sh"
+ exit 1
+ fi
+
+ echo "current_version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT"
+ echo "Current pinned version: $CURRENT_VERSION"
+
+ - name: Compare versions
+ id: compare
+ run: |
+ UPSTREAM="${{ steps.upstream.outputs.upstream_version }}"
+ CURRENT="${{ steps.current.outputs.current_version }}"
+
+ if [ "$UPSTREAM" = "$CURRENT" ]; then
+ echo "Versions match ($CURRENT), no update needed"
+ echo "needs_update=false" >> "$GITHUB_OUTPUT"
+ else
+ echo "Version mismatch: upstream=$UPSTREAM, current=$CURRENT"
+ echo "needs_update=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Update version in install.sh
+ if: steps.compare.outputs.needs_update == 'true'
+ run: |
+ UPSTREAM="${{ steps.upstream.outputs.upstream_version }}"
+ CURRENT="${{ steps.current.outputs.current_version }}"
+
+ # Update FALLBACK_VERSION in install.sh
+ sed -i "s/FALLBACK_VERSION=\"${CURRENT}\"/FALLBACK_VERSION=\"${UPSTREAM}\"/" src/aikido-precommit/install.sh
+
+ echo "Updated FALLBACK_VERSION from $CURRENT to $UPSTREAM"
+
+ - name: Create Pull Request
+ if: steps.compare.outputs.needs_update == 'true'
+ uses: peter-evans/create-pull-request@v7
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ commit-message: "chore(aikido-precommit): update fallback version to ${{ steps.upstream.outputs.upstream_version }}"
+ title: "chore(aikido-precommit): update fallback version to ${{ steps.upstream.outputs.upstream_version }}"
+ body: |
+ ## Automated Version Update
+
+ This PR updates the Aikido local scanner fallback version from `${{ steps.current.outputs.current_version }}` to `${{ steps.upstream.outputs.upstream_version }}`.
+
+ ### Source
+ Version extracted from [Aikido's official install script](https://github.com/AikidoSec/pre-commit/blob/main/installation-samples/install-global/install-aikido-hook.sh).
+
+ ### Notes
+ - Users with `version: "latest"` (default) will automatically get the new version
+ - Users with explicit version pins are unaffected
+ - The fallback version is used when the upstream script cannot be fetched
+
+ ---
+ *This PR was automatically created by the [aikido-version-check](.github/workflows/aikido-version-check.yml) workflow.*
+ branch: chore/aikido-version-update
+ delete-branch: true
+ labels: |
+ dependencies
+ automated
From 8837bcc09203750e997e0134a32b8c9263745ae4 Mon Sep 17 00:00:00 2001
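Review bot: `${{ steps.upstream.outputs.upstream_version }}` is expanded verbatim into the `run:` scripts of the "Compare versions" and "Update version in install.sh" steps (`UPSTREAM="${{ … }}"`) and into the `sed` pattern, yet that value is whatever sits between the quotes of `VERSION=` on upstream `main` — the `[^"]+` extraction lets through `$(…)`, backticks, `;` and `/`. Because the expression is substituted before bash runs, a crafted upstream version would execute in this job, which holds `contents: write` and `pull-requests: write`, so this is an upstream-controlled path to pushing to the repository. Validate the shape immediately after extraction and hand the outputs to later steps via `env:` so bash only ever sees them as data; with that check in place the unescaped `.` in the `sed` pattern is harmless. `actions/checkout@v4` and `peter-evans/create-pull-request@v7` are pinned to mutable tags; given the write permissions this workflow holds, pin them to commit SHAs.

```yaml
      - name: Fetch upstream Aikido version
        id: upstream
        run: |
          # … unchanged: curl fetch and grep extraction …
          # Only a plain tag may flow into later steps, which interpolate this value
          if ! [[ "$UPSTREAM_VERSION" =~ ^v[0-9]+(\.[0-9]+){2}$ ]]; then
            echo "Error: unexpected upstream version string: $UPSTREAM_VERSION"
            exit 1
          fi
          echo "upstream_version=$UPSTREAM_VERSION" >> "$GITHUB_OUTPUT"
          # … unchanged: "Found upstream version" log line …

      - name: Compare versions
        id: compare
        env:
          UPSTREAM: ${{ steps.upstream.outputs.upstream_version }}
          CURRENT: ${{ steps.current.outputs.current_version }}
        run: |
          # … unchanged: comparison body, reading "$UPSTREAM" / "$CURRENT" from env …

      - name: Update version in install.sh
        if: steps.compare.outputs.needs_update == 'true'
        env:
          UPSTREAM: ${{ steps.upstream.outputs.upstream_version }}
          CURRENT: ${{ steps.current.outputs.current_version }}
        run: |
          sed -i "s/FALLBACK_VERSION=\"${CURRENT}\"/FALLBACK_VERSION=\"${UPSTREAM}\"/" src/aikido-precommit/install.sh
          echo "Updated FALLBACK_VERSION from $CURRENT to $UPSTREAM"
```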
From: Proxay
Date: Sun, 25 Jan 2026 05:22:11 +0000
Subject: [PATCH 3/6] Add pinned version test script and scenarios configuration for aikido-local-scanner

---
 test/aikido-precommit/pinned-version.sh | 21 +++++++++++++++++++++
 test/aikido-precommit/scenarios.json | 11 +++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 test/aikido-precommit/pinned-version.sh
 create mode 100644 test/aikido-precommit/scenarios.json

diff --git a/test/aikido-precommit/pinned-version.sh b/test/aikido-precommit/pinned-version.sh
new file mode 100644
index 0000000..c5c786a
--- /dev/null
+++ b/test/aikido-precommit/pinned-version.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+echo "Testing: aikido-local-scanner pinned version installation"
+
+# Check binary exists
+if command -v aikido-local-scanner >/dev/null 2>&1; then
+ echo "✅ PASSED: aikido-local-scanner found"
+else
+ echo "❌ FAILED: aikido-local-scanner not found"
+ exit 1
+fi
+
+# The pinned version test verifies that explicit versions work
+# Note: We can't easily verify the exact version without aikido-local-scanner --version support
+# but we verify the binary was successfully downloaded and installed
+echo "✅ PASSED: Pinned version installation completed"
+
+echo ""
+echo "✅ All pinned-version tests passed!"
diff --git a/test/aikido-precommit/scenarios.json b/test/aikido-precommit/scenarios.json
new file mode 100644
index 0000000..e7b1b88
--- /dev/null
+++ b/test/aikido-precommit/scenarios.json
@@ -0,0 +1,11 @@
+{
+ "pinned-version": {
+ "image": "ubuntu:focal",
+ "features": {
+ "aikido-precommit": {
+ "version": "v1.0.100",
+ "setupGlobalHooks": true
+ }
+ }
+ }
+}
From d562de96fa505ce3cc057fe1396d83eaafbcd7e1 Mon Sep 17 00:00:00 2001
From: Proxay
Date: Sun, 25 Jan 2026 05:22:16 +0000
Subject: [PATCH 4/6] Update README to clarify version management options for aikido-precommit

---
 src/aikido-precommit/README.md | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)
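Review bot: Nothing in pinned-version.sh ties the result to the `v1.0.100` requested in scenarios.json — the only assertion is `command -v`, so a build that ignored the option and resolved `latest` instead would pass, and the unconditional `echo "✅ PASSED: Pinned version installation completed"` reports a check that is never made. Drop that line, or replace it with something the install can be held to — for example, if install.sh records the resolved tag on disk (not visible in this patch), grep that file for `v1.0.100`. Only the pinned path is covered here, while the code this series adds is the `latest` path; add a scenario that omits `version`, e.g. `"latest-version": { "image": "ubuntu:focal", "features": { "aikido-precommit": {} } }`, so the upstream fetch and version normalisation are exercised by CI at all.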
diff --git a/src/aikido-precommit/README.md b/src/aikido-precommit/README.md
index 613c088..7e0f066 100644
--- a/src/aikido-precommit/README.md
+++ b/src/aikido-precommit/README.md
@@ -12,10 +12,32 @@ Installs AikidoSec's pre-commit hook for scanning secrets, passwords, and API ke
 ## Options

-Options Id | Description | Type | Default Value
----------------- | ---------------------------------------------------------------- | ------- | -------------
-version | Version of the aikido-local-scanner to install | string | v1.0.116
-setupGlobalHooks | Configure git global hooks path (set to false for download-only) | boolean | true
+Options Id | Description | Type | Default Value
+---------------- | -------------------------------------------------------------------------------- | ------- | -------------
+version | Version of the aikido-local-scanner to install (use 'latest' for auto-detection) | string | latest
+setupGlobalHooks | Configure git global hooks path (set to false for download-only) | boolean | true
+
+## Version Management
+
+This feature supports two version strategies:
+
+### Auto-detection (default)
+
+With `version: "latest"` (the default), the installer fetches the current version from [Aikido's official install script](https://github.com/AikidoSec/pre-commit/blob/main/installation-samples/install-global/install-aikido-hook.sh) at build time. This ensures you always get the latest scanner version without manual updates.
+
+If the upstream script is unreachable, a fallback version is used (kept up-to-date via automated PRs).
+
+### Pinned version
+
+For reproducible builds or to use a specific version, set an explicit version:
+
+```json
+"features": {
+ "ghcr.io/ProxayFox/devcontainer-features/aikido-precommit:1": {
+ "version": "v1.0.116"
+ }
+}
+```

 --------------------------------------------------------------------------------
From 551cd18cb4bdbaddc3f6fd369a3e9aa1b166ab09 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 25 Jan 2026 05:34:40 +0000
Subject: [PATCH 5/6] Initial plan

From c67affbf7c4c2f4a2cd260875d4a57f0fcb816f9 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 25 Jan 2026 05:36:40 +0000
Subject: [PATCH 6/6] Add warning messages when version fetch falls back to default

Co-authored-by: Datacom-Ayden <221437541+Datacom-Ayden@users.noreply.github.com>
---
 src/aikido-precommit/install.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/aikido-precommit/install.sh b/src/aikido-precommit/install.sh
index bd5dd47..f266222 100644
--- a/src/aikido-precommit/install.sh
+++ b/src/aikido-precommit/install.sh
@@ -27,6 +27,9 @@ fetch_latest_version() {
 echo "$extracted_version"
 return 0
 fi
+ echo "Warning: Could not extract version from upstream script, using fallback version $FALLBACK_VERSION" >&2
+ else
+ echo "Warning: Failed to fetch upstream version (network or connection timeout), using fallback version $FALLBACK_VERSION" >&2
 fi

 # Fallback if upstream fetch fails
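Review bot: The second warning attributes every fetch failure to "network or connection timeout", but `curl -f` also fails on an HTTP error such as a 404 if upstream moves or renames the script, and the curl invocation (above this hunk, earlier in the same `fetch_latest_version` body) discards its stderr with `2>/dev/null`, so the real cause never reaches the build log. Reword it to `echo "Warning: Failed to fetch upstream install script (network error, timeout, or HTTP error), using fallback version $FALLBACK_VERSION" >&2` and drop the `2>/dev/null` from the curl line so the `-S` error text lands next to the warning. With both warnings going to stderr and the function still returning 0 on the fallback path, `VERSION=$(fetch_latest_version)` cannot tell a resolved tag from a silent downgrade; if CI builds should not quietly pin to a stale fallback, consider an opt-in environment variable that turns the fallback into a hard failure.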