Feat/aikido version mgmt

.github/workflows/aikido-version-check.yml

@@ -0,0 +1,102 @@
+name: Check Aikido Scanner Version
+
+on:
+  schedule:
+    # Run weekly on Mondays at 9:00 UTC
+    - cron: '0 9 * * 1'
+  workflow_dispatch: # Allow manual trigger
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  check-version:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Fetch upstream Aikido version
+        id: upstream
+        run: |
+          # Fetch the official Aikido install script
+          UPSTREAM_SCRIPT=$(curl -fsSL "https://raw.githubusercontent.com/AikidoSec/pre-commit/main/installation-samples/install-global/install-aikido-hook.sh")
+
+          # Extract VERSION from the script (format: VERSION="v1.0.116")
+          UPSTREAM_VERSION=$(echo "$UPSTREAM_SCRIPT" | grep -oP '^VERSION="\K[^"]+' | head -1)
+
+          if [ -z "$UPSTREAM_VERSION" ]; then
+            echo "Error: Could not extract version from upstream script"
+            exit 1
+          fi
+
+          echo "upstream_version=$UPSTREAM_VERSION" >> "$GITHUB_OUTPUT"
+          echo "Found upstream version: $UPSTREAM_VERSION"
+
+      - name: Get current pinned version
+        id: current
+        run: |
+          # Extract the fallback version from install.sh
+          CURRENT_VERSION=$(grep -oP 'FALLBACK_VERSION="\K[^"]+' src/aikido-precommit/install.sh | head -1)
+
+          if [ -z "$CURRENT_VERSION" ]; then
+            echo "Error: Could not extract FALLBACK_VERSION from install.sh"
+            exit 1
+          fi
+
+          echo "current_version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT"
+          echo "Current pinned version: $CURRENT_VERSION"
+
+      - name: Compare versions
+        id: compare
+        run: |
+          UPSTREAM="${{ steps.upstream.outputs.upstream_version }}"
+          CURRENT="${{ steps.current.outputs.current_version }}"
+
+          if [ "$UPSTREAM" = "$CURRENT" ]; then
+            echo "Versions match ($CURRENT), no update needed"
+            echo "needs_update=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "Version mismatch: upstream=$UPSTREAM, current=$CURRENT"
+            echo "needs_update=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update version in install.sh
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          UPSTREAM="${{ steps.upstream.outputs.upstream_version }}"
+          CURRENT="${{ steps.current.outputs.current_version }}"
+
+          # Update FALLBACK_VERSION in install.sh
+          sed -i "s/FALLBACK_VERSION=\"${CURRENT}\"/FALLBACK_VERSION=\"${UPSTREAM}\"/" src/aikido-precommit/install.sh
+
+          echo "Updated FALLBACK_VERSION from $CURRENT to $UPSTREAM"
+
+      - name: Create Pull Request
+        if: steps.compare.outputs.needs_update == 'true'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "chore(aikido-precommit): update fallback version to ${{ steps.upstream.outputs.upstream_version }}"
+          title: "chore(aikido-precommit): update fallback version to ${{ steps.upstream.outputs.upstream_version }}"
+          body: |
+            ## Automated Version Update
+
+            This PR updates the Aikido local scanner fallback version from `${{ steps.current.outputs.current_version }}` to `${{ steps.upstream.outputs.upstream_version }}`.
+
+            ### Source
+            Version extracted from [Aikido's official install script](https://github.com/AikidoSec/pre-commit/blob/main/installation-samples/install-global/install-aikido-hook.sh).
+
+            ### Notes
+            - Users with `version: "latest"` (default) will automatically get the new version
+            - Users with explicit version pins are unaffected
+            - The fallback version is used when the upstream script cannot be fetched
+
+            ---
+            *This PR was automatically created by the [aikido-version-check](.github/workflows/aikido-version-check.yml) workflow.*
+          branch: chore/aikido-version-update
+          delete-branch: true
+          labels: |
+            dependencies
+            automated

src/aikido-precommit/README.md

@@ -12,10 +12,32 @@ Installs AikidoSec's pre-commit hook for scanning secrets, passwords, and API ke
 
 ## Options
 
-Options Id       | Description                                                      | Type    | Default Value
----------------- | ---------------------------------------------------------------- | ------- | -------------
-version          | Version of the aikido-local-scanner to install                   | string  | v1.0.116
-setupGlobalHooks | Configure git global hooks path (set to false for download-only) | boolean | true
+Options Id       | Description                                                                      | Type    | Default Value
+---------------- | -------------------------------------------------------------------------------- | ------- | -------------
+version          | Version of the aikido-local-scanner to install (use 'latest' for auto-detection) | string  | latest
+setupGlobalHooks | Configure git global hooks path (set to false for download-only)                 | boolean | true
+
+## Version Management
+
+This feature supports two version strategies:
+
+### Auto-detection (default)
+
+With `version: "latest"` (the default), the installer fetches the current version from [Aikido's official install script](https://github.com/AikidoSec/pre-commit/blob/main/installation-samples/install-global/install-aikido-hook.sh) at build time. This ensures you always get the latest scanner version without manual updates.
+
+If the upstream script is unreachable, a fallback version is used (kept up-to-date via automated PRs).
+
+### Pinned version
+
+For reproducible builds or to use a specific version, set an explicit version:
+
+```json
+"features": {
+    "ghcr.io/ProxayFox/devcontainer-features/aikido-precommit:1": {
+        "version": "v1.0.116"
+    }
+}
+```
 
 --------------------------------------------------------------------------------
 

src/aikido-precommit/devcontainer-feature.json

@@ -7,8 +7,8 @@
     "options": {
         "version": {
             "type": "string",
-            "default": "v1.0.116",
-            "description": "Version of the aikido-local-scanner to install"
+            "default": "latest",
+            "description": "Version of the aikido-local-scanner to install (use 'latest' for auto-detection)"
         },
         "setupGlobalHooks": {
             "type": "boolean",

src/aikido-precommit/install.sh

@@ -3,9 +3,47 @@
 set -e
 
 # Get options from environment (feature options are uppercase)
-VERSION="${VERSION:-"v1.0.116"}"
+VERSION="${VERSION:-"latest"}"
 SETUP_GLOBAL_HOOKS="${SETUPGLOBALHOOKS:-"true"}"
 
+# Fallback version used when "latest" cannot be fetched from upstream
+# This is automatically updated by the aikido-version-check.yml workflow
+FALLBACK_VERSION="v1.0.116"
+
+# Upstream script URL for fetching latest version
+AIKIDO_UPSTREAM_SCRIPT="https://raw.githubusercontent.com/AikidoSec/pre-commit/main/installation-samples/install-global/install-aikido-hook.sh"
+
+# Function to fetch the latest version from Aikido's upstream script
+fetch_latest_version() {
+    local upstream_script
+    local extracted_version
+
+    # Attempt to fetch the upstream install script
+    if upstream_script=$(curl -fsSL --connect-timeout 10 "$AIKIDO_UPSTREAM_SCRIPT" 2>/dev/null); then
+        # Extract VERSION="vX.X.X" from the script
+        extracted_version=$(echo "$upstream_script" | grep -oP '^VERSION="\K[^"]+' | head -1)
+
+        if [ -n "$extracted_version" ]; then
+            echo "$extracted_version"
+            return 0
+        fi
+        echo "Warning: Could not extract version from upstream script, using fallback version $FALLBACK_VERSION" >&2
+    else
+        echo "Warning: Failed to fetch upstream version (network or connection timeout), using fallback version $FALLBACK_VERSION" >&2
+    fi
+
+    # Fallback if upstream fetch fails
+    echo "$FALLBACK_VERSION"
+    return 0
+}
+
+# Resolve version
+if [ "$VERSION" = "latest" ]; then
+    echo "Fetching latest version from Aikido upstream..."
+    VERSION=$(fetch_latest_version)
+    echo "Resolved version: $VERSION"
+fi
+
 # Normalize version format (ensure it starts with 'v')
 if [[ ! "$VERSION" =~ ^v ]]; then
     VERSION="v${VERSION}"

test/aikido-precommit/pinned-version.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+echo "Testing: aikido-local-scanner pinned version installation"
+
+# Check binary exists
+if command -v aikido-local-scanner >/dev/null 2>&1; then
+    echo "✅ PASSED: aikido-local-scanner found"
+else
+    echo "❌ FAILED: aikido-local-scanner not found"
+    exit 1
+fi
+
+# The pinned version test verifies that explicit versions work
+# Note: We can't easily verify the exact version without aikido-local-scanner --version support
+# but we verify the binary was successfully downloaded and installed
+echo "✅ PASSED: Pinned version installation completed"
+
+echo ""
+echo "✅ All pinned-version tests passed!"

test/aikido-precommit/scenarios.json

@@ -0,0 +1,11 @@
+{
+    "pinned-version": {
+        "image": "ubuntu:focal",
+        "features": {
+            "aikido-precommit": {
+                "version": "v1.0.100",
+                "setupGlobalHooks": true
+            }
+        }
+    }
+}