Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions .github/workflows/supply-chain-guard.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
name: Supply Chain Package Guard

on:
pull_request:
paths:
- '**/requirements*.txt'
- '**/pyproject.toml'
- '**/poetry.lock'
- '**/Pipfile.lock'
- '**/uv.lock'
- '**/setup.py'
- '**/setup.cfg'

jobs:
check-blocked-packages:
runs-on: ubuntu-latest
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Check for compromised package versions
run: |
BLOCKED=0

echo "=== Checking for compromised litellm versions ==="

CHANGED_FILES=$(git diff --name-only "$BASE_SHA"..HEAD -- \
'**requirements*.txt' '**pyproject.toml' '**poetry.lock' \
'**Pipfile.lock' '**uv.lock' '**setup.py' '**setup.cfg' 2>/dev/null || true)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Git diff failure silently bypasses entire security guard

High Severity

The 2>/dev/null || true on the git diff command means any failure (invalid BASE_SHA, corrupt ref, race condition) is silently swallowed. Since GitHub Actions runs with bash -e by default, the || true prevents the step from exiting — but CHANGED_FILES ends up empty, no files are scanned, and the workflow reports "All dependency files clean." This is a fail-open design in a security guard, allowing compromised packages through whenever the diff command fails.

Fix in Cursor Fix in Web


for f in $CHANGED_FILES; do
[ -f "$f" ] || continue

if grep -qiE 'litellm[>=!~]' "$f"; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bare litellm dependency bypasses the security guard

High Severity

The regex litellm[>=!~] on the first grep requires a version operator character immediately after litellm. A bare litellm entry in requirements.txt (no version specifier) silently passes the guard, yet pip install litellm would resolve to the latest—potentially compromised—version. The character class also omits < and doesn't account for whitespace before operators, so specs like litellm<2.0 or litellm >=1.80 also bypass detection entirely.

Fix in Cursor Fix in Web

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Python extras syntax bypasses litellm dependency detection

High Severity

The regex litellm[>=!~] doesn't match Python extras syntax like litellm[proxy]>=1.82.0, because the [ character after litellm isn't in the character class [>=!~]. Since litellm officially supports pip install litellm[proxy], this is a realistic and common dependency format that completely bypasses the security guard while still installing the compromised package version.

Fix in Cursor Fix in Web

if grep -qE 'litellm==1\.78\.2' "$f"; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment containing safe version defeats the guard check

Medium Severity

The safe-version check grep -qE 'litellm==1\.78\.2' searches the entire file, not just active dependency lines. A file containing a comment like # pin litellm==1.78.2 later alongside an actual unsafe dependency like litellm>=1.82.0 would pass the guard, since the grep finds the safe version string in the comment and reports "OK" without verifying the actual dependency line.

Fix in Cursor Fix in Web

echo "OK: $f has litellm pinned to safe version 1.78.2"
else
echo "BLOCKED: $f contains litellm dependency NOT pinned to ==1.78.2"
echo " litellm 1.82.7/1.82.8 are compromised (TeamPCP, Mar 2026)"
echo " Pin to litellm==1.78.2 or remove the dependency"
grep -n 'litellm' "$f" || true
BLOCKED=1
fi
fi
done

if [ "$BLOCKED" -eq 1 ]; then
echo ""
echo "================================================================"
echo "SUPPLY CHAIN GUARD: PR blocked due to compromised package risk"
echo "================================================================"
exit 1
fi

echo "All dependency files clean."
Loading