
Comment-and-Control Index

Which GitHub repos are still exposed to the April 2026 AI coding-agent prompt-injection attack?

Tags: dev-tools, security, ai-coding-agents, github-actions, prompt-injection, claude-code, gemini-cli, copilot

comment-shield

A live, public scanner that finds which public GitHub repositories are exposed to the "Comment and Control" prompt-injection attack — the April 2026 disclosure that lets a single PR title, issue body, or HTML comment hijack Claude Code Security Review, Gemini CLI Action, and GitHub Copilot Agent and exfiltrate CI/CD secrets through ordinary GitHub events.

Live URL: https://holyai.me/comment-shield/

What it does

  1. Discovers public GitHub repos whose workflows import any of the three affected actions (Claude Code, Gemini CLI, Copilot Coding Agent) via the GitHub Code Search API.
  2. Fetches each matching workflow YAML at runtime and grades it against the Comment-and-Control conditions from the disclosure:
     - Trigger is pull_request_target, issue_comment, or issues with opened/edited
     - The affected action is invoked in that job
     - The job has write permissions (contents, pull-requests, id-token)
     - The action's with: block forwards ${{ github.event.*.body }} or .title or .comment.body
     - Secrets are referenced in the same job
  3. Produces a letter grade (A–F) with the matched signal list and a recommended diff.
  4. Exposes a public dashboard, a per-repo share card, and a public scan endpoint so any maintainer can audit a repo in under 30 seconds.
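
The five workflow conditions listed above can be checked per job as in the following added example, which is not comment-shield's own code. It assumes the workflow YAML has already been parsed into an object; the function names and the action name in AFFECTED are hypothetical placeholders, and because the page does not give the letter-grade mapping it returns only the matched signals.

```javascript
// Added example: per-job check of the five conditions from the list above.
// AFFECTED is a constructed placeholder; substitute the action names you audit.
const AFFECTED = ['example-org/ai-review-action'];
const RISKY_EVENTS = ['pull_request_target', 'issue_comment', 'issues'];
const WRITE_SCOPES = ['contents', 'pull-requests', 'id-token'];
// Matches ${{ ... github.event.<path>.body|title ... }} inside a with: value.
const UNTRUSTED = /\$\{\{[^}]*github\.event\.[\w.]+\.(body|title)\b[^}]*\}\}/;

// `on:` may be a string, a list, or a map of event name -> config.
function riskyTrigger(on) {
  const events = typeof on === 'string' ? { [on]: {} }
    : Array.isArray(on) ? Object.fromEntries(on.map((e) => [e, {}])) : on || {};
  return Object.entries(events).some(([name, cfg]) => {
    if (!RISKY_EVENTS.includes(name)) return false;
    // `issues` with no types filter fires on every activity type.
    const types = name === 'issues' && cfg && cfg.types;
    return !types || [].concat(types).some((t) => t === 'opened' || t === 'edited');
  });
}

// A missing permissions key falls back to the repository default, which is
// not visible in the YAML, so it is reported as "not matched" here.
function hasWrite(perms) {
  if (typeof perms === 'string') return perms === 'write-all';
  return WRITE_SCOPES.some((s) => perms && perms[s] === 'write');
}

function checkWorkflow(wf) {
  const trigger = riskyTrigger(wf.on);
  return Object.entries(wf.jobs || {}).map(([id, job]) => {
    const steps = (job.steps || []).filter((s) =>
      AFFECTED.some((a) => String(s.uses || '').split('@')[0] === a));
    const signals = {
      trigger,
      affectedAction: steps.length > 0,
      writePermissions: hasWrite(job.permissions ?? wf.permissions),
      forwardsUntrustedText: steps.some((s) => UNTRUSTED.test(JSON.stringify(s.with || {}))),
      secretsInJob: /\$\{\{[^}]*\bsecrets\./.test(JSON.stringify(job)),
    };
    return { job: id, signals, matched: Object.keys(signals).filter((k) => signals[k]) };
  });
}

// Constructed sample workflows (not taken from any real repository).
const exposed = { on: { issues: { types: ['opened'] } }, jobs: { triage: {
  permissions: { contents: 'write' },
  steps: [{ uses: 'example-org/ai-review-action@v1', with: {
    prompt: 'Triage: ${{ github.event.issue.body }}', token: '${{ secrets.BOT_TOKEN }}' } }] } } };
const hardened = { on: ['pull_request'], permissions: { contents: 'read' },
  jobs: { review: { steps: [{ uses: 'example-org/ai-review-action@v1', with: { prompt: 'Review the diff' } }] } } };
console.log(checkWorkflow(exposed)[0].matched, checkWorkflow(hardened)[0].matched);
```
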

Sources of real data

| Source | Endpoint | Auth | Refresh |
|---|---|---|---|
| GitHub Code Search | /search/code | GITHUB_TOKEN required | every 6h |
| GitHub Contents | /repos/:o/:r/contents/... | same token | on demand |
| GitHub Repos | /repos/:o/:r | same token | on demand, cached 24h |
| oddguan.com blog feed | /blog/feed.xml | none | daily 03:15 UTC |
| CSA labs research | /research/ (HTML) | none | daily |
| NVD CVE 2.0 | /rest/json/cves/2.0?keywordSearch=... | none | daily |

No seed data, no synthetic grades, no Math.random() jitter. If a source is down, the row stays stale and request_log records the failure.

Running locally

```bash
cp .env.example .env
# Fill in GITHUB_TOKEN with a read-only public-repo token
npm install
npm start
```

The server boots on :4862, mounted under /comment-shield.

Cron schedule

Endpoints

| Method | Path | Notes |
|---|---|---|
| GET | /comment-shield/ | SPA dashboard |
| GET | /comment-shield/health | liveness |
| GET | /comment-shield/api/stats | aggregate by vendor + grade |
| GET | /comment-shield/api/repos?grade=F&vendor=anthropic&q=&page=1&limit=50 | paginated repo list |
| GET | /comment-shield/api/repo/:owner/:repo | per-repo detail + recommendations |
| GET | /comment-shield/api/disclosures | public disclosure timeline |
| POST | /comment-shield/api/scan | body { "url": "https://github.com/o/r" }; enqueue an immediate scan |
| GET | /comment-shield/api/scan/:id | poll a submitted scan |
| POST | /comment-shield/api/scan/refresh | trigger a global refresh (rate-limited to 1/min) |
| GET | /comment-shield/share/:owner/:repo | shareable HTML card |

All endpoints are public. No basic auth, no API key, no admin password. Audit any repo at any time.

Tech

License

MIT