feat: use our own actions in our workflows (#377)

* feat: use our own actions in our workflows * fix: add missing inputs to validate-inputs, refactor node * chore: cr comment fixes * fix: update-validators formatting * chore: update validators, add tests, conventions * feat: validate severity with severity_enum * feat: add 10 generic validators to improve input validation coverage Add comprehensive validation system improvements across multiple phases: Phase 2A - Quick Wins: - Add multi_value_enum validator for 2-10 value enumerations - Add exit_code_list validator for Unix/Linux exit codes (0-255) - Refactor coverage_driver to use multi_value_enum Phase 2B - High-Value Validators: - Add key_value_list validator with shell injection prevention - Add path_list validator with path traversal and glob support Quick Wins - Additional Enums: - Add network_mode validator for Docker network modes - Add language_enum validator for language detection - Add framework_mode validator for PHP framework modes - Update boolean pattern to include 'push' Phase 2C - Specialized Validators: - Add json_format validator for JSON syntax validation - Add cache_config validator for Docker BuildKit cache configs Improvements: - All validators include comprehensive security checks - Pattern-based validation with clear error messages - 23 new test methods with edge case coverage - Update special case mappings for 20+ inputs - Fix build-args mapping test expectation Coverage impact: 22 actions now at 100% validation (88% → 92%) Test suite: 762 → 785 tests (+23 tests, all passing) * chore: regenerate rules.yml with improved validator coverage Regenerate validation rules for all actions with new validators: - compress-images: 86% → 100% (+1 input: ignore-paths) - docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args) - docker-publish: 73% → 100% (+1 input: build-args) - language-version-detect: 67% → 100% (+1 input: language) - php-tests: 89% (fixed framework→framework_mode mapping) - prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins) - security-scan: 86% (maintained coverage) Overall: 23 of 25 actions now at 100% validation coverage (92%) * fix: address PR #377 review comments - Add | None type annotations to 6 optional parameters (PEP 604) - Standardize injection pattern: remove @# from comma_separated_list validator (@ and # are not shell injection vectors, allows npm scoped packages) - Remove dead code: unused value expression in key_value_list validator - Update tests to reflect injection pattern changes
2026-01-26 03:23:59 +00:00 · 2025-11-25 23:51:03 +02:00
parent e58465e5d3
commit 9aa16a8164
32 changed files with 2823 additions and 523 deletions
--- a/security-scan/README.md
+++ b/security-scan/README.md
@@ -0,0 +1,82 @@
+# ivuorinen/actions/security-scan
+
+## Security Scan
+
+### Description
+
+Comprehensive security scanning for GitHub Actions including actionlint,
+Gitleaks (optional), and Trivy vulnerability scanning. Requires
+'security-events: write' and 'contents: read' permissions in the workflow.
+
+### Inputs
+
+| name                 | description                                                  | required | default              |
+|----------------------|--------------------------------------------------------------|----------|----------------------|
+| `gitleaks-license`   | <p>Gitleaks license key (required for Gitleaks scanning)</p> | `false`  | `""`                 |
+| `gitleaks-config`    | <p>Path to Gitleaks config file</p>                          | `false`  | `.gitleaks.toml`     |
+| `trivy-severity`     | <p>Severity levels to scan for (comma-separated)</p>         | `false`  | `CRITICAL,HIGH`      |
+| `trivy-scanners`     | <p>Types of scanners to run (comma-separated)</p>            | `false`  | `vuln,config,secret` |
+| `trivy-timeout`      | <p>Timeout for Trivy scan</p>                                | `false`  | `10m`                |
+| `actionlint-enabled` | <p>Enable actionlint scanning</p>                            | `false`  | `true`               |
+| `token`              | <p>GitHub token for authentication</p>                       | `false`  | `""`                 |
+
+### Outputs
+
+| name                   | description                                         |
+|------------------------|-----------------------------------------------------|
+| `has_trivy_results`    | <p>Whether Trivy scan produced valid results</p>    |
+| `has_gitleaks_results` | <p>Whether Gitleaks scan produced valid results</p> |
+| `total_issues`         | <p>Total number of security issues found</p>        |
+| `critical_issues`      | <p>Number of critical security issues found</p>     |
+
+### Runs
+
+This action is a `composite` action.
+
+### Usage
+
+```yaml
+- uses: ivuorinen/actions/security-scan@main
+  with:
+    gitleaks-license:
+    # Gitleaks license key (required for Gitleaks scanning)
+    #
+    # Required: false
+    # Default: ""
+
+    gitleaks-config:
+    # Path to Gitleaks config file
+    #
+    # Required: false
+    # Default: .gitleaks.toml
+
+    trivy-severity:
+    # Severity levels to scan for (comma-separated)
+    #
+    # Required: false
+    # Default: CRITICAL,HIGH
+
+    trivy-scanners:
+    # Types of scanners to run (comma-separated)
+    #
+    # Required: false
+    # Default: vuln,config,secret
+
+    trivy-timeout:
+    # Timeout for Trivy scan
+    #
+    # Required: false
+    # Default: 10m
+
+    actionlint-enabled:
+    # Enable actionlint scanning
+    #
+    # Required: false
+    # Default: true
+
+    token:
+    # GitHub token for authentication
+    #
+    # Required: false
+    # Default: ""
+```
--- a/security-scan/action.yml
+++ b/security-scan/action.yml
@@ -0,0 +1,282 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+#
+# REQUIRED PERMISSIONS (set these in your workflow file):
+#   permissions:
+#     security-events: write  # Required for SARIF uploads
+#     contents: read          # Required for repository access
+#
+---
+name: Security Scan
+description: |
+  Comprehensive security scanning for GitHub Actions including actionlint,
+  Gitleaks (optional), and Trivy vulnerability scanning. Requires
+  'security-events: write' and 'contents: read' permissions in the workflow.
+author: Ismo Vuorinen
+branding:
+  icon: shield
+  color: red
+
+inputs:
+  gitleaks-license:
+    description: 'Gitleaks license key (required for Gitleaks scanning)'
+    required: false
+    default: ''
+  gitleaks-config:
+    description: 'Path to Gitleaks config file'
+    required: false
+    default: '.gitleaks.toml'
+  trivy-severity:
+    description: 'Severity levels to scan for (comma-separated)'
+    required: false
+    default: 'CRITICAL,HIGH'
+  trivy-scanners:
+    description: 'Types of scanners to run (comma-separated)'
+    required: false
+    default: 'vuln,config,secret'
+  trivy-timeout:
+    description: 'Timeout for Trivy scan'
+    required: false
+    default: '10m'
+  actionlint-enabled:
+    description: 'Enable actionlint scanning'
+    required: false
+    default: 'true'
+  token:
+    description: 'GitHub token for authentication'
+    required: false
+    default: ''
+
+outputs:
+  has_trivy_results:
+    description: 'Whether Trivy scan produced valid results'
+    value: ${{ steps.verify-sarif.outputs.has_trivy }}
+  has_gitleaks_results:
+    description: 'Whether Gitleaks scan produced valid results'
+    value: ${{ steps.verify-sarif.outputs.has_gitleaks }}
+  total_issues:
+    description: 'Total number of security issues found'
+    value: ${{ steps.analyze.outputs.total_issues }}
+  critical_issues:
+    description: 'Number of critical security issues found'
+    value: ${{ steps.analyze.outputs.critical_issues }}
+
+runs:
+  using: composite
+  steps:
+    - name: Validate Inputs
+      id: validate
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
+      with:
+        action-type: security-scan
+        gitleaks-license: ${{ inputs.gitleaks-license }}
+        gitleaks-config: ${{ inputs.gitleaks-config }}
+        trivy-severity: ${{ inputs.trivy-severity }}
+        trivy-scanners: ${{ inputs.trivy-scanners }}
+        trivy-timeout: ${{ inputs.trivy-timeout }}
+        actionlint-enabled: ${{ inputs.actionlint-enabled }}
+        token: ${{ inputs.token }}
+
+    - name: Check Required Configurations
+      id: check-configs
+      shell: sh
+      run: |
+        set -eu
+
+        # Initialize all flags as false
+        {
+          printf '%s\n' "run_gitleaks=false"
+          printf '%s\n' "run_trivy=true"
+          printf '%s\n' "run_actionlint=${{ inputs.actionlint-enabled }}"
+        } >> "$GITHUB_OUTPUT"
+
+        # Check Gitleaks configuration and license
+        if [ -f "${{ inputs.gitleaks-config }}" ] && [ -n "${{ inputs.gitleaks-license }}" ]; then
+          printf 'Gitleaks config and license found\n'
+          printf '%s\n' "run_gitleaks=true" >> "$GITHUB_OUTPUT"
+        else
+          printf '::warning::Gitleaks config or license missing - skipping Gitleaks scan\n'
+        fi
+
+    - name: Run actionlint
+      if: steps.check-configs.outputs.run_actionlint == 'true'
+      uses: raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc # v2.0.1
+      with:
+        cache: true
+        fail-on-error: true
+        shellcheck: false
+
+    - name: Run Gitleaks
+      if: steps.check-configs.outputs.run_gitleaks == 'true'
+      uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+      env:
+        GITHUB_TOKEN: ${{ inputs.token || github.token }}
+        GITLEAKS_LICENSE: ${{ inputs.gitleaks-license }}
+      with:
+        config-path: ${{ inputs.gitleaks-config }}
+        report-format: sarif
+        report-path: gitleaks-report.sarif
+
+    - name: Run Trivy vulnerability scanner
+      if: steps.check-configs.outputs.run_trivy == 'true'
+      uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b # master
+      with:
+        scan-type: 'fs'
+        scanners: ${{ inputs.trivy-scanners }}
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: ${{ inputs.trivy-severity }}
+        timeout: ${{ inputs.trivy-timeout }}
+
+    - name: Verify SARIF files
+      id: verify-sarif
+      shell: sh
+      run: |
+        set -eu
+
+        # Initialize outputs
+        {
+          printf '%s\n' "has_trivy=false"
+          printf '%s\n' "has_gitleaks=false"
+        } >> "$GITHUB_OUTPUT"
+
+        # Check Trivy results
+        if [ -f "trivy-results.sarif" ]; then
+          if jq -e . <"trivy-results.sarif" >/dev/null 2>&1; then
+            printf '%s\n' "has_trivy=true" >> "$GITHUB_OUTPUT"
+          else
+            printf '::warning::Trivy SARIF file exists but is not valid JSON\n'
+          fi
+        fi
+
+        # Check Gitleaks results if it ran
+        if [ "${{ steps.check-configs.outputs.run_gitleaks }}" = "true" ]; then
+          if [ -f "gitleaks-report.sarif" ]; then
+            if jq -e . <"gitleaks-report.sarif" >/dev/null 2>&1; then
+              printf '%s\n' "has_gitleaks=true" >> "$GITHUB_OUTPUT"
+            else
+              printf '::warning::Gitleaks SARIF file exists but is not valid JSON\n'
+            fi
+          fi
+        fi
+
+    - name: Upload Trivy results
+      if: steps.verify-sarif.outputs.has_trivy == 'true'
+      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      with:
+        sarif_file: 'trivy-results.sarif'
+        category: 'trivy'
+
+    - name: Upload Gitleaks results
+      if: steps.verify-sarif.outputs.has_gitleaks == 'true'
+      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      with:
+        sarif_file: 'gitleaks-report.sarif'
+        category: 'gitleaks'
+
+    - name: Archive security reports
+      if: always()
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      with:
+        name: security-reports-${{ github.run_id }}
+        path: |
+          ${{ steps.verify-sarif.outputs.has_trivy == 'true' && 'trivy-results.sarif' || '' }}
+          ${{ steps.verify-sarif.outputs.has_gitleaks == 'true' && 'gitleaks-report.sarif' || '' }}
+        retention-days: 30
+
+    - name: Analyze Results
+      id: analyze
+      if: always()
+      shell: node {0}
+      run: |
+        const fs = require('fs');
+
+        try {
+          let totalIssues = 0;
+          let criticalIssues = 0;
+
+          const analyzeSarif = (file, tool) => {
+            if (!fs.existsSync(file)) {
+              console.log(`No results file found for ${tool}`);
+              return null;
+            }
+
+            try {
+              const sarif = JSON.parse(fs.readFileSync(file, 'utf8'));
+              return sarif.runs.reduce((acc, run) => {
+                if (!run.results) return acc;
+
+                const critical = run.results.filter(r =>
+                  r.level === 'error' ||
+                  r.level === 'critical' ||
+                  (r.ruleId || '').toLowerCase().includes('critical')
+                ).length;
+
+                return {
+                  total: acc.total + run.results.length,
+                  critical: acc.critical + critical
+                };
+              }, { total: 0, critical: 0 });
+            } catch (error) {
+              console.log(`Error analyzing ${tool} results: ${error.message}`);
+              return null;
+            }
+          };
+
+          // Only analyze results from tools that ran successfully
+          const results = {
+            trivy: '${{ steps.verify-sarif.outputs.has_trivy }}' === 'true' ?
+              analyzeSarif('trivy-results.sarif', 'trivy') : null,
+            gitleaks: '${{ steps.verify-sarif.outputs.has_gitleaks }}' === 'true' ?
+              analyzeSarif('gitleaks-report.sarif', 'gitleaks') : null
+          };
+
+          // Aggregate results
+          Object.entries(results).forEach(([tool, result]) => {
+            if (result) {
+              totalIssues += result.total;
+              criticalIssues += result.critical;
+              console.log(`${tool}: ${result.total} total, ${result.critical} critical issues`);
+            }
+          });
+
+          // Create summary
+          const summary = `## Security Scan Summary
+
+          - Total Issues Found: ${totalIssues}
+          - Critical Issues: ${criticalIssues}
+
+          ### Tool Breakdown
+          ${Object.entries(results)
+            .filter(([_, r]) => r)
+            .map(([tool, r]) =>
+              `- ${tool}: ${r.total} total, ${r.critical} critical`
+            ).join('\n')}
+
+          ### Tools Run Status
+          - Actionlint: ${{ steps.check-configs.outputs.run_actionlint }}
+          - Trivy: ${{ steps.verify-sarif.outputs.has_trivy }}
+          - Gitleaks: ${{ steps.check-configs.outputs.run_gitleaks }}
+          `;
+
+          // Set outputs using GITHUB_OUTPUT
+          const outputFile = process.env.GITHUB_OUTPUT;
+          if (outputFile) {
+            fs.appendFileSync(outputFile, `total_issues=${totalIssues}\n`);
+            fs.appendFileSync(outputFile, `critical_issues=${criticalIssues}\n`);
+          }
+
+          // Add job summary using GITHUB_STEP_SUMMARY
+          const summaryFile = process.env.GITHUB_STEP_SUMMARY;
+          if (summaryFile) {
+            fs.appendFileSync(summaryFile, summary + '\n');
+          }
+
+          // Fail if critical issues found
+          if (criticalIssues > 0) {
+            console.error(`Found ${criticalIssues} critical security issues`);
+            process.exit(1);
+          }
+        } catch (error) {
+          console.error(`Analysis failed: ${error.message}`);
+          process.exit(1);
+        }
--- a/security-scan/rules.yml
+++ b/security-scan/rules.yml
@@ -0,0 +1,55 @@
+---
+# Validation rules for security-scan action
+# Generated by update-validators.py v1.0.0 - DO NOT EDIT MANUALLY
+# Schema version: 1.0
+# Coverage: 86% (6/7 inputs)
+#
+# This file defines validation rules for the security-scan GitHub Action.
+# Rules are automatically applied by validate-inputs action when this
+# action is used.
+#
+
+schema_version: '1.0'
+action: security-scan
+description: |
+  Comprehensive security scanning for GitHub Actions including actionlint,
+  Gitleaks (optional), and Trivy vulnerability scanning. Requires
+  'security-events: write' and 'contents: read' permissions in the workflow.
+generator_version: 1.0.0
+required_inputs: []
+optional_inputs:
+  - actionlint-enabled
+  - gitleaks-config
+  - gitleaks-license
+  - token
+  - trivy-scanners
+  - trivy-severity
+  - trivy-timeout
+conventions:
+  actionlint-enabled: boolean
+  gitleaks-config: file_path
+  token: github_token
+  trivy-scanners: scanner_list
+  trivy-severity: severity_enum
+  trivy-timeout: timeout_with_unit
+overrides:
+  actionlint-enabled: boolean
+  gitleaks-config: file_path
+  token: github_token
+  trivy-scanners: scanner_list
+  trivy-severity: severity_enum
+  trivy-timeout: timeout_with_unit
+statistics:
+  total_inputs: 7
+  validated_inputs: 6
+  skipped_inputs: 0
+  coverage_percentage: 86
+validation_coverage: 86
+auto_detected: true
+manual_review_required: false
+quality_indicators:
+  has_required_inputs: false
+  has_token_validation: true
+  has_version_validation: false
+  has_file_validation: true
+  has_security_validation: true