feat: use our own actions in our workflows (#377)

* feat: use our own actions in our workflows * fix: add missing inputs to validate-inputs, refactor node * chore: cr comment fixes * fix: update-validators formatting * chore: update validators, add tests, conventions * feat: validate severity with severity_enum * feat: add 10 generic validators to improve input validation coverage Add comprehensive validation system improvements across multiple phases: Phase 2A - Quick Wins: - Add multi_value_enum validator for 2-10 value enumerations - Add exit_code_list validator for Unix/Linux exit codes (0-255) - Refactor coverage_driver to use multi_value_enum Phase 2B - High-Value Validators: - Add key_value_list validator with shell injection prevention - Add path_list validator with path traversal and glob support Quick Wins - Additional Enums: - Add network_mode validator for Docker network modes - Add language_enum validator for language detection - Add framework_mode validator for PHP framework modes - Update boolean pattern to include 'push' Phase 2C - Specialized Validators: - Add json_format validator for JSON syntax validation - Add cache_config validator for Docker BuildKit cache configs Improvements: - All validators include comprehensive security checks - Pattern-based validation with clear error messages - 23 new test methods with edge case coverage - Update special case mappings for 20+ inputs - Fix build-args mapping test expectation Coverage impact: 22 actions now at 100% validation (88% → 92%) Test suite: 762 → 785 tests (+23 tests, all passing) * chore: regenerate rules.yml with improved validator coverage Regenerate validation rules for all actions with new validators: - compress-images: 86% → 100% (+1 input: ignore-paths) - docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args) - docker-publish: 73% → 100% (+1 input: build-args) - language-version-detect: 67% → 100% (+1 input: language) - php-tests: 89% (fixed framework→framework_mode mapping) - prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins) - security-scan: 86% (maintained coverage) Overall: 23 of 25 actions now at 100% validation coverage (92%) * fix: address PR #377 review comments - Add | None type annotations to 6 optional parameters (PEP 604) - Standardize injection pattern: remove @# from comma_separated_list validator (@ and # are not shell injection vectors, allows npm scoped packages) - Remove dead code: unused value expression in key_value_list validator - Update tests to reflect injection pattern changes
2026-01-26 03:23:59 +00:00 · 2025-11-25 23:51:03 +02:00
parent e58465e5d3
commit 9aa16a8164
32 changed files with 2823 additions and 523 deletions
--- a/security-scan/README.md
+++ b/security-scan/README.md
@@ -0,0 +1,82 @@
+# ivuorinen/actions/security-scan
+
+## Security Scan
+
+### Description
+
+Comprehensive security scanning for GitHub Actions including actionlint,
+Gitleaks (optional), and Trivy vulnerability scanning. Requires
+'security-events: write' and 'contents: read' permissions in the workflow.
+
+### Inputs
+
+| name                 | description                                                  | required | default              |
+|----------------------|--------------------------------------------------------------|----------|----------------------|
+| `gitleaks-license`   | <p>Gitleaks license key (required for Gitleaks scanning)</p> | `false`  | `""`                 |
+| `gitleaks-config`    | <p>Path to Gitleaks config file</p>                          | `false`  | `.gitleaks.toml`     |
+| `trivy-severity`     | <p>Severity levels to scan for (comma-separated)</p>         | `false`  | `CRITICAL,HIGH`      |
+| `trivy-scanners`     | <p>Types of scanners to run (comma-separated)</p>            | `false`  | `vuln,config,secret` |
+| `trivy-timeout`      | <p>Timeout for Trivy scan</p>                                | `false`  | `10m`                |
+| `actionlint-enabled` | <p>Enable actionlint scanning</p>                            | `false`  | `true`               |
+| `token`              | <p>GitHub token for authentication</p>                       | `false`  | `""`                 |
+
+### Outputs
+
+| name                   | description                                         |
+|------------------------|-----------------------------------------------------|
+| `has_trivy_results`    | <p>Whether Trivy scan produced valid results</p>    |
+| `has_gitleaks_results` | <p>Whether Gitleaks scan produced valid results</p> |
+| `total_issues`         | <p>Total number of security issues found</p>        |
+| `critical_issues`      | <p>Number of critical security issues found</p>     |
+
+### Runs
+
+This action is a `composite` action.
+
+### Usage
+
+```yaml
+- uses: ivuorinen/actions/security-scan@main
+  with:
+    gitleaks-license:
+    # Gitleaks license key (required for Gitleaks scanning)
+    #
+    # Required: false
+    # Default: ""
+
+    gitleaks-config:
+    # Path to Gitleaks config file
+    #
+    # Required: false
+    # Default: .gitleaks.toml
+
+    trivy-severity:
+    # Severity levels to scan for (comma-separated)
+    #
+    # Required: false
+    # Default: CRITICAL,HIGH
+
+    trivy-scanners:
+    # Types of scanners to run (comma-separated)
+    #
+    # Required: false
+    # Default: vuln,config,secret
+
+    trivy-timeout:
+    # Timeout for Trivy scan
+    #
+    # Required: false
+    # Default: 10m
+
+    actionlint-enabled:
+    # Enable actionlint scanning
+    #
+    # Required: false
+    # Default: true
+
+    token:
+    # GitHub token for authentication
+    #
+    # Required: false
+    # Default: ""
+```