mirror of
https://github.com/ivuorinen/actions.git
synced 2026-01-26 11:34:00 +00:00
Ismo Vuorinen
9aa16a8164
* feat: use our own actions in our workflows * fix: add missing inputs to validate-inputs, refactor node * chore: cr comment fixes * fix: update-validators formatting * chore: update validators, add tests, conventions * feat: validate severity with severity_enum * feat: add 10 generic validators to improve input validation coverage Add comprehensive validation system improvements across multiple phases: Phase 2A - Quick Wins: - Add multi_value_enum validator for 2-10 value enumerations - Add exit_code_list validator for Unix/Linux exit codes (0-255) - Refactor coverage_driver to use multi_value_enum Phase 2B - High-Value Validators: - Add key_value_list validator with shell injection prevention - Add path_list validator with path traversal and glob support Quick Wins - Additional Enums: - Add network_mode validator for Docker network modes - Add language_enum validator for language detection - Add framework_mode validator for PHP framework modes - Update boolean pattern to include 'push' Phase 2C - Specialized Validators: - Add json_format validator for JSON syntax validation - Add cache_config validator for Docker BuildKit cache configs Improvements: - All validators include comprehensive security checks - Pattern-based validation with clear error messages - 23 new test methods with edge case coverage - Update special case mappings for 20+ inputs - Fix build-args mapping test expectation Coverage impact: 22 actions now at 100% validation (88% → 92%) Test suite: 762 → 785 tests (+23 tests, all passing) * chore: regenerate rules.yml with improved validator coverage Regenerate validation rules for all actions with new validators: - compress-images: 86% → 100% (+1 input: ignore-paths) - docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args) - docker-publish: 73% → 100% (+1 input: build-args) - language-version-detect: 67% → 100% (+1 input: language) - php-tests: 89% (fixed framework→framework_mode mapping) - prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins) - security-scan: 86% (maintained coverage) Overall: 23 of 25 actions now at 100% validation coverage (92%) * fix: address PR #377 review comments - Add | None type annotations to 6 optional parameters (PEP 604) - Standardize injection pattern: remove @# from comma_separated_list validator (@ and # are not shell injection vectors, allows npm scoped packages) - Remove dead code: unused value expression in key_value_list validator - Update tests to reflect injection pattern changes
117 lines
3.5 KiB
Bash
Executable File
117 lines
3.5 KiB
Bash
Executable File
#!/usr/bin/env shellspec
|
|
# Unit tests for security-scan action validation and logic
|
|
# Framework is automatically loaded via spec_helper.sh
|
|
|
|
Describe "security-scan action"
|
|
ACTION_DIR="security-scan"
|
|
ACTION_FILE="$ACTION_DIR/action.yml"
|
|
|
|
Context "when validating token input"
|
|
It "accepts valid GitHub token"
|
|
When call validate_input_python "security-scan" "token" "ghp_123456789012345678901234567890123456"
|
|
The status should be success
|
|
End
|
|
|
|
It "rejects injection in token"
|
|
When call validate_input_python "security-scan" "token" "token; rm -rf /"
|
|
The status should be failure
|
|
End
|
|
|
|
It "accepts empty token (optional)"
|
|
When call validate_input_python "security-scan" "token" ""
|
|
The status should be success
|
|
End
|
|
End
|
|
|
|
Context "when validating actionlint-enabled input"
|
|
It "accepts true value"
|
|
When call validate_input_python "security-scan" "actionlint-enabled" "true"
|
|
The status should be success
|
|
End
|
|
|
|
It "accepts false value"
|
|
When call validate_input_python "security-scan" "actionlint-enabled" "false"
|
|
The status should be success
|
|
End
|
|
|
|
It "rejects non-boolean value"
|
|
When call validate_input_python "security-scan" "actionlint-enabled" "maybe"
|
|
The status should be failure
|
|
End
|
|
End
|
|
|
|
Context "when checking action.yml structure"
|
|
It "has valid YAML syntax"
|
|
When call validate_action_yml_quiet "$ACTION_FILE"
|
|
The status should be success
|
|
End
|
|
|
|
It "has correct action name"
|
|
name=$(get_action_name "$ACTION_FILE")
|
|
When call echo "$name"
|
|
The output should equal "Security Scan"
|
|
End
|
|
|
|
It "defines all expected inputs"
|
|
inputs=$(get_action_inputs "$ACTION_FILE")
|
|
When call echo "$inputs"
|
|
The output should include "gitleaks-license"
|
|
The output should include "gitleaks-config"
|
|
The output should include "trivy-severity"
|
|
The output should include "trivy-scanners"
|
|
The output should include "trivy-timeout"
|
|
The output should include "actionlint-enabled"
|
|
The output should include "token"
|
|
End
|
|
|
|
It "defines all expected outputs"
|
|
outputs=$(get_action_outputs "$ACTION_FILE")
|
|
When call echo "$outputs"
|
|
The output should include "has_trivy_results"
|
|
The output should include "has_gitleaks_results"
|
|
The output should include "total_issues"
|
|
The output should include "critical_issues"
|
|
End
|
|
|
|
It "uses composite run type"
|
|
run_type=$(get_action_runs_using "$ACTION_FILE")
|
|
When call echo "$run_type"
|
|
The output should equal "composite"
|
|
End
|
|
End
|
|
|
|
Context "when validating inputs per conventions"
|
|
It "validates token against github_token convention"
|
|
When call validate_input_python "security-scan" "token" "ghp_123456789012345678901234567890123456"
|
|
The status should be success
|
|
End
|
|
|
|
It "validates actionlint-enabled as boolean"
|
|
When call validate_input_python "security-scan" "actionlint-enabled" "true"
|
|
The status should be success
|
|
End
|
|
|
|
It "rejects invalid boolean for actionlint-enabled"
|
|
When call validate_input_python "security-scan" "actionlint-enabled" "1"
|
|
The status should be failure
|
|
End
|
|
End
|
|
|
|
Context "when testing optional inputs"
|
|
It "accepts empty gitleaks-license"
|
|
When call validate_input_python "security-scan" "gitleaks-license" ""
|
|
The status should be success
|
|
End
|
|
|
|
It "accepts empty token"
|
|
When call validate_input_python "security-scan" "token" ""
|
|
The status should be success
|
|
End
|
|
|
|
It "accepts valid gitleaks-license value"
|
|
When call validate_input_python "security-scan" "gitleaks-license" "license-key-123"
|
|
The status should be success
|
|
End
|
|
End
|
|
End
|