Release v1.3.2 (#2095)

.github/workflows/codeql.yml

@@ -43,7 +43,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit
 
       - name: Checkout repository
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

.github/workflows/kbanalysis.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit
 
       - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
         with:

remediation/workflow/hardenrunner/addaction.go

@@ -83,7 +83,7 @@ func addAction(inputYaml, jobName, action string) (string, error) {
 	output = append(output, spaces+fmt.Sprintf("- name: %s", HardenRunnerActionName))
 	output = append(output, spaces+fmt.Sprintf("  uses: %s", action))
 	output = append(output, spaces+"  with:")
-	output = append(output, spaces+"    egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs")
+	output = append(output, spaces+"    egress-policy: audit")
 	output = append(output, "")
 
 	for i := jobNode.Line - 1; i < len(inputLines); i++ {

remediation/workflow/permissions/permissions.go

@@ -101,6 +101,9 @@ func AddWorkflowLevelPermissions(inputYaml string, addProjectComment bool) (stri
 	line := 0
 	column := 0
 	topNode := t.Content
+	if len(topNode) == 0 {
+		return inputYaml, fmt.Errorf("Workflow file provided is Empty")
+	}
 	for _, n := range topNode[0].Content {
 		if n.Value == "jobs" && n.Tag == "!!str" {
 			line = n.Line

remediation/workflow/pin/pinactions.go

@@ -76,6 +76,34 @@ func PinAction(action, inputYaml string) (string, bool) {
 	pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)
 	updated = !strings.EqualFold(action, pinnedAction)
 	inputYaml = strings.ReplaceAll(inputYaml, action, pinnedAction)
+	yamlWithPreviousActionCommentsRemoved, wasModified := removePreviousActionComments(pinnedAction, inputYaml)
+	if wasModified {
+		return yamlWithPreviousActionCommentsRemoved, updated
+	}
+	return inputYaml, updated
+}
+
+// It may be that there was already a comment next to the action
+// In this case we want to remove the earlier comment
+// we add a comment with the Action version so dependabot/ renovatebot can update it
+// if there was no comment next to any action, updated will be false
+func removePreviousActionComments(pinnedAction, inputYaml string) (string, bool) {
+	updated := false
+	stringParts := strings.Split(inputYaml, pinnedAction)
+	if len(stringParts) > 1 {
+		inputYaml = ""
+		inputYaml = stringParts[0]
+		for idx := 1; idx < len(stringParts); idx++ {
+			trimmedString := strings.SplitN(stringParts[idx], "\n", 2)
+			if len(trimmedString) > 1 {
+				if strings.Contains(trimmedString[0], "#") {
+					updated = true
+				}
+				inputYaml = inputYaml + pinnedAction + "\n" + trimmedString[1]
+			}
+		}
+	}
+
 	return inputYaml, updated
 }
 

remediation/workflow/pin/pinactions_test.go

@@ -182,6 +182,8 @@ func TestPinActions(t *testing.T) {
 		{fileName: "basic.yml", wantUpdated: true},
 		{fileName: "dockeraction.yml", wantUpdated: true},
 		{fileName: "multipleactions.yml", wantUpdated: true},
+		{fileName: "actionwithcomment.yml", wantUpdated: true},
+		{fileName: "repeatedactionwithcomment.yml", wantUpdated: true},
 	}
 	for _, tt := range tests {
 		input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.fileName))

remediation/workflow/secureworkflow_test.go

@@ -120,6 +120,7 @@ func TestSecureWorkflow(t *testing.T) {
 		{fileName: "nopin.yml", wantPinnedActions: false, wantAddedHardenRunner: true, wantAddedPermissions: true},
 		{fileName: "allperms.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: true},
 		{fileName: "multiplejobperms.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: true},
+		{fileName: "error.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: false},
 	}
 	for _, test := range tests {
 		input, err := ioutil.ReadFile(path.Join(inputDirectory, test.fileName))

testfiles/addaction/input/alreadypresent_2.yml

@@ -13,6 +13,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit
 
      - run: ls -R

testfiles/addaction/output/2jobs.yml

@@ -8,7 +8,7 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit
 
      - run: ls -R
   list-directory1:
@@ -17,6 +17,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit
 
      - run: ls -R

testfiles/addaction/output/action-issues.yml

@@ -12,7 +12,7 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@v2
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: audit
 
     - name: Close Issue
       uses: peter-evans/close-issue@v1

testfiles/addaction/output/alreadypresent.yml

@@ -13,6 +13,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit
 
      - run: ls -R

testfiles/addaction/output/alreadypresent_2.yml

@@ -13,6 +13,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit
 
      - run: ls -R

testfiles/pinactions/input/actionwithcomment.yml

@@ -0,0 +1,28 @@
+name: "close issue"
+
+on:
+  push:
+
+jobs:
+  closeissue:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Close Issue
+        uses: peter-evans/close-issue@v1 #Mock comment to remove
+        with:
+          issue-number: 1
+          comment: Auto-closing issue
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1 #Mock Comment
+      - uses: actions/setup-node@v1 #Mock Comment
+        with:
+          node-version: 10
+      - run: npm install
+      - run: npm test
+      - uses: JS-DevTools/npm-publish@v1 #Mock Comment
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          registry: https://npm.pkg.github.com

testfiles/pinactions/input/repeatedactionwithcomment.yml

@@ -0,0 +1,33 @@
+name: "close issue"
+
+on:
+  push:
+
+jobs:
+  closeissue:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Close Issue
+        uses: peter-evans/close-issue@v1 #Mock comment to remove
+        with:
+          issue-number: 1
+          comment: Auto-closing issue
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1 #Mock Comment
+      - uses: actions/setup-node@v1 #Mock Comment
+        with:
+          node-version: 10
+      - run: npm install
+      - run: npm test
+      - uses: JS-DevTools/npm-publish@v1 #Mock Comment
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          registry: https://npm.pkg.github.com
+      - name: Close Issue
+        uses: peter-evans/close-issue@v1 #Mock comment to remove
+        with:
+        issue-number: 1
+        comment: Auto-closing issue

testfiles/pinactions/output/actionwithcomment.yml

@@ -0,0 +1,28 @@
+name: "close issue"
+
+on:
+  push:
+
+jobs:
+  closeissue:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Close Issue
+        uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1.0.3
+        with:
+          issue-number: 1
+          comment: Auto-closing issue
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
+      - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
+        with:
+          node-version: 10
+      - run: npm install
+      - run: npm test
+      - uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1.4.3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          registry: https://npm.pkg.github.com

testfiles/pinactions/output/repeatedactionwithcomment.yml

@@ -0,0 +1,33 @@
+name: "close issue"
+
+on:
+  push:
+
+jobs:
+  closeissue:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Close Issue
+        uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1.0.3
+        with:
+          issue-number: 1
+          comment: Auto-closing issue
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
+      - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
+        with:
+          node-version: 10
+      - run: npm install
+      - run: npm test
+      - uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1.4.3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          registry: https://npm.pkg.github.com
+      - name: Close Issue
+        uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1.0.3
+        with:
+        issue-number: 1
+        comment: Auto-closing issue

testfiles/secureworkflow/output/allscenarios.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit
 
       - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
       - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3.17.1

testfiles/secureworkflow/output/missingaction.yml

@@ -11,7 +11,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit
 
       - uses: actions/missingaction@v2
       - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3.17.1

testfiles/secureworkflow/output/noperms.yml

@@ -11,7 +11,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit
 
       - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
       - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3.17.1

testfiles/secureworkflow/output/nopin.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@v2
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit
 
       - uses: actions/checkout@v1
       - uses: github/super-linter@v3