diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index bc439bda..25a92ea4 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -43,7 +43,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - name: Checkout repository
 uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
diff --git a/.github/workflows/kbanalysis.yml b/.github/workflows/kbanalysis.yml
index f8608684..d13f88de 100644
--- a/.github/workflows/kbanalysis.yml
+++ b/.github/workflows/kbanalysis.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
 with:
diff --git a/remediation/workflow/hardenrunner/addaction.go b/remediation/workflow/hardenrunner/addaction.go
index 37a671db..f3564f08 100644
--- a/remediation/workflow/hardenrunner/addaction.go
+++ b/remediation/workflow/hardenrunner/addaction.go
@@ -83,7 +83,7 @@ func addAction(inputYaml, jobName, action string) (string, error) {
 output = append(output, spaces+fmt.Sprintf("- name: %s", HardenRunnerActionName))
 output = append(output, spaces+fmt.Sprintf(" uses: %s", action))
 output = append(output, spaces+" with:")
- output = append(output, spaces+" egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs")
+ output = append(output, spaces+" egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs")
 output = append(output, "")
 for i := jobNode.Line - 1; i < len(inputLines); i++ {
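Review bot: The TODO text that addAction writes into users' workflow files loses its article in the new line, `after couple of runs`, which reads as a grammatical slip rather than an intended rewording, and the same text is then propagated into codeql.yml, kbanalysis.yml and every fixture under testfiles/. Unless this is deliberately matching an upstream snippet, keep `egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs`. Independently, this line is a hard-coded literal here and repeated verbatim in each fixture; hoisting it to a package-level constant next to wherever HardenRunnerActionName is declared, e.g. `const egressPolicyLine = " egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs"`, would make any future wording change a one-place edit in the code. addAction continues outside the hunk.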
diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
index 678b7094..cdefef8a 100644
--- a/remediation/workflow/pin/pinactions.go
+++ b/remediation/workflow/pin/pinactions.go
@@ -76,13 +76,6 @@ func PinAction(action, inputYaml string) (string, bool) {
 pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)
 updated = !strings.EqualFold(action, pinnedAction)
 inputYaml = strings.ReplaceAll(inputYaml, action, pinnedAction)
- stringParts := strings.SplitN(inputYaml, pinnedAction, 2)
- if len(stringParts) > 1 {
- trimmedString := strings.SplitN(stringParts[1], "\n", 2)
- if len(trimmedString) > 1 {
- inputYaml = stringParts[0] + pinnedAction + "\n" + trimmedString[1]
- }
- }
 return inputYaml, updated
 }
diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go
index be903511..1eb15b17 100644
--- a/remediation/workflow/pin/pinactions_test.go
+++ b/remediation/workflow/pin/pinactions_test.go
@@ -182,7 +182,6 @@ func TestPinActions(t *testing.T) {
 {fileName: "basic.yml", wantUpdated: true},
 {fileName: "dockeraction.yml", wantUpdated: true},
 {fileName: "multipleactions.yml", wantUpdated: true},
- {fileName: "actionwithcomment.yml", wantUpdated: true},
 }
 for _, tt := range tests {
 input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.fileName))
diff --git a/testfiles/addaction/input/alreadypresent_2.yml b/testfiles/addaction/input/alreadypresent_2.yml
index 659e3312..9ef1e918 100644
--- a/testfiles/addaction/input/alreadypresent_2.yml
+++ b/testfiles/addaction/input/alreadypresent_2.yml
@@ -13,6 +13,6 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@v2
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - run: ls -R
\ No newline at end of file
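Review bot: The actionwithcomment.yml case dropped from TestPinActions was the only coverage for a `uses:` line that already carries a trailing comment, and that input still exists after the SplitN block is removed: PinAction now keeps the pre-existing comment after the inserted `# <tag>`, producing a line of the form `actions/checkout@<sha> # v1.2.0 #Mock Comment` (placeholder sha), which is valid YAML and arguably the better behaviour since the old code silently deleted user annotations on the first match only. Rather than deleting the case and both fixtures, keep `{fileName: "actionwithcomment.yml", wantUpdated: true},` and update the expected-output fixture to the new form so the preserved-comment path stays pinned by a test. A doc comment on PinAction stating that any text following the action reference on the same line is left untouched would make the new contract explicit. PinAction's signature and the derivation of leftOfAt, commitSHA and tagOrBranch lie outside the hunk.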
diff --git a/testfiles/addaction/output/2jobs.yml b/testfiles/addaction/output/2jobs.yml
index 7d6f8d33..1f708e4b 100644
--- a/testfiles/addaction/output/2jobs.yml
+++ b/testfiles/addaction/output/2jobs.yml
@@ -8,7 +8,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@v2
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - run: ls -R
 list-directory1:
@@ -17,6 +17,6 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@v2
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - run: ls -R
\ No newline at end of file
diff --git a/testfiles/addaction/output/action-issues.yml b/testfiles/addaction/output/action-issues.yml
index d323f159..d4cb09f2 100644
--- a/testfiles/addaction/output/action-issues.yml
+++ b/testfiles/addaction/output/action-issues.yml
@@ -12,7 +12,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@v2
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - name: Close Issue
 uses: peter-evans/close-issue@v1
diff --git a/testfiles/addaction/output/alreadypresent.yml b/testfiles/addaction/output/alreadypresent.yml
index 659e3312..9ef1e918 100644
--- a/testfiles/addaction/output/alreadypresent.yml
+++ b/testfiles/addaction/output/alreadypresent.yml
@@ -13,6 +13,6 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@v2
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - run: ls -R
\ No newline at end of file
diff --git a/testfiles/addaction/output/alreadypresent_2.yml b/testfiles/addaction/output/alreadypresent_2.yml
index 659e3312..9ef1e918 100644
--- a/testfiles/addaction/output/alreadypresent_2.yml
+++ b/testfiles/addaction/output/alreadypresent_2.yml
@@ -13,6 +13,6 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@v2
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - run: ls -R
\ No newline at end of file
diff --git a/testfiles/pinactions/input/actionwithcomment.yml b/testfiles/pinactions/input/actionwithcomment.yml
deleted file mode 100644
index 003209f3..00000000
--- a/testfiles/pinactions/input/actionwithcomment.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: "close issue"
-
-on:
- push:
-
-
-jobs:
- closeissue:
- runs-on: ubuntu-latest
-
- steps:
- - name: Close Issue
- uses: peter-evans/close-issue@v1 #Mock comment to remove
- with:
- issue-number: 1
- comment: Auto-closing issue
- publish:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v1 #Mock Comment
- - uses: actions/setup-node@v1 #Mock Comment
- with:
- node-version: 10
- - run: npm install
- - run: npm test
- - uses: JS-DevTools/npm-publish@v1 #Mock Comment
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- registry: https://npm.pkg.github.com
\ No newline at end of file
diff --git a/testfiles/pinactions/output/actionwithcomment.yml b/testfiles/pinactions/output/actionwithcomment.yml
deleted file mode 100644
index 430890f5..00000000
--- a/testfiles/pinactions/output/actionwithcomment.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: "close issue"
-
-on:
- push:
-
-
-jobs:
- closeissue:
- runs-on: ubuntu-latest
-
- steps:
- - name: Close Issue
- uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1.0.3
- with:
- issue-number: 1
- comment: Auto-closing issue
- publish:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
- - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
- with:
- node-version: 10
- - run: npm install
- - run: npm test
- - uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1.4.3
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- registry: https://npm.pkg.github.com
\ No newline at end of file
diff --git a/testfiles/secureworkflow/output/allscenarios.yml b/testfiles/secureworkflow/output/allscenarios.yml
index 0e822ae4..e2326923 100644
--- a/testfiles/secureworkflow/output/allscenarios.yml
+++ b/testfiles/secureworkflow/output/allscenarios.yml
@@ -17,7 +17,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
 - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3.17.1
diff --git a/testfiles/secureworkflow/output/missingaction.yml b/testfiles/secureworkflow/output/missingaction.yml
index 7b5da904..2d7bffa0 100644
--- a/testfiles/secureworkflow/output/missingaction.yml
+++ b/testfiles/secureworkflow/output/missingaction.yml
@@ -11,7 +11,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - uses: actions/missingaction@v2
 - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3.17.1
diff --git a/testfiles/secureworkflow/output/noperms.yml b/testfiles/secureworkflow/output/noperms.yml
index 8aa4efe6..b6bf8824 100644
--- a/testfiles/secureworkflow/output/noperms.yml
+++ b/testfiles/secureworkflow/output/noperms.yml
@@ -11,7 +11,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
 - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3.17.1
diff --git a/testfiles/secureworkflow/output/nopin.yml b/testfiles/secureworkflow/output/nopin.yml
index eb282508..ecd0d298 100644
--- a/testfiles/secureworkflow/output/nopin.yml
+++ b/testfiles/secureworkflow/output/nopin.yml
@@ -17,7 +17,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@v2
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - uses: actions/checkout@v1
 - uses: github/super-linter@v3