pinprick 0.3.1

GitHub Actions supply chain security tool
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

mod audit;
mod audit_patterns;
mod audited_actions;
mod auth;
mod config;
mod github;
mod output;
mod pin;
mod update;
mod workflow;

use clap::{CommandFactory, Parser, Subcommand};
use clap_complete::Shell;
use colored::control;
use std::path::PathBuf;
use std::process::ExitCode;

#[derive(Clone, Copy, PartialEq, clap::ValueEnum)]
enum ColorMode {
    Always,
    Auto,
    Never,
}

#[derive(Parser)]
#[command(
    name = "pinprick",
    about = "GitHub Actions supply chain security",
    version,
    propagate_version = true
)]
struct Cli {
    /// When to use colors: auto, always, never
    #[arg(long, default_value = "auto", global = true)]
    color: ColorMode,

    /// Output as JSON
    #[arg(long, global = true)]
    json: bool,

    #[command(subcommand)]
    command: Command,
}

#[derive(Subcommand)]
enum Command {
    /// Audit actions for runtime fetch risks
    Audit {
        /// Repository root
        #[arg(default_value = ".")]
        path: PathBuf,

        /// Show every matched outbound-call pattern, including ones that
        /// passed the version check (useful for CI audit logs)
        #[arg(short, long)]
        verbose: bool,

        /// Output findings as SARIF 2.1.0 (for github/codeql-action/upload-sarif)
        #[arg(long, conflicts_with = "json")]
        sarif: bool,
    },
    /// Generate shell completions
    Completions {
        /// Shell to generate completions for
        shell: Shell,
    },
    /// Pin action references to full SHAs
    Pin {
        /// Repository root
        #[arg(default_value = ".")]
        path: PathBuf,

        /// Preview changes without writing files. Exits 1 when there are
        /// unpinned actions — useful for CI gating.
        #[arg(long)]
        dry_run: bool,
    },
    /// Check for updates to pinned actions
    Update {
        /// Repository root
        #[arg(default_value = ".")]
        path: PathBuf,

        /// Apply updates (default is dry-run)
        #[arg(long)]
        apply: bool,

        /// Only check actions whose owner/repo contains this substring
        /// (e.g., `actions/checkout`, `actions/` for the whole org)
        #[arg(long, value_name = "PATTERN")]
        only: Option<String>,
    },
}

#[tokio::main]
async fn main() -> ExitCode {
    let cli = Cli::parse();

    match cli.color {
        ColorMode::Always => control::set_override(true),
        ColorMode::Never => control::set_override(false),
        ColorMode::Auto => {}
    }

    let result = match &cli.command {
        Command::Audit {
            path,
            verbose,
            sarif,
        } => {
            let config = config::Config::load(path);
            audit::run(path, cli.json, *sarif, *verbose, &config).await
        }
        Command::Completions { shell } => {
            clap_complete::generate(
                *shell,
                &mut Cli::command(),
                "pinprick",
                &mut std::io::stdout(),
            );
            return ExitCode::SUCCESS;
        }
        Command::Pin { path, dry_run } => pin::run(path, cli.json, *dry_run).await,
        Command::Update { path, apply, only } => {
            update::run(path, *apply, cli.json, only.as_deref()).await
        }
    };

    match result {
        Ok(code) => code,
        Err(e) => {
            if cli.json {
                let err = serde_json::json!({ "error": format!("{e:#}") });
                eprintln!("{err}");
            } else {
                eprintln!("error: {e:#}");
            }
            ExitCode::from(2)
        }
    }
}