pinprick 0.9.0

GitHub Actions supply chain security tool
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182

#![allow(dead_code)]

use std::fs;
use tempfile::TempDir;

/// Create a temporary repo directory with one workflow file.
pub fn repo_with_workflow(filename: &str, content: &str) -> TempDir {
    let dir = TempDir::new().unwrap();
    let workflows = dir.path().join(".github").join("workflows");
    fs::create_dir_all(&workflows).unwrap();
    fs::write(workflows.join(filename), content).unwrap();
    dir
}

/// Create a temporary repo directory with multiple workflow files.
pub fn repo_with_workflows(files: &[(&str, &str)]) -> TempDir {
    let dir = TempDir::new().unwrap();
    let workflows = dir.path().join(".github").join("workflows");
    fs::create_dir_all(&workflows).unwrap();
    for (name, content) in files {
        fs::write(workflows.join(name), content).unwrap();
    }
    dir
}

/// Create a temporary repo directory with a workflow file and a `.pinprick.toml` config.
pub fn repo_with_config(filename: &str, workflow: &str, config: &str) -> TempDir {
    let dir = repo_with_workflow(filename, workflow);
    fs::write(dir.path().join(".pinprick.toml"), config).unwrap();
    dir
}

/// Build an `assert_cmd::Command` for pinprick with token stripped, colors off,
/// and HOME pointed at a temp location to avoid global config interference.
pub fn pinprick_cmd() -> assert_cmd::Command {
    let mut cmd = assert_cmd::Command::cargo_bin("pinprick").unwrap();
    cmd.env("GITHUB_TOKEN", "");
    cmd.env("GH_TOKEN", "");
    cmd.env("HOME", "/tmp/pinprick-test-home");
    cmd.env("XDG_CONFIG_HOME", "/tmp/pinprick-test-config");
    cmd.arg("--color").arg("never");
    cmd
}

// ── Workflow fixtures ───────────────────────────────────────────────────────

/// A clean workflow: SHA-pinned action, safe run block. Expect zero findings.
pub const WORKFLOW_CLEAN: &str = "\
name: clean
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: echo \"Hello World\"
";

/// Pipe-to-shell: curl piped to bash. Expect one high-severity finding.
pub const WORKFLOW_PIPE_TO_SHELL: &str = "\
name: risky
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: curl -fsSL https://example.com/install.sh | bash
";

/// Curl with /latest/ in URL. Expect one high-severity finding.
pub const WORKFLOW_CURL_LATEST: &str = "\
name: curl-latest
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: curl -L \"https://github.com/owner/repo/releases/latest/download/tool\" -o tool
";

/// Curl with versioned URL. Expect zero findings.
pub const WORKFLOW_VERSIONED: &str = "\
name: versioned
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: curl -L \"https://github.com/owner/repo/releases/download/v1.2.3/tool\" -o tool
";

/// Curl fetching a JSON file. Expect data-format exemption (no finding).
pub const WORKFLOW_DATA_FORMAT: &str = "\
name: data
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: curl -L https://example.com/api/data.json -o data.json
";

/// Multiple finding categories in one workflow.
pub const WORKFLOW_MULTI_FINDINGS: &str = "\
name: multi
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: |
          curl -fsSL https://example.com/install.sh | bash
          go install golang.org/x/tools/gopls@latest
          pip install requests
";

/// Curl with checksum verification on the next line.
pub const WORKFLOW_CHECKSUM: &str = "\
name: checksum
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: |
          curl -L \"https://github.com/owner/repo/releases/latest/download/tool\" -o tool
          sha256sum --check tool.sha256
";

/// Curl with unversioned URL hitting a trusted host.
pub const WORKFLOW_TRUSTED_HOST: &str = "\
name: trusted
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: curl -L https://artifacts.internal.example.com/tool -o tool
";

/// Empty steps list. Expect zero findings.
pub const WORKFLOW_EMPTY: &str = "\
name: empty
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps: []
";

/// git clone without pinned ref. Expect one medium-severity finding.
pub const WORKFLOW_GIT_CLONE: &str = "\
name: git-clone
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: |
          git clone https://github.com/org/repo
          cd repo && make install
";

/// git clone with versioned --branch. Expect zero findings.
pub const WORKFLOW_GIT_CLONE_VERSIONED: &str = "\
name: git-clone-versioned
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: git clone --depth 1 --branch v1.2.3 https://github.com/org/repo
";