libverify_core/controls/
actions_pinned_dependencies.rs1use crate::control::{Control, ControlFinding, ControlId, builtin};
2use crate::evidence::EvidenceBundle;
3
4pub struct ActionsPinnedDependenciesControl;
14
15impl Control for ActionsPinnedDependenciesControl {
16 fn id(&self) -> ControlId {
17 builtin::id(builtin::ACTIONS_PINNED_DEPENDENCIES)
18 }
19
20 fn description(&self) -> &'static str {
21 "GitHub Actions must pin action references to commit SHAs to prevent supply-chain attacks"
22 }
23
24 fn evaluate(&self, evidence: &EvidenceBundle) -> Vec<ControlFinding> {
25 let posture = match ControlFinding::extract_posture(self.id(), evidence) {
26 Ok(p) => p,
27 Err(findings) => return findings,
28 };
29
30 if posture.unpinned_action_refs.is_empty() {
31 return vec![ControlFinding::satisfied(
32 self.id(),
33 "All GitHub Actions references are pinned to commit SHAs",
34 vec!["repository:actions:pinned".to_string()],
35 )];
36 }
37
38 let subjects: Vec<String> = posture
39 .unpinned_action_refs
40 .iter()
41 .map(|r| format!("{}:{}", r.workflow_file, r.action_ref))
42 .collect();
43
44 let count = posture.unpinned_action_refs.len();
45 vec![ControlFinding::violated(
46 self.id(),
47 format!(
48 "{count} unpinned action reference(s) found — \
49 pin to commit SHAs to prevent supply-chain attacks"
50 ),
51 subjects,
52 )]
53 }
54}
55
56#[cfg(test)]
57mod tests {
58 use super::*;
59 use crate::control::ControlStatus;
60 use crate::evidence::{EvidenceGap, EvidenceState, RepositoryPosture, UnpinnedActionRef};
61
62 fn posture(unpinned: Vec<UnpinnedActionRef>) -> RepositoryPosture {
63 RepositoryPosture {
64 unpinned_action_refs: unpinned,
65 ..Default::default()
66 }
67 }
68
69 fn bundle(state: EvidenceState<RepositoryPosture>) -> EvidenceBundle {
70 EvidenceBundle {
71 repository_posture: state,
72 ..Default::default()
73 }
74 }
75
76 #[test]
77 fn not_applicable_when_posture_not_applicable() {
78 let findings =
79 ActionsPinnedDependenciesControl.evaluate(&bundle(EvidenceState::not_applicable()));
80 assert_eq!(findings[0].status, ControlStatus::NotApplicable);
81 }
82
83 #[test]
84 fn indeterminate_when_posture_missing() {
85 let findings =
86 ActionsPinnedDependenciesControl.evaluate(&bundle(EvidenceState::missing(vec![
87 EvidenceGap::CollectionFailed {
88 source: "github".to_string(),
89 subject: "posture".to_string(),
90 detail: "API error".to_string(),
91 },
92 ])));
93 assert_eq!(findings[0].status, ControlStatus::Indeterminate);
94 }
95
96 #[test]
97 fn satisfied_when_all_pinned() {
98 let findings = ActionsPinnedDependenciesControl
99 .evaluate(&bundle(EvidenceState::complete(posture(vec![]))));
100 assert_eq!(findings[0].status, ControlStatus::Satisfied);
101 assert!(findings[0].rationale.contains("pinned"));
102 }
103
104 #[test]
105 fn violated_when_unpinned_refs_exist() {
106 let unpinned = vec![
107 UnpinnedActionRef {
108 workflow_file: ".github/workflows/ci.yml".to_string(),
109 action_ref: "actions/checkout@v4".to_string(),
110 },
111 UnpinnedActionRef {
112 workflow_file: ".github/workflows/release.yml".to_string(),
113 action_ref: "actions/setup-node@v3".to_string(),
114 },
115 ];
116 let findings = ActionsPinnedDependenciesControl
117 .evaluate(&bundle(EvidenceState::complete(posture(unpinned))));
118 assert_eq!(findings[0].status, ControlStatus::Violated);
119 assert!(findings[0].rationale.contains("2 unpinned"));
120 assert_eq!(findings[0].subjects.len(), 2);
121 assert!(findings[0].subjects[0].contains("ci.yml"));
122 }
123}