Add npx rule for YAML files

NicholasEllul · NicholasEllul · commit 0c98acf3a935 · 2026-01-06T14:54:37.000-05:00
diff --git a/rules/src/generic/npx-usage/npx-usage-yml.yml b/rules/src/generic/npx-usage/npx-usage-yml.yml
@@ -0,0 +1,43 @@
+rules:
+  - id: npx-usage-yml
+    languages:
+      - yaml
+    severity: WARNING
+    metadata:
+      tags: [security]
+      shortDescription: "npx usage introduces supply chain security risks"
+      confidence: HIGH
+      help: |
+        Using npx to install and run packages introduces significant supply chain security risks for the following reasons:
+
+        1. **Unpinned by default**: Running `npx <package>` fetches the latest release outside of your lockfile. If a malicious version of a package is published ([example])(https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack), `npx` will install and execute it the next time it is run.
+
+        2. **Bypasses lockfile guarantees**: Packages executed with npx are not added to your project's package.json or lockfile. As a result, their versions and lockfile integrity hashes are not captured for reproducibility, making builds non-deterministic and harder to audit
+
+        ### Recommended practice
+        - Add packages as dependencies or devDependencies in `package.json`.
+        - Use your package manager to install and execute them (e.g., `yarn add <package> --dev` followed by `yarn <package> <command>`).
+
+        **Bad example (using npx):**
+        ```yaml
+        - name: Run tests
+          run: npx jest --coverage
+        ```
+
+        **Good example (proper dependency):**
+        ```yaml
+        - name: Run tests
+          run: yarn jest --coverage
+        ```
+
+    message: >-
+      Avoid using 'npx' to run packages due to supply chain security risks. Instead, install the package
+      as a dependency / devDependency and invoke it using your package manager to ensure version pinning
+      and reproducibility.
+    patterns:
+      - pattern: |
+          run: $CMD
+      - metavariable-pattern:
+          metavariable: $CMD
+          language: sh
+          pattern: npx ...
diff --git a/rules/test/generic/npx-usage/npx-usage-yml.test.yml b/rules/test/generic/npx-usage/npx-usage-yml.test.yml
@@ -0,0 +1,87 @@
+name: Test Workflow
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # Test basic npx usage in GitHub Actions - should be flagged
+      - name: Run tests
+        # ruleid: npx-usage-yml
+        run: npx jest --coverage
+
+      - name: Lint code
+        # ruleid: npx-usage-yml
+        run: npx eslint src/
+
+      - name: Format code
+        # ruleid: npx-usage-yml
+        run: npx prettier --write .
+
+      - name: Create app
+        # ruleid: npx-usage-yml
+        run: npx create-react-app my-app
+
+      - name: Setup tool with flag
+        # ruleid: npx-usage-yml
+        run: npx --yes setup-tool --config config.json
+
+      - name: Run with env vars
+        # ruleid: npx-usage-yml
+        run: npx jest ${GITHUB_WORKSPACE} --coverage
+
+      # Test scoped package with output redirection - should be flagged
+      - name: Generate fingerprint
+        # ruleid: npx-usage-yml
+        run: npx @expo/fingerprint ./ > fingerprint-pr.json
+
+      - name: Another scoped package
+        # ruleid: npx-usage-yml
+        run: npx @typescript-eslint/parser --version
+
+      # Test npx in middle of command strings - should be flagged
+      - name: Install and test
+        # ruleid: npx-usage-yml
+        run: yarn install && npx jest --coverage
+
+      - name: Setup and lint
+        # ruleid: npx-usage-yml
+        run: echo "Setting up" && npx eslint src/
+
+      - name: Build and format
+        # ruleid: npx-usage-yml
+        run: npm run build && npx prettier --write .
+
+      # Test good alternatives - should not be flagged
+      - name: Run tests with yarn
+        # ok: npx-usage-yml
+        run: yarn jest --coverage
+
+      - name: Lint code with yarn
+        # ok: npx-usage-yml
+        run: yarn eslint src/
+
+      - name: Format code with yarn
+        # ok: npx-usage-yml
+        run: yarn prettier --write .
+
+      - name: Create app with yarn dlx
+        # ok: npx-usage-yml
+        run: yarn dlx create-react-app my-app
+
+      - name: Build with npm script
+        # ok: npx-usage-yml
+        run: npm run build
+
+      - name: Description mentions npx but doesn't use it
+        # ok: npx-usage-yml
+        run: echo "This workflow mentions npx but doesn't execute it"
+
+      - name: Just npm (not npx)
+        # ok: npx-usage-yml
+        run: npm install
