feat: initial version

Author: sdn4z

.github/release.yml

@@ -0,0 +1,19 @@
+changelog:
+  exclude:
+    labels:
+      - ignore-for-release
+    authors:
+      - octocat
+  categories:
+    - title: Breaking Changes 🛠
+      labels:
+        - breaking
+    - title: New Features 🎉
+      labels:
+        - feature
+    - title: Fixes 🔧
+      labels:
+        - fix
+    - title: Other Changes
+      labels:
+        - "*"

.github/workflows/bump-version.yml

@@ -0,0 +1,29 @@
+name: Bump version
+
+on:
+  workflow_dispatch:
+jobs:
+  bump_version:
+    if: "!startsWith(github.event.head_commit.message, 'bump:') && github.ref == 'refs/heads/main'"
+    runs-on: ubuntu-latest
+    name: "Bump version and create changelog with commitizen"
+    steps:
+      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: app-token
+        with:
+          app-id: ${{ vars.ELEMENTSINTERACTIVE_BOT_APP_ID }}
+          private-key: ${{ secrets.ELEMENTSINTERACTIVE_BOT_PRIVATE_KEY }}
+      - uses: actions/checkout@@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
+          ref: ${{ github.head_ref }}
+          # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
+          persist-credentials: false
+      - id: cz
+        name: Create bump and changelog
+        uses: commitizen-tools/commitizen-action@5b0848cd060263e24602d1eba03710e056ef7711 # v0.24.0
+        with:
+          github_token: ${{ steps.app-token.outputs.token }}
+      - name: Print Version
+        run: echo "Bumped to version ${{ steps.cz.outputs.version }}"

.github/workflows/conventional-label.yaml

@@ -0,0 +1,12 @@
+on:
+  pull_request_target:
+    branches: ["main"]
+
+name: conventional-release-labels
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8 #v1.3.1
+        with:
+          type_labels: '{"feat": "feature", "fix": "fix", "BREAKING CHANGE": "breaking", "ci": "CI", "build": "build", "refactor": "refactor", "test": "test"}'

.github/workflows/lint.yml

@@ -0,0 +1,23 @@
+# This workflow will check our code for having a proper format, as well as the commit message to meet the expected ones
+
+name: Lint
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  lint-commit:
+    runs-on: ubuntu-latest
+    name: "Lint commit message"
+    container:
+      image: commitizen/commitizen:4.8.3@sha256:08a078c52b368f85f34257a66e10645ee74d8cbe9b471930b80b2b4e95a9bd4a
+    steps:
+      - name: Check out
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Check commit message
+        run: |
+          git config --global --add safe.directory . 
+          cz check --rev-range HEAD

.github/workflows/publish.yml

@@ -0,0 +1,22 @@
+name: Publish
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Release
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
+        with:
+          generate_release_notes: true
+          make_latest: true
+          token: "${{ secrets.GITHUB_TOKEN }}"

CODEOWNERS

@@ -0,0 +1 @@
+@sdn4z @scastlara

action.yml

@@ -0,0 +1,233 @@
+name: "Twyn action"
+description: "Security tool against dependency typosquatting attacks"
+author: "Elements Interactive"
+
+branding:
+  icon: "search"
+  color: "blue"
+
+inputs:
+  github-token:
+    description: "Token needed to publish results to the PR."
+    required: false
+
+  config:
+    description: "Path to the config file"
+    required: false
+
+  dependency-file:
+    description: "Dependency file(s) to analyze. Comma-separated if multiple. By default, twyn will search in the current directory for supported files, but this option will override that behavior."
+    required: false
+
+  selector-method:
+    description: "Which method twyn should use to select possible typosquats. 'first-letter' only compares dependencies that share the first letter, 'nearby-letter' compares against dependencies whose first letter is nearby in an English keyboard. 'all' compares the given dependencies against all of those in the reference."
+    required: false
+
+  no-track:
+    description: "Do not show the progress bar while processing packages"
+    required: false
+    default: "false"
+
+  json:
+    description: "Display the results in json format. It implies no-track. Mutually exclusive with --table."
+    required: false
+    default: "false"
+
+  table:
+    description: "Display the results in a table format. It implies no-track. Mutually exclusive with --json."
+    required: false
+    default: "false"
+
+  recursive:
+    description: "Recursively look for files when trying to locate them automatically. Ignored if dependency-file is given."
+    required: false
+    default: "false"
+
+  pypi-source:
+    description: "Alternative PyPI source URL to use for fetching trusted packages"
+    required: false
+
+  npm-source:
+    description: "Alternative npm source URL to use for fetching trusted packages"
+    required: false
+
+  v:
+    description: "Enable verbose output (-v)"
+    required: false
+    default: "false"
+
+  vv:
+    description: "Enable extra verbose output (-vv)"
+    required: false
+    default: "false"
+
+  version:
+    description: "Twyn version (latest, v1.0.0, etc.)"
+    required: false
+    default: "latest"
+
+  publish:
+    description: "Whether to publish the twyn results as PR comments (requires table format)"
+    required: false
+    default: "false"
+
+outputs:
+  results:
+    description: "Raw output from twyn scan"
+    value: ${{ steps.twyn-scan.outputs.results }}
+  exit-code:
+    description: "Exit code from twyn scan (0=no issues, 1=issues found, >1=error)"
+    value: ${{ steps.twyn-scan.outputs.exit-code }}
+  has-findings:
+    description: "Boolean indicating if twyn found any issues (true/false)"
+    value: ${{ steps.twyn-scan.outputs.has-findings }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Run Twyn Security Check
+      id: twyn-scan
+      shell: bash
+      run: |
+        # Validate input combinations
+        if [ "${{ inputs.publish }}" = "true" ] && [ "${{ inputs.json }}" = "true" ]; then
+          echo "❌ Error: 'publish' and 'json' cannot be used together."
+          echo "   Publishing requires table format, but JSON format was requested."
+          echo "   Please use either 'publish: true' with 'table: true' or use 'json: true' without publishing."
+          exit 1
+        fi
+
+        if [ "${{ inputs.json }}" = "true" ] && [ "${{ inputs.table }}" = "true" ]; then
+          echo "❌ Error: 'json' and 'table' are mutually exclusive."
+          echo "   Please choose either JSON or table format, not both."
+          exit 1
+        fi
+
+        # Build arguments as an array for safety (avoids word-splitting issues)
+        ARGS=()
+
+        # Optional config file
+        if [ -n "${{ inputs.config }}" ]; then
+          ARGS+=(--config "${{ inputs.config }}")
+        fi
+
+        # Dependency files (multiple allowed)
+        if [ -n "${{ inputs.dependency-file }}" ]; then
+          IFS=',' read -ra DEPENDENCY_FILES <<< "${{ inputs.dependency-file }}"
+          for file in "${DEPENDENCY_FILES[@]}"; do
+            if [ -n "$file" ]; then
+              ARGS+=(--dependency-file "$file")
+            fi
+          done
+        fi
+
+        # Selector method
+        if [ -n "${{ inputs.selector-method }}" ]; then
+          ARGS+=(--selector-method "${{ inputs.selector-method }}")
+        fi
+
+        # Boolean flags
+
+        if [ "${{ inputs.no-track }}" = "true" ]; then
+          ARGS+=(--no-track)
+        fi
+
+        if [ "${{ inputs.json }}" = "true" ]; then
+          ARGS+=(--json)
+        fi
+
+        # Force table format when publishing
+        if [ "${{ inputs.publish }}" = "true" ] || [ "${{ inputs.table }}" = "true" ]; then
+          ARGS+=(--table)
+        fi
+
+        if [ "${{ inputs.recursive }}" = "true" ]; then
+          ARGS+=(--recursive)
+        fi
+
+        # Source URLs
+        if [ -n "${{ inputs.pypi-source }}" ]; then
+          ARGS+=(--pypi-source "${{ inputs.pypi-source }}")
+        fi
+
+        if [ -n "${{ inputs.npm-source }}" ]; then
+          ARGS+=(--npm-source "${{ inputs.npm-source }}")
+        fi
+
+        # Verbose mode
+        if [ "${{ inputs.vv }}" = "true" ]; then
+          ARGS+=(-vv)
+        elif [ "${{ inputs.v }}" = "true" ]; then
+          ARGS+=(-v)
+        fi
+
+
+        # Run twyn using Docker and capture output and exit code
+        # Use 'set +e' to prevent script from exiting on non-zero exit codes
+        set +e
+        TWYN_OUTPUT=$(docker run --rm \
+          -v "${{ github.workspace }}:/workspace" \
+          -w /workspace \
+          elementsinteractive/twyn:${{ inputs.version }} run \
+          "${ARGS[@]}" 2>/dev/null)
+        TWYN_EXIT_CODE=$?
+        set -e
+
+        # Display output in action logs
+        echo "$TWYN_OUTPUT"
+
+        # Set action outputs
+        echo "results<<EOF" >> $GITHUB_OUTPUT
+        echo "$TWYN_OUTPUT" >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+
+        echo "exit-code=$TWYN_EXIT_CODE" >> $GITHUB_OUTPUT
+
+        # Set has-findings based on exit code
+        if [ $TWYN_EXIT_CODE -eq 1 ]; then
+          echo "has-findings=true" >> $GITHUB_OUTPUT
+        else
+          echo "has-findings=false" >> $GITHUB_OUTPUT
+        fi
+
+        # Create PR comment with twyn results
+        if [ "${{ inputs.publish }}" = "true" ]; then
+          # Check if github-token is provided
+          if [ -z "${{ inputs.github-token }}" ]; then
+            echo "❌ Error: github-token is required when publish is enabled. Skipping..."
+            exit $TWYN_EXIT_CODE
+          else
+            
+            # Create comment content with proper formatting
+            echo "## 🛡️ Twyn Security Check Results" > comment.md
+            echo "" >> comment.md
+            echo '```' >> comment.md
+            # Process the output to handle escape sequences properly
+            echo "$TWYN_OUTPUT" | sed 's/\\n/\n/g' >> comment.md
+            echo '```' >> comment.md
+              
+            curl -X POST \
+              -H "Authorization: token ${{ inputs.github-token}}" \
+              -H "Accept: application/vnd.github.v3+json" \
+              -d "$(cat comment.md | jq -Rs '{"body": .}')" \
+              "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments"
+            
+            if [ $? -eq 0 ]; then
+              echo "✅ Successfully posted comment to PR"
+            else
+              echo "❌ Failed to post comment to PR"
+            fi
+          fi
+
+        else
+          echo "ℹ️ Publish to PR is disabled (publish: ${{ inputs.publish }})"
+        fi
+
+        # Set final exit code for the action
+        # Exit with 0 if we're just reporting findings (exit code 1)
+        # Exit with the actual code for real errors (exit codes > 1)
+        if [ $TWYN_EXIT_CODE -gt 1 ]; then
+          exit $TWYN_EXIT_CODE
+        else
+          exit 0
+        fi

requirements.txt

@@ -0,0 +1,9 @@
+# Test files for Twyn Action
+
+# Python requirements with potential typosquats
+requests==2.28.0
+nmupy==1.24.0  # typo: numpy
+pandsa==1.5.0  # typo: pandas
+falsk==2.2.0   # typo: flask
+djagno==4.1.0  # typo: django
+beatifulsoup4==4.11.0  # typo: beautifulsoup4