feat: initial version

sdn4z · sdn4z · commit aeac8e65c307 · 2025-11-07T15:41:11.000+01:00
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,23 @@
+# This workflow will check our code for having a proper format, as well as the commit message to meet the expected ones
+
+name: Lint
+
+on:
+    push:
+        branches: ["main"]
+    pull_request:
+        branches: ["main"]
+
+jobs:
+    lint-commit:
+        runs-on: ubuntu-latest
+        name: "Lint commit message"
+        container:
+            image: commitizen/commitizen:4.8.3@sha256:08a078c52b368f85f34257a66e10645ee74d8cbe9b471930b80b2b4e95a9bd4a
+        steps:
+            - name: Check out
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+            - name: Check commit message
+              run: |
+                  git config --global --add safe.directory . 
+                  cz check --rev-range HEAD
diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
@@ -0,0 +1,23 @@
+name: Test Twyn Action
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  test-action:
+    runs-on: ubuntu-latest
+    name: Test GH action
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Test Twyn Action
+        uses: ./
+        with:
+          vv: true
+          publish: "true"
+          github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/action.yml b/action.yml
@@ -0,0 +1,181 @@
+name: "Twyn action"
+description: "Security tool against dependency typosquatting attacks"
+author: "Elements Interactive"
+
+branding:
+  icon: "search"
+  color: "blue"
+
+inputs:
+  github-token:
+    description: "Token needed to publish results to the PR."
+    required: false
+
+  config:
+    description: "Path to the config file"
+    required: false
+
+  dependency-file:
+    description: "Dependency file(s) to analyze. Comma-separated if multiple. By default, twyn will search in the current directory for supported files, but this option will override that behavior."
+    required: false
+
+  selector-method:
+    description: "Which method twyn should use to select possible typosquats. 'first-letter' only compares dependencies that share the first letter, 'nearby-letter' compares against dependencies whose first letter is nearby in an English keyboard. 'all' compares the given dependencies against all of those in the reference."
+    required: false
+
+  no-track:
+    description: "Do not show the progress bar while processing packages"
+    required: false
+    default: "false"
+
+  json:
+    description: "Display the results in json format. It implies no-track."
+    required: false
+    default: "false"
+
+  table:
+    description: "Display the results in a table format. It implies no-track."
+    required: false
+    default: "false"
+
+  recursive:
+    description: "Recursively look for files when trying to locate them automatically. Ignored if dependency-file is given."
+    required: false
+    default: "false"
+
+  pypi-source:
+    description: "Alternative PyPI source URL to use for fetching trusted packages"
+    required: false
+
+  npm-source:
+    description: "Alternative npm source URL to use for fetching trusted packages"
+    required: false
+
+  v:
+    description: "Enable verbose output (-v)"
+    required: false
+    default: "false"
+
+  vv:
+    description: "Enable extra verbose output (-vv)"
+    required: false
+    default: "false"
+
+  version:
+    description: "Twyn version (latest, v1.0.0, etc.)"
+    required: false
+    default: "latest"
+
+  publish:
+    description: "Whether to publish the twyn results as PR comments (requires table format)"
+    required: false
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Run Twyn Security Check
+      shell: bash
+      run: |
+        # Build arguments as an array for safety (avoids word-splitting issues)
+        ARGS=()
+
+        # Optional config file
+        if [ -n "${{ inputs.config }}" ]; then
+          ARGS+=(--config "${{ inputs.config }}")
+        fi
+
+        # Dependency files (multiple allowed)
+        if [ -n "${{ inputs.dependency-file }}" ]; then
+          IFS=',' read -ra DEPENDENCY_FILES <<< "${{ inputs.dependency-file }}"
+          for file in "${DEPENDENCY_FILES[@]}"; do
+            if [ -n "$file" ]; then
+              ARGS+=(--dependency-file "$file")
+            fi
+          done
+        fi
+
+        # Selector method
+        if [ -n "${{ inputs.selector-method }}" ]; then
+          ARGS+=(--selector-method "${{ inputs.selector-method }}")
+        fi
+
+        # Boolean flags
+
+        if [ "${{ inputs.no-track }}" = "true" ]; then
+          ARGS+=(--no-track)
+        fi
+
+        if [ "${{ inputs.json }}" = "true" ]; then
+          ARGS+=(--json)
+        fi
+
+        # Force table format when publishing
+        if [ "${{ inputs.publish }}" = "true" ] || [ "${{ inputs.table }}" = "true" ]; then
+          ARGS+=(--table)
+        fi
+
+        if [ "${{ inputs.recursive }}" = "true" ]; then
+          ARGS+=(--recursive)
+        fi
+
+        # Source URLs
+        if [ -n "${{ inputs.pypi-source }}" ]; then
+          ARGS+=(--pypi-source "${{ inputs.pypi-source }}")
+        fi
+
+        if [ -n "${{ inputs.npm-source }}" ]; then
+          ARGS+=(--npm-source "${{ inputs.npm-source }}")
+        fi
+
+
+        # Run twyn using Docker and capture output and exit code
+        # Use 'set +e' to prevent script from exiting on non-zero exit codes
+        set +e
+        TWYN_OUTPUT=$(docker run --rm \
+          -v "${{ github.workspace }}:/workspace" \
+          -w /workspace \
+          elementsinteractive/twyn:${{ inputs.version }} run \
+          "${ARGS[@]}" 2>/dev/null)
+        TWYN_EXIT_CODE=$?
+        set -e
+
+        # Display output in action logs
+        echo "$TWYN_OUTPUT"
+
+        # Create PR comment with twyn results
+        if [ "${{ inputs.publish }}" = "true" ]; then
+          # Check if github-token is provided
+          if [ -z "${{ inputs.github-token }}" ]; then
+            echo "❌ Error: github-token is required when publish is enabled. Skipping..."
+          else
+            echo "Publishing"
+            
+            # Create comment content
+            echo "$TWYN_OUTPUT" >> comment.md
+              
+            curl -X POST \
+              -H "Authorization: token ${{ inputs.github-token}}" \
+              -H "Accept: application/vnd.github.v3+json" \
+              -d "$(cat comment.md | jq -Rs '{"body": .}')" \
+              "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments"
+            
+            if [ $? -eq 0 ]; then
+              echo "✅ Successfully posted comment to PR"
+            else
+              echo "❌ Failed to post comment to PR"
+            fi
+          fi
+
+        else
+          echo "ℹ️ Publish to PR is disabled (publish: ${{ inputs.publish }})"
+        fi
+
+        # Set final exit code for the action
+        # Exit with 0 if we're just reporting findings (exit code 1)
+        # Exit with the actual code for real errors (exit codes > 1)
+        if [ $TWYN_EXIT_CODE -gt 1 ]; then
+          exit $TWYN_EXIT_CODE
+        else
+          exit 0
+        fi
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,9 @@
+# Test files for Twyn Action
+
+# Python requirements with potential typosquats
+requests==2.28.0
+nmupy==1.24.0  # typo: numpy
+pandsa==1.5.0  # typo: pandas
+falsk==2.2.0   # typo: flask
+djagno==4.1.0  # typo: django
+beatifulsoup4==4.11.0  # typo: beautifulsoup4
