feat: initial version

sdn4z · sdn4z · commit ebb38d244cb4 · 2025-11-07T16:07:11.000+01:00
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,23 @@
+# This workflow will check our code for having a proper format, as well as the commit message to meet the expected ones
+
+name: Lint
+
+on:
+    push:
+        branches: ["main"]
+    pull_request:
+        branches: ["main"]
+
+jobs:
+    lint-commit:
+        runs-on: ubuntu-latest
+        name: "Lint commit message"
+        container:
+            image: commitizen/commitizen:4.8.3@sha256:08a078c52b368f85f34257a66e10645ee74d8cbe9b471930b80b2b4e95a9bd4a
+        steps:
+            - name: Check out
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+            - name: Check commit message
+              run: |
+                  git config --global --add safe.directory . 
+                  cz check --rev-range HEAD
diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
@@ -0,0 +1,45 @@
+name: Test Twyn Action
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  test-action:
+    runs-on: ubuntu-latest
+    name: Test GH action
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Test Twyn Action
+        uses: ./
+        with:
+          vv: true
+          # publish: "true"
+          # github-token: ${{ secrets.GITHUB_TOKEN }}
+  security-scan:
+    runs-on: ubuntu-latest
+    outputs:
+      # Expose outputs from this job to other jobs
+      scan-results: ${{ steps.twyn.outputs.results }}
+      has-findings: ${{ steps.twyn.outputs.has-findings }}
+      exit-code: ${{ steps.twyn.outputs.exit-code }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Twyn Security Scan
+        id: twyn
+        uses: ./
+        with:
+          json: true # Get JSON output for parsing
+          dependency-file: requirements.txt
+
+      - name: Show results in this job
+        run: |
+          echo "Exit code: ${{ steps.twyn.outputs.exit-code }}"
+          echo "Has findings: ${{ steps.twyn.outputs.has-findings }}"
+          echo "Results: ${{ steps.twyn.outputs.results }}"
diff --git a/action.yml b/action.yml
@@ -0,0 +1,219 @@
+name: "Twyn action"
+description: "Security tool against dependency typosquatting attacks"
+author: "Elements Interactive"
+
+branding:
+  icon: "search"
+  color: "blue"
+
+inputs:
+  github-token:
+    description: "Token needed to publish results to the PR."
+    required: false
+
+  config:
+    description: "Path to the config file"
+    required: false
+
+  dependency-file:
+    description: "Dependency file(s) to analyze. Comma-separated if multiple. By default, twyn will search in the current directory for supported files, but this option will override that behavior."
+    required: false
+
+  selector-method:
+    description: "Which method twyn should use to select possible typosquats. 'first-letter' only compares dependencies that share the first letter, 'nearby-letter' compares against dependencies whose first letter is nearby in an English keyboard. 'all' compares the given dependencies against all of those in the reference."
+    required: false
+
+  no-track:
+    description: "Do not show the progress bar while processing packages"
+    required: false
+    default: "false"
+
+  json:
+    description: "Display the results in json format. It implies no-track."
+    required: false
+    default: "false"
+
+  table:
+    description: "Display the results in a table format. It implies no-track."
+    required: false
+    default: "false"
+
+  recursive:
+    description: "Recursively look for files when trying to locate them automatically. Ignored if dependency-file is given."
+    required: false
+    default: "false"
+
+  pypi-source:
+    description: "Alternative PyPI source URL to use for fetching trusted packages"
+    required: false
+
+  npm-source:
+    description: "Alternative npm source URL to use for fetching trusted packages"
+    required: false
+
+  v:
+    description: "Enable verbose output (-v)"
+    required: false
+    default: "false"
+
+  vv:
+    description: "Enable extra verbose output (-vv)"
+    required: false
+    default: "false"
+
+  version:
+    description: "Twyn version (latest, v1.0.0, etc.)"
+    required: false
+    default: "latest"
+
+  publish:
+    description: "Whether to publish the twyn results as PR comments (requires table format)"
+    required: false
+    default: "false"
+
+outputs:
+  results:
+    description: "Raw output from twyn scan"
+    value: ${{ steps.twyn-scan.outputs.results }}
+  exit-code:
+    description: "Exit code from twyn scan (0=no issues, 1=issues found, >1=error)"
+    value: ${{ steps.twyn-scan.outputs.exit-code }}
+  has-findings:
+    description: "Boolean indicating if twyn found any issues (true/false)"
+    value: ${{ steps.twyn-scan.outputs.has-findings }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Run Twyn Security Check
+      id: twyn-scan
+      shell: bash
+      run: |
+        # Build arguments as an array for safety (avoids word-splitting issues)
+        ARGS=()
+
+        # Optional config file
+        if [ -n "${{ inputs.config }}" ]; then
+          ARGS+=(--config "${{ inputs.config }}")
+        fi
+
+        # Dependency files (multiple allowed)
+        if [ -n "${{ inputs.dependency-file }}" ]; then
+          IFS=',' read -ra DEPENDENCY_FILES <<< "${{ inputs.dependency-file }}"
+          for file in "${DEPENDENCY_FILES[@]}"; do
+            if [ -n "$file" ]; then
+              ARGS+=(--dependency-file "$file")
+            fi
+          done
+        fi
+
+        # Selector method
+        if [ -n "${{ inputs.selector-method }}" ]; then
+          ARGS+=(--selector-method "${{ inputs.selector-method }}")
+        fi
+
+        # Boolean flags
+
+        if [ "${{ inputs.no-track }}" = "true" ]; then
+          ARGS+=(--no-track)
+        fi
+
+        if [ "${{ inputs.json }}" = "true" ]; then
+          ARGS+=(--json)
+        fi
+
+        # Force table format when publishing
+        if [ "${{ inputs.publish }}" = "true" ] || [ "${{ inputs.table }}" = "true" ]; then
+          ARGS+=(--table)
+        fi
+
+        if [ "${{ inputs.recursive }}" = "true" ]; then
+          ARGS+=(--recursive)
+        fi
+
+        # Source URLs
+        if [ -n "${{ inputs.pypi-source }}" ]; then
+          ARGS+=(--pypi-source "${{ inputs.pypi-source }}")
+        fi
+
+        if [ -n "${{ inputs.npm-source }}" ]; then
+          ARGS+=(--npm-source "${{ inputs.npm-source }}")
+        fi
+
+        # Verbose mode
+        if [ "${{ inputs.vv }}" = "true" ]; then
+          ARGS+=(-vv)
+        elif [ "${{ inputs.v }}" = "true" ]; then
+          ARGS+=(-v)
+        fi
+
+
+        # Run twyn using Docker and capture output and exit code
+        # Use 'set +e' to prevent script from exiting on non-zero exit codes
+        set +e
+        TWYN_OUTPUT=$(docker run --rm \
+          -v "${{ github.workspace }}:/workspace" \
+          -w /workspace \
+          elementsinteractive/twyn:${{ inputs.version }} run \
+          "${ARGS[@]}" 2>/dev/null)
+        TWYN_EXIT_CODE=$?
+        set -e
+
+        # Display output in action logs
+        echo "$TWYN_OUTPUT"
+
+        # Set action outputs
+        echo "results<<EOF" >> $GITHUB_OUTPUT
+        echo "$TWYN_OUTPUT" >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+        
+        echo "exit-code=$TWYN_EXIT_CODE" >> $GITHUB_OUTPUT
+        
+        # Set has-findings based on exit code
+        if [ $TWYN_EXIT_CODE -eq 1 ]; then
+          echo "has-findings=true" >> $GITHUB_OUTPUT
+        else
+          echo "has-findings=false" >> $GITHUB_OUTPUT
+        fi
+
+        # Create PR comment with twyn results
+        if [ "${{ inputs.publish }}" = "true" ]; then
+          # Check if github-token is provided
+          if [ -z "${{ inputs.github-token }}" ]; then
+            echo "❌ Error: github-token is required when publish is enabled. Skipping..."
+            exit $TWYN_EXIT_CODE
+          else
+            
+            # Create comment content with proper formatting
+            echo "## 🛡️ Twyn Security Check Results" > comment.md
+            echo "" >> comment.md
+            echo '```' >> comment.md
+            # Process the output to handle escape sequences properly
+            echo "$TWYN_OUTPUT" | sed 's/\\n/\n/g' >> comment.md
+            echo '```' >> comment.md
+              
+            curl -X POST \
+              -H "Authorization: token ${{ inputs.github-token}}" \
+              -H "Accept: application/vnd.github.v3+json" \
+              -d "$(cat comment.md | jq -Rs '{"body": .}')" \
+              "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments"
+            
+            if [ $? -eq 0 ]; then
+              echo "✅ Successfully posted comment to PR"
+            else
+              echo "❌ Failed to post comment to PR"
+            fi
+          fi
+
+        else
+          echo "ℹ️ Publish to PR is disabled (publish: ${{ inputs.publish }})"
+        fi
+
+        # Set final exit code for the action
+        # Exit with 0 if we're just reporting findings (exit code 1)
+        # Exit with the actual code for real errors (exit codes > 1)
+        if [ $TWYN_EXIT_CODE -gt 1 ]; then
+          exit $TWYN_EXIT_CODE
+        else
+          exit 0
+        fi
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,9 @@
+# Test files for Twyn Action
+
+# Python requirements with potential typosquats
+requests==2.28.0
+nmupy==1.24.0  # typo: numpy
+pandsa==1.5.0  # typo: pandas
+falsk==2.2.0   # typo: flask
+djagno==4.1.0  # typo: django
+beatifulsoup4==4.11.0  # typo: beautifulsoup4
