feat(scripts): add workflow npm command scanning to dependency pinning (#837)

WilliamBerryiii · Bill Berry · web-flow · commit 6b5ae0678c3a · 2026-03-02T12:54:31.000-08:00
This PR adds **workflow npm command scanning** to the dependency pinning security scanner. The new `workflow-npm-commands` pattern type detects `npm install`, `npm update`, `npm i`, and `npm install-test` commands inside GitHub Actions workflow `run:` blocks, reporting each as a Medium-severity dependency pinning violation. These commands are security-relevant because they resolve unpinned versions at install time, unlike `npm ci` which reads from a lockfile. ## Description Three new functions were added to *Test-DependencyPinning.ps1* to implement the scanning capability: - **`Get-WorkflowNpmCommandViolations`** parses workflow YAML files using an indentation-aware state machine that tracks `run:` block boundaries, distinguishes inline versus multi-line (pipe/folded) blocks, and correctly skips comment lines. - **`Test-NpmCommandLine`** applies two regex patterns to each line: `'\bnpm\s+(install-test|install|update)\b'` for full command names and `'\bnpm\s+i\b(?!nstall|nit)'` for the short alias with a defensive negative lookahead. - **`New-NpmCommandViolation`** constructs `DependencyViolation` objects with all required fields, using Medium severity and actionable remediation messages matching existing conventions. The `workflow-npm-commands` entry was added to the `$DependencyPatterns` hashtable, and `$IncludeTypes` defaults were updated in both the script-level parameter block and the `Invoke-DependencyPinningAnalysis` function parameter block. Seven Pester test cases were added to *Test-DependencyPinning.Tests.ps1* covering violation detection (4 expected hits), safe command exclusion, commented code handling, mixed blocks, and nonexistent file error paths. Two fixture files provide realistic GitHub Actions workflow structures for testing. ## Related Issue(s) Related to #525 ## Type of Change Select all that apply: **Code & Documentation:** * [ ] Bug fix (non-breaking change fixing an issue) * [x] New feature (non-breaking change adding functionality) * [ ] Breaking change (fix or feature causing existing functionality to change) * [ ] Documentation update **Infrastructure & Configuration:** * [ ] GitHub Actions workflow * [ ] Linting configuration (markdown, PowerShell, etc.) * [ ] Security configuration * [ ] DevContainer configuration * [ ] Dependency update **AI Artifacts:** * [ ] Reviewed contribution with `prompt-builder` agent and addressed all feedback * [ ] Copilot instructions (`.github/instructions/*.instructions.md`) * [ ] Copilot prompt (`.github/prompts/*.prompt.md`) * [ ] Copilot agent (`.github/agents/*.agent.md`) * [ ] Copilot skill (`.github/skills/*/SKILL.md`) **Other:** * [x] Script/automation (`.ps1`, `.sh`, `.py`) * [ ] Other (please describe): ## Testing - 81/81 Pester tests pass, including 7 new test cases in the `Get-WorkflowNpmCommandViolations` Describe block. - 0 PSScriptAnalyzer issues across 69 files. - Test cases cover nominal detection (4 violations from *workflow-npm-install.yml*), negative testing (0 violations from *workflow-npm-ci-only.yml*), commented `npm install` lines, mixed safe/unsafe blocks, and nonexistent file handling. ## Checklist ### Required Checks * [ ] Documentation is updated (if applicable) * [x] Files follow existing naming conventions * [x] Changes are backwards compatible (if applicable) * [x] Tests added for new functionality (if applicable) ### Required Automated Checks The following validation commands must pass before merging: * [x] Markdown linting: `npm run lint:md` * [x] Spell checking: `npm run spell-check` * [x] Frontmatter validation: `npm run lint:frontmatter` * [x] Skill structure validation: `npm run validate:skills` * [x] Link validation: `npm run lint:md-links` * [x] PowerShell analysis: `npm run lint:ps` Co-authored-by: Bill Berry <wbery@microsoft.com>
diff --git a/scripts/security/Test-DependencyPinning.ps1 b/scripts/security/Test-DependencyPinning.ps1
@@ -109,7 +109,7 @@ param(
     [string]$ExcludePaths = "",
 
     [Parameter(Mandatory = $false)]
-    [string]$IncludeTypes = "github-actions,npm,pip,shell-downloads",
+    [string]$IncludeTypes = "github-actions,npm,pip,shell-downloads,workflow-npm-commands",
 
     [Parameter(Mandatory = $false)]
     [ValidateRange(0, 100)]
@@ -165,12 +165,169 @@ $DependencyPatterns = @{
         ValidationFunc = 'Test-ShellDownloadSecurity'
         Description    = 'Shell script downloads must include checksum verification'
     }
+
+    'workflow-npm-commands' = @{
+        FilePatterns   = @('**/.github/workflows/*.yml', '**/.github/workflows/*.yaml')
+        ValidationFunc = 'Get-WorkflowNpmCommandViolations'
+        Description    = 'Workflow npm install/update commands should use npm ci'
+    }
 }
 
 # DependencyViolation and ComplianceReport classes moved to ./Modules/SecurityClasses.psm1
 
 #region Functions
 
+function Test-NpmCommandLine {
+    <#
+    .SYNOPSIS
+        Tests whether a line contains an unpinned npm command.
+    .DESCRIPTION
+        Matches npm install, npm i, npm update, and npm install-test commands.
+        Does not match npm ci, npm run, npm test, npm audit, or npx.
+    .PARAMETER Line
+        The text line to test for npm commands.
+    .OUTPUTS
+        System.String or $null
+    #>
+    param(
+        [Parameter(Mandatory)]
+        [string]$Line
+    )
+
+    if ($Line -match '\bnpm\s+(install-test|install|update)\b') {
+        return $Matches[0]
+    }
+    if ($Line -match '\bnpm\s+i\b(?!nstall|nit)') {
+        return $Matches[0]
+    }
+
+    return $null
+}
+
+function New-NpmCommandViolation {
+    <#
+    .SYNOPSIS
+        Creates a DependencyViolation for an unpinned npm command.
+    .DESCRIPTION
+        Constructs a DependencyViolation object with standard fields for
+        npm command violations detected in workflow run: steps.
+    .PARAMETER FileInfo
+        Hashtable with Path, Type, and RelativePath keys.
+    .PARAMETER LineNumber
+        1-based line number of the violation.
+    .PARAMETER Line
+        The source line containing the npm command.
+    .PARAMETER Command
+        The matched npm command string.
+    .OUTPUTS
+        DependencyViolation
+    #>
+    param(
+        [Parameter(Mandatory)]
+        [hashtable]$FileInfo,
+        [Parameter(Mandatory)]
+        [int]$LineNumber,
+        [Parameter(Mandatory)]
+        [string]$Line,
+        [Parameter(Mandatory)]
+        [string]$Command
+    )
+
+    $violation = [DependencyViolation]::new(
+        $FileInfo.RelativePath,
+        $LineNumber,
+        'workflow-npm-commands',
+        $Command,
+        'Medium',
+        "Unpinned npm command detected: '$Command'. Use 'npm ci' for deterministic installs from lockfile."
+    )
+    $violation.ViolationType = 'Unpinned'
+    $violation.CurrentRef = $Line.Trim()
+    $violation.Remediation = "Replace '$Command' with 'npm ci' for reproducible builds."
+    return $violation
+}
+
+function Get-WorkflowNpmCommandViolations {
+    <#
+    .SYNOPSIS
+        Detects unpinned npm install commands in GitHub Actions workflow run: steps.
+    .DESCRIPTION
+        Scans workflow YAML files for run: blocks and detects npm commands that
+        modify the dependency tree (install, i, update, install-test). Commands
+        that use the lockfile deterministically (ci) or do not install packages
+        (run, test, audit) are not flagged.
+
+        Uses indentation-aware parsing to confine detection to actual run: block
+        content, reducing false positives from YAML comments or unrelated keys.
+    .PARAMETER FileInfo
+        Hashtable with Path, Type, and RelativePath keys identifying the file to scan.
+    .OUTPUTS
+        DependencyViolation[]
+    #>
+    param(
+        [Parameter(Mandatory)]
+        [hashtable]$FileInfo
+    )
+
+    $violations = @()
+    $filePath = $FileInfo.Path
+
+    if (-not (Test-Path -LiteralPath $filePath)) {
+        return $violations
+    }
+
+    $lines = Get-Content -LiteralPath $filePath
+    $inRunBlock = $false
+    $runBlockIndent = 0
+
+    for ($i = 0; $i -lt $lines.Count; $i++) {
+        $line = $lines[$i]
+        $trimmed = $line.TrimStart()
+
+        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) {
+            continue
+        }
+
+        $currentIndent = $line.Length - $line.TrimStart().Length
+
+        if ($trimmed -match '^run:\s*(.*)$') {
+            $runContent = $Matches[1].Trim()
+            $runBlockIndent = $currentIndent
+
+            if ($runContent -and $runContent -notmatch '^[|>]') {
+                $npmMatch = Test-NpmCommandLine -Line $runContent
+                if ($npmMatch) {
+                    $violations += New-NpmCommandViolation -FileInfo $FileInfo -LineNumber ($i + 1) -Line $runContent -Command $npmMatch
+                }
+                $inRunBlock = $false
+            } else {
+                $inRunBlock = $true
+            }
+            continue
+        }
+
+        if ($inRunBlock) {
+            if ($currentIndent -le $runBlockIndent) {
+                $inRunBlock = $false
+                if ($trimmed -match '^run:\s*(.*)$') {
+                    $i--
+                    continue
+                }
+            } else {
+                if ($trimmed.StartsWith('#')) {
+                    continue
+                }
+                $npmMatch = Test-NpmCommandLine -Line $trimmed
+                if ($npmMatch) {
+                    $violations += New-NpmCommandViolation -FileInfo $FileInfo -LineNumber ($i + 1) -Line $trimmed -Command $npmMatch
+                }
+            }
+        }
+    }
+
+    return $violations
+}
+
 function Test-ShellDownloadSecurity {
     <#
     .SYNOPSIS
@@ -795,7 +952,7 @@ function Invoke-DependencyPinningAnalysis {
         [switch]$Recursive,
 
         [Parameter()]
-        [string]$IncludeTypes = "github-actions,npm,pip,shell-downloads",
+        [string]$IncludeTypes = "github-actions,npm,pip,shell-downloads,workflow-npm-commands",
 
         [Parameter()]
         [string]$ExcludePaths = "",
diff --git a/scripts/tests/Fixtures/Workflows/workflow-npm-ci-only.yml b/scripts/tests/Fixtures/Workflows/workflow-npm-ci-only.yml
@@ -0,0 +1,22 @@
+name: test-npm-ci-only
+on: push
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install from lockfile
+        run: npm ci
+      - name: Run linting
+        run: npm run lint
+      - name: Run tests
+        run: npm test
+      - name: Security audit
+        run: npm audit --audit-level=moderate
+      - name: Check version
+        run: npm --version
+      - name: Multi-step clean
+        run: |
+          npm ci
+          npm run build
+          npm run test
diff --git a/scripts/tests/Fixtures/Workflows/workflow-npm-install.yml b/scripts/tests/Fixtures/Workflows/workflow-npm-install.yml
@@ -0,0 +1,17 @@
+name: test-npm-install
+on: push
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: npm install
+      - name: Update packages
+        run: |
+          npm update
+          npm run build
+      - name: Install and test
+        run: npm install-test
+      - name: Short alias install
+        run: npm i --save-dev some-package
diff --git a/scripts/tests/security/Test-DependencyPinning.Tests.ps1 b/scripts/tests/security/Test-DependencyPinning.Tests.ps1
@@ -1171,3 +1171,126 @@ Describe 'Invoke-DependencyPinningAnalysis' -Tag 'Unit' {
         }
     }
 }
+
+Describe 'Get-WorkflowNpmCommandViolations' -Tag 'Unit' {
+    BeforeAll {
+        # Source the script to get functions
+        . $PSScriptRoot/../../security/Test-DependencyPinning.ps1
+
+        $script:fixtureDir = Join-Path $PSScriptRoot '../Fixtures/Workflows'
+    }
+
+    Context 'when workflow contains npm install commands' {
+        It 'should detect npm install in single-line run step' {
+            $fileInfo = @{
+                Path         = Join-Path $script:fixtureDir 'workflow-npm-install.yml'
+                Type         = 'workflow-npm-commands'
+                RelativePath = 'workflow-npm-install.yml'
+            }
+            $violations = Get-WorkflowNpmCommandViolations -FileInfo $fileInfo
+            $violations | Should -HaveCount 4
+        }
+
+        It 'should return DependencyViolation objects' {
+            $fileInfo = @{
+                Path         = Join-Path $script:fixtureDir 'workflow-npm-install.yml'
+                Type         = 'workflow-npm-commands'
+                RelativePath = 'workflow-npm-install.yml'
+            }
+            $violations = Get-WorkflowNpmCommandViolations -FileInfo $fileInfo
+            $violations | ForEach-Object {
+                $_.GetType().Name | Should -Be 'DependencyViolation'
+                $_.Type | Should -Be 'workflow-npm-commands'
+                $_.Severity | Should -Be 'Medium'
+                $_.ViolationType | Should -Be 'Unpinned'
+            }
+        }
+
+        It 'should report accurate line numbers' {
+            $fileInfo = @{
+                Path         = Join-Path $script:fixtureDir 'workflow-npm-install.yml'
+                Type         = 'workflow-npm-commands'
+                RelativePath = 'workflow-npm-install.yml'
+            }
+            $violations = Get-WorkflowNpmCommandViolations -FileInfo $fileInfo
+            $violations | ForEach-Object {
+                $_.Line | Should -BeGreaterThan 0
+            }
+        }
+    }
+
+    Context 'when workflow contains only safe npm commands' {
+        It 'should return no violations for npm ci and npm run' {
+            $fileInfo = @{
+                Path         = Join-Path $script:fixtureDir 'workflow-npm-ci-only.yml'
+                Type         = 'workflow-npm-commands'
+                RelativePath = 'workflow-npm-ci-only.yml'
+            }
+            $violations = Get-WorkflowNpmCommandViolations -FileInfo $fileInfo
+            $violations | Should -HaveCount 0
+        }
+    }
+
+    Context 'when file does not exist' {
+        It 'should return empty array' {
+            $fileInfo = @{
+                Path         = '/tmp/nonexistent-workflow.yml'
+                Type         = 'workflow-npm-commands'
+                RelativePath = 'nonexistent.yml'
+            }
+            $violations = Get-WorkflowNpmCommandViolations -FileInfo $fileInfo
+            $violations | Should -HaveCount 0
+        }
+    }
+
+    Context 'edge cases with inline test data' {
+        It 'should not flag commented-out npm install' {
+            $yaml = @'
+name: test
+on: push
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build
+        run: |
+          # npm install
+          npm ci
+'@
+            $tempFile = Join-Path $TestDrive 'commented-npm.yml'
+            Set-Content -Path $tempFile -Value $yaml
+            $fileInfo = @{
+                Path         = $tempFile
+                Type         = 'workflow-npm-commands'
+                RelativePath = 'commented-npm.yml'
+            }
+            $violations = Get-WorkflowNpmCommandViolations -FileInfo $fileInfo
+            $violations | Should -HaveCount 0
+        }
+
+        It 'should detect npm install in multi-line block alongside safe commands' {
+            $yaml = @'
+name: test
+on: push
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup
+        run: |
+          npm install
+          npm run build
+'@
+            $tempFile = Join-Path $TestDrive 'mixed-npm.yml'
+            Set-Content -Path $tempFile -Value $yaml
+            $fileInfo = @{
+                Path         = $tempFile
+                Type         = 'workflow-npm-commands'
+                RelativePath = 'mixed-npm.yml'
+            }
+            $violations = Get-WorkflowNpmCommandViolations -FileInfo $fileInfo
+            $violations | Should -HaveCount 1
+            $violations[0].Name | Should -BeLike 'npm install*'
+        }
+    }
+}
