support for passing logger

Balijepalli Vamshi Krishna · Balijepalli Vamshi Krishna · commit 4989623cd205 · 2025-11-04T10:59:22.000+05:30
diff --git a/main.go b/main.go
@@ -128,7 +128,7 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {
 				inputYaml = httpRequest.Body
 			}
 
-			fixResponse, err := workflow.SecureWorkflow(httpRequest.QueryStringParameters, inputYaml, dynamoDbSvc)
+			fixResponse, err := workflow.SecureWorkflow(httpRequest.QueryStringParameters, inputYaml, dynamoDbSvc, nil)
 
 			if err != nil {
 				response = events.APIGatewayProxyResponse{
diff --git a/remediation/workflow/hardenrunner/addaction.go b/remediation/workflow/hardenrunner/addaction.go
@@ -51,7 +51,7 @@ func AddAction(inputYaml, action string, pinActions, pinToImmutable bool, skipCo
 	}
 
 	if updated && pinActions {
-		out, _, err = pin.PinAction(action, out, nil, pinToImmutable, nil)
+		out, _, err = pin.PinAction(action, out, nil, pinToImmutable, nil, nil)
 		if err != nil {
 			return out, updated, err
 		}
diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
@@ -3,19 +3,24 @@ package pin
 import (
 	"context"
 	"fmt"
-	"log"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 
 	"github.com/google/go-github/v40/github"
+	"github.com/sirupsen/logrus"
 	metadata "github.com/step-security/secure-repo/remediation/workflow/metadata"
 	"golang.org/x/oauth2"
 	"gopkg.in/yaml.v3"
 )
 
-func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
+type StepSecurityAppLogger struct {
+	RequestID string `json:"request_id,omitempty"`
+	*logrus.Logger
+}
+
+func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string, logger *StepSecurityAppLogger) (string, bool, error) {
 	workflow := metadata.Workflow{}
 	updated := false
 	err := yaml.Unmarshal([]byte(inputYaml), &workflow)
@@ -30,7 +35,7 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool,
 		for _, step := range job.Steps {
 			if len(step.Uses) > 0 {
 				localUpdated := false
-				out, localUpdated, err = PinAction(step.Uses, out, exemptedActions, pinToImmutable, actionCommitMap)
+				out, localUpdated, err = PinAction(step.Uses, out, exemptedActions, pinToImmutable, actionCommitMap, logger)
 				if err != nil {
 					return out, updated, err
 				}
@@ -42,7 +47,7 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool,
 	return out, updated, nil
 }
 
-func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
+func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string, logger *StepSecurityAppLogger) (string, bool, error) {
 
 	updated := false
 	if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {
@@ -68,9 +73,17 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 	PAT := os.Getenv("SECURE_REPO_PAT")
 	if PAT == "" {
 		PAT = os.Getenv("PAT")
-		log.Println("SECURE_REPO_PAT is not set, using PAT")
+		if logger != nil {
+			logger.Logf(logrus.InfoLevel, "SECURE_REPO_PAT is not set, using PAT")
+		} else {
+			logrus.Info("SECURE_REPO_PAT is not set, using PAT")
+		}
 	} else {
-		log.Println("SECURE_REPO_PAT is set")
+		if logger != nil {
+			logger.Logf(logrus.InfoLevel, "SECURE_REPO_PAT is set")
+		} else {
+			logrus.Info("SECURE_REPO_PAT is set")
+		}
 	}
 
 	ctx := context.Background()
diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go
@@ -333,7 +333,7 @@ func TestPinActions(t *testing.T) {
 			}
 		}
 
-		output, gotUpdated, err = PinActions(string(input), tt.exemptedActions, tt.pinToImmutable, actionCommitMap)
+		output, gotUpdated, err = PinActions(string(input), tt.exemptedActions, tt.pinToImmutable, actionCommitMap, nil)
 		if tt.wantUpdated != gotUpdated {
 			t.Errorf("test failed wantUpdated %v did not match gotUpdated %v", tt.wantUpdated, gotUpdated)
 		}
diff --git a/remediation/workflow/secureworkflow.go b/remediation/workflow/secureworkflow.go
@@ -17,7 +17,7 @@ const (
 	HardenRunnerActionName        = "Harden Runner"
 )
 
-func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc dynamodbiface.DynamoDBAPI, params ...interface{}) (*permissions.SecureWorkflowReponse, error) {
+func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc dynamodbiface.DynamoDBAPI, logger *pin.StepSecurityAppLogger, params ...interface{}) (*permissions.SecureWorkflowReponse, error) {
 	pinActions, addHardenRunner, addPermissions, addProjectComment, replaceMaintainedActions := true, true, true, true, false
 	pinnedActions, addedHardenRunner, addedPermissions, replacedMaintainedActions := false, false, false, false
 	ignoreMissingKBs := false
@@ -148,7 +148,7 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 			log.Printf("Pinning GitHub Actions")
 		}
 		pinnedAction, pinnedDocker := false, false
-		secureWorkflowReponse.FinalOutput, pinnedAction, err = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable, actionCommitMap)
+		secureWorkflowReponse.FinalOutput, pinnedAction, err = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable, actionCommitMap, logger)
 		if err != nil {
 			if enableLogging {
 				log.Printf("Error pinning actions: %v", err)
diff --git a/remediation/workflow/secureworkflow_test.go b/remediation/workflow/secureworkflow_test.go
@@ -266,9 +266,9 @@ func TestSecureWorkflow(t *testing.T) {
 			if err != nil {
 				t.Errorf("unable to load the file %s", err)
 			}
-			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, []string{"actions/*"}, false, actionMap)
+			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, nil, []string{"actions/*"}, false, actionMap)
 		} else {
-			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{})
+			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, nil)
 		}
 
 		if test.wantError {
@@ -369,7 +369,7 @@ func TestSecureWorkflowContainerJob(t *testing.T) {
 	queryParams["skipHardenRunnerForContainers"] = "true"
 	queryParams["addProjectComment"] = "false"
 
-	output, err := SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{})
+	output, err := SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, nil)
 
 	if err != nil {
 		t.Errorf("Error not expected")
@@ -474,7 +474,7 @@ func TestSecureWorkflowEmptyPermissions(t *testing.T) {
 	queryParams["addEmptyTopLevelPermissions"] = "true"
 	queryParams["addProjectComment"] = "false"
 
-	output, err := SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{})
+	output, err := SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, nil)
 
 	if err != nil {
 		t.Errorf("Error not expected")

Original file line number	Diff line number	Diff line change
`@@ -128,7 +128,7 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {`
`128`	`128`	`inputYaml = httpRequest.Body`
`129`	`129`	`}`
`130`	`130`
`131`		`- fixResponse, err := workflow.SecureWorkflow(httpRequest.QueryStringParameters, inputYaml, dynamoDbSvc)`
	`131`	`+ fixResponse, err := workflow.SecureWorkflow(httpRequest.QueryStringParameters, inputYaml, dynamoDbSvc, nil)`
`132`	`132`
`133`	`133`	`if err != nil {`
`134`	`134`	`response = events.APIGatewayProxyResponse{`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ func AddAction(inputYaml, action string, pinActions, pinToImmutable bool, skipCo`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`if updated && pinActions {`
`54`		`- out, _, err = pin.PinAction(action, out, nil, pinToImmutable, nil)`
	`54`	`+ out, _, err = pin.PinAction(action, out, nil, pinToImmutable, nil, nil)`
`55`	`55`	`if err != nil {`
`56`	`56`	`return out, updated, err`
`57`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -333,7 +333,7 @@ func TestPinActions(t *testing.T) {`
`333`	`333`	`}`
`334`	`334`	`}`
`335`	`335`
`336`		`- output, gotUpdated, err = PinActions(string(input), tt.exemptedActions, tt.pinToImmutable, actionCommitMap)`
	`336`	`+ output, gotUpdated, err = PinActions(string(input), tt.exemptedActions, tt.pinToImmutable, actionCommitMap, nil)`
`337`	`337`	`if tt.wantUpdated != gotUpdated {`
`338`	`338`	`t.Errorf("test failed wantUpdated %v did not match gotUpdated %v", tt.wantUpdated, gotUpdated)`
`339`	`339`	`}`