Merge branch 'int' of https://github.com/vamshi-stepsecurity/secure-repo into bug/wild-card-for-action

Author: Balijepalli Vamshi Krishna

knowledge-base/actions/pullreminders/slack-action/action-security.yml

@@ -51,7 +51,10 @@ func AddAction(inputYaml, action string, pinActions, pinToImmutable bool, skipCo
 	}
 
 	if updated && pinActions {
-		out, _ = pin.PinAction(action, out, nil, pinToImmutable)
+		out, _, err = pin.PinAction(action, out, nil, pinToImmutable, nil)
+		if err != nil {
+			return out, updated, err
+		}
 	}
 
 	return out, updated, nil

remediation/workflow/hardenrunner/addaction.go

@@ -25,6 +25,7 @@ type SecureWorkflowReponse struct {
 	WorkflowFetchError     bool
 	JobErrors              []JobError
 	MissingActions         []string
+	UsingSecureRepoPAT     bool
 }
 
 type JobError struct {

remediation/workflow/permissions/permissions.go

@@ -3,6 +3,7 @@ package pin
 import (
 	"context"
 	"fmt"
+	"log"
 	"os"
 	"regexp"
 	"strings"
@@ -13,7 +14,7 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
-func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool) (string, bool, error) {
+func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
 	workflow := metadata.Workflow{}
 	updated := false
 	err := yaml.Unmarshal([]byte(inputYaml), &workflow)
@@ -28,7 +29,10 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool)
 		for _, step := range job.Steps {
 			if len(step.Uses) > 0 {
 				localUpdated := false
-				out, localUpdated = PinAction(step.Uses, out, exemptedActions, pinToImmutable)
+				out, localUpdated, err = PinAction(step.Uses, out, exemptedActions, pinToImmutable, actionCommitMap)
+				if err != nil {
+					return out, updated, err
+				}
 				updated = updated || localUpdated
 			}
 		}
@@ -37,29 +41,36 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool)
 	return out, updated, nil
 }
 
-func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool) (string, bool) {
-
+func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
 	updated := false
+
 	if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {
-		return inputYaml, updated // Cannot pin local actions and docker actions
+		return inputYaml, updated, nil // Cannot pin local actions and docker actions
 	}
 
 	if isAbsolute(action) || (pinToImmutable && IsImmutableAction(action)) {
-		return inputYaml, updated
+		return inputYaml, updated, nil
 	}
 	leftOfAt := strings.Split(action, "@")
 	tagOrBranch := leftOfAt[1]
 
 	// skip pinning for exempted actions
 	if ActionExists(leftOfAt[0], exemptedActions) {
-		return inputYaml, updated
+		return inputYaml, updated, nil
 	}
 
 	splitOnSlash := strings.Split(leftOfAt[0], "/")
 	owner := splitOnSlash[0]
 	repo := splitOnSlash[1]
 
-	PAT := os.Getenv("PAT")
+	// use secure repo token
+	PAT := os.Getenv("SECURE_REPO_PAT")
+	if PAT == "" {
+		PAT = os.Getenv("PAT")
+		log.Println("SECURE_REPO_PAT is not set, using PAT")
+	} else {
+		log.Println("SECURE_REPO_PAT is set")
+	}
 
 	ctx := context.Background()
 	ts := oauth2.StaticTokenSource(
@@ -68,15 +79,36 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 	tc := oauth2.NewClient(ctx, ts)
 
 	client := github.NewClient(tc)
-
-	commitSHA, _, err := client.Repositories.GetCommitSHA1(ctx, owner, repo, tagOrBranch, "")
-	if err != nil {
-		return inputYaml, updated
+	var commitSHA string
+	var err error
+
+	if actionCommitMap != nil {
+		// Check case-insensitively by iterating through the map
+		for mapAction, actionWithCommit := range actionCommitMap {
+			if strings.EqualFold(action, mapAction) && actionWithCommit != "" {
+				commitSHA = actionWithCommit
+
+				if !semanticTagRegex.MatchString(tagOrBranch) {
+					tagOrBranch, err = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)
+					if err != nil {
+						return inputYaml, updated, err
+					}
+				}
+				break
+			}
+		}
 	}
 
-	tagOrBranch, err = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)
-	if err != nil {
-		return inputYaml, updated
+	if commitSHA == "" {
+		commitSHA, _, err = client.Repositories.GetCommitSHA1(ctx, owner, repo, tagOrBranch, "")
+		if err != nil {
+			return inputYaml, updated, err
+		}
+		tagOrBranch, err = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)
+		if err != nil {
+			return inputYaml, updated, err
+		}
+
 	}
 
 	// pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)
@@ -108,7 +140,7 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 		inputYaml = actionRegex.ReplaceAllString(inputYaml, pinnedActionWithVersion+"$2")
 
 		inputYaml, _ = removePreviousActionComments(pinnedActionWithVersion, inputYaml)
-		return inputYaml, !strings.EqualFold(action, pinnedActionWithVersion)
+		return inputYaml, !strings.EqualFold(action, pinnedActionWithVersion), nil
 	}
 
 	updated = !strings.EqualFold(action, fullPinned)
@@ -140,7 +172,7 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 	)
 	inputYaml, _ = removePreviousActionComments(fullPinned, inputYaml)
 
-	return inputYaml, updated
+	return inputYaml, updated, nil
 }
 
 // It may be that there was already a comment next to the action
@@ -248,3 +280,7 @@ func ActionExists(actionName string, patterns []string) bool {
 	}
 	return false
 }
+
+func UsingSecureRepoPAT() bool {
+	return os.Getenv("SECURE_REPO_PAT") != ""
+}

remediation/workflow/pin/pinactions.go

@@ -254,6 +254,21 @@ func TestPinActions(t *testing.T) {
 			}
 		})
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/peter-evans-test/close-issue/commits/v1",
+		httpmock.NewStringResponder(200, `a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe`))
+
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/peter-evans-test/close-issue/git/matching-refs/tags/v1.",
+		httpmock.NewStringResponder(200,
+			`[
+				{
+					"ref": "refs/tags/v1.0.4",
+					"object": {
+					"sha": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53vam",
+					"type": "commit"
+					}
+				}
+			]`))
+
 	// Mock manifest endpoints for specific versions and commit hashes
 	manifestResponders := []string{
 		// the following list will contain the list of actions with versions
@@ -311,15 +326,29 @@ func TestPinActions(t *testing.T) {
 		{fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*", "praveen/*", "aman-*/*", "*/seperate*", "starc/*"}, pinToImmutable: true},
 		{fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false},
 		{fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false},
+		{fileName: "pinusingmap.yml", wantUpdated: true, pinToImmutable: true},
 	}
 	for _, tt := range tests {
+
+		var output string
+		var gotUpdated bool
+		var err error
+		var actionCommitMap map[string]string
+
 		input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.fileName))
 
 		if err != nil {
 			log.Fatal(err)
 		}
 
-		output, gotUpdated, err := PinActions(string(input), tt.exemptedActions, tt.pinToImmutable)
+		if tt.fileName == "pinusingmap.yml" {
+			actionCommitMap = map[string]string{
+				"peter-evans-test/close-issue@v1": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53vam",
+				"peter-check/[email protected]":  "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53tom",
+			}
+		}
+
+		output, gotUpdated, err = PinActions(string(input), tt.exemptedActions, tt.pinToImmutable, actionCommitMap)
 		if tt.wantUpdated != gotUpdated {
 			t.Errorf("test failed wantUpdated %v did not match gotUpdated %v", tt.wantUpdated, gotUpdated)
 		}

remediation/workflow/pin/pinactions_test.go

@@ -24,7 +24,7 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	enableLogging := false
 	addEmptyTopLevelPermissions := false
 	skipHardenRunnerForContainers := false
-	exemptedActions, pinToImmutable, maintainedActionsMap := []string{}, false, map[string]string{}
+	exemptedActions, pinToImmutable, maintainedActionsMap, actionCommitMap := []string{}, false, map[string]string{}, map[string]string{}
 
 	if len(params) > 0 {
 		if v, ok := params[0].([]string); ok {
@@ -41,6 +41,11 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 			maintainedActionsMap = v
 		}
 	}
+	if len(params) > 3 {
+		if v, ok := params[3].(map[string]string); ok {
+			actionCommitMap = v
+		}
+	}
 
 	if queryStringParams["pinActions"] == "false" {
 		pinActions = false
@@ -143,7 +148,13 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 			log.Printf("Pinning GitHub Actions")
 		}
 		pinnedAction, pinnedDocker := false, false
-		secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable)
+		secureWorkflowReponse.FinalOutput, pinnedAction, err = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable, actionCommitMap)
+		if err != nil {
+			if enableLogging {
+				log.Printf("Error pinning actions: %v", err)
+			}
+			return secureWorkflowReponse, err
+		}
 		secureWorkflowReponse.FinalOutput, pinnedDocker, _ = pin.PinDocker(secureWorkflowReponse.FinalOutput)
 		pinnedActions = pinnedAction || pinnedDocker
 		if enableLogging {
@@ -174,13 +185,16 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	secureWorkflowReponse.AddedHardenRunner = addedHardenRunner
 	secureWorkflowReponse.AddedPermissions = addedPermissions
 	secureWorkflowReponse.AddedMaintainedActions = replacedMaintainedActions
+	secureWorkflowReponse.UsingSecureRepoPAT = pin.UsingSecureRepoPAT()
 
 	if enableLogging {
-		log.Printf("SecureWorkflow complete - PinnedActions: %v, AddedHardenRunner: %v, AddedPermissions: %v, HasErrors: %v",
+		log.Printf("SecureWorkflow complete - PinnedActions: %v, AddedHardenRunner: %v, AddedPermissions: %v, AddedMaintainedActions: %v, HasErrors: %v, UsingSecureRepoPAT: %v",
 			secureWorkflowReponse.PinnedActions,
 			secureWorkflowReponse.AddedHardenRunner,
 			secureWorkflowReponse.AddedPermissions,
-			secureWorkflowReponse.HasErrors)
+			secureWorkflowReponse.AddedMaintainedActions,
+			secureWorkflowReponse.HasErrors,
+			secureWorkflowReponse.UsingSecureRepoPAT)
 	}
 
 	return secureWorkflowReponse, nil

remediation/workflow/secureworkflow.go

@@ -214,16 +214,17 @@ func TestSecureWorkflow(t *testing.T) {
 		wantAddedHardenRunner      bool
 		wantAddedPermissions       bool
 		wantAddedMaintainedActions bool
+		wantError                  bool
 	}{
-		{fileName: "replaceactions.yml", wantPinnedActions: true, wantAddedHardenRunner: true, wantAddedPermissions: false, wantAddedMaintainedActions: true},
-		{fileName: "allscenarios.yml", wantPinnedActions: true, wantAddedHardenRunner: true, wantAddedPermissions: true},
-		{fileName: "missingaction.yml", wantPinnedActions: true, wantAddedHardenRunner: true, wantAddedPermissions: false},
-		{fileName: "nohardenrunner.yml", wantPinnedActions: true, wantAddedHardenRunner: false, wantAddedPermissions: true},
-		{fileName: "noperms.yml", wantPinnedActions: true, wantAddedHardenRunner: true, wantAddedPermissions: false},
-		{fileName: "nopin.yml", wantPinnedActions: false, wantAddedHardenRunner: true, wantAddedPermissions: true},
-		{fileName: "allperms.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: true},
-		{fileName: "multiplejobperms.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: true},
-		{fileName: "error.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: false},
+		{fileName: "oneJob.yml", wantPinnedActions: true, wantAddedHardenRunner: true, wantAddedPermissions: false, wantAddedMaintainedActions: true, wantError: false},
+		{fileName: "allscenarios.yml", wantPinnedActions: true, wantAddedHardenRunner: true, wantAddedPermissions: true, wantError: false},
+		{fileName: "nohardenrunner.yml", wantPinnedActions: true, wantAddedHardenRunner: false, wantAddedPermissions: true, wantError: false},
+		{fileName: "noperms.yml", wantPinnedActions: true, wantAddedHardenRunner: true, wantAddedPermissions: false, wantError: false},
+		{fileName: "nopin.yml", wantPinnedActions: false, wantAddedHardenRunner: true, wantAddedPermissions: true, wantError: false},
+		{fileName: "allperms.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: true, wantError: false},
+		{fileName: "multiplejobperms.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: true, wantError: false},
+		{fileName: "error.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: false, wantError: false},
+		{fileName: "missingaction.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: false, wantError: true},
 	}
 	for _, test := range tests {
 		var err error
@@ -250,7 +251,7 @@ func TestSecureWorkflow(t *testing.T) {
 		case "multiplejobperms.yml":
 			queryParams["addHardenRunner"] = "false"
 			queryParams["pinActions"] = "false"
-		case "replaceactions.yml":
+		case "oneJob.yml":
 			queryParams["addMaintainedActions"] = "true"
 			queryParams["addHardenRunner"] = "true"
 			queryParams["pinActions"] = "true"
@@ -260,17 +261,26 @@ func TestSecureWorkflow(t *testing.T) {
 
 		var output *permissions.SecureWorkflowReponse
 		var actionMap map[string]string
-		if test.fileName == "replaceactions.yml" {
+		if test.fileName == "oneJob.yml" {
 			actionMap, err = maintainedactions.LoadMaintainedActions("maintainedactions/maintainedActions.json")
 			if err != nil {
 				t.Errorf("unable to load the file %s", err)
 			}
-			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, []string{}, false, actionMap)
+			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, []string{"actions/*"}, false, actionMap)
 		} else {
 			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{})
 		}
 
+		if test.wantError {
+			if err == nil {
+				t.Errorf("test failed %s expected an error but got none", test.fileName)
+			}
+			// Skip further validation if we expected an error
+			continue
+		}
+
 		if err != nil {
+			t.Log(err)
 			t.Errorf("Error not expected")
 		}
 

remediation/workflow/secureworkflow_test.go

@@ -0,0 +1,28 @@
+name: "close issue"
+
+on:
+  push:
+  
+
+jobs:
+  closeissue:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Close Issue
+      uses: peter-evans-test/close-issue@v1
+      with:
+       issue-number: 1
+       comment: Auto-closing issue
+
+    - name: Close Issue
+      uses: peter-evans/close-issue@v1
+      with:
+       issue-number: 1
+       comment: Auto-closing issue
+
+    - name: Close Issue
+      uses: peter-check/[email protected]
+      with:
+       issue-number: 1
+       comment: Auto-closing issue

testfiles/pinactions/input/pinusingmap.yml

@@ -0,0 +1,28 @@
+name: "close issue"
+
+on:
+  push:
+  
+
+jobs:
+  closeissue:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Close Issue
+      uses: peter-evans-test/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53vam # v1.0.4
+      with:
+       issue-number: 1
+       comment: Auto-closing issue
+
+    - name: Close Issue
+      uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1.0.3
+      with:
+       issue-number: 1
+       comment: Auto-closing issue
+
+    - name: Close Issue
+      uses: peter-check/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53tom # v1.2.3
+      with:
+       issue-number: 1
+       comment: Auto-closing issue