Skip to content

Commit fe21a5b

Browse files
varunsh-codervarunsh-coder
committed
feat: add logging capability to SecureWorkflow
- Add enableLogging query parameter (off by default) - Log input YAML and query parameters when enabled - Log processing steps and errors when enabled - Add final result logging
1 parent d346d34 commit fe21a5b

File tree

1 file changed

+56
-0
lines changed

1 file changed

+56
-0
lines changed

remediation/workflow/secureworkflow.go

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,9 @@
11
package workflow
22

33
import (
4+
"encoding/json"
5+
"log"
6+
47
"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbiface"
58
"github.com/step-security/secure-repo/remediation/workflow/hardenrunner"
69
"github.com/step-security/secure-repo/remediation/workflow/permissions"
@@ -17,6 +20,7 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
1720
pinActions, addHardenRunner, addPermissions, addProjectComment := true, true, true, true
1821
pinnedActions, addedHardenRunner, addedPermissions := false, false, false
1922
ignoreMissingKBs := false
23+
enableLogging := false
2024
exemptedActions, pinToImmutable := []string{}, false
2125
if len(params) > 0 {
2226
if v, ok := params[0].([]string); ok {
@@ -49,17 +53,42 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
4953
addProjectComment = false
5054
}
5155

56+
if queryStringParams["enableLogging"] == "true" {
57+
enableLogging = true
58+
}
59+
60+
if enableLogging {
61+
// Log query parameters
62+
paramsJSON, _ := json.MarshalIndent(queryStringParams, "", " ")
63+
log.Printf("SecureWorkflow called with query parameters: %s", paramsJSON)
64+
65+
// Log input YAML (complete)
66+
log.Printf("Input YAML: %s", inputYaml)
67+
}
68+
5269
secureWorkflowReponse := &permissions.SecureWorkflowReponse{FinalOutput: inputYaml, OriginalInput: inputYaml}
5370
var err error
5471
if addPermissions {
72+
if enableLogging {
73+
log.Printf("Adding job level permissions")
74+
}
5575
secureWorkflowReponse, err = permissions.AddJobLevelPermissions(secureWorkflowReponse.FinalOutput)
5676
secureWorkflowReponse.OriginalInput = inputYaml
5777
if err != nil {
78+
if enableLogging {
79+
log.Printf("Error adding job level permissions: %v", err)
80+
}
5881
return nil, err
5982
} else {
6083
if !secureWorkflowReponse.HasErrors || permissions.ShouldAddWorkflowLevelPermissions(secureWorkflowReponse.JobErrors) {
84+
if enableLogging {
85+
log.Printf("Adding workflow level permissions")
86+
}
6187
secureWorkflowReponse.FinalOutput, err = permissions.AddWorkflowLevelPermissions(secureWorkflowReponse.FinalOutput, addProjectComment)
6288
if err != nil {
89+
if enableLogging {
90+
log.Printf("Error adding workflow level permissions: %v", err)
91+
}
6392
secureWorkflowReponse.HasErrors = true
6493
} else {
6594
// reset the error
@@ -69,6 +98,9 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
6998
}
7099
}
71100
if len(secureWorkflowReponse.MissingActions) > 0 && !ignoreMissingKBs {
101+
if enableLogging {
102+
log.Printf("Storing missing actions: %v", secureWorkflowReponse.MissingActions)
103+
}
72104
StoreMissingActions(secureWorkflowReponse.MissingActions, svc)
73105
}
74106
}
@@ -78,24 +110,48 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
78110
}
79111

80112
if pinActions {
113+
if enableLogging {
114+
log.Printf("Pinning GitHub Actions")
115+
}
81116
pinnedAction, pinnedDocker := false, false
82117
secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable)
83118
secureWorkflowReponse.FinalOutput, pinnedDocker, _ = pin.PinDocker(secureWorkflowReponse.FinalOutput)
84119
pinnedActions = pinnedAction || pinnedDocker
120+
if enableLogging {
121+
log.Printf("Pinned actions: %v, Pinned docker: %v", pinnedAction, pinnedDocker)
122+
}
85123
}
86124

87125
if addHardenRunner {
126+
if enableLogging {
127+
log.Printf("Adding harden runner action")
128+
}
88129
// Always pin harden-runner unless exempted
89130
pinHardenRunner := true
90131
if pin.ActionExists(HardenRunnerActionPath, exemptedActions) {
91132
pinHardenRunner = false
133+
if enableLogging {
134+
log.Printf("Harden runner action is exempted from pinning")
135+
}
92136
}
93137
secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag, pinHardenRunner, pinToImmutable)
138+
if enableLogging {
139+
log.Printf("Added harden runner: %v", addedHardenRunner)
140+
}
94141
}
95142

96143
// Setting appropriate flags
97144
secureWorkflowReponse.PinnedActions = pinnedActions
98145
secureWorkflowReponse.AddedHardenRunner = addedHardenRunner
99146
secureWorkflowReponse.AddedPermissions = addedPermissions
147+
148+
if enableLogging {
149+
log.Printf("SecureWorkflow complete - PinnedActions: %v, AddedHardenRunner: %v, AddedPermissions: %v, HasErrors: %v",
150+
secureWorkflowReponse.PinnedActions,
151+
secureWorkflowReponse.AddedHardenRunner,
152+
secureWorkflowReponse.AddedPermissions,
153+
secureWorkflowReponse.HasErrors)
154+
}
155+
100156
return secureWorkflowReponse, nil
101157
}

0 commit comments

Comments
 (0)