56 changes: 56 additions & 0 deletions remediation/workflow/secureworkflow.go
@@ -1,6 +1,9 @@
package workflow

import (
"encoding/json"
"log"

"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbiface"
"github.com/step-security/secure-repo/remediation/workflow/hardenrunner"
"github.com/step-security/secure-repo/remediation/workflow/permissions"
Expand All @@ -17,6 +20,7 @@
pinActions, addHardenRunner, addPermissions, addProjectComment := true, true, true, true
pinnedActions, addedHardenRunner, addedPermissions := false, false, false
ignoreMissingKBs := false
enableLogging := false
exemptedActions, pinToImmutable := []string{}, false
if len(params) > 0 {
if v, ok := params[0].([]string); ok {
Expand Down Expand Up @@ -49,17 +53,42 @@
addProjectComment = false
}

if queryStringParams["enableLogging"] == "true" {
enableLogging = true
}


if enableLogging {
// Log query parameters
paramsJSON, _ := json.MarshalIndent(queryStringParams, "", " ")
log.Printf("SecureWorkflow called with query parameters: %s", paramsJSON)

// Log input YAML (complete)
log.Printf("Input YAML: %s", inputYaml)
}


secureWorkflowReponse := &permissions.SecureWorkflowReponse{FinalOutput: inputYaml, OriginalInput: inputYaml}
var err error
if addPermissions {
if enableLogging {
log.Printf("Adding job level permissions")
}

secureWorkflowReponse, err = permissions.AddJobLevelPermissions(secureWorkflowReponse.FinalOutput)
secureWorkflowReponse.OriginalInput = inputYaml
if err != nil {
if enableLogging {
log.Printf("Error adding job level permissions: %v", err)
}

return nil, err
} else {
if !secureWorkflowReponse.HasErrors || permissions.ShouldAddWorkflowLevelPermissions(secureWorkflowReponse.JobErrors) {
if enableLogging {
log.Printf("Adding workflow level permissions")
}

secureWorkflowReponse.FinalOutput, err = permissions.AddWorkflowLevelPermissions(secureWorkflowReponse.FinalOutput, addProjectComment)
if err != nil {
if enableLogging {
log.Printf("Error adding workflow level permissions: %v", err)
}

secureWorkflowReponse.HasErrors = true
} else {
// reset the error
Expand All @@ -69,6 +98,9 @@
}
}
if len(secureWorkflowReponse.MissingActions) > 0 && !ignoreMissingKBs {
if enableLogging {
log.Printf("Storing missing actions: %v", secureWorkflowReponse.MissingActions)
}

StoreMissingActions(secureWorkflowReponse.MissingActions, svc)
}
}
Expand All @@ -78,24 +110,48 @@
}

if pinActions {
if enableLogging {
log.Printf("Pinning GitHub Actions")
}

pinnedAction, pinnedDocker := false, false
secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable)
secureWorkflowReponse.FinalOutput, pinnedDocker, _ = pin.PinDocker(secureWorkflowReponse.FinalOutput)
pinnedActions = pinnedAction || pinnedDocker
if enableLogging {
log.Printf("Pinned actions: %v, Pinned docker: %v", pinnedAction, pinnedDocker)
}

}

if addHardenRunner {
if enableLogging {
log.Printf("Adding harden runner action")
}

// Always pin harden-runner unless exempted
pinHardenRunner := true
if pin.ActionExists(HardenRunnerActionPath, exemptedActions) {
pinHardenRunner = false
if enableLogging {
log.Printf("Harden runner action is exempted from pinning")
}

}
secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag, pinHardenRunner, pinToImmutable)
if enableLogging {
log.Printf("Added harden runner: %v", addedHardenRunner)
}

}

// Setting appropriate flags
secureWorkflowReponse.PinnedActions = pinnedActions
secureWorkflowReponse.AddedHardenRunner = addedHardenRunner
secureWorkflowReponse.AddedPermissions = addedPermissions

if enableLogging {
log.Printf("SecureWorkflow complete - PinnedActions: %v, AddedHardenRunner: %v, AddedPermissions: %v, HasErrors: %v",
secureWorkflowReponse.PinnedActions,
secureWorkflowReponse.AddedHardenRunner,
secureWorkflowReponse.AddedPermissions,
secureWorkflowReponse.HasErrors)
}


return secureWorkflowReponse, nil
}
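Review bot: Verbose logging is switched on by the caller's own query string (`queryStringParams["enableLogging"] == "true"` in the hunk at +53) and then writes the complete untrusted `inputYaml` and every query parameter to the service log with `%s`, so any client can flood the logs with arbitrary content, embed newlines that forge log records, and deposit whatever credentials a user pasted into a workflow into log storage. Diagnostic verbosity should be a server-side setting (read once from the process configuration, not from the request), and the payload lines should be bounded and escaped, e.g. `log.Printf("Input YAML (%d bytes): %q", len(inputYaml), inputYaml)` after truncating to a fixed size, with the same treatment for the parameter dump. The discarded error from `json.MarshalIndent(queryStringParams, "", " ")` should at least be logged rather than assigned to `_`, since a failure there silently produces an empty `paramsJSON`. The signature of SecureWorkflow and the parsing of `queryStringParams` lie outside the hunk, so the exact source of the parameters is inferred from the name.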