claws-scan 0.7.3 → 0.7.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f15bd23a5e2ccdc04f377f54a4677eb06544c37eb1dd9f42e92f839e253c03a0
-  data.tar.gz: 6e353d3efc9cd6df847ca00115e4825db51849e93dc67ef3bd9ebb929d87b8ac
+  metadata.gz: e35f096c235fba21325d4385fd83ac9c7ca2466ca1e82e72311f3079dcd02276
+  data.tar.gz: c5a5f8206a0f047bf0b49b31ba9976a8c41ad5c3476c8167683140298efcc4a6
 SHA512:
-  metadata.gz: 74852855d340e5de4e3fe8ea435e53206483ff21b3b52a19ecb97855646e2d9012ab6b410a173be63b022da292506235b8e2f346dc2e1ce44436d8688317350a
-  data.tar.gz: 1a88c82829b81082cef734cd46b101f1c207daeffebe5b4862322536127eebd67526f6a31fc7844587092e579b06fb175e62438c02b0fb072d4bfd6db0fe1f10
+  metadata.gz: 8f58f8c09db0ccb0b3c1df00f09710bad07bcc691cb4b41681d5d6e2ff62e157c45742505aa9469d2e6b81d35b6a8ce020863019be057f7b36a780ddf314e65a
+  data.tar.gz: 0161dad252e79ee9e79d85eb7af21d2eccf1ce5ae6b82d415fcd4a6d060989e5245c57593ca82ad2b7401716ecf5edbd89b3cb9d02bde036e72dcec3d5339ee7

data/.policy.yml

@@ -0,0 +1,3 @@
+remote: Betterment/policy-bot-config
+path: security-policy.yml
+ref: main

data/CONTRIBUTING.md

@@ -0,0 +1,40 @@
+# Contributing to Claws
+
+Thank you for your interest in contributing to this project! We welcome contributions of all kinds: issues, bug reports, new rules, and pull requests. For just about everything, opening an issue is fine. Opening a pull request would be even better.
+
+## 🔮 Before You Start
+
+Please [search existing issues](https://github.com/betterment/claws/issues) before opening a new one. This helps avoid duplicates and ensures discussions stay organized.
+
+## 🐛 Reporting Bugs
+
+If you encounter a bug, please [open an issue](https://github.com/betterment/claws/issues) and include:
+
+- A clear description of the problem
+- Steps to reproduce the bug
+- Your configuration file (if applicable)
+- A **minimal reproducible example**
+
+## 💡 Suggesting or Adding a New Rule
+
+Have an idea for a new rule? Great! You can:
+
+- [Open an issue](https://github.com/betterment/claws/issues) to discuss it, or
+- Jump straight in with a [pull request](https://github.com/betterment/claws/pulls)
+
+Please explain the motivation behind the rule, its intended use cases, and provide examples if possible.
+
+## 🚀 Submitting Pull Requests
+
+We love pull requests!! Before submitting:
+
+1. Ensure your code follows the existing style and passes all tests.
+2. Include tests for any new features or rules. Every rule requires a test.
+3. Update documentation if needed.
+4. Link the related issue in the PR description (if applicable).
+
+Thank you for helping make this project better!
+
+## 🔐 Reporting Security Issues
+
+If you discover a security vulnerability, **please do not open a public issue**. Instead, refer to our [responsible disclosure guidelines](https://www.betterment.com/legal/security#disclosure) for how to report it.

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    claws-scan (0.7.3)
+    claws-scan (0.7.6)
       equation (~> 0.6)
       pry
       slop (~> 4.9)

data/README.md

@@ -488,7 +488,7 @@ Tips:
 * eval a test expression: e 'expression'
 * ^D to exit
 
-From: /Users/omar/src/unbungle/lib/application.rb:194 Application#enter_debug:
+From: /Users/omar/src/claws/lib/application.rb:194 Application#enter_debug:
 
     184: def enter_debug(result:, expression:, values:)
     185:   @debug_values = values
@@ -553,5 +553,8 @@ Since this rule is functioning as desired, we don't need to dig any further. But
 
 ## Writing Tests
 
-Rules should have corresponding specs that contain sample Workflows that exercise all the different ways to trigger their expressions. See [specs](./specs/rules/) for more info. More docs on the topic TBD :~)
+Rules should have corresponding specs that contain sample Workflows that exercise all the different ways to trigger their expressions. See [specs](./specs/rules/) for more info.
 
+## Contributing
+
+Check [CONTRIBUTING.md](CONTRIBUTING.md)

data/lib/claws/rule/unpinned_action.rb

@@ -12,7 +12,6 @@ module Claws
         $step.meta.action != null &&
         (
           $step.meta.action.version == null ||
-          contains(["main", "master"], $step.meta.action.version) ||
           !($step.meta.action.version =~ "^[a-fA-F0-9]{40}$")
         ) &&
         !contains($data.trusted_authors, $step.meta.action.author) &&
@@ -21,8 +20,7 @@ module Claws
 
       def data
         {
-          "trusted_authors": configuration.fetch("trusted_authors", []),
-          "loose": configuration.fetch("loose_validation", false)
+          "trusted_authors": configuration.fetch("trusted_authors", [])
         }
       end
     end

data/lib/claws/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Claws
-  VERSION = "0.7.3"
+  VERSION = "0.7.6"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: claws-scan
 version: !ruby/object:Gem::Version
-  version: 0.7.3
+  version: 0.7.6
 platform: ruby
 authors:
 - Omar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-30 00:00:00.000000000 Z
+date: 2025-05-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: equation
@@ -74,30 +74,17 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".policy.yml"
 - ".rspec"
 - ".rubocop.yml"
 - ".ruby-version"
+- CONTRIBUTING.md
 - Gemfile
 - Gemfile.lock
 - README.md
 - Rakefile
 - bin/analyze
 - config.yml
-- corpus/automerge_via_action.yml
-- corpus/automerge_via_cli.yml
-- corpus/build-docker-image-run-drc-for-cell-gds-using-magic.yml
-- corpus/cmd.yml
-- corpus/container.yml
-- corpus/container_docker.yml
-- corpus/dispatch_command_injection.yml
-- corpus/inherit_secrets.yml
-- corpus/nameless.yml
-- corpus/permissions.yml
-- corpus/ruby.yml
-- corpus/shellcheck.yml
-- corpus/unsafe_checkout_code_execution.yml
-- corpus/unsafe_checkout_token_leak.yml
-- corpus/unscoped_secrets.yml
 - github_action.yml
 - lib/claws.rb
 - lib/claws/application.rb
@@ -144,7 +131,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
+rubygems_version: 3.4.20
 signing_key:
 specification_version: 4
 summary: Analyzes your Github Actions

data/corpus/automerge_via_action.yml

@@ -1,28 +0,0 @@
-name: Automerge via Github Action
-
-on:
-  pull_request:
-    types:
-      - labeled
-      - unlabeled
-      - synchronize
-      - opened
-      - edited
-      - ready_for_review
-      - reopened
-      - unlocked
-  pull_request_review:
-    types:
-      - submitted
-  check_suite:
-    types:
-      - completed
-  status: {}
-
-jobs:
-  automerge:
-    runs-on: ubuntu-latest
-    steps:
-      - id: automerge
-        name: automerge
-        uses: "pascalgn/automerge-action@v0.15.5"

data/corpus/automerge_via_cli.yml

@@ -1,14 +0,0 @@
-name: Automerge Non-code Changes
-on:
-  push:
-    paths: ['**.txt']
-
-permissions:
-  contents: read
-
-jobs:
-  merge:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Merge pull request
-        run: gh pr merge ${{ steps.create_pull_request.outputs.pull-request-number }} --squash --auto --delete-branch

data/corpus/build-docker-image-run-drc-for-cell-gds-using-magic.yml

@@ -1,170 +0,0 @@
-# Copyright 2021 SkyWater PDK Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache 2.0
-
-name: Build Docker Image for Run DRC for cell GDS (using Magic) Action
-
-on:
-  workflow_dispatch:
-  push:
-  pull_request_target:
-
-
-permissions:
-  contents: read
-
-
-jobs:
-
-  # FIXME: Remove once GitHub Container Registry is working.
-  # docker.pkg.github.com doesn't support buildx built packages, use
-  # docker/build-push-action instead.
-  build-github-package:
-    name: "Building Docker GitHub Package."
-
-    runs-on: ubuntu-latest
-
-    permissions:
-      packages: write # ${{ github.event_name == "push" || github.event_name == "workflow_dispatch" }}
-
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v2
-      with:
-        # Always clone the full depth so git-describe works.
-        fetch-depth: 0
-        submodules: true
-
-    - name: Set Action Name
-      run: echo "ACTION_NAME=run-drc-for-cell-gds-using-magic" >> $GITHUB_ENV
-
-    - name: Build container image
-      uses: docker/build-push-action@v1
-      with:
-        registry: docker.pkg.github.com
-        username: ${{ github.repository_owner }}
-        password: ${{ github.token }}
-        repository: ${{ github.repository }}/${{ env.ACTION_NAME }}
-        path: ${{ env.ACTION_NAME }}
-        tag_with_ref: true
-        tag_with_sha: true
-        add_git_labels: true
-        push: ${{ startsWith(github.ref, 'refs/heads/') }}
-
-
-  build-docker-image:
-    name: "Building image."
-
-    runs-on: ubuntu-latest
-
-    # Run a local registry
-    services:
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
-
-    steps:
-
-    - name: Dump context
-      uses: crazy-max/ghaction-dump-context@v1
-
-    - name: Checkout code
-      uses: actions/checkout@v2
-      with:
-        # Always clone the full depth so git-describe works.
-        fetch-depth: 0
-        submodules: true
-
-    - name: Set Action Name
-      run: echo "ACTION_NAME=run-drc-for-cell-gds-using-magic" >> $GITHUB_ENV
-
-    - name: Detect Push To Config
-      id: push_to
-      shell: python
-      env:
-        HAS_GCR_JSON_KEY: ${{ !!(secrets.GCR_JSON_KEY) }}
-      run: |
-        import os
-        gh_event = os.environ['GITHUB_EVENT_NAME']
-
-        i = []
-        print("Adding local service.")
-        i.append("localhost:5000/${{ env.ACTION_NAME }}")
-
-        if "${{ env.HAS_GCR_JSON_KEY }}":
-            print("Adding Google Container Repository (gcr.io)")
-            i.append("gcr.io/skywater-pdk/actions/${{ env.ACTION_NAME }}")
-
-        #print("Adding GitHub Container Repository (ghcr.io)")
-        #i.append("ghcr.io/${{ github.repository }}/${{ env.ACTION_NAME }}")
-
-        l = ",".join(i)
-        print("Final locations:", repr(l))
-        print("::set-output name=images::{}".format(l))
-
-    - name: Docker meta
-      id: docker_meta
-      uses: docker/metadata-action@v3
-      with:
-        images: ${{ steps.push_to.outputs.images }}
-        tags: |
-          type=ref,event=tag
-          type=ref,event=pr
-          type=ref,event=branch
-          type=sha
-          type=sha,format=long
-
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
-
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v1
-      with:
-        driver-opts: network=host
-
-    - name: Login to Google Container Registry
-      if: ${{ contains(steps.push_to.outputs.images, 'gcr.io') }}
-      uses: docker/login-action@v1
-      with:
-        registry: gcr.io
-        username: _json_key
-        password: ${{ secrets.GCR_JSON_KEY }}
-
-    - name: Login to GitHub Container Registry
-      if: ${{ contains(steps.push_to.outputs.images, 'ghcr.io') }}
-      uses: docker/login-action@v1
-      with:
-        username: ${{ github.repository_owner }}
-        password: ${{ github.token }}
-        registry: ghcr.io
-
-    - name: Build and push
-      uses: docker/build-push-action@v2
-      id: docker_build
-      with:
-        context: ${{ env.ACTION_NAME }}
-        file: ${{ env.ACTION_NAME }}/Dockerfile
-        push: true
-        tags: |
-          ${{ steps.docker_meta.outputs.tags }}
-          localhost:5000/${{ env.ACTION_NAME }}:latest
-        labels: ${{ steps.docker_meta.outputs.labels }}
-
-    - name: Inspect
-      run: docker buildx imagetools inspect localhost:5000/${{ env.ACTION_NAME }}:latest
-
-    - name: Image digest
-      run: echo ${{ steps.docker_build.outputs.digest }}

data/corpus/cmd.yml

@@ -1,14 +0,0 @@
-# INSECURE
-
-on: issue_comment
-name: IssueOps - Demo
-jobs:
-  act-on-issue:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v1
-      - name: Reset demo if a demo or reset issue was opened
-        run: ./scripts/reset-demo.sh "${{ github.event.issue.body }}" "${{ github.event.issue.number }}"
-        env:
-          GITHUB_COM_TOKEN: ${{ secrets.GITHUB_TOKEN }}

data/corpus/container.yml

@@ -1,19 +0,0 @@
-name: CI
-on:
-  push:
-    branches: [ main ]
-jobs:
-  container-test-job:
-    runs-on: ubuntu-latest
-    container:
-      image: node:14.16
-      env:
-        NODE_ENV: development
-      ports:
-        - 80
-      volumes:
-        - my_docker_volume:/volume_mount
-      options: --cpus 1
-    steps:
-      - name: Check for dockerenv file
-        run: (ls /.dockerenv && echo Found dockerenv) || (echo No dockerenv)

data/corpus/container_docker.yml

@@ -1,9 +0,0 @@
-name: CI
-on:
-  push:
-    branches: [ main ]
-jobs:
-  use_image:
-    steps:
-      - name: My first step
-        uses: docker://alpine:3.8

data/corpus/dispatch_command_injection.yml

@@ -1,17 +0,0 @@
-name: Dispatch Me
-on:
-  workflow_dispatch:
-    inputs:
-      name:
-        description: 'Who I should say hello to'
-        required: true
-
-jobs:
-  greet:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v1
-      - name: Reset demo if a demo or reset issue was opened
-        run: ./scripts/greet.sh "${{ github.event.inputs.name }}"
-

data/corpus/inherit_secrets.yml

@@ -1,20 +0,0 @@
-on: [workflow_call]
-name: yea
-jobs:
-  rake:
-    runs-on: ubuntu-latest
-    secrets: inherit
-    steps:
-      - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      # ignore: CommandInjection
-      - name: test
-        run: /bin/ls ${{ github.event.test }}
-      - name: Build
-        run: rake
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          YOINK: ${{ secrets.FLAG }}
-

data/corpus/nameless.yml

@@ -1,11 +0,0 @@
-on: [push, pull_request, pull_request_target]
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: '3.0' # Not needed with a .ruby-version file
-        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
-    - run: bundle exec rake

data/corpus/permissions.yml

@@ -1,19 +0,0 @@
-name: Deploy
-
-on:
-  push:
-    branches:
-    - main
-
-permissions:
-  packages: write
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-    steps:
-      - uses: action/checkout@v3
-      - name: push
-        run: rake release

data/corpus/ruby.yml

@@ -1,12 +0,0 @@
-name: My workflow
-on: [push, pull_request, pull_request_target]
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: '3.0' # Not needed with a .ruby-version file
-        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
-    - run: bundle exec rake

data/corpus/shellcheck.yml

@@ -1,12 +0,0 @@
-on: [push, pull_request, pull_request_target]
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - uses: ruby/setup-ruby@v1
-    - run: |
-        x=$(ls -lah)
-        if [[ $x == 2 ]]; then
-          echo $x
-        fi

data/corpus/unsafe_checkout_code_execution.yml

@@ -1,21 +0,0 @@
-name: Unsafe Checkout that Leads to RCE
-
-on: [pull_request_target]
-
-jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    steps:
-    # check out the attacker controlled branch with their code
-    - uses: actions/checkout@v2
-      with:
-        ref: ${{ github.event.pull_request.head.sha }}
-
-    # set up the environment and run specs
-    # because Rakefile comes from the attacker's branch
-    # we end up executing their code, even though they don't
-    # control the command here
-    - run: |
-        rake setup
-        rake spec

data/corpus/unsafe_checkout_token_leak.yml

@@ -1,33 +0,0 @@
-name: Unsafe Checkout that can Leak Tokens
-
-on: pull_request_target
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-    # check out the attacker controlled branch
-    - name: Checkout (depth 0)
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
-      with:
-        ref: ${{ github.event.pull_request.head.sha }}
-
-    # grab the version number from the VERSION file
-    # however... because we're getting the contents of the file
-    # from the attacker's branch, and because git allows symlinks
-    # the attacker can symlink VERSION to any other file on the system
-    # to leak its contents.
-    - name: Get PR Version
-      id: version_number
-      run: echo "::set-output name=version::$(cat VERSION)"
-
-    # Dump the version number into a Github comment for everyone to see
-    - name: Comment the new version
-      uses: peter-evans/create-or-update-comment@v2
-      with:
-        issue-number: ${{ github.event.pull_request.number }}
-        comment-author: 'github-actions[bot]'
-        body: |
-          Version was updated to
-          ```${{ steps.version_number.outputs.version }}```
-          bye now...

data/corpus/unscoped_secrets.yml

@@ -1,16 +0,0 @@
-on: [pull_request]
-name: yea
-jobs:
-  rake:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Build
-        run: rake
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          YOINK: ${{ secrets.API_KEY }}
-