RubyGems - claws-scan - Versions diffs - 0.7.3 - Mend

claws-scan 0.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

checksums.yaml +7 -0
data/.rspec +3 -0
data/.rubocop.yml +31 -0
data/.ruby-version +1 -0
data/Gemfile +17 -0
data/Gemfile.lock +99 -0
data/README.md +557 -0
data/Rakefile +12 -0
data/bin/analyze +62 -0
data/config.yml +16 -0
data/corpus/automerge_via_action.yml +28 -0
data/corpus/automerge_via_cli.yml +14 -0
data/corpus/build-docker-image-run-drc-for-cell-gds-using-magic.yml +170 -0
data/corpus/cmd.yml +14 -0
data/corpus/container.yml +19 -0
data/corpus/container_docker.yml +9 -0
data/corpus/dispatch_command_injection.yml +17 -0
data/corpus/inherit_secrets.yml +20 -0
data/corpus/nameless.yml +11 -0
data/corpus/permissions.yml +19 -0
data/corpus/ruby.yml +12 -0
data/corpus/shellcheck.yml +12 -0
data/corpus/unsafe_checkout_code_execution.yml +21 -0
data/corpus/unsafe_checkout_token_leak.yml +33 -0
data/corpus/unscoped_secrets.yml +16 -0
data/github_action.yml +36 -0
data/lib/claws/application.rb +237 -0
data/lib/claws/base_rule.rb +94 -0
data/lib/claws/cli/color.rb +30 -0
data/lib/claws/cli/yaml_with_lines.rb +124 -0
data/lib/claws/engine.rb +25 -0
data/lib/claws/formatter/github.rb +17 -0
data/lib/claws/formatter/stdout.rb +13 -0
data/lib/claws/formatters.rb +4 -0
data/lib/claws/rule/automatic_merge.rb +49 -0
data/lib/claws/rule/bulk_permissions.rb +20 -0
data/lib/claws/rule/command_injection.rb +14 -0
data/lib/claws/rule/empty_name.rb +14 -0
data/lib/claws/rule/inherited_secrets.rb +17 -0
data/lib/claws/rule/no_containers.rb +28 -0
data/lib/claws/rule/risky_triggers.rb +32 -0
data/lib/claws/rule/shellcheck.rb +109 -0
data/lib/claws/rule/special_permissions.rb +37 -0
data/lib/claws/rule/unapproved_runners.rb +31 -0
data/lib/claws/rule/unpinned_action.rb +30 -0
data/lib/claws/rule/unsafe_checkout.rb +36 -0
data/lib/claws/rule.rb +13 -0
data/lib/claws/version.rb +5 -0
data/lib/claws/violation.rb +11 -0
data/lib/claws/workflow.rb +221 -0
data/lib/claws.rb +6 -0
metadata +151 -0

data/lib/claws/rule/unpinned_action.rb ADDED Viewed

@@ -0,0 +1,30 @@
+module Claws
+  module Rule
+    class UnpinnedAction < BaseRule
+      description <<~DESC
+        All reusable actions must be pinned to a full sha1 commit hash.
+        For more information:
+        https://github.com/betterment/claws/blob/main/README.md#unpinnedaction
+      DESC
+      on_step %(
+        $step.meta.action != null &&
+        (
+          $step.meta.action.version == null ||
+          contains(["main", "master"], $step.meta.action.version) ||
+          !($step.meta.action.version =~ "^[a-fA-F0-9]{40}$")
+        ) &&
+        !contains($data.trusted_authors, $step.meta.action.author) &&
+        !$step.meta.action.local
+      ), highlight: "uses"
+      def data
+        {
+          "trusted_authors": configuration.fetch("trusted_authors", []),
+          "loose": configuration.fetch("loose_validation", false)
+        }
+      end
+    end
+  end
+end

data/lib/claws/rule/unsafe_checkout.rb ADDED Viewed

@@ -0,0 +1,36 @@
+module Claws
+  module Rule
+    class UnsafeCheckout < BaseRule
+      description <<~DESC
+        This workflow checks out a user supplied branch, which could be risky if any code is executed using it.
+        For more information:
+        https://github.com/betterment/claws/blob/main/README.md#unsafecheckout
+      DESC
+      on_step %(
+        contains_any($workflow.meta.triggers, $data.risky_events) &&
+        $step.meta.action.name == "actions/checkout" &&
+        (
+          contains($step.with.ref, "github.event") ||
+          contains($step.with.ref, "inputs.")
+        )
+      ), highlight: "with.ref"
+      def data
+        {
+          "risky_events": risky_events
+        }
+      end
+      private
+      def risky_events
+        configuration.fetch(
+          "risky_events",
+          %w[pull_request_target workflow_dispatch]
+        )
+      end
+    end
+  end
+end

data/lib/claws/rule.rb ADDED Viewed

@@ -0,0 +1,13 @@
+require "claws/base_rule"
+require "claws/rule/no_containers"
+require "claws/rule/special_permissions"
+require "claws/rule/empty_name"
+require "claws/rule/risky_triggers"
+require "claws/rule/unapproved_runners"
+require "claws/rule/automatic_merge"
+require "claws/rule/unpinned_action"
+require "claws/rule/unsafe_checkout"
+require "claws/rule/inherited_secrets"
+require "claws/rule/command_injection"
+require "claws/rule/bulk_permissions"
+require "claws/rule/shellcheck"

data/lib/claws/version.rb ADDED Viewed

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+module Claws
+  VERSION = "0.7.3"
+end

data/lib/claws/violation.rb ADDED Viewed

@@ -0,0 +1,11 @@
+class Violation
+  attr_accessor :file, :name, :line, :snippet, :description
+  def initialize(line:, description:, file: nil, name: nil, snippet: nil)
+    @file = file
+    @name = name
+    @line = line
+    @snippet = snippet
+    @description = description
+  end
+end

data/lib/claws/workflow.rb ADDED Viewed

@@ -0,0 +1,221 @@
+require "forwardable"
+require "claws/cli/yaml_with_lines"
+class Workflow
+  extend Forwardable
+  attr_accessor :data, :on, :jobs, :name, :meta, :permissions
+  def_delegators :@workflow, :get_line, :include?, :keys
+  def initialize(raw_yaml)
+    @workflow = YAMLWithLines.load(raw_yaml)
+    # enriched metadata about the workflow as a whole
+    @meta = {}
+    normalize_dashes(@workflow)
+    extract_normalized_on(@workflow)
+    extract_normalized_jobs(@workflow)
+    extract_normalized_name(@workflow)
+    extract_permissions(@workflow)
+    @raw_yaml = raw_yaml
+  end
+  def self.load(blob)
+    Workflow.new(blob)
+  end
+  def line
+    @workflow.line
+  end
+  def [](key)
+    return @on if key.to_s == "on"
+    return @jobs if key.to_s == "jobs"
+    return @name if key.to_s == "name"
+  end
+  def get_snippet(line, context: 3)
+    buffer = ""
+    (([0, line - context].max)..(line + context)).each do |i|
+      next if @raw_yaml.lines[i].nil?
+      buffer += if i + 1 == line
+                  ">>> #{@raw_yaml.lines[i]}"
+                else
+                  @raw_yaml.lines[i]
+                end
+    end
+    buffer
+  end
+  def ignores
+    ignores = {}
+    @raw_yaml.lines.each_with_index do |line, i|
+      i += 1 # line numbers are one indexed
+      matches = line.match(/^\s*#.*ignore: (.*)/)
+      next if matches.nil?
+      matches = matches[1].split(",").map(&:strip)
+      ignores[i] = matches
+    end
+    ignores
+  end
+  private
+  def normalize_dashes(input)
+    return input unless input.is_a? Hash
+    input.clone.each do |old_key, v|
+      new_key = old_key.to_s.gsub(/-/, "_")
+      if old_key != new_key
+        copy_key_with_line(input, old_key, new_key)
+        input.delete(old_key)
+      end
+      normalize_dashes(v)
+    end
+    input
+  end
+  def extract_permissions(input)
+    @permissions = input["permissions"]
+    @meta["permissions"] = normalize_permissions(input["permissions"])
+  end
+  def normalize_permissions(input) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+    permissions = {
+      read: [],
+      write: [],
+      none: [],
+      read_all: false,
+      write_all: false
+    }
+    return permissions if input.nil?
+    if input.is_a? String
+      permissions[:read_all] = true if input == "read-all"
+      permissions[:write_all] = true if input == "write-all"
+      return permissions
+    end
+    return unless input.is_a? Hash
+    input.each do |k, v|
+      permissions[:read] << k if v == "read"
+      permissions[:write] << k if v == "write"
+      permissions[:none] << k if v == "none"
+    end
+    permissions
+  end
+  def extract_normalized_on(workflow)
+    if workflow["on"].is_a? String
+      line_number = workflow.keys.first { |k| k == "on" }.line
+      @on = workflow["on"] = [workflow["on"]]
+      set_attr_line_number(:@on, line_number)
+    else
+      @on = workflow["on"]
+    end
+    @meta["triggers"] = @on
+    @meta["triggers"] = @on.keys if @on.is_a? Hash
+  end
+  def extract_normalized_jobs(workflow)
+    @jobs = workflow["jobs"]
+    @jobs.each do |job_name, job|
+      @jobs[job_name] = job
+      job["meta"] = {
+        container: extract_container_info_from_job(job),
+        permissions: normalize_permissions(job["permissions"])
+      }
+      job.fetch("steps", []).each do |step|
+        step["meta"] = {
+          secrets: extract_used_secrets(step["env"]),
+          action: extract_action_data(step["uses"])
+        }
+      end
+    end
+  end
+  def extract_used_secrets(env)
+    return [] if env.nil?
+    secrets = []
+    env.each do |_k, v|
+      next unless v.is_a? String
+      secrets += v.scan(/secrets\.([a-zA-Z0-9_]+)/).flatten
+    end
+    secrets
+  end
+  def extract_action_data(action)
+    return nil if action.nil?
+    return extract_container_info_from_action(action) if action.start_with? "docker://"
+    name, version = action.split("@", 2)
+    author = name.split("/", 2)[0]
+    local = author == "."
+    { type: "action", name: name, author: author, version: version, local: local }
+  end
+  def extract_container_info_from_job(job)
+    return nil if job["container"].nil?
+    image = if job["container"].is_a? Hash
+              job["container"]["image"]
+            else
+              job["container"]
+            end
+    extract_container_info_from_action(image)
+  end
+  def extract_container_info_from_action(action)
+    return nil if action.nil?
+    image, version = action.split("docker://").last.split(":", 2)
+    {
+      type: "container",
+      image: image,
+      version: version,
+      full: "#{image}:#{version}"
+    }
+  end
+  def extract_normalized_name(workflow)
+    @name = workflow["name"]
+    set_attr_line_number(:@name, 0)
+  end
+  def set_attr_line_number(key, line)
+    instance_variable_get(key).instance_eval { |_x| define_singleton_method(:line, -> { line }) }
+  end
+  def copy_key_with_line(blob, src, dst)
+    line = blob.keys.first { |k| k.to_sym == src.to_sym }.line
+    new_key = String.new(dst).tap { |x| x.instance_eval { |_x| define_singleton_method(:line, -> { line }) } }
+    # freezing it keeps ruby from making a copy w/o `line`
+    new_key.freeze
+    blob[new_key] = blob[src]
+  end
+end

data/lib/claws.rb ADDED Viewed

@@ -0,0 +1,6 @@
+require "claws/application"
+require "claws/engine"
+require "claws/formatters"
+require "claws/rule"
+require "claws/violation"
+require "claws/workflow"

metadata ADDED Viewed

@@ -0,0 +1,151 @@
+--- !ruby/object:Gem::Specification
+name: claws-scan
+version: !ruby/object:Gem::Version
+  version: 0.7.3
+platform: ruby
+authors:
+- Omar
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2025-04-30 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: equation
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: slop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.9'
+- !ruby/object:Gem::Dependency
+  name: treetop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Analyzes your Github Actions
+email:
+- omar@betterment.com
+executables:
+- analyze
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- bin/analyze
+- config.yml
+- corpus/automerge_via_action.yml
+- corpus/automerge_via_cli.yml
+- corpus/build-docker-image-run-drc-for-cell-gds-using-magic.yml
+- corpus/cmd.yml
+- corpus/container.yml
+- corpus/container_docker.yml
+- corpus/dispatch_command_injection.yml
+- corpus/inherit_secrets.yml
+- corpus/nameless.yml
+- corpus/permissions.yml
+- corpus/ruby.yml
+- corpus/shellcheck.yml
+- corpus/unsafe_checkout_code_execution.yml
+- corpus/unsafe_checkout_token_leak.yml
+- corpus/unscoped_secrets.yml
+- github_action.yml
+- lib/claws.rb
+- lib/claws/application.rb
+- lib/claws/base_rule.rb
+- lib/claws/cli/color.rb
+- lib/claws/cli/yaml_with_lines.rb
+- lib/claws/engine.rb
+- lib/claws/formatter/github.rb
+- lib/claws/formatter/stdout.rb
+- lib/claws/formatters.rb
+- lib/claws/rule.rb
+- lib/claws/rule/automatic_merge.rb
+- lib/claws/rule/bulk_permissions.rb
+- lib/claws/rule/command_injection.rb
+- lib/claws/rule/empty_name.rb
+- lib/claws/rule/inherited_secrets.rb
+- lib/claws/rule/no_containers.rb
+- lib/claws/rule/risky_triggers.rb
+- lib/claws/rule/shellcheck.rb
+- lib/claws/rule/special_permissions.rb
+- lib/claws/rule/unapproved_runners.rb
+- lib/claws/rule/unpinned_action.rb
+- lib/claws/rule/unsafe_checkout.rb
+- lib/claws/version.rb
+- lib/claws/violation.rb
+- lib/claws/workflow.rb
+homepage: https://github.com/Betterment/claws
+licenses: []
+metadata:
+  homepage_uri: https://github.com/Betterment/claws
+  source_code_uri: https://github.com/Betterment/claws
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.19
+signing_key:
+specification_version: 4
+summary: Analyzes your Github Actions
+test_files: []