sentinel-ci 1.3.2 → 1.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 05ec8a3cc855319be1e044cb67785456089df4eb8b4521b63851e632d4f6c85b
-  data.tar.gz: bbc9aeaebde81a269a86c0fb4cf79887160276be65aa19dcc8cc41c00179e73c
+  metadata.gz: ff566270daf8524c526427ffe9b01af6c6af028d03fc5fb947eeb713d51cebde
+  data.tar.gz: b823edf579875824fc46d741b762f839efa5ed62df9d711f23c0fc2753731091
 SHA512:
-  metadata.gz: c56ab53a07504a0354771338fb5ba1749e97208c54fba88409b7fd3b0736cab47531a355f13eea2977d40fb87001e2ed2d8254fccca4b8662217b0e7071bc29a
-  data.tar.gz: 6345de4a020a502b11ade9aa98042a912c8445b0d32af26c1fab6e22e0374ad3f62c41f469146262f8b7f584959fa34ce54ec686376d82a6aa1ccc47bf36b378
+  metadata.gz: 15a951ba1a71be6ac1af96d2ba68b8b69c13f25e8f321007e1ac74b038cdcfb57dc63265783417e83f329ad50d76a14bfac0b9e642ac6c1990e5c45ec98d6638
+  data.tar.gz: d53ce9300d8b0404105bfb9e548d90d898231a69d114bba8605172f28070146218550e60b2c50056160fba40564cac3bfd683d76e6e1738d64fc24f136658713

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 1.3.3 (2026-05-26)
+
+### Bug Fixes
+- build-publish-same-job: recognize `--ignore-scripts` / `--no-scripts` as a per-command mitigation (collapsing shell line continuations, stripping inline comments via a POSIX-correct helper). Reject `--ignore-scripts=false` and similar bypasses.
+- hardcoded-secrets: allowlist `actions/setup-java` env-name slots (`server-username`, `server-password`, `gpg-passphrase`, `gpg-private-key`, `keystore-password`) when the value matches an UPPER_SNAKE_CASE env var name.
+- github-script-injection: cover `${{ inputs.* }}` and `${{ github.event.inputs.* }}` references inside `actions/github-script` `script:` blocks. Remove 30-line outer and 15-line inner lookback caps so long script bodies / long `with:` / `env:` blocks no longer cause missed findings. Evaluate INPUT and DANGEROUS expression paths independently so the event guard is no longer bypassed by mixed-pattern lines and a workflow_dispatch-only trigger no longer short-circuits input checks.
+- workflow-dispatch-injection: make `in_run_block?` robust to long run blocks and uncommon step properties (STEP_KEYS-anchored backward scan, no length cap). Discriminate step-level `run:` from a `with: { run: ... }` action parameter via YAML indent, eliminating false positives on composite actions that take a command as input.
+
 ## 1.3.2 (2026-05-22)
 
 ### Bug Fixes

data/lib/rules/build_publish_same_job.rb

@@ -73,6 +73,10 @@ module Rules
             /\bbrew\s+bump-formula-pr\b/,
         )
 
+        # Match --ignore-scripts or --no-scripts as standalone flags or with =true.
+        # Reject =false or other =value suffixes (which disable the mitigation).
+        IGNORE_SCRIPTS_PATTERN = /(?:^|\s)(?:--ignore-scripts|--no-scripts)(?:=true)?(?=\s|$|[;&|\\])/
+
         PUBLISH_SECRETS = Regexp.union(
             # JavaScript
             /\bNPM_TOKEN\b/,
@@ -113,27 +117,104 @@ module Rules
 
             workflow.jobs.each do |job_id, job|
                 steps = workflow.steps(job)
-                has_install = steps.any? { |s| s["run"]&.match?(INSTALL_PATTERNS) }
+                install_steps = steps.select { |s| s["run"]&.match?(INSTALL_PATTERNS) }
                 has_publish = steps.any? { |s| s["run"]&.match?(PUBLISH_PATTERNS) }
 
-                next unless has_install && has_publish
+                next unless install_steps.any? && has_publish
 
                 job_env = job["env"]&.to_s || ""
                 step_envs = steps.map { |s| (s["env"] || {}).to_s }.join(" ")
                 all_env = job_env + step_envs
 
-                if all_env.match?(PUBLISH_SECRETS) || all_env.match?(/secrets\./)
-                    line = workflow.line_of(/#{job_id}:/)
-                    findings << finding(workflow,
-                        line: line || 0,
-                        code: "job: #{job_id}",
-                        message: "Build and publish in same job — a compromised dependency could exfiltrate publish credentials",
-                        fix: "Split into separate build (read-only) and publish (with secrets) jobs connected via artifacts"
-                    )
-                end
+                next unless all_env.match?(PUBLISH_SECRETS) || all_env.match?(/secrets\./)
+
+                # Check if all install commands across all steps use --ignore-scripts.
+                # Each step's run block may contain multiple commands; we check per
+                # install command, not per run block.
+                all_mitigated = install_steps.all? { |s| step_installs_mitigated?(s["run"]) }
+                next if all_mitigated
+
+                line = workflow.line_of(/#{job_id}:/)
+                findings << finding(workflow,
+                    line: line || 0,
+                    code: "job: #{job_id}",
+                    message: "Build and publish in same job — a compromised dependency could exfiltrate publish credentials",
+                    fix: "Split into separate build (read-only) and publish (with secrets) jobs connected via artifacts"
+                )
             end
 
             findings
         end
+
+        private
+
+        # Determine if every install command within a run block has --ignore-scripts.
+        #
+        # 1. Collapse shell line continuations (backslash-newline) into logical lines.
+        # 2. Split on newlines to get individual logical commands.
+        # 3. Strip trailing shell comments (unquoted #...) from each line before
+        #    pattern matching so that `npm install # --ignore-scripts` does not
+        #    falsely count as mitigated.
+        # 4. For each logical line, check if it contains an install command.
+        # 5. For each install command, verify --ignore-scripts is on that same line.
+        #
+        # Returns true only if EVERY install command in the block is mitigated.
+        def step_installs_mitigated?(run_str)
+            return true if run_str.nil?
+
+            # Collapse backslash-newline continuations into single logical lines
+            collapsed = run_str.gsub(/\\\s*\n\s*/, " ")
+
+            # Split into individual logical lines
+            lines = collapsed.split("\n")
+
+            install_lines = lines.select { |line|
+                stripped = line.strip
+                next false if stripped.start_with?("#")
+                strip_shell_comment(stripped).match?(INSTALL_PATTERNS)
+            }
+
+            # If no install lines found, the step is trivially mitigated
+            return true if install_lines.empty?
+
+            # Every install line must have --ignore-scripts on the code portion
+            install_lines.all? { |line| strip_shell_comment(line).match?(IGNORE_SCRIPTS_PATTERN) }
+        end
+
+        # Strip trailing shell comments from a line, respecting single and double
+        # quotes. Returns the code portion before any unquoted `#`.
+        def strip_shell_comment(line)
+            in_single = false
+            in_double = false
+            i = 0
+
+            while i < line.length
+                ch = line[i]
+
+                # Backslash escapes the next character in unquoted and double-quoted
+                # context, but NOT inside single quotes (POSIX: backslash is literal
+                # within single-quoted strings).
+                if ch == '\\' && !in_single
+                    i += 2
+                    next
+                end
+
+                case ch
+                when "'" then in_single = !in_single unless in_double
+                when '"' then in_double = !in_double unless in_single
+                when '#'
+                    unless in_single || in_double
+                        # Only treat as comment when at start of line or preceded by whitespace
+                        if i == 0 || line[i - 1] =~ /\s/
+                            return line[0...i]
+                        end
+                    end
+                end
+
+                i += 1
+            end
+
+            line
+        end
     end
 end

data/lib/rules/github_script_injection.rb

@@ -8,29 +8,51 @@ module Rules
         def description = "Attacker-controllable ${{ }} expression in actions/github-script"
         def severity = :critical
 
-        PATTERN = /\$\{\{\s*(#{DANGEROUS_CONTEXTS.map { |c| Regexp.escape(c) }.join('|')})/
+        DANGEROUS_EXPR_PATTERN = /\$\{\{\s*(#{DANGEROUS_CONTEXTS.map { |c| Regexp.escape(c) }.join('|')})/
+        INPUT_EXPR_PATTERN = /\$\{\{\s*((?:inputs|github\.event\.inputs)\.[^\s}]+)/
 
         def check(workflow)
             findings = []
-
-            return [] if safe_trigger_only?(workflow)
+            safe_triggers = safe_trigger_only?(workflow)
 
             workflow.raw_lines.each_with_index do |line, idx|
                 line_num = idx + 1
                 next if line.strip.start_with?('#')
-                next unless line.match?(PATTERN)
                 next unless in_github_script_block?(workflow, line_num)
-                next if guarded_by_safe_event?(workflow, line_num)
 
-                match = line.match(PATTERN)
-                next unless match
+                has_dangerous = line.match?(DANGEROUS_EXPR_PATTERN)
+                has_input = line.match?(INPUT_EXPR_PATTERN)
+                next unless has_dangerous || has_input
+
+                guarded = guarded_by_safe_event?(workflow, line_num)
+
+                # INPUT expressions (inputs.*) are user-controlled even on
+                # safe-trigger-only workflows, so they always fire.
+                if has_input
+                    match = line.match(INPUT_EXPR_PATTERN)
+                    if match
+                        findings << finding(workflow,
+                            line: line_num,
+                            code: line.strip,
+                            message: "Attacker-controllable expression \${{ #{match[1]} }} in actions/github-script — JavaScript injection risk",
+                            fix: "Pass input via env: block and reference as process.env.VAR"
+                        )
+                    end
+                end
 
-                findings << finding(workflow,
-                    line: line_num,
-                    code: line.strip,
-                    message: "Attacker-controllable expression ${{ #{match[1]} }} in actions/github-script — JavaScript injection risk",
-                    fix: "Use context.payload instead: context.payload.pull_request.title"
-                )
+                # DANGEROUS expressions respect both safe_trigger_only? and
+                # event guards — they are only exploitable from unsafe triggers.
+                if has_dangerous && !safe_triggers && !guarded
+                    match = line.match(DANGEROUS_EXPR_PATTERN)
+                    if match
+                        findings << finding(workflow,
+                            line: line_num,
+                            code: line.strip,
+                            message: "Attacker-controllable expression \${{ #{match[1]} }} in actions/github-script — JavaScript injection risk",
+                            fix: "Use context.payload instead: context.payload.pull_request.title"
+                        )
+                    end
+                end
             end
 
             findings
@@ -38,28 +60,41 @@ module Rules
 
         private
 
-        def in_github_script_block?(workflow, target_line)
-            in_script = false
-            script_indent = nil
+        # All valid GHA step-level properties — used as scan boundaries.
+        STEP_KEYS = /(?:id|if|name|uses|run|working-directory|shell|with|env|continue-on-error|timeout-minutes|permissions|secrets)/
 
-            (target_line - 1).downto([target_line - 30, 0].max) do |i|
+        def in_github_script_block?(workflow, target_line)
+            # Scan backward with no cap — use step keys as hard boundaries.
+            (target_line - 1).downto(0) do |i|
                 content = workflow.raw_lines[i]
                 next unless content
 
                 if content.match?(/^\s+script:\s*[\|>]?\s*$/) || content.match?(/^\s+script:\s+\S/)
-                    in_script = true
-                    script_indent = content[/^\s*/].length
-                    i.downto([i - 15, 0].max) do |j|
+                    # Found a script: key. Now scan upward from here with no cap,
+                    # looking for uses: actions/github-script. Stop at any step key
+                    # that is NOT with:, env:, or uses: (those can appear between
+                    # uses: and script:).
+                    i.downto(0) do |j|
                         step_line = workflow.raw_lines[j]
                         next unless step_line
                         return true if step_line.match?(/uses:\s*actions\/github-script/)
-                        break if step_line.match?(/^\s+-\s+(name|uses|run|if|id):/)
+                        # Step boundary: any step key other than with:/env:/uses:
+                        # on a list-item line means a different step.
+                        break if step_line.match?(/^\s+-\s+#{STEP_KEYS}:\s/)
+                        # Non-list step keys that are NOT with:/env:/uses: are boundaries
+                        if step_line.match?(/^\s+#{STEP_KEYS}:\s/) && !step_line.match?(/^\s+(with|env|uses):/)
+                            break
+                        end
                     end
                     return false
                 end
 
-                if content.match?(/^\s+(uses|run|if|id|name|env|with):/) || content.match?(/^\s+-\s+(name|uses|run):/)
-                    return false
+                # Any step-level key (other than with:/env: sub-keys) is a boundary.
+                # A list-item step key means a different step entirely.
+                break if content.match?(/^\s+-\s+#{STEP_KEYS}:\s/)
+                # A non-list step key that is NOT with:/env: is a boundary
+                if content.match?(/^\s+#{STEP_KEYS}:\s/) && !content.match?(/^\s+(with|env|script):/)
+                    break
                 end
             end
 

data/lib/rules/hardcoded_secrets.rb

@@ -19,8 +19,18 @@ module Rules
         SAFE_VALUE_PATTERN = /\$\{\{.*\}\}|\$[A-Z_]+|\A[A-Z][A-Z0-9_]+\z/
         SAFE_PASSWORDS = %w[postgres password test example changeme admin root dummy placeholder true false].freeze
 
+        # Actions whose `with:` slots accept env-var *names* (not values).
+        # When the value looks like an UPPER_SNAKE_CASE identifier it is an
+        # env-var name reference, not a hardcoded credential.
+        ENV_NAME_SLOTS = {
+            /actions\/setup-java/ => %w[server-username server-password gpg-passphrase gpg-private-key keystore-password],
+        }.freeze
+
+        ENV_VAR_NAME_PATTERN = /\A[A-Z][A-Z0-9_]*\z/
+
         def check(workflow)
             findings = []
+            allowlisted_lines = build_env_name_slot_lines(workflow)
 
             workflow.raw_lines.each_with_index do |line, idx|
                 line_num = idx + 1
@@ -46,6 +56,7 @@ module Rules
                     value = line[/password:\s*(.+)/i, 1]&.strip
                     if value && !value.match?(SAFE_VALUE_PATTERN) && !value.start_with?("#")
                         next if SAFE_PASSWORDS.include?(value.strip.downcase)
+                        next if allowlisted_lines.include?(line_num)
                         findings << finding(workflow,
                             line: line_num,
                             code: stripped,
@@ -58,5 +69,33 @@ module Rules
 
             findings
         end
+
+        private
+
+        # Build a list of line numbers where a known action's `with:` slot
+        # contains an env-var name (UPPER_SNAKE_CASE) rather than a credential.
+        def build_env_name_slot_lines(workflow)
+            lines = []
+            workflow.jobs.each do |_job_id, job_hash|
+                workflow.steps(job_hash).each do |step|
+                    next unless step["uses"]
+                    ENV_NAME_SLOTS.each do |action_pattern, slot_names|
+                        next unless step["uses"].match?(action_pattern)
+                        with_block = step["with"] || {}
+                        slot_names.each do |slot|
+                            next unless with_block[slot]
+                            value = with_block[slot].to_s.strip
+                            next unless value.match?(ENV_VAR_NAME_PATTERN)
+                            workflow.raw_lines.each_with_index do |raw_line, idx|
+                                if raw_line.match?(/\b#{Regexp.escape(slot)}:\s*#{Regexp.escape(value)}\b/)
+                                    lines << (idx + 1)
+                                end
+                            end
+                        end
+                    end
+                end
+            end
+            lines
+        end
     end
 end

data/lib/rules/workflow_dispatch_injection.rb

@@ -10,6 +10,9 @@ module Rules
 
         PATTERN = /\$\{\{\s*(?:inputs\.|github\.event\.inputs\.)/
 
+        # All valid GHA step-level properties (excluding run:, which is handled separately).
+        STEP_KEYS = /(?:id|if|name|uses|working-directory|shell|with|env|continue-on-error|timeout-minutes|permissions|secrets)/
+
         # NOTE: This rule intentionally does NOT use safe_trigger_only? because
         # dispatch inputs are user-controlled. workflow_dispatch IS in SAFE_TRIGGERS
         # for other rules, but this rule specifically targets ${{ inputs.* }} in
@@ -38,21 +41,72 @@ module Rules
 
         private
 
+        # Determines whether the line at target_line is inside a `run:` block.
+        # Scans backwards with no lookback cap to find the nearest step-level
+        # YAML property key. If that key is `run:`, the line is in a shell
+        # context. If it's any other step key (with:, uses:, env:, etc.),
+        # the line is NOT in a shell context.
+        #
+        # Uses STEP_KEYS to recognize all valid GHA step properties as
+        # boundaries, preventing false positives when a `run:` from a
+        # PREVIOUS step is encountered during backward scan.
         def in_run_block?(workflow, target_line)
             target_content = workflow.raw_lines[target_line - 1]
-            target_indent = target_content ? target_content[/^\s*/].length : 0
+            return false unless target_content
 
-            (target_line - 1).downto([target_line - 20, 0].max) do |i|
+            (target_line - 1).downto(0) do |i|
                 content = workflow.raw_lines[i]
                 next unless content
 
-                return true if content.match?(/^\s+run:\s*[\|>]?\s*$/) || content.match?(/^\s+run:\s+\S/)
-                return true if content.match?(/^\s+-\s+run:\s*[\|>]?\s*$/) || content.match?(/^\s+-\s+run:\s+\S/)
-
-                if content.match?(/^\s+(uses|with|if|id|name|env):/) || content.match?(/^\s+-\s+name:/)
-                    line_indent = content[/^\s*/].length
-                    return false if target_indent <= line_indent + 2
+                # Direct `run:` key (not on a list item line)
+                if content.match?(/^\s+run:\s*[\|>]?\s*$/) || content.match?(/^\s+run:\s+\S/)
+                    return !nested_under_with?(workflow, i)
+                end
+                # `run:` on a list item line: `- run: |`
+                if content.match?(/^\s+-\s+run:\s*[\|>]?\s*$/) || content.match?(/^\s+-\s+run:\s+\S/)
+                    return true
                 end
+
+                # Any other step-level key acts as a boundary — we're NOT in a run block.
+                # This catches with:, uses:, env:, name:, if:, id:, working-directory:,
+                # shell:, continue-on-error:, timeout-minutes:, permissions:, secrets:.
+                return false if content.match?(/^\s+#{STEP_KEYS}:\s/)
+                return false if content.match?(/^\s+-\s+#{STEP_KEYS}:\s/)
+
+                # steps: key means we've left all steps — not in a run block
+                return false if content.match?(/^\s+steps:\s*$/)
+            end
+            false
+        end
+
+        # Checks whether the `run:` key at line_index is nested inside a `with:`
+        # block (i.e. it's an action parameter named "run", not a step-level
+        # shell command). The discriminator is YAML indentation: a step-level
+        # `run:` shares indent with `with:`/`uses:`/etc., while a nested `run:`
+        # is indented deeper than its parent `with:`.
+        def nested_under_with?(workflow, line_index)
+            run_line = workflow.raw_lines[line_index]
+            run_indent = run_line[/^\s*/].length
+
+            (line_index - 1).downto(0) do |i|
+                content = workflow.raw_lines[i]
+                next unless content
+
+                line_indent = content[/^\s*/].length
+
+                # If we hit a `with:` at less indent, this run: is nested inside it.
+                return true if line_indent < run_indent && content.match?(/^\s+with:\s/)
+
+                # If we hit any step-level key at equal or less indent, this run:
+                # is at step level (not nested).
+                return false if line_indent <= run_indent && content.match?(/^\s+#{STEP_KEYS}:\s/)
+                return false if line_indent <= run_indent && content.match?(/^\s+-\s+#{STEP_KEYS}:\s/)
+
+                # Step boundary (list item start at equal or less indent) — stop.
+                return false if content.match?(/^\s+-\s/) && line_indent <= run_indent
+
+                # steps: key means we've left all steps — not nested.
+                return false if content.match?(/^\s+steps:\s*$/)
             end
             false
         end

data/lib/version.rb

@@ -1,3 +1,3 @@
 module Sentinel
-    VERSION = "1.3.2"
+    VERSION = "1.3.3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sentinel-ci
 version: !ruby/object:Gem::Version
-  version: 1.3.2
+  version: 1.3.3
 platform: ruby
 authors:
 - Jordan Ritter
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-24 00:00:00.000000000 Z
+date: 2026-05-26 00:00:00.000000000 Z
 dependencies: []
 description: Scan GitHub Actions workflows for 32 security vulnerabilities. SHA pinning,
   shell injection, credential exposure, dangerous triggers. Optional AI-powered remediation