awguard 1.6.0 → 1.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +32 -0
- package/Dockerfile +8 -1
- package/README.md +176 -12
- package/action.yml +5 -1
- package/docs/comparison.md +161 -16
- package/docs/launch-plan.md +12 -2
- package/docs/marketplace-listing.md +19 -0
- package/docs/npm-publishing.md +68 -0
- package/docs/release-checklist.md +71 -0
- package/docs/report-gallery.md +166 -0
- package/docs/roadmap.md +32 -2
- package/docs/rule-authoring.md +99 -0
- package/docs/schemas.md +16 -0
- package/docs/setup-recipes.md +199 -0
- package/docs/site/index.html +29 -0
- package/examples/.vscode/tasks.json +17 -1
- package/examples/README.md +7 -0
- package/examples/awguard.config.example.json +8 -0
- package/examples/corpus/.cursor/rules/autonomy.mdc +3 -0
- package/examples/corpus/.github/prompts/auto-fix.prompt.md +3 -0
- package/examples/corpus/.github/workflows/agentic-pr-review.yml +20 -0
- package/examples/corpus/.github/workflows/pull-request-target-head.yml +13 -0
- package/examples/corpus/.mcp.json +15 -0
- package/examples/corpus/AGENTS.md +5 -0
- package/examples/corpus/README.md +23 -0
- package/examples/dashboard/README.md +55 -0
- package/examples/dashboard/index.html +313 -0
- package/examples/dashboard/sample-history.json +53 -0
- package/examples/lab/README.md +6 -0
- package/examples/pr-comment-bot.yml +43 -0
- package/examples/pull-request-target.yml +1 -1
- package/examples/safe-agent.yml +1 -1
- package/examples/unsafe-agent.yml +1 -1
- package/examples/vscode-extension/README.md +49 -0
- package/examples/vscode-extension/assets/problems-panel.svg +23 -0
- package/examples/vscode-extension/package.json +68 -0
- package/examples/vscode-extension/src/extension.js +116 -0
- package/package.json +2 -1
- package/schemas/awguard.badge.schema.json +25 -0
- package/schemas/awguard.baseline.schema.json +40 -0
- package/schemas/awguard.comparison.schema.json +146 -0
- package/schemas/awguard.config.schema.json +167 -0
- package/schemas/awguard.inventory.schema.json +124 -0
- package/schemas/awguard.report.schema.json +121 -0
- package/src/autofix.js +201 -0
- package/src/badges.js +63 -0
- package/src/baseline.js +77 -0
- package/src/cli.js +248 -6
- package/src/compare.js +60 -4
- package/src/config.js +31 -2
- package/src/demo.js +90 -0
- package/src/doctor.js +189 -0
- package/src/explain.js +147 -0
- package/src/init.js +4 -1
- package/src/policy-packs.js +99 -0
- package/src/policy-wizard.js +165 -0
- package/src/remediation.js +73 -1
- package/src/reporters.js +86 -3
- package/src/scanner.js +204 -5
- package/src/templates.js +132 -0
package/src/templates.js
ADDED
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
export const templateNames = ['github', 'code-scanning', 'gitlab', 'pre-commit', 'vscode'];
|
|
2
|
+
|
|
3
|
+
export function renderTemplates(name = 'all', { actionRef = 'v0' } = {}) {
|
|
4
|
+
const normalized = String(name || 'all').toLowerCase();
|
|
5
|
+
if (normalized === 'list') return renderTemplateList();
|
|
6
|
+
if (normalized === 'all') {
|
|
7
|
+
return templateNames.map((templateName) => renderOneTemplate(templateName, actionRef)).join('\n\n---\n\n');
|
|
8
|
+
}
|
|
9
|
+
if (!templateNames.includes(normalized)) {
|
|
10
|
+
throw new Error(`unknown template: ${name}. Available templates: all, ${templateNames.join(', ')}`);
|
|
11
|
+
}
|
|
12
|
+
return renderOneTemplate(normalized, actionRef);
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
function renderTemplateList() {
|
|
16
|
+
return ['Available AWGuard templates:', ...templateNames.map((name) => `- ${name}`), '- all'].join('\n');
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
function renderOneTemplate(name, actionRef) {
|
|
20
|
+
const template = buildTemplates(actionRef)[name];
|
|
21
|
+
return [`# ${template.title}`, '', template.description, '', '```' + template.fence, template.body.trim(), '```'].join('\n');
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
function buildTemplates(actionRef) {
|
|
25
|
+
return {
|
|
26
|
+
github: {
|
|
27
|
+
title: 'GitHub Actions Check',
|
|
28
|
+
description: 'Use this for fast pull request feedback with GitHub annotations and a job summary.',
|
|
29
|
+
fence: 'yaml',
|
|
30
|
+
body: `
|
|
31
|
+
name: Agentic Workflow Guard
|
|
32
|
+
|
|
33
|
+
on:
|
|
34
|
+
pull_request:
|
|
35
|
+
workflow_dispatch:
|
|
36
|
+
|
|
37
|
+
permissions:
|
|
38
|
+
contents: read
|
|
39
|
+
|
|
40
|
+
jobs:
|
|
41
|
+
awguard:
|
|
42
|
+
runs-on: ubuntu-latest
|
|
43
|
+
steps:
|
|
44
|
+
- uses: actions/checkout@v6
|
|
45
|
+
- uses: Mughal-Baig/agentic-workflow-guard@${actionRef}
|
|
46
|
+
with:
|
|
47
|
+
preset: strict
|
|
48
|
+
fail-on: high
|
|
49
|
+
`
|
|
50
|
+
},
|
|
51
|
+
'code-scanning': {
|
|
52
|
+
title: 'GitHub Code Scanning',
|
|
53
|
+
description: 'Use this when you want AWGuard findings in GitHub code scanning/SARIF.',
|
|
54
|
+
fence: 'yaml',
|
|
55
|
+
body: `
|
|
56
|
+
name: Agentic Workflow Guard Code Scanning
|
|
57
|
+
|
|
58
|
+
on:
|
|
59
|
+
push:
|
|
60
|
+
schedule:
|
|
61
|
+
- cron: '22 5 * * 1'
|
|
62
|
+
workflow_dispatch:
|
|
63
|
+
|
|
64
|
+
permissions:
|
|
65
|
+
contents: read
|
|
66
|
+
security-events: write
|
|
67
|
+
|
|
68
|
+
jobs:
|
|
69
|
+
awguard:
|
|
70
|
+
runs-on: ubuntu-latest
|
|
71
|
+
steps:
|
|
72
|
+
- uses: actions/checkout@v6
|
|
73
|
+
- uses: Mughal-Baig/agentic-workflow-guard@${actionRef}
|
|
74
|
+
with:
|
|
75
|
+
preset: strict
|
|
76
|
+
format: sarif
|
|
77
|
+
output: awguard.sarif
|
|
78
|
+
fail-on: none
|
|
79
|
+
- uses: github/codeql-action/upload-sarif@v4
|
|
80
|
+
if: always()
|
|
81
|
+
with:
|
|
82
|
+
sarif_file: awguard.sarif
|
|
83
|
+
category: agentic-workflow-guard
|
|
84
|
+
`
|
|
85
|
+
},
|
|
86
|
+
gitlab: {
|
|
87
|
+
title: 'GitLab CI',
|
|
88
|
+
description: 'Use this in GitLab projects that run Node.js jobs.',
|
|
89
|
+
fence: 'yaml',
|
|
90
|
+
body: `
|
|
91
|
+
awguard:
|
|
92
|
+
image: node:22-alpine
|
|
93
|
+
stage: test
|
|
94
|
+
script:
|
|
95
|
+
- npx awguard@latest . --preset strict --format text --fail-on high
|
|
96
|
+
`
|
|
97
|
+
},
|
|
98
|
+
'pre-commit': {
|
|
99
|
+
title: 'pre-commit Hook',
|
|
100
|
+
description: 'Use this to catch risky agent workflow changes before commit.',
|
|
101
|
+
fence: 'yaml',
|
|
102
|
+
body: `
|
|
103
|
+
repos:
|
|
104
|
+
- repo: local
|
|
105
|
+
hooks:
|
|
106
|
+
- id: awguard
|
|
107
|
+
name: Agentic Workflow Guard
|
|
108
|
+
entry: npx awguard@latest . --preset strict --fail-on high
|
|
109
|
+
language: system
|
|
110
|
+
pass_filenames: false
|
|
111
|
+
`
|
|
112
|
+
},
|
|
113
|
+
vscode: {
|
|
114
|
+
title: 'VS Code Task',
|
|
115
|
+
description: 'Use this to run AWGuard from the VS Code task picker.',
|
|
116
|
+
fence: 'json',
|
|
117
|
+
body: `
|
|
118
|
+
{
|
|
119
|
+
"version": "2.0.0",
|
|
120
|
+
"tasks": [
|
|
121
|
+
{
|
|
122
|
+
"label": "AWGuard scan",
|
|
123
|
+
"type": "shell",
|
|
124
|
+
"command": "npx awguard@latest . --preset strict --format text --fail-on none",
|
|
125
|
+
"problemMatcher": []
|
|
126
|
+
}
|
|
127
|
+
]
|
|
128
|
+
}
|
|
129
|
+
`
|
|
130
|
+
}
|
|
131
|
+
};
|
|
132
|
+
}
|