bitwarden_workflow_linter 1.3.5__py3-none-any.whl → 1.4.0__py3-none-any.whl

bitwarden_workflow_linter/__about__.py

@@ -1,3 +1,3 @@
 """Metadata for Workflow Linter."""
 
-__version__ = "1.3.5"
+__version__ = "1.4.0"

bitwarden_workflow_linter/default_actions.json

@@ -463,5 +463,10 @@
     "name": "yogevbd/enforce-label-action",
     "sha": "a3c219da6b8fa73f6ba62b68ff09c469b3a1c024",
     "version": "2.2.2"
+  },
+  "zizmorcore/zizmor-action": {
+    "name": "zizmorcore/zizmor-action",
+    "sha": "5ca5fc7a4779c5263a3ffa0e1f693009994446d1",
+    "version": "v0.1.2"
   }
 }

bitwarden_workflow_linter/default_settings.yaml

@@ -19,6 +19,12 @@ enabled_rules:
       level: error
     - id: bitwarden_workflow_linter.rules.permissions_exist.RulePermissionsExist
       level: error
+    - id: bitwarden_workflow_linter.rules.check_blocked_domains.RuleCheckBlockedDomains
+      level: warning
 
 approved_actions_path: default_actions.json
 default_branch: main
+
+# List of domains that should trigger an error if found in workflows
+blocked_domains:
+  - ghrc.io

bitwarden_workflow_linter/rules/check_blocked_domains.py

@@ -0,0 +1,180 @@
+"""A Rule to check for blocked/malicious domains in workflow content."""
+
+import re
+from typing import List, Optional, Tuple, Union
+
+from ..models.job import Job
+from ..models.step import Step
+from ..models.workflow import Workflow
+from ..rule import Rule
+from ..utils import LintLevels, Settings
+
+
+class RuleCheckBlockedDomains(Rule):
+    """Rule to detect blocked or malicious domains in workflow content.
+    
+    This rule scans workflow content (URLs, scripts, commands) for domains
+    that have been flagged as blocked or potentially malicious. It helps
+    prevent supply chain attacks and unauthorized external dependencies.
+    """
+
+    def __init__(self, settings: Optional[Settings] = None, lint_level: Optional[LintLevels] = LintLevels.ERROR) -> None:
+        """Constructor for RuleCheckBlockedDomains.
+
+        Args:
+          settings:
+            A Settings object that contains any default, overridden, or custom settings
+            required anywhere in the application.
+          lint_level:
+            The LintLevels enum value to determine the severity of the rule.
+        """
+        self.on_fail = lint_level
+        self.compatibility = [Workflow, Job, Step]
+        self.settings = settings
+        
+        # Get blocked domains from settings, use defaults if none provided
+        self.blocked_domains = settings.blocked_domains if settings else []
+
+    def extract_domains_from_text(self, text: str) -> List[str]:
+        """Extract domain names from text content.
+        
+        Args:
+            text: The text to scan for domains
+            
+        Returns:
+            List of domain names found in the text
+        """
+        if not text:
+            return []
+            
+        # Pattern to match domain names in various contexts
+        # Breaking down the regex:
+        # (?:https?://)?           - Optional protocol (http:// or https://)
+        # (?:www\.)?               - Optional www. prefix
+        # ([a-zA-Z0-9]             - Start of capturing group: first character (alphanumeric)
+        #   (?:[a-zA-Z0-9-]{0,61}  - Non-capturing group: 0-61 alphanumeric or hyphen chars
+        #   [a-zA-Z0-9])?          - End with alphanumeric (ensures no trailing hyphen)
+        # \.)+                     - Followed by dot, repeated (for subdomains)
+        # [a-zA-Z]{2,}             - Top-level domain (2+ letters)
+        # (?:/[^\s]*)?             - Optional path (slash followed by non-whitespace chars)
+        domain_pattern = r'(?:https?://)?(?:www\.)?([a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}(?:/[^\s]*)?'
+        
+        domains = set()
+        
+        # Find all matches and extract the domain part
+        for match in re.finditer(domain_pattern, text, re.IGNORECASE):
+            full_match = match.group(0)
+            # Clean up the domain (remove protocol, www, path)
+            domain = re.sub(r'^https?://', '', full_match)
+            domain = re.sub(r'^www\.', '', domain)
+            domain = re.sub(r'/.*$', '', domain)  # Remove path
+            domain = domain.lower().strip()
+            
+            if domain and '.' in domain:
+                domains.add(domain)
+        
+        return list(domains)
+
+    def check_blocked_domains(self, text: str) -> Tuple[bool, List[str]]:
+        """Check if text contains any blocked domains.
+        
+        Args:
+            text: The text to check for blocked domains
+            
+        Returns:
+            Tuple of (is_clean, list_of_found_blocked_domains)
+        """
+        if not text:
+            return True, []
+            
+        domains = self.extract_domains_from_text(text)
+        blocked_found = []
+        
+        for domain in domains:
+            for blocked_domain in self.blocked_domains:
+                blocked_domain_lc = blocked_domain.lower().strip()
+                domain_lc = domain.lower().strip()
+                # Check for exact match or subdomain match
+                if domain_lc == blocked_domain_lc or domain_lc.endswith('.' + blocked_domain_lc):
+                    blocked_found.append(domain)
+                    
+        return len(blocked_found) == 0, blocked_found
+
+    def fn(self, obj: Union[Workflow, Job, Step]) -> Tuple[bool, str]:
+        """Check the workflow object for blocked domains.
+
+        Args:
+          obj: The workflow object (Workflow, Job, or Step) to check
+
+        Returns:
+          Tuple of (success, error_message)
+        """
+        blocked_domains_found = []
+        
+        if isinstance(obj, Workflow):
+            # Check workflow-level content
+            if obj.name:
+                is_clean, domains = self.check_blocked_domains(obj.name)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"workflow name", domain) for domain in domains])
+                    
+        elif isinstance(obj, Job):
+            # Check job-level content
+            if obj.name:
+                is_clean, domains = self.check_blocked_domains(obj.name)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"job name", domain) for domain in domains])
+                    
+            if obj.uses:
+                is_clean, domains = self.check_blocked_domains(obj.uses)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"job uses", domain) for domain in domains])
+                    
+            # Check environment variables
+            if obj.env:
+                for key, value in obj.env.items():
+                    if isinstance(value, str):
+                        is_clean, domains = self.check_blocked_domains(value)
+                        if not is_clean:
+                            blocked_domains_found.extend([(f"job env '{key}'", domain) for domain in domains])
+                            
+        elif isinstance(obj, Step):
+            # Check step-level content
+            if obj.name:
+                is_clean, domains = self.check_blocked_domains(obj.name)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"step name", domain) for domain in domains])
+                    
+            if obj.uses:
+                is_clean, domains = self.check_blocked_domains(obj.uses)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"step uses", domain) for domain in domains])
+                    
+            if obj.run:
+                is_clean, domains = self.check_blocked_domains(obj.run)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"step run command", domain) for domain in domains])
+                    
+            # Check environment variables
+            if obj.env:
+                for key, value in obj.env.items():
+                    if isinstance(value, str):
+                        is_clean, domains = self.check_blocked_domains(value)
+                        if not is_clean:
+                            blocked_domains_found.extend([(f"step env '{key}'", domain) for domain in domains])
+                            
+            # Check step with parameters
+            if obj.uses_with:
+                for key, value in obj.uses_with.items():
+                    if isinstance(value, str):
+                        is_clean, domains = self.check_blocked_domains(value)
+                        if not is_clean:
+                            blocked_domains_found.extend([(f"step with '{key}'", domain) for domain in domains])
+
+        if blocked_domains_found:
+            error_details = []
+            for location, domain in blocked_domains_found:
+                error_details.append(f"Found blocked domain '{domain}' in {location}")
+            return False, "; ".join(error_details)
+            
+        return True, ""

bitwarden_workflow_linter/utils.py

@@ -114,6 +114,7 @@ class Settings:
     approved_actions: dict[str, Action]
     actionlint_version: str
     default_branch: Optional[str]
+    blocked_domains: Optional[list[str]]
 
     def __init__(
         self,
@@ -121,6 +122,7 @@ class Settings:
         approved_actions: Optional[dict[str, dict[str, str]]] = None,
         actionlint_version: Optional[str] = None,
         default_branch: Optional[str] = None,
+        blocked_domains: Optional[list[str]] = None,
     ) -> None:
         """Settings object that can be overridden in settings.py.
 
@@ -147,6 +149,7 @@ class Settings:
             name: Action(**action) for name, action in approved_actions.items()
         }
         self.default_branch = default_branch
+        self.blocked_domains = blocked_domains or []
 
     @staticmethod
     def factory() -> SettingsFromFactory:
@@ -201,4 +204,5 @@ class Settings:
             approved_actions=settings["approved_actions"],
             actionlint_version=actionlint_version,
             default_branch=default_branch,
+            blocked_domains=settings.get("blocked_domains", []),
         )

{bitwarden_workflow_linter-1.3.5.dist-info → bitwarden_workflow_linter-1.4.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bitwarden_workflow_linter
-Version: 1.3.5
+Version: 1.4.0
 Summary: Custom GitHub Action Workflow Linter
 Project-URL: Homepage, https://github.com/bitwarden/workflow-linter
 Project-URL: Issues, https://github.com/bitwarden/workflow-linter/issues

{bitwarden_workflow_linter-1.3.5.dist-info → bitwarden_workflow_linter-1.4.0.dist-info}/RECORD

@@ -1,19 +1,20 @@
-bitwarden_workflow_linter/__about__.py,sha256=HtbtQa9qdNm2w7XisN1PYSnjhyrmSa7MdX08d4DRAfs,59
+bitwarden_workflow_linter/__about__.py,sha256=-Y6k93jwyGvISIX3gB34noQVqGX1AWpSjfpcbkH39uk,59
 bitwarden_workflow_linter/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 bitwarden_workflow_linter/actionlint_version.yaml,sha256=CKhiDwaDBNCExOHTlcpiavfEgf01uG_tTPrgLRaj6_k,28
 bitwarden_workflow_linter/actions.py,sha256=LAn3yQeMMmCOvJWeTn3dE1U2nyEJqIBMwESq3TtY9hE,9069
 bitwarden_workflow_linter/cli.py,sha256=v2XNncIBscGyH691Ngeew6qSVRJQm1r3RwmpKoXooW8,1812
-bitwarden_workflow_linter/default_actions.json,sha256=VotDA4-K1a9RTVQfMAOIOVkqYEnXnlnfpAwjuj1tvTE,14406
-bitwarden_workflow_linter/default_settings.yaml,sha256=CYFWd_VwJtBlQuyMKGBqat-5odolWfARKsr08mldsgo,1059
+bitwarden_workflow_linter/default_actions.json,sha256=KWubDc6qWgmdiMC4Z9zVl2Mu5GQVIi2wIdljuZvsM9g,14562
+bitwarden_workflow_linter/default_settings.yaml,sha256=shXZ7-0v2o3rrV9WwW3pt4UUlKh1al5fqJi8AuRiB34,1267
 bitwarden_workflow_linter/lint.py,sha256=ei66eVupfIgNj_-68CSwLfstOe66noEYNmAV2kzn8NA,6348
 bitwarden_workflow_linter/load.py,sha256=FWxotIlB0vyKzrVw87sOx3qdRiJG_0hVHRbbLXZY4Sc,5553
 bitwarden_workflow_linter/rule.py,sha256=Qb60JiUDAWN3ayrMGoSbbDCSFmw-ql8djzAkxISaob4,3250
-bitwarden_workflow_linter/utils.py,sha256=KV2Vo-hhNVRWOiIq_y-55li-noMt9F-FFgkJK-nUKJo,5823
+bitwarden_workflow_linter/utils.py,sha256=93PS9zVhniHZVbBnCbvUyIUJj2gG3RJFJa6_vmp5Mr0,6035
 bitwarden_workflow_linter/models/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 bitwarden_workflow_linter/models/job.py,sha256=oqFq8A4JGQplBlaDjUUFV9kWT5rh9A0V6FYGf0IaGg0,2553
 bitwarden_workflow_linter/models/step.py,sha256=j81iWYWcNI9x55n1MOR0N6ogKaQ_4-CKu9LnI_fwEOE,1814
 bitwarden_workflow_linter/models/workflow.py,sha256=lIgGI2cDwC2lTOM-k3fqKgceLdSJ6vhTLCAhaeoD-fc,1645
 bitwarden_workflow_linter/rules/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+bitwarden_workflow_linter/rules/check_blocked_domains.py,sha256=v-sbwqRl3x2mupKLvnqFECOx_LPVbaAkKD_icT_srzE,7771
 bitwarden_workflow_linter/rules/check_pr_target.py,sha256=HXvOvDZeZ7OPtIs_pqcXlxffUWqEsCmvtuz9_APxXf8,3507
 bitwarden_workflow_linter/rules/job_environment_prefix.py,sha256=bdE8l4B5DQiCFVmblXTs4ptsHPGvjhJrR5ONo2kRY2U,2757
 bitwarden_workflow_linter/rules/name_capitalized.py,sha256=lGHPi_Ix0DVSzGEdrUm2vAEQD4qQ8dxU1hddsCdqA2w,2126
@@ -24,8 +25,8 @@ bitwarden_workflow_linter/rules/run_actionlint.py,sha256=m6SaejtkUz704exAiq_ti0d
 bitwarden_workflow_linter/rules/step_approved.py,sha256=4pUCrOlWomo43bwGBunORphv1RJzc3spRKgZ4VLtDS0,3304
 bitwarden_workflow_linter/rules/step_pinned.py,sha256=MagV8LNdgRKyncmSdH9V-TlIcsdjzoDHDWqovzWon9E,3559
 bitwarden_workflow_linter/rules/underscore_outputs.py,sha256=LoCsDN_EfQ8H9n5BfZ5xCe7BeHqJGPMcV0vo1c9YJcw,4275
-bitwarden_workflow_linter-1.3.5.dist-info/METADATA,sha256=phyCCSCAeEDb6H9aiXsUI1iaFoipysFP7nVSMkZLQOg,10227
-bitwarden_workflow_linter-1.3.5.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-bitwarden_workflow_linter-1.3.5.dist-info/entry_points.txt,sha256=SA_yF9CwL4VMUvdcmCd7k9rjsQNzfeOUBuDnMnaO8QQ,60
-bitwarden_workflow_linter-1.3.5.dist-info/licenses/LICENSE.txt,sha256=uY-7N9tbI7xc_c0WeTIGpacSCnsB91N05eCIg3bkaRw,35140
-bitwarden_workflow_linter-1.3.5.dist-info/RECORD,,
+bitwarden_workflow_linter-1.4.0.dist-info/METADATA,sha256=lXVfByPjXiRaPaxQdT8mCX3Jz5URBzAqdnHa3ImUGf0,10227
+bitwarden_workflow_linter-1.4.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+bitwarden_workflow_linter-1.4.0.dist-info/entry_points.txt,sha256=SA_yF9CwL4VMUvdcmCd7k9rjsQNzfeOUBuDnMnaO8QQ,60
+bitwarden_workflow_linter-1.4.0.dist-info/licenses/LICENSE.txt,sha256=uY-7N9tbI7xc_c0WeTIGpacSCnsB91N05eCIg3bkaRw,35140
+bitwarden_workflow_linter-1.4.0.dist-info/RECORD,,