hol-guard 2.0.3__tar.gz

hol_guard-2.0.3/.clusterfuzzlite/Dockerfile

@@ -0,0 +1,9 @@
+FROM gcr.io/oss-fuzz-base/base-builder-python@sha256:721650302bfda2f3832df73bb24aeacfa41c32e692f3d6e4dd06074e79c64ed7
+
+COPY ./.clusterfuzzlite/requirements-atheris.txt $SRC/requirements-atheris.txt
+RUN python3 -m pip install --require-hashes --no-cache-dir --no-binary=:all: --no-deps \
+    -r $SRC/requirements-atheris.txt
+
+COPY . $SRC/codex-plugin-scanner
+WORKDIR $SRC/codex-plugin-scanner
+COPY ./.clusterfuzzlite/build.sh $SRC/build.sh

hol_guard-2.0.3/.clusterfuzzlite/build.sh

@@ -0,0 +1,8 @@
+#!/bin/bash -eu
+
+cd "$SRC/codex-plugin-scanner"
+export PYTHONPATH="$PWD/src${PYTHONPATH:+:$PYTHONPATH}"
+
+for fuzzer in fuzzers/*_fuzzer.py; do
+  compile_python_fuzzer "$fuzzer"
+done

hol_guard-2.0.3/.clusterfuzzlite/project.yaml

@@ -0,0 +1,3 @@
+homepage: "https://github.com/hashgraph-online/codex-plugin-scanner"
+language: python
+main_repo: "https://github.com/hashgraph-online/codex-plugin-scanner"

hol_guard-2.0.3/.clusterfuzzlite/requirements-atheris.txt

@@ -0,0 +1 @@
+atheris==3.0.0 --hash=sha256:1f0929c7bc3040f3fe4102e557718734190cf2d7718bbb8e3ce6d3eb56ef5bb3

hol_guard-2.0.3/.dockerignore

@@ -0,0 +1,10 @@
+.git
+.github
+.pytest_cache
+.ruff_cache
+.venv
+__pycache__
+dist
+tests
+action
+*.pyc

hol_guard-2.0.3/.github/CODEOWNERS

@@ -0,0 +1 @@
+* @hashgraph-online/core

hol_guard-2.0.3/.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10

hol_guard-2.0.3/.github/workflows/ci.yml

@@ -0,0 +1,45 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: ${{ matrix.python-version }}
+      - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e
+        with:
+          enable-cache: true
+      - run: uv sync --frozen --extra dev --python ${{ matrix.python-version }}
+      - run: uv run --no-sync python -m ruff check src/
+      - run: uv run --no-sync python -m ruff format --check src/
+      - run: uv run --no-sync pytest --tb=short
+
+  cross-platform:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [macos-latest, windows-latest]
+        python-version: ["3.12"]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: ${{ matrix.python-version }}
+      - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e
+        with:
+          enable-cache: true
+      - run: uv sync --frozen --extra dev --python ${{ matrix.python-version }}
+      - run: uv run --no-sync pytest tests/test_cli.py tests/test_verification.py tests/test_action_runner.py --tb=short

hol_guard-2.0.3/.github/workflows/codeql.yml

@@ -0,0 +1,41 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 4 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    if: ${{ vars.CODEQL_ADVANCED_ENABLED == 'true' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [actions, python]
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Provide legacy workspace alias for CodeQL default setup state
+        run: |
+          LEGACY_ROOT="/home/runner/work/codex-plugin-scanner"
+          mkdir -p "$LEGACY_ROOT"
+          ln -sfn "$GITHUB_WORKSPACE" "$LEGACY_ROOT/codex-plugin-scanner"
+      - uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: none
+          source-root: .
+      - uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d
+        with:
+          category: /language:${{ matrix.language }}

hol_guard-2.0.3/.github/workflows/e2e-test.yml

@@ -0,0 +1,112 @@
+name: E2E Tests
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [feat/*]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  scanner-text:
+    name: Scanner (text format)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: ./action
+        id: scan
+        with:
+          install_source: local
+          plugin_dir: tests/fixtures/good-plugin
+          min_score: 80
+
+  scanner-json:
+    name: Scanner (JSON format)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: ./action
+        id: scan
+        with:
+          install_source: local
+          plugin_dir: tests/fixtures/good-plugin
+          format: json
+          output: report.json
+      - name: Validate JSON
+        run: |
+          python3 -c "
+          import json
+          d = json.load(open('report.json'))
+          assert 'score' in d
+          assert 'grade' in d
+          assert d['score'] >= 80, f'Expected score >= 80, got {d[\"score\"]}'
+          print(f'JSON output valid: score={d[\"score\"]}, grade={d[\"grade\"]}')
+          "
+
+  scanner-sarif:
+    name: Scanner (SARIF format)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: ./action
+        id: scan
+        with:
+          install_source: local
+          plugin_dir: tests/fixtures/good-plugin
+          format: sarif
+          output: report.sarif
+      - name: Validate SARIF
+        run: |
+          python3 -c "
+          import json
+          d = json.load(open('report.sarif'))
+          assert d['version'] == '2.1.0'
+          assert d['\$schema'].startswith('https://')
+          print('SARIF output valid')
+          "
+    # Skip SARIF upload - CodeQL upload-sarif requires code scanning to be enabled on the repo
+
+  scanner-fail:
+    name: Scanner (fail on low score)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: ./action
+        id: scan
+        continue-on-error: true
+        with:
+          install_source: local
+          plugin_dir: tests/fixtures/bad-plugin
+          min_score: 99
+      - name: Verify failure
+        if: always() && steps.scan.outcome == 'failure'
+        run: echo "Correctly failed for low score"
+      - name: Should have failed
+        if: always() && steps.scan.outcome != 'failure'
+        run: |
+          echo "Expected failure but scanner passed"
+          exit 1
+
+  scanner-markdown:
+    name: Scanner (Markdown format)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: ./action
+        id: scan
+        with:
+          install_source: local
+          plugin_dir: tests/fixtures/good-plugin
+          format: markdown
+          output: report.md
+      - name: Validate Markdown
+        run: |
+          python3 -c "
+          content = open('report.md').read()
+          assert '/100' in content
+          assert 'Excellent' in content or 'Good' in content or 'Fair' in content
+          print('Markdown output valid')
+          "

hol_guard-2.0.3/.github/workflows/fuzz.yml

@@ -0,0 +1,53 @@
+name: Fuzzing
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  code-change:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: google/clusterfuzzlite/actions/build_fuzzers@52ecc61cb587ee99c26825a112a21abf19c7448c
+        with:
+          language: python
+          sanitizer: address
+      - uses: google/clusterfuzzlite/actions/run_fuzzers@52ecc61cb587ee99c26825a112a21abf19c7448c
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          mode: code-change
+          sanitizer: address
+          fuzz-seconds: 600
+          output-sarif: true
+
+  batch:
+    if: github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: google/clusterfuzzlite/actions/build_fuzzers@52ecc61cb587ee99c26825a112a21abf19c7448c
+        with:
+          language: python
+          sanitizer: address
+      - uses: google/clusterfuzzlite/actions/run_fuzzers@52ecc61cb587ee99c26825a112a21abf19c7448c
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          mode: batch
+          sanitizer: address
+          fuzz-seconds: 1800
+          output-sarif: true

hol_guard-2.0.3/.github/workflows/publish-action-repo.yml

@@ -0,0 +1,206 @@
+name: Publish GitHub Action Repository
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ai-plugin-scanner-action-repo-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  publish-action-repo:
+    name: Sync action repo + publish release notes
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      ACTION_CANONICAL_REPOSITORY: ${{ vars.ACTION_CANONICAL_REPOSITORY != '' && vars.ACTION_CANONICAL_REPOSITORY || 'hashgraph-online/ai-plugin-scanner-action' }}
+      ACTION_COMPAT_REPOSITORY: ${{ vars.ACTION_COMPAT_REPOSITORY != '' && vars.ACTION_COMPAT_REPOSITORY || 'hashgraph-online/hol-codex-plugin-scanner-action' }}
+      SOURCE_REF: ${{ github.sha }}
+      SOURCE_REPOSITORY: ${{ github.repository }}
+      SOURCE_SERVER_URL: ${{ github.server_url }}
+    steps:
+      - name: Validate publication credentials
+        env:
+          ACTION_REPO_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+        run: |
+          if [ -z "$ACTION_REPO_TOKEN" ]; then
+            echo "ACTION_REPO_TOKEN must be configured to publish the Marketplace action repository." >&2
+            exit 1
+          fi
+
+      - name: Checkout source repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          fetch-depth: 0
+
+      - name: Compute next action release tag
+        id: version
+        env:
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+        run: |
+          latest_release_tag() {
+            target_repo="$1"
+            if ! gh repo view "$target_repo" >/dev/null 2>&1; then
+              return
+            fi
+            gh release list --repo "$target_repo" --limit 1 --json tagName --jq '.[0].tagName // ""'
+          }
+
+          latest_remote_tag() {
+            target_repo="$1"
+            if ! gh repo view "$target_repo" >/dev/null 2>&1; then
+              return
+            fi
+            git ls-remote --tags --refs "https://x-access-token:${GH_TOKEN}@github.com/${target_repo}.git" "refs/tags/v*" \
+              | awk -F'/' '{print $3}' \
+              | sort -V \
+              | tail -n1
+          }
+
+          LAST_TAG=""
+          for candidate in \
+            "$(latest_release_tag "$ACTION_CANONICAL_REPOSITORY")" \
+            "$(latest_release_tag "$ACTION_COMPAT_REPOSITORY")" \
+            "$(latest_remote_tag "$ACTION_CANONICAL_REPOSITORY")" \
+            "$(latest_remote_tag "$ACTION_COMPAT_REPOSITORY")"; do
+            if [ -z "$candidate" ]; then
+              continue
+            fi
+            if [ -z "$LAST_TAG" ] || [ "$(printf '%s\n%s\n' "$LAST_TAG" "$candidate" | sort -V | tail -n1)" = "$candidate" ]; then
+              LAST_TAG="$candidate"
+            fi
+          done
+
+          if [ -z "$LAST_TAG" ]; then
+            TAG="v1.0.0"
+          else
+            IFS=. read -r MAJOR MINOR PATCH <<< "${LAST_TAG#v}"
+            if [ -z "$MAJOR" ] || [ -z "$MINOR" ] || [ -z "$PATCH" ]; then
+              echo "Unsupported release tag format: $LAST_TAG" >&2
+              exit 1
+            fi
+            TAG="v${MAJOR}.${MINOR}.$((PATCH + 1))"
+          fi
+
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Compute scanner package version
+        id: scanner_version
+        env:
+          GITHUB_REF: ${{ github.ref }}
+          GITHUB_EVENT_NAME: ${{ github.event_name }}
+        run: |
+          BASE_VERSION=$(python3 -c "import tomllib; p=tomllib.load(open('pyproject.toml','rb')); print(p['project']['version'])")
+          VERSION="$BASE_VERSION"
+          if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
+            VERSION="${GITHUB_REF#refs/tags/v}"
+          elif [[ "$GITHUB_EVENT_NAME" == "push" && "$GITHUB_REF" == "refs/heads/main" ]]; then
+            LAST_TAG=$(git tag --list 'v*' --sort=-version:refname | head -n1)
+            if [[ -n "$LAST_TAG" ]]; then
+              IFS=. read -r MAJOR MINOR PATCH <<< "${LAST_TAG#v}"
+              if [[ -z "$MAJOR" || -z "$MINOR" || -z "$PATCH" ]]; then
+                echo "Unsupported release tag format: $LAST_TAG" >&2
+                exit 1
+              fi
+              VERSION="${MAJOR}.${MINOR}.$((PATCH + 1))"
+            fi
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Sync canonical and compatibility action repositories
+        env:
+          ACTION_REPO_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+          TAG: ${{ steps.version.outputs.tag }}
+          SCANNER_VERSION: ${{ steps.scanner_version.outputs.version }}
+        run: |
+          any_repo_changed="false"
+
+          publish_action_release() {
+            target_repo="$1"
+            repo_dir="$2"
+
+            git -C "$repo_dir" tag -fa v1 -m "Update floating major tag to ${TAG}"
+            if git -C "$repo_dir" ls-remote --tags origin "refs/tags/${TAG}" | grep -q .; then
+              echo "Refusing to publish action bundle with colliding existing tag ${TAG} in ${target_repo}." >&2
+              exit 1
+            fi
+            git -C "$repo_dir" tag "${TAG}"
+            git -C "$repo_dir" push origin "refs/tags/${TAG}"
+            git -C "$repo_dir" push origin refs/tags/v1 --force
+
+            if ! gh release view "${TAG}" --repo "$target_repo" >/dev/null 2>&1; then
+              gh release create "${TAG}" \
+                --repo "$target_repo" \
+                --title "${TAG}" \
+                --generate-notes \
+                --notes "Published automatically from ${SOURCE_SERVER_URL}/${SOURCE_REPOSITORY}/tree/${SOURCE_REF}"
+            fi
+          }
+
+          sync_action_repo() {
+            target_repo="$1"
+            readme_source="$2"
+            repo_description="$3"
+            repo_dir="$GITHUB_WORKSPACE/action-repos/${target_repo##*/}"
+            repo_changed="false"
+
+            if gh repo view "$target_repo" >/dev/null 2>&1; then
+              gh repo edit "$target_repo" --description "$repo_description"
+              gh repo clone "$target_repo" "$repo_dir" -- --depth 1
+            else
+              gh repo create "$target_repo" --public --description "$repo_description" --clone
+              mv "${target_repo##*/}" "$repo_dir"
+            fi
+
+            git -C "$repo_dir" remote set-url origin "https://x-access-token:${ACTION_REPO_TOKEN}@github.com/${target_repo}.git"
+
+            cp "${GITHUB_WORKSPACE}/action/action.yml" "${repo_dir}/action.yml"
+            cp "$readme_source" "${repo_dir}/README.md"
+            printf '%s\n' "$SCANNER_VERSION" > "${repo_dir}/scanner-version.txt"
+            cp "${GITHUB_WORKSPACE}/action/cisco-version.txt" "${repo_dir}/cisco-version.txt"
+            cp "${GITHUB_WORKSPACE}/action/pypi-attestations-version.txt" "${repo_dir}/pypi-attestations-version.txt"
+            cp "${GITHUB_WORKSPACE}/LICENSE" "${repo_dir}/LICENSE"
+            cp "${GITHUB_WORKSPACE}/SECURITY.md" "${repo_dir}/SECURITY.md"
+            cp "${GITHUB_WORKSPACE}/CONTRIBUTING.md" "${repo_dir}/CONTRIBUTING.md"
+
+            if [ -n "$(git -C "$repo_dir" status --short -- action.yml README.md scanner-version.txt cisco-version.txt pypi-attestations-version.txt LICENSE SECURITY.md CONTRIBUTING.md)" ]; then
+              repo_changed="true"
+              git -C "$repo_dir" config user.name "github-actions[bot]"
+              git -C "$repo_dir" config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+              git -C "$repo_dir" add action.yml README.md scanner-version.txt cisco-version.txt pypi-attestations-version.txt LICENSE SECURITY.md CONTRIBUTING.md
+              git -C "$repo_dir" commit -m "chore: publish action bundle ${TAG}"
+              git -C "$repo_dir" push origin HEAD:main
+              any_repo_changed="true"
+            fi
+
+            printf '%s\t%s\n' "$target_repo" "$repo_dir" >> "$GITHUB_WORKSPACE/action-repos/publish-targets.tsv"
+          }
+
+          mkdir -p "$GITHUB_WORKSPACE/action-repos"
+          : > "$GITHUB_WORKSPACE/action-repos/publish-targets.tsv"
+
+          sync_action_repo \
+            "$ACTION_CANONICAL_REPOSITORY" \
+            "${GITHUB_WORKSPACE}/action/README.md" \
+            "HOL AI Plugin Scanner GitHub Action"
+
+          sync_action_repo \
+            "$ACTION_COMPAT_REPOSITORY" \
+            "${GITHUB_WORKSPACE}/action/README.legacy.md" \
+            "Compatibility alias for HOL AI Plugin Scanner GitHub Action"
+
+          if [ "$any_repo_changed" != "true" ]; then
+            exit 0
+          fi
+
+          while IFS=$'\t' read -r target_repo repo_dir; do
+            publish_action_release "$target_repo" "$repo_dir"
+          done < "$GITHUB_WORKSPACE/action-repos/publish-targets.tsv"