Update dependencies, add lint and unit-tests

orcasecurity · Nov 26, 2024 · d7aa4ab · d7aa4ab
1 parent d0c1af8
commit d7aa4ab
Show file tree

Hide file tree

Showing 14 changed files with 8,080 additions and 199 deletions.
diff --git a/.github/workflows/test-fs-action-sarif.yaml b/.github/workflows/test-fs-action-sarif.yaml
@@ -9,7 +9,7 @@ jobs:
     permissions:
       security-events: write
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
       - name: Scan FS
         id: orcasecurity_fs_scan
         uses: ./
@@ -21,7 +21,7 @@ jobs:
           output: "results/"
           console_output: "table"
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # ratchet:github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # ratchet:github/codeql-action/upload-sarif@v3.27.5
         if: ${{ always() && steps.orcasecurity_fs_scan.outputs.exit_code != 1 }}
         with:
-          sarif_file: results/file_system.sarif
+          sarif_file: results/file_system.sarif
diff --git a/.github/workflows/test-fs-action.yaml b/.github/workflows/test-fs-action.yaml
@@ -7,7 +7,7 @@ jobs:
   fs_scan_job:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
       - name: Scan FS
         uses: ./
         with:
@@ -17,7 +17,7 @@ jobs:
           format: "json"
           output: "results/"
           console_output: "table"
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # ratchet:actions/upload-artifact@v4
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # ratchet:actions/upload-artifact@v4.4.3
         if: always()
         with:
           name: orca-results

diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
@@ -0,0 +1,23 @@
+name: Unit Tests
+on:
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Run lint
+        run: npm run lint
+
+      - name: Run tests
+        run: npm test
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,5 @@
 # IDE
 .idea
-node_modules
+node_modules
+
+dist/
diff --git a/README.md b/README.md
@@ -5,20 +5,13 @@ for [Orca Shift Left Security](https://orca.security/solutions/shift-left-securi
 
 #### More info can be found in the official Orca Shift Left Security<a href="https://docs.orcasecurity.io/v1/docs/shift-left-security"> documentation</a>
 
-
-
 ## Table of Contents
 
-- [Orca Shift Left Security Action](#orca-shift-left-security-action)
-      - [More info can be found in the official Orca Shift Left Security documentation](#more-info-can-be-found-in-the-official-orca-shift-left-security-documentation)
-  - [Table of Contents](#table-of-contents)
-  - [Usage](#usage)
-    - [Workflow](#workflow)
-    - [Inputs](#inputs)
-  - [Annotations](#annotations)
-  - [Upload SARIF report](#upload-sarif-report)
-
-
+- [Usage](#usage)
+  - [Workflow](#workflow)
+  - [Inputs](#inputs)
+- [Annotations](#annotations)
+- [Upload SARIF report](#upload-sarif-report)
 
 ## Usage
 
@@ -29,13 +22,13 @@ name: Sample Orca FS Scan Workflow
 on:
   # Scan for each push event on your protected branch. If you have a different branch configured, please adjust the configuration accordingly by replacing 'main'.
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   # NOTE: To enable scanning for pull requests, uncomment the section below.
   #pull_request:
-    #branches: [ "main" ]
+  #branches: [ "main" ]
   # NOTE: To schedule a daily scan at midnight, uncomment the section below.
   #schedule:
-    #- cron: '0 0 * * *'
+  #- cron: '0 0 * * *'
 jobs:
   orca-fs-scan:
     name: Orca fs Scan
@@ -60,7 +53,7 @@ jobs:
 ### Inputs
 
 | Variable                     | Example Value &nbsp;         | Description &nbsp;                                                                         | Type    | Required | Default      |
-|------------------------------|------------------------------|--------------------------------------------------------------------------------------------|---------|----------|--------------|
+| ---------------------------- | ---------------------------- | ------------------------------------------------------------------------------------------ | ------- | -------- | ------------ |
 | api_token                    |                              | Orca API Token used for Authentication                                                     | String  | Yes      | N/A          |
 | project_key                  | my-project-key               | Project Key name                                                                           | String  | Yes      | N/A          |
 | path                         | sub-dir                      | Path to scan                                                                               | String  | Yes      | N/A          |
@@ -90,15 +83,18 @@ jobs:
 | disable_active_verification  | true                         | Disable active verification of secrets                                                     | Boolean | No       | false        |
 
 ## Annotations
+
 After scanning, the action will add the results as annotations in a pull request:
 
 ![](/assets/secret_annotation_preview.png)
->  **NOTE:**  Annotations can be disabled by setting the "show_annotation" input to "false"
 
+> **NOTE:** Annotations can be disabled by setting the "show_annotation" input to "false"
 
 ## Upload SARIF report
+
 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Orca Shift Left Security as a scanning tool
-> **NOTE:**  Code scanning is available for all public repositories. Code scanning is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.
+
+> **NOTE:** Code scanning is available for all public repositories. Code scanning is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.
 
 Configuration:
 
@@ -129,8 +125,7 @@ jobs:
           project_key: ${{ env.PROJECT_KEY }}
           path: <path to scan>
           format: "sarif"
-          output:
-            "results/"
+          output: "results/"
       - name: Upload SARIF file
         uses: github/codeql-action/upload-sarif@v3
         if: ${{ always() && steps.orcasecurity_fs_scan.outputs.exit_code != 1 }}
@@ -141,7 +136,5 @@ jobs:
 The results list can be found on the security tab of your GitHub project and should look like the following image
 ![](/assets/code_scanning_list.png)
 
-
-An entry should describe the error and in which line it occurred 
+An entry should describe the error and in which line it occurred
 ![](/assets/code_scanning_entry.png)
-
diff --git a/action.yaml b/action.yaml
@@ -27,16 +27,6 @@ inputs:
     description: "Disable logs and warnings output"
     required: false
     default: "false"
-  baseline_context_key:
-    description: "Use this context key in case of no autodetect is configured on project"
-    required: false
-  disable_baseline:
-    description: "Do not compare to baseline on this scan"
-    required: false
-    default: "false"
-  sync_baseline:
-    description: "Sync baseline base on this flag"
-    required: false
   disable_err_report:
     description: "Suppress error reporting to the monitoring platform"
     required: false
@@ -119,7 +109,6 @@ inputs:
     description: "The directory path to specify where the logs should be written to on debug mode. Default to the current working directory"
     required: false
 
-
 outputs:
   exit_code:
     description: "The exit code of the scan"
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -33,20 +33,11 @@ function set_global_flags() {
   if [ "${INPUT_CONFIG}" ]; then
     GLOBAL_FLAGS+=(--config "${INPUT_CONFIG}")
   fi
-  if [ "${INPUT_BASELINE_CONTEXT_KEY}" ]; then
-    GLOBAL_FLAGS+=(--baseline-context-key "${INPUT_BASELINE_CONTEXT_KEY}")
-  fi
-  if [ "${INPUT_DISABLE_BASELINE}" == "true" ]; then
-    GLOBAL_FLAGS+=(--disable-baseline)
-  fi
   if [ "${INPUT_DISABLE_ERR_REPORT}" == "true" ]; then
     GLOBAL_FLAGS+=(--disable-err-report)
   fi
-  if [ "${INPUT_SYNC_BASELINE}" ]; then
-    GLOBAL_FLAGS+=(--sync-baseline "${INPUT_SYNC_BASELINE}")
-  fi
   if [ "${INPUT_DISPLAY_NAME}" ]; then
-    GLOBAL_FLAGS+=(--display-name="${INPUT_DISPLAY_NAME}")
+    GLOBAL_FLAGS+=(--display-name "${INPUT_DISPLAY_NAME}")
   fi
   if [ "${INPUT_DEBUG}" == "true" ]; then
     GLOBAL_FLAGS+=(--debug)
@@ -97,6 +88,9 @@ function set_fs_scan_flags() {
   if [ "${INPUT_EXCEPTIONS_FILEPATH}" ]; then
     SCAN_FLAGS+=(--exceptions-filepath "${INPUT_EXCEPTIONS_FILEPATH}")
   fi
+  if [ "${INPUT_TIMEOUT}" ]; then
+    SCAN_FLAGS+=(--timeout "${INPUT_TIMEOUT}")
+  fi
   if [ "${INPUT_SHOW_FAILED_ISSUES_ONLY}" = "true" ]; then
     SCAN_FLAGS+=(--show-failed-issues-only)
   fi
@@ -116,7 +110,7 @@ function set_fs_scan_flags() {
     SCAN_FLAGS+=(--console-output="${CONSOLE_OUTPUT_FOR_JSON}")
   fi
   if [ "${INPUT_CUSTOM_SECRET_CONTROLS}" ]; then
-    SCAN_FLAGS+=(--custom-secret-controls="${INPUT_CUSTOM_SECRET_CONTROLS}")
+    SCAN_FLAGS+=(--custom-secret-controls "${INPUT_CUSTOM_SECRET_CONTROLS}")
   fi
   if [ "${INPUT_HIDE_SKIPPED_VULNERABILITIES}" == "true"  ]; then
     SCAN_FLAGS+=(--hide-skipped-vulnerabilities)

diff --git a/eslint.config.js b/eslint.config.js
@@ -0,0 +1,50 @@
+const js = require("@eslint/js");
+
+module.exports = [
+  {
+    // Global ignores
+    ignores: ["dist/**"],
+  },
+  {
+    // Base configuration
+    files: ["**/*.{js}"],
+    settings: {
+      "import/resolver": {
+        typescript: {},
+      },
+    },
+    rules: {
+      ...js.configs.recommended.rules,
+
+      // Spacing and formatting rules
+      "space-before-blocks": "error",
+      "keyword-spacing": "error",
+      "no-trailing-spaces": "error",
+      curly: "error",
+      quotes: ["error", "single"],
+      "object-curly-spacing": ["error", "always"],
+      "no-multi-spaces": "error",
+      "semi-spacing": "error",
+
+      // Code style rules
+      "prefer-const": ["error", { destructuring: "all" }],
+      "max-classes-per-file": ["error", 10],
+      "max-len": ["error", 200],
+
+      // Import rules
+      "import/no-unresolved": [
+        "error",
+        { commonjs: true, caseSensitive: true },
+      ],
+      "import/extensions": ["error", "ignorePackages", { js: "never" }],
+    },
+  },
+  {
+    // Test files override
+    files: ["**/test/**"],
+    rules: {
+      "import/no-unresolved": "off",
+      "import/extensions": "off",
+    },
+  },
+];