Skip to content

Commit

Permalink
Update dependencies, add lint and unit-tests
Browse files Browse the repository at this point in the history
  • Loading branch information
ayala-orca committed Nov 27, 2024
1 parent d0c1af8 commit ea82674
Show file tree
Hide file tree
Showing 14 changed files with 8,085 additions and 199 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/test-fs-action-sarif.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ jobs:
permissions:
security-events: write
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
- name: Scan FS
id: orcasecurity_fs_scan
uses: ./
Expand All @@ -21,7 +21,7 @@ jobs:
output: "results/"
console_output: "table"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # ratchet:github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # ratchet:github/codeql-action/upload-sarif@v3.27.5
if: ${{ always() && steps.orcasecurity_fs_scan.outputs.exit_code != 1 }}
with:
sarif_file: results/file_system.sarif
sarif_file: results/file_system.sarif
4 changes: 2 additions & 2 deletions .github/workflows/test-fs-action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ jobs:
fs_scan_job:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
- name: Scan FS
uses: ./
with:
Expand All @@ -17,7 +17,7 @@ jobs:
format: "json"
output: "results/"
console_output: "table"
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # ratchet:actions/upload-artifact@v4
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # ratchet:actions/upload-artifact@v4.4.3
if: always()
with:
name: orca-results
Expand Down
23 changes: 23 additions & 0 deletions .github/workflows/unit-tests.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
name: Unit Tests
on:
pull_request:
branches: [main]
workflow_dispatch:

permissions:
contents: read

jobs:
unit-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]

- name: Install dependencies
run: npm install

- name: Run lint
run: npm run lint

- name: Run tests
run: npm test
4 changes: 3 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
# IDE
.idea
node_modules
node_modules

dist/
39 changes: 16 additions & 23 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,20 +5,13 @@ for [Orca Shift Left Security](https://orca.security/solutions/shift-left-securi

#### More info can be found in the official Orca Shift Left Security<a href="https://docs.orcasecurity.io/v1/docs/shift-left-security"> documentation</a>



## Table of Contents

- [Orca Shift Left Security Action](#orca-shift-left-security-action)
- [More info can be found in the official Orca Shift Left Security documentation](#more-info-can-be-found-in-the-official-orca-shift-left-security-documentation)
- [Table of Contents](#table-of-contents)
- [Usage](#usage)
- [Workflow](#workflow)
- [Inputs](#inputs)
- [Annotations](#annotations)
- [Upload SARIF report](#upload-sarif-report)


- [Usage](#usage)
- [Workflow](#workflow)
- [Inputs](#inputs)
- [Annotations](#annotations)
- [Upload SARIF report](#upload-sarif-report)

## Usage

Expand All @@ -29,13 +22,13 @@ name: Sample Orca FS Scan Workflow
on:
# Scan for each push event on your protected branch. If you have a different branch configured, please adjust the configuration accordingly by replacing 'main'.
push:
branches: [ "main" ]
branches: ["main"]
# NOTE: To enable scanning for pull requests, uncomment the section below.
#pull_request:
#branches: [ "main" ]
#branches: [ "main" ]
# NOTE: To schedule a daily scan at midnight, uncomment the section below.
#schedule:
#- cron: '0 0 * * *'
#- cron: '0 0 * * *'
jobs:
orca-fs-scan:
name: Orca fs Scan
Expand All @@ -60,7 +53,7 @@ jobs:
### Inputs

| Variable | Example Value &nbsp; | Description &nbsp; | Type | Required | Default |
|------------------------------|------------------------------|--------------------------------------------------------------------------------------------|---------|----------|--------------|
| ---------------------------- | ---------------------------- | ------------------------------------------------------------------------------------------ | ------- | -------- | ------------ |
| api_token | | Orca API Token used for Authentication | String | Yes | N/A |
| project_key | my-project-key | Project Key name | String | Yes | N/A |
| path | sub-dir | Path to scan | String | Yes | N/A |
Expand Down Expand Up @@ -90,15 +83,18 @@ jobs:
| disable_active_verification | true | Disable active verification of secrets | Boolean | No | false |

## Annotations

After scanning, the action will add the results as annotations in a pull request:

![](/assets/secret_annotation_preview.png)
> **NOTE:** Annotations can be disabled by setting the "show_annotation" input to "false"

> **NOTE:** Annotations can be disabled by setting the "show_annotation" input to "false"
## Upload SARIF report

If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Orca Shift Left Security as a scanning tool
> **NOTE:** Code scanning is available for all public repositories. Code scanning is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.

> **NOTE:** Code scanning is available for all public repositories. Code scanning is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.
Configuration:

Expand Down Expand Up @@ -129,8 +125,7 @@ jobs:
project_key: ${{ env.PROJECT_KEY }}
path: <path to scan>
format: "sarif"
output:
"results/"
output: "results/"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
if: ${{ always() && steps.orcasecurity_fs_scan.outputs.exit_code != 1 }}
Expand All @@ -141,7 +136,5 @@ jobs:
The results list can be found on the security tab of your GitHub project and should look like the following image
![](/assets/code_scanning_list.png)
An entry should describe the error and in which line it occurred
An entry should describe the error and in which line it occurred
![](/assets/code_scanning_entry.png)
11 changes: 0 additions & 11 deletions action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,16 +27,6 @@ inputs:
description: "Disable logs and warnings output"
required: false
default: "false"
baseline_context_key:
description: "Use this context key in case of no autodetect is configured on project"
required: false
disable_baseline:
description: "Do not compare to baseline on this scan"
required: false
default: "false"
sync_baseline:
description: "Sync baseline base on this flag"
required: false
disable_err_report:
description: "Suppress error reporting to the monitoring platform"
required: false
Expand Down Expand Up @@ -119,7 +109,6 @@ inputs:
description: "The directory path to specify where the logs should be written to on debug mode. Default to the current working directory"
required: false


outputs:
exit_code:
description: "The exit code of the scan"
16 changes: 5 additions & 11 deletions entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -33,20 +33,11 @@ function set_global_flags() {
if [ "${INPUT_CONFIG}" ]; then
GLOBAL_FLAGS+=(--config "${INPUT_CONFIG}")
fi
if [ "${INPUT_BASELINE_CONTEXT_KEY}" ]; then
GLOBAL_FLAGS+=(--baseline-context-key "${INPUT_BASELINE_CONTEXT_KEY}")
fi
if [ "${INPUT_DISABLE_BASELINE}" == "true" ]; then
GLOBAL_FLAGS+=(--disable-baseline)
fi
if [ "${INPUT_DISABLE_ERR_REPORT}" == "true" ]; then
GLOBAL_FLAGS+=(--disable-err-report)
fi
if [ "${INPUT_SYNC_BASELINE}" ]; then
GLOBAL_FLAGS+=(--sync-baseline "${INPUT_SYNC_BASELINE}")
fi
if [ "${INPUT_DISPLAY_NAME}" ]; then
GLOBAL_FLAGS+=(--display-name="${INPUT_DISPLAY_NAME}")
GLOBAL_FLAGS+=(--display-name "${INPUT_DISPLAY_NAME}")
fi
if [ "${INPUT_DEBUG}" == "true" ]; then
GLOBAL_FLAGS+=(--debug)
Expand Down Expand Up @@ -97,6 +88,9 @@ function set_fs_scan_flags() {
if [ "${INPUT_EXCEPTIONS_FILEPATH}" ]; then
SCAN_FLAGS+=(--exceptions-filepath "${INPUT_EXCEPTIONS_FILEPATH}")
fi
if [ "${INPUT_TIMEOUT}" ]; then
SCAN_FLAGS+=(--timeout "${INPUT_TIMEOUT}")
fi
if [ "${INPUT_SHOW_FAILED_ISSUES_ONLY}" = "true" ]; then
SCAN_FLAGS+=(--show-failed-issues-only)
fi
Expand All @@ -116,7 +110,7 @@ function set_fs_scan_flags() {
SCAN_FLAGS+=(--console-output="${CONSOLE_OUTPUT_FOR_JSON}")
fi
if [ "${INPUT_CUSTOM_SECRET_CONTROLS}" ]; then
SCAN_FLAGS+=(--custom-secret-controls="${INPUT_CUSTOM_SECRET_CONTROLS}")
SCAN_FLAGS+=(--custom-secret-controls "${INPUT_CUSTOM_SECRET_CONTROLS}")
fi
if [ "${INPUT_HIDE_SKIPPED_VULNERABILITIES}" == "true" ]; then
SCAN_FLAGS+=(--hide-skipped-vulnerabilities)
Expand Down
50 changes: 50 additions & 0 deletions eslint.config.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
const js = require("@eslint/js");

module.exports = [
{
// Global ignores
ignores: ["dist/**"],
},
{
// Base configuration
files: ["**/*.{js}"],
settings: {
"import/resolver": {
typescript: {},
},
},
rules: {
...js.configs.recommended.rules,

// Spacing and formatting rules
"space-before-blocks": "error",
"keyword-spacing": "error",
"no-trailing-spaces": "error",
curly: "error",
quotes: ["error", "single"],
"object-curly-spacing": ["error", "always"],
"no-multi-spaces": "error",
"semi-spacing": "error",

// Code style rules
"prefer-const": ["error", { destructuring: "all" }],
"max-classes-per-file": ["error", 10],
"max-len": ["error", 200],

// Import rules
"import/no-unresolved": [
"error",
{ commonjs: true, caseSensitive: true },
],
"import/extensions": ["error", "ignorePackages", { js: "never" }],
},
},
{
// Test files override
files: ["**/test/**"],
rules: {
"import/no-unresolved": "off",
"import/extensions": "off",
},
},
];
Loading

0 comments on commit ea82674

Please sign in to comment.