Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(github): Improving GHA schema validation #3513

Merged
merged 4 commits into from
Sep 19, 2022
Merged

feat(github): Improving GHA schema validation #3513

merged 4 commits into from
Sep 19, 2022

Conversation

Eliran-Turgeman
Copy link
Contributor

@Eliran-Turgeman Eliran-Turgeman commented Sep 15, 2022
edited
Loading

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Improving GHA schema validation.
Schema resource is from https://www.schemastore.org/json/ - I made it "softer" to match the tests.

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Should improve false negatives as previous schema wasn't detailed enough.

Note - I suppressed a bandit check on yaml.load since the loader used is inheriting from SafeLoader.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

gruebel
gruebel approved these changes Sep 19, 2022
View reviewed changes
Copy link
Contributor

@gruebel gruebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice job 🚀

checkov/common/util/type_forcers.py
@@ -62,8 +62,8 @@ def force_dict(obj: Any) -> dict[str, Any] | None:
"""
if isinstance(obj, dict):
return obj
if isinstance(obj, list) and len(obj) > 0 and isinstance(obj[0], dict):
return obj[0]
if (isinstance(obj, list) or isinstance(obj, tuple)) and len(obj) > 0:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you add this change to the doc string?

If the object is a list/tuple of length 1 or more, ...

checkov/github_actions/runner.py Outdated
@@ -181,13 +186,22 @@ def resolve_step_name(job_definition: dict[str, Any], start_line: int, end_line:
@staticmethod
def is_schema_valid(config: dict[str, Any] | list[dict[str, Any]]) -> bool:
valid = False
config = force_list(config)
config = force_dict(config)
dir_path = os.path.dirname(os.path.realpath(__file__))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
dir_path = os.path.dirname(os.path.realpath(__file__))
dir_path = os.path.dirname(__file__)

please never use realpath it has unwanted behaviour on Mac for example

@Eliran-Turgeman Eliran-Turgeman merged commit 3daf386 into master Sep 19, 2022
@Eliran-Turgeman Eliran-Turgeman deleted the improve_gha_schema_validation branch September 19, 2022 07:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gruebel gruebel gruebel approved these changes

@nimrodkor nimrodkor nimrodkor approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Eliran-Turgeman @nimrodkor @gruebel