update

checker/raw_result.go

@@ -301,14 +301,9 @@ type DangerousWorkflowData struct {
 
 // DangerousWorkflow represents a dangerous workflow.
 type DangerousWorkflow struct {
-	Workflow Workflow
-	Type     DangerousWorkflowType
-}
-
-// Workflow represents a workflow.
-type Workflow struct {
 	Job  *WorkflowJob
 	File File
+	Type DangerousWorkflowType
 }
 
 // WorkflowJob reprresents a workflow job.

checks/evaluation/dangerous_workflow.go

@@ -34,20 +34,20 @@ func DangerousWorkflow(name string, dl checker.DetailLogger,
 		var text string
 		switch e.Type {
 		case checker.DangerousWorkflowUntrustedCheckout:
-			text = fmt.Sprintf("untrusted code checkout '%v'", e.Workflow.File.Snippet)
+			text = fmt.Sprintf("untrusted code checkout '%v'", e.File.Snippet)
 		case checker.DangerousWorkflowScriptInjection:
-			text = fmt.Sprintf("script injection with untrusted input '%v'", e.Workflow.File.Snippet)
+			text = fmt.Sprintf("script injection with untrusted input '%v'", e.File.Snippet)
 		default:
 			err := sce.WithMessage(sce.ErrScorecardInternal, "invalid type")
 			return checker.CreateRuntimeErrorResult(name, err)
 		}
 
 		dl.Warn(&checker.LogMessage{
-			Path:    e.Workflow.File.Path,
-			Type:    e.Workflow.File.Type,
-			Offset:  e.Workflow.File.Offset,
+			Path:    e.File.Path,
+			Type:    e.File.Type,
+			Offset:  e.File.Offset,
 			Text:    text,
-			Snippet: e.Workflow.File.Snippet,
+			Snippet: e.File.Snippet,
 		})
 	}
 

checks/raw/dangerous_workflow.go

@@ -194,15 +194,13 @@ func checkJobForUntrustedCodeCheckout(job *actionlint.Job, path string,
 			pdata.Workflows = append(pdata.Workflows,
 				checker.DangerousWorkflow{
 					Type: checker.DangerousWorkflowUntrustedCheckout,
-					Workflow: checker.Workflow{
-						File: checker.File{
-							Path:    path,
-							Type:    checker.FileTypeSource,
-							Offset:  line,
-							Snippet: ref.Value.Value,
-						},
-						Job: createJob(job),
+					File: checker.File{
+						Path:    path,
+						Type:    checker.FileTypeSource,
+						Offset:  line,
+						Snippet: ref.Value.Value,
 					},
+					Job: createJob(job),
 				},
 			)
 		}
@@ -255,15 +253,13 @@ func checkVariablesInScript(script string, pos *actionlint.Pos,
 			line := fileparser.GetLineNumber(pos)
 			pdata.Workflows = append(pdata.Workflows,
 				checker.DangerousWorkflow{
-					Workflow: checker.Workflow{
-						File: checker.File{
-							Path:    path,
-							Type:    checker.FileTypeSource,
-							Offset:  line,
-							Snippet: variable,
-						},
-						Job: createJob(job),
+					File: checker.File{
+						Path:    path,
+						Type:    checker.FileTypeSource,
+						Offset:  line,
+						Snippet: variable,
 					},
+					Job:  createJob(job),
 					Type: checker.DangerousWorkflowScriptInjection,
 				},
 			)

pkg/json_raw_results.go

@@ -156,10 +156,10 @@ const (
 )
 
 type jsonWorkflow struct {
-	Job *jsonWorkflowJob `json:"job"`
+	Job  *jsonWorkflowJob `json:"job"`
+	File *jsonFile        `json:"file"`
 	// Type is a string to allow different types for permissions, unpinned dependencies, etc.
-	Type string   `json:"type"`
-	File jsonFile `json:"file"`
+	Type string `json:"type"`
 }
 
 type jsonWorkflowJob struct {
@@ -201,18 +201,18 @@ func (r *jsonScorecardRawResult) addDangerousWorkflowRawResults(df *checker.Dang
 	r.Results.Workflows = []jsonWorkflow{}
 	for _, e := range df.Workflows {
 		v := jsonWorkflow{
-			File: jsonFile{
-				Path:   e.Workflow.File.Path,
-				Offset: int(e.Workflow.File.Offset),
+			File: &jsonFile{
+				Path:   e.File.Path,
+				Offset: int(e.File.Offset),
 			},
 		}
-		if e.Workflow.File.Snippet != "" {
-			v.File.Snippet = &e.Workflow.File.Snippet
+		if e.File.Snippet != "" {
+			v.File.Snippet = &e.File.Snippet
 		}
-		if e.Workflow.Job != nil {
+		if e.Job != nil {
 			v.Job = &jsonWorkflowJob{
-				Name: e.Workflow.Job.Name,
-				ID:   e.Workflow.Job.ID,
+				Name: e.Job.Name,
+				ID:   e.Job.ID,
 			}
 		}