From 91c15e6de0c79254ff9bcad7aeaf8e87dcd77ffb Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Fri, 29 Sep 2023 12:31:09 +0100
Subject: [PATCH] Add test + nits

Signed-off-by: AdamKorcz
---
 checks/evaluation/webhooks_test.go | 81 +++++++++++++++++++++++++
 probes/webhooksWithoutTokenAuth/def.yml | 10 +--
 2 files changed, 86 insertions(+), 5 deletions(-)

diff --git a/checks/evaluation/webhooks_test.go b/checks/evaluation/webhooks_test.go
index d4264ee89608..67cfd81ad653 100644
--- a/checks/evaluation/webhooks_test.go
+++ b/checks/evaluation/webhooks_test.go
@@ -108,6 +108,87 @@ func TestWebhooks(t *testing.T) {
 Score: 4,
 },
 },
+ {
+ name: "Twelve webhooks none of which have secrets",
+ findings: []finding.Finding{
+ {
+ Probe: "hasWebhooks",
+ Outcome: finding.OutcomePositive,
+ }, {
+ Probe: "hasWebhooks",
+ Outcome: finding.OutcomePositive,
+ }, {
+ Probe: "hasWebhooks",
+ Outcome: finding.OutcomePositive,
+ }, {
+ Probe: "hasWebhooks",
+ Outcome: finding.OutcomePositive,
+ }, {
+ Probe: "hasWebhooks",
+ Outcome: finding.OutcomePositive,
+ }, {
+ Probe: "hasWebhooks",
+ Outcome: finding.OutcomePositive,
+ }, {
+ Probe: "hasWebhooks",
+ Outcome: finding.OutcomePositive,
+ }, {
+ Probe: "hasWebhooks",
+ Outcome: finding.OutcomePositive,
+ }, {
+ Probe: "hasWebhooks",
+ Outcome: finding.OutcomePositive,
+ }, {
+ Probe: "hasWebhooks",
+ Outcome: finding.OutcomePositive,
+ }, {
+ Probe: "hasWebhooks",
+ Outcome: finding.OutcomePositive,
+ }, {
+ Probe: "hasWebhooks",
+ Outcome: finding.OutcomePositive,
+ }, {
+ Probe: "webhooksWithoutTokenAuth",
+ Outcome: finding.OutcomeNegative,
+ }, {
+ Probe: "webhooksWithoutTokenAuth",
+ Outcome: finding.OutcomeNegative,
+ }, {
+ Probe: "webhooksWithoutTokenAuth",
+ Outcome: finding.OutcomeNegative,
+ }, {
+ Probe: "webhooksWithoutTokenAuth",
+ Outcome: finding.OutcomeNegative,
+ }, {
+ Probe: "webhooksWithoutTokenAuth",
+ Outcome: finding.OutcomeNegative,
+ }, {
+ Probe: "webhooksWithoutTokenAuth",
+ Outcome: finding.OutcomeNegative,
+ }, {
+ Probe: "webhooksWithoutTokenAuth",
+ Outcome: finding.OutcomeNegative,
+ }, {
+ Probe: "webhooksWithoutTokenAuth",
+ Outcome: finding.OutcomeNegative,
+ }, {
+ Probe: "webhooksWithoutTokenAuth",
+ Outcome: finding.OutcomeNegative,
+ }, {
+ Probe: "webhooksWithoutTokenAuth",
+ Outcome: finding.OutcomeNegative,
+ }, {
+ Probe: "webhooksWithoutTokenAuth",
+ Outcome: finding.OutcomeNegative,
+ }, {
+ Probe: "webhooksWithoutTokenAuth",
+ Outcome: finding.OutcomeNegative,
+ },
+ },
+ result: scut.TestReturn{
+ Score: 0,
+ },
+ },
 }
 for _, tt := range tests {
 tt := tt
diff --git a/probes/webhooksWithoutTokenAuth/def.yml b/probes/webhooksWithoutTokenAuth/def.yml
index 08ba7db0e626..bca30ca24e64 100644
--- a/probes/webhooksWithoutTokenAuth/def.yml
+++ b/probes/webhooksWithoutTokenAuth/def.yml
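Review bot: The new table entry spells out 24 literal findings (twelve `hasWebhooks` positives, twelve `webhooksWithoutTokenAuth` negatives), which buries the one fact the case asserts — twelve webhooks, none with a secret — and invites copy-paste drift if a count is ever off by one. A small helper that builds n identical findings would keep the intent explicit and the entry a few lines long; the outcome type is assumed to be `finding.Outcome` from the `finding.OutcomePositive`/`OutcomeNegative` values visible in the hunk. The case also only pins the all-unauthenticated extreme at Score 0; a mixed case (e.g. twelve webhooks of which one lacks a secret) would pin the scoring between the existing Score 4 entry and this one, if the evaluation is meant to scale that way. `TestWebhooks` and its `tests` table begin before the hunk.
```go
// repeatFinding returns n findings that all carry the same probe and outcome.
func repeatFinding(probe string, outcome finding.Outcome, n int) []finding.Finding {
	out := make([]finding.Finding, 0, n)
	for i := 0; i < n; i++ {
		out = append(out, finding.Finding{Probe: probe, Outcome: outcome})
	}
	return out
}

// … unchanged: earlier table entries …
		{
			name: "Twelve webhooks none of which have secrets",
			findings: append(
				repeatFinding("hasWebhooks", finding.OutcomePositive, 12),
				repeatFinding("webhooksWithoutTokenAuth", finding.OutcomeNegative, 12)...,
			),
			result: scut.TestReturn{
				Score: 0,
			},
		},
```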
@@ -13,20 +13,20 @@
 # limitations under the License.
 
 id: webhooksWithoutTokenAuth
-short: This check determines whether the webhook defined in the repository has a token configured to authenticate the origins of requests.
+short: This check determines whether webhooks defined in the repository use a token to authenticate to remote servers.
 motivation: >
 Webhooks without token authorization have the potential to make projects accessible to third-parties.
 implementation: >
- The probe checks all webhooks of a project and returns if it finds a single webhook without token authentication.
+ The probe checks all webhooks of a project and checks whether each uses token authentication.
 outcome:
- - If the project has a single webhook without token authorization, the probe returns one OutcomeNegative (0).
+ - If the project has one or more webhooks without token authorization, the probe returns as many OutcomeNegative (0) as the project has webhooks without token authorization.
 - If the project does not have any webhooks without token authorization, the probe returns one OutcomePositive (1).
 remediation:
 effort: Low
 text:
 - Check whether your service supports token authentication.
- - If there is support for token authentication, set the secret in the webhook configuration.
- - If there is no support for token authentication, request the webhook service implement token authentication functionality.
+ - If there is support for token authentication, set the secret in the webhook configuration. See [Setting up a webhook](https://docs.github.com/en/developers/webhooks-and-events/webhooks/creating-webhooks#setting-up-a-webhook).
+ - If there is no support for token authentication, request the webhook service implement token authentication functionality by following [these directions](https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks).
 markdown:
 - Check whether your service supports token authentication.
- If there is support for token authentication, set the secret in the webhook configuration. See [Setting up a webhook](https://docs.github.com/en/developers/webhooks-and-events/webhooks/creating-webhooks#setting-up-a-webhook).
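Review bot: The new `short` wording, "use a token to authenticate to remote servers", describes the mechanism the wrong way round: a GitHub webhook secret is not presented by the webhook as a credential, it is used to sign each delivery (the HMAC in the `X-Hub-Signature-256` header, per the "Securing your webhooks" page the hunk itself links) so that the receiving server can verify the request genuinely came from the repository — the removed phrase "authenticate the origins of requests" was closer. Suggest `short: This check determines whether webhooks defined in the repository are configured with a secret so that the receiving service can verify the origin of each delivery.` The unchanged `motivation` context line is also too vague to act on ("make projects accessible to third-parties"); the concrete risk is spoofing, e.g. `Without a secret the receiving endpoint cannot distinguish genuine deliveries from forged requests, so anyone who learns the webhook URL can inject fake events (for example to trigger builds or deployments).` Consistently calling the mechanism a "secret" rather than a "token" throughout `short`, `implementation` and `remediation` would also match the GitHub UI field the remediation tells users to set.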