
Use hasDangerousWorfklowTrigger in evaluation
Signed-off-by: Raghav Kaul <[email protected]>
raghavkaul committed Feb 20, 2024
1 parent ab3627e commit e70c8ab
Showing 2 changed files with 18 additions and 1 deletion.
17 changes: 16 additions & 1 deletion checks/evaluation/dangerous_workflow.go
Expand Up @@ -19,6 +19,7 @@ import (
sce "github.com/ossf/scorecard/v4/errors"
"github.com/ossf/scorecard/v4/finding"
"github.com/ossf/scorecard/v4/probes/hasDangerousWorkflowScriptInjection"
"github.com/ossf/scorecard/v4/probes/hasDangerousWorkflowTrigger"
"github.com/ossf/scorecard/v4/probes/hasDangerousWorkflowUntrustedCheckout"
)

Expand All @@ -28,6 +29,7 @@ func DangerousWorkflow(name string,
) checker.CheckResult {
expectedProbes := []string{
hasDangerousWorkflowScriptInjection.Probe,
hasDangerousWorkflowTrigger.Probe,
hasDangerousWorkflowUntrustedCheckout.Probe,
}

Expand Down Expand Up @@ -58,7 +60,8 @@ func DangerousWorkflow(name string,
}
}

if hasDWWithUntrustedCheckout(findings) || hasDWWithScriptInjection(findings) {
if hasDWWithUntrustedCheckout(findings) || hasDWWithScriptInjection(findings) ||
hasDWWithWorkflowRunTrigger(findings) {
return checker.CreateMinScoreResult(name,
"dangerous workflow patterns detected")
}
Expand Down Expand Up @@ -101,3 +104,15 @@ func hasDWWithScriptInjection(findings []finding.Finding) bool {
}
return false
}

func hasDWWithWorkflowRunTrigger(findings []finding.Finding) bool {
for i := range findings {
f := &findings[i]
if f.Probe == hasDangerousWorkflowTrigger.Probe {
if f.Outcome == finding.OutcomeNegative {
return true
}
}
}
return false
}
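Review bot: hasDWWithWorkflowRunTrigger repeats the probe-name/outcome scan that the existing helpers end with (only the tail of hasDWWithScriptInjection is visible in this hunk, but its shape matches), so a single helper parameterised on the probe name would remove the third copy and keep the "OutcomeNegative means dangerous" interpretation in one place. The new function also has no doc comment; `// hasDWWithWorkflowRunTrigger reports whether the hasDangerousWorkflowTrigger probe produced a negative finding.` would state the contract, and since the function name narrows the condition to a workflow_run trigger while the probe identifier only says "Trigger", it is worth confirming the two agree. The diffstat shows no test change exercising the new branch in DangerousWorkflow, which may be fine if the probe is covered elsewhere. hasDWWithScriptInjection, whose closing lines open this hunk, starts outside it.

```go
// hasNegativeFinding reports whether any finding produced by probe has OutcomeNegative.
func hasNegativeFinding(findings []finding.Finding, probe string) bool {
	for i := range findings {
		f := &findings[i]
		if f.Probe == probe && f.Outcome == finding.OutcomeNegative {
			return true
		}
	}
	return false
}

// hasDWWithWorkflowRunTrigger reports whether the hasDangerousWorkflowTrigger probe
// produced a negative finding.
func hasDWWithWorkflowRunTrigger(findings []finding.Finding) bool {
	return hasNegativeFinding(findings, hasDangerousWorkflowTrigger.Probe)
}
```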
2 changes: 2 additions & 0 deletions probes/entries.go
Expand Up @@ -177,6 +177,7 @@ var (
hasOSVVulnerabilities.Probe: hasOSVVulnerabilities.Run,
sastToolRunsOnAllCommits.Probe: sastToolRunsOnAllCommits.Run,
hasDangerousWorkflowScriptInjection.Probe: hasDangerousWorkflowScriptInjection.Run,
hasDangerousWorkflowTrigger.Probe: hasDangerousWorkflowTrigger.Run,
hasDangerousWorkflowUntrustedCheckout.Probe: hasDangerousWorkflowUntrustedCheckout.Run,
notArchived.Probe: notArchived.Run,
hasRecentCommits.Probe: hasRecentCommits.Run,
Expand Down Expand Up @@ -212,6 +213,7 @@ var (
hasOSVVulnerabilities.Probe: "Vulnerabilities",
sastToolRunsOnAllCommits.Probe: "SAST",
hasDangerousWorkflowScriptInjection.Probe: "Dangerous-Workflow",
hasDangerousWorkflowTrigger.Probe: "Dangerous-Workflow",
hasDangerousWorkflowUntrustedCheckout.Probe: "Dangerous-Workflow",
notArchived.Probe: "Maintained",
hasRecentCommits.Probe: "Maintained",
