Class: Rules::MissingPersistCreds

Inherits:
Base
  • Object
Defined in:
lib/rules/missing_persist_creds.rb


Instance Method Details

#check(workflow) ⇒ Object



# File 'lib/rules/missing_persist_creds.rb', line 7

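# Flags every actions/checkout step that leaves the job token written into
# .git/config, where any later step in the job can reuse it. A checkout is
# accepted only when `persist-credentials` is explicitly false (boolean or the
# quoted YAML string "false"), or when the job itself pushes and the value is
# explicitly true (boolean or "true" — the quoted form is accepted on both
# sides so a YAML author's quoting style does not change the verdict).
#
# @param workflow [Object] parsed workflow; must respond to #jobs (id => job),
#   #steps(job) and #lines_of(regexp) as used below
# @return [Array] one finding per offending checkout step, built via #finding
def check(workflow)
  findings = []
  # Counts how many times each `uses` string has already been matched, so the
  # Nth matching step is reported on the Nth source line that declares it.
  occurrence = Hash.new(0)

  workflow.jobs.each do |_job_id, job|
    # NOTE(review): job_does_push? lives outside this block — presumably true
    # when the job pushes back to the repository and so needs the token.
    job_pushes = job_does_push?(job, workflow)

    workflow.steps(job).each do |step|
      uses = step["uses"]
      next unless uses&.match?(/actions\/checkout[@\s]|actions\/checkout$/)

      persist = (step["with"] || {})["persist-credentials"]
      next if [false, "false"].include?(persist)
      # A job that legitimately pushes may keep the token, but only when it
      # opts in explicitly.
      next if job_pushes && [true, "true"].include?(persist)

      all_lines = workflow.lines_of(/uses:\s*#{Regexp.escape(uses)}/)
      idx = occurrence[uses]
      occurrence[uses] += 1
      # Fall back to the last declaration if fewer lines than steps were found.
      line = all_lines[idx] || all_lines.last

      findings << finding(workflow,
        line: line || 0,
        code: "uses: #{uses}",
        message: "Checkout without persist-credentials: false — token persists in .git/config",
        fix: "Add persist-credentials: false to the with: block"
      )
    end
  end

  findings
end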

#description ⇒ Object



# File 'lib/rules/missing_persist_creds.rb', line 4

# Human-readable summary of what this rule detects.
#
# @return [String]
def description
  "actions/checkout without persist-credentials: false"
end

#name ⇒ Object



# File 'lib/rules/missing_persist_creds.rb', line 3

# Stable identifier of this rule, as used in reports.
#
# @return [String]
def name
  "missing-persist-credentials"
end

#severity ⇒ Object



# File 'lib/rules/missing_persist_creds.rb', line 5

# Severity assigned to findings from this rule.
#
# @return [Symbol]
def severity
  :high
end