Class: Rules::MissingPersistCreds

Inherits:
Base
  • Object
Defined in:
lib/rules/missing_persist_creds.rb


Instance Method Details

#check(workflow) ⇒ Object



# File 'lib/rules/missing_persist_creds.rb', line 7

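# Reports every actions/checkout step that does not opt out of credential
# persistence. actions/checkout defaults to persist-credentials: true, which
# leaves the job token in .git/config of the checked-out tree, where any later
# step in the same job (third-party actions, build scripts) can read it. An
# omitted key is therefore treated exactly like an explicit true.
#
# A step is NOT reported when:
#   * persist-credentials is false (boolean) or the string "false";
#   * the job pushes (job_does_push?, presumably defined in Base) AND the step
#     explicitly keeps the token (true or "true"). An omitted key in a pushing
#     job is still reported so the decision is visible in the workflow.
#
# @param workflow [Object] parsed workflow; must respond to #jobs, #steps(job)
#   and #lines_of(regex) — assumed to return matching line numbers, confirm in Base
# @return [Array] findings built by #finding (from Base, not shown here)
def check(workflow)
    findings = []
    # Counts how often each `uses:` value has already been reported so that
    # repeated checkout steps map onto successive matching lines instead of
    # all pointing at the first one.
    seen_checkout_lines = Hash.new(0)

    workflow.jobs.each do |_job_id, job|
        job_pushes = job_does_push?(job, workflow)

        workflow.steps(job).each do |step|
            uses = step["uses"]
            next unless uses&.match?(/actions\/checkout[@\s]|actions\/checkout$/)

            with = step["with"] || {}
            persist = with["persist-credentials"]

            # YAML may yield a boolean or a quoted string; accept both spellings
            # on each side so "true" is handled as consistently as "false".
            next if [false, "false"].include?(persist)
            next if job_pushes && [true, "true"].include?(persist)

            all_lines = workflow.lines_of(/uses:\s*#{Regexp.escape(uses)}/)
            idx = seen_checkout_lines[uses]
            seen_checkout_lines[uses] += 1
            # Fall back to the last match when there are more checkout steps
            # than matching lines; `line || 0` below covers no match at all.
            line = all_lines[idx] || all_lines.last

            findings << finding(workflow,
                line: line || 0,
                code: "uses: #{uses}",
                message: "Checkout without persist-credentials: false — token persists in .git/config",
                fix: "Add persist-credentials: false to the with: block"
            )
        end
    end

    findings
end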

#description ⇒ Object



# File 'lib/rules/missing_persist_creds.rb', line 4

# One-line summary of what this rule looks for, shown next to each finding.
# @return [String]
def description
    "actions/checkout without persist-credentials: false"
end

#name ⇒ Object



# File 'lib/rules/missing_persist_creds.rb', line 3

# Stable identifier of this rule (kebab-case), used to reference it in output
# and configuration.
# @return [String]
def name
    "missing-persist-credentials"
end

#severity ⇒ Object



# File 'lib/rules/missing_persist_creds.rb', line 5

# Severity assigned to every finding of this rule: a persisted token is
# readable by any later step in the job, hence :high.
# @return [Symbol]
def severity
    :high
end