Class: Rules::UnpinnedArtifact

Inherits:

Base

• Object
• Base
• Rules::UnpinnedArtifact

Defined in:

lib/rules/unpinned_artifact.rb

Constant Summary

DOWNLOAD_ARTIFACT_PATTERN =

/\bactions\/download-artifact\b/

Instance Method Summary

• #check(workflow) ⇒ Object
• #description ⇒ Object
• #name ⇒ Object
• #severity ⇒ Object

Instance Method Details

#check(workflow) ⇒ Object

# File 'lib/rules/unpinned_artifact.rb', line 9

def check(workflow)
    findings = []

    workflow.uses_actions.each do |action|
        uses = action[:uses]
        next unless uses&.match?(DOWNLOAD_ARTIFACT_PATTERN)

        step = action[:step]
        with_block = step["with"]
        has_name = with_block.is_a?(Hash) && with_block.key?("name") && !with_block["name"].nil? && with_block["name"].to_s.strip != ""

        unless has_name
            findings << finding(workflow,
                line: action[:line] || 0,
                code: "uses: #{uses}",
                message: "download-artifact without specific name downloads ALL artifacts — may include untrusted content",
                fix: "Specify artifact name: in download-artifact to avoid downloading unintended artifacts"
            )
        end
    end

    findings
end

#description ⇒ Object

# File 'lib/rules/unpinned_artifact.rb', line 4

def description = "download-artifact without specific artifact name"

#name ⇒ Object

# File 'lib/rules/unpinned_artifact.rb', line 3

def name = "unpinned-artifact"

#severity ⇒ Object

# File 'lib/rules/unpinned_artifact.rb', line 5

def severity = :medium