Class: Rules::GithubDependencyRefs

Inherits:

Base

• Object
• Base
• Rules::GithubDependencyRefs

Defined in:

lib/rules/github_dependency_refs.rb

Constant Summary

GITHUB_DEP =

Matches: npm install github:owner/repo#sha, or git+github.com/… in run blocks

/(?:npm|pnpm|yarn|bun)\s+(?:install|add)\s+.*(?:github:|git\+https:\/\/github\.com)/

Instance Method Summary

• #check(workflow) ⇒ Object
• #description ⇒ Object
• #name ⇒ Object
• #severity ⇒ Object

Instance Method Details

#check(workflow) ⇒ Object

# File 'lib/rules/github_dependency_refs.rb', line 10

def check(workflow)
    findings = []

    workflow.raw_lines.each_with_index do |line, i|
        next if line.strip.start_with?("#")

        if line.match?(GITHUB_DEP)
            findings << finding(workflow,
                line: i + 1,
                code: line.strip,
                message: "Package installed from GitHub commit/branch ref — bypasses registry integrity checks",
                fix: "Install from the package registry instead of GitHub refs"
            )
        end
    end

    findings
end

#description ⇒ Object

# File 'lib/rules/github_dependency_refs.rb', line 4

def description = "Direct GitHub commit/branch reference in package install"

#name ⇒ Object

# File 'lib/rules/github_dependency_refs.rb', line 3

def name = "github-dependency-refs"

#severity ⇒ Object

# File 'lib/rules/github_dependency_refs.rb', line 5

def severity = :medium