(t *testing.T)
| 27 | ) |
| 28 | |
| 29 | func TestDangerousWorkflow(t *testing.T) { |
| 30 | t.Parallel() |
| 31 | tests := []struct { |
| 32 | name string |
| 33 | workflowPaths []string |
| 34 | err error |
| 35 | expected scut.TestReturn |
| 36 | }{ |
| 37 | { |
| 38 | name: "no workflows is an inconclusive score", |
| 39 | workflowPaths: nil, |
| 40 | err: nil, |
| 41 | expected: scut.TestReturn{ |
| 42 | Score: checker.InconclusiveResultScore, |
| 43 | }, |
| 44 | }, |
| 45 | { |
| 46 | name: "untrusted checkout is a failing score", |
| 47 | workflowPaths: []string{".github/workflows/github-workflow-dangerous-pattern-untrusted-checkout.yml"}, |
| 48 | err: nil, |
| 49 | expected: scut.TestReturn{ |
| 50 | Score: checker.MinResultScore, |
| 51 | NumberOfWarn: 1, |
| 52 | }, |
| 53 | }, |
| 54 | { |
| 55 | name: "script injection is a failing score", |
| 56 | workflowPaths: []string{".github/workflows/github-workflow-dangerous-pattern-untrusted-script-injection.yml"}, |
| 57 | err: nil, |
| 58 | expected: scut.TestReturn{ |
| 59 | Score: checker.MinResultScore, |
| 60 | NumberOfWarn: 1, |
| 61 | }, |
| 62 | }, |
| 63 | { |
| 64 | name: "only safe workflows is passing score", |
| 65 | workflowPaths: []string{ |
| 66 | ".github/workflows/github-workflow-dangerous-pattern-safe-trigger.yml", |
| 67 | ".github/workflows/github-workflow-dangerous-pattern-trusted-checkout.yml", |
| 68 | }, |
| 69 | err: nil, |
| 70 | expected: scut.TestReturn{ |
| 71 | Score: checker.MaxResultScore, |
| 72 | }, |
| 73 | }, |
| 74 | } |
| 75 | for _, tt := range tests { |
| 76 | t.Run(tt.name, func(t *testing.T) { |
| 77 | t.Parallel() |
| 78 | dl := scut.TestDetailLogger{} |
| 79 | ctrl := gomock.NewController(t) |
| 80 | mockRepoClient := mockrepo.NewMockRepoClient(ctrl) |
| 81 | mockRepoClient.EXPECT().ListFiles(gomock.Any()).Return(tt.workflowPaths, nil) |
| 82 | mockRepoClient.EXPECT().GetFileReader(gomock.Any()).DoAndReturn(func(file string) (io.ReadCloser, error) { |
| 83 | return os.Open("./testdata/" + file) |
| 84 | }).AnyTimes() |
| 85 | |
| 86 | req := &checker.CheckRequest{ |