(t *testing.T)
| 147 | } |
| 148 | |
| 149 | func TestGithubDangerousWorkflow(t *testing.T) { |
| 150 | t.Parallel() |
| 151 | |
| 152 | type ret struct { |
| 153 | err error |
| 154 | nb int |
| 155 | } |
| 156 | tests := []struct { |
| 157 | name string |
| 158 | filename string |
| 159 | expected ret |
| 160 | }{ |
| 161 | { |
| 162 | name: "Non-yaml file", |
| 163 | filename: "script.sh", |
| 164 | expected: ret{nb: 0}, |
| 165 | }, |
| 166 | { |
| 167 | name: "run untrusted code checkout test - workflow_run", |
| 168 | filename: ".github/workflows/github-workflow-dangerous-pattern-untrusted-checkout-workflow_run.yml", |
| 169 | expected: ret{nb: 1}, |
| 170 | }, |
| 171 | { |
| 172 | name: "run untrusted code checkout test", |
| 173 | filename: ".github/workflows/github-workflow-dangerous-pattern-untrusted-checkout.yml", |
| 174 | expected: ret{nb: 1}, |
| 175 | }, |
| 176 | { |
| 177 | name: "run trusted code checkout test", |
| 178 | filename: ".github/workflows/github-workflow-dangerous-pattern-trusted-checkout.yml", |
| 179 | expected: ret{nb: 0}, |
| 180 | }, |
| 181 | { |
| 182 | name: "run default code checkout test", |
| 183 | filename: ".github/workflows/github-workflow-dangerous-pattern-default-checkout.yml", |
| 184 | expected: ret{nb: 0}, |
| 185 | }, |
| 186 | { |
| 187 | name: "run script injection", |
| 188 | filename: ".github/workflows/github-workflow-dangerous-pattern-untrusted-script-injection.yml", |
| 189 | expected: ret{nb: 1}, |
| 190 | }, |
| 191 | { |
| 192 | name: "run safe script injection", |
| 193 | filename: ".github/workflows/github-workflow-dangerous-pattern-trusted-script-injection.yml", |
| 194 | expected: ret{nb: 0}, |
| 195 | }, |
| 196 | { |
| 197 | name: "run multiple script injection", |
| 198 | filename: ".github/workflows/github-workflow-dangerous-pattern-untrusted-multiple-script-injection.yml", |
| 199 | expected: ret{nb: 2}, |
| 200 | }, |
| 201 | { |
| 202 | name: "run inline script injection", |
| 203 | filename: ".github/workflows/github-workflow-dangerous-pattern-untrusted-inline-script-injection.yml", |
| 204 | expected: ret{nb: 1}, |
| 205 | }, |
| 206 | { |