From 31bd48e04d08515da12f147312d4f13b63ff9cf7 Mon Sep 17 00:00:00 2001
From: Nayuta Ishii
Date: Fri, 15 Mar 2024 17:23:01 +0900
Subject: [PATCH 1/6] MAINT: bump create-pull-request to v6
---
 .github/workflows/depup.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/depup.yml b/.github/workflows/depup.yml
index c68ab8f..423789d 100644
--- a/.github/workflows/depup.yml
+++ b/.github/workflows/depup.yml
@@ -21,7 +21,7 @@ jobs:
 repo: reviewdog/reviewdog
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v5
+ uses: peter-evans/create-pull-request@v6
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 title: "chore(deps): update reviewdog to ${{ steps.depup.outputs.latest }}"
From 981e5bd3995638fe05efadaafb64b242575c0744 Mon Sep 17 00:00:00 2001
From: Nayuta Ishii
Date: Fri, 15 Mar 2024 19:59:49 +0900
Subject: [PATCH 2/6] Add test for fs
---
 .github/workflows/tests.yml | 85 +++++++++----------
 .../terraform}/with_detections/example.tf | 0
 .../terraform}/with_detections/main.tf | 0
 .../terraform}/without_detections/main.tf | 0
 .../fs/npm/with_detections/package-lock.json | 20 +++++
 testdata/fs/npm/with_detections/package.json | 15 ++++
 .../npm/without_detections/package-lock.json | 12 +++
 .../fs/npm/without_detections/package.json | 14 +++
 8 files changed, 102 insertions(+), 44 deletions(-)
 rename testdata/{ => config/terraform}/with_detections/example.tf (100%)
 rename testdata/{ => config/terraform}/with_detections/main.tf (100%)
 rename testdata/{ => config/terraform}/without_detections/main.tf (100%)
 create mode 100644 testdata/fs/npm/with_detections/package-lock.json
 create mode 100644 testdata/fs/npm/with_detections/package.json
 create mode 100644 testdata/fs/npm/without_detections/package-lock.json
 create mode 100644 testdata/fs/npm/without_detections/package.json
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 4961b1f..3d48b15 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml 
@@ -11,48 +11,35 @@ defaults:
 shell: bash
 jobs:
- test-check:
- name: trivy (github-check)
+ setup:
 runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.output-matrix.outputs.matrix }}
 steps:
 - uses: actions/checkout@v4
-
- - uses: ./
- continue-on-error: true
- id: test
- with:
- github_token: ${{ secrets.github_token }}
- trivy_command: config
- trivy_target: .
- reporter: github-check
- level: info
- working_directory: testdata/with_detections
-
- # The check is expected to fail on the test data
- - name: Check return codes
- if: success() || failure ()
+ - name: Set up matrix
+ id: output-matrix
 run: |
- trivy_return="${{ steps.test.outputs.trivy-return-code }}"
- reviewdog_return="${{ steps.test.outputs.reviewdog-return-code }}"
-
- if [[ "$trivy_return" -eq 1 ]]; then
- echo "trivy correctly returned failure ${trivy_return}"
- else
- echo "trivy returned ${trivy_return}, expected '1'. Failing..."
- exit 1
- fi
+ # Find all the directories in the testdata directory
+ DIRS="$(find ./testdata -type d)"
+ for dir in ${DIRS}; do
+ if [ "$(echo "${DIRS}" | grep -c "${dir}" || true)" -le 1 ]; then
+ DIRS_RESULT="${DIRS_RESULT}${dir},"
+ fi
+ done
+ MATRIX_JSON=$(echo "${DIRS_RESULT}" | sed 's/,$//' | sed 's/\\n//g' | jq -R -s -c 'split(",") | [.[] | {dir: ., command: split("/")[1], type: split("/")[4], label: [split("/")[2],split("/")[3]] | join("/")}]')
+ MATRIX="matrix={\"include\":${MATRIX_JSON}}" >> $GITHUB_OUTPUT
+ echo "${MATRIX}"
+ echo "${MATRIX}" >> $GITHUB_OUTPUT
- if [[ "$reviewdog_return" -eq 0 ]]; then
- echo "reviewdog correctly returned success: ${reviewdog_return}"
- else
- echo "reviewdog returned ${reviewdog_return}, expected '0'. Failing..."
- exit 1
- fi
-
- test-check-without-detections:
- name: trivy (github-check-without-detections)
+ test-check:
+ name: trivy (github-check)
 runs-on: ubuntu-latest
+ needs: setup
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJson(needs.setup.outputs.matrix) }}
 steps:
 - uses: actions/checkout@v4
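Review bot: `MATRIX="matrix={\"include\":${MATRIX_JSON}}" >> $GITHUB_OUTPUT` in the "Set up matrix" step redirects a bare shell assignment, which writes nothing to the output file; only the `echo "${MATRIX}" >> $GITHUB_OUTPUT` two lines later publishes the matrix, so the stray `>> $GITHUB_OUTPUT` on the assignment should be dropped (the same line is carried unchanged into the fixup hunk of patch 3). The leaf-directory test `if [ "$(echo "${DIRS}" | grep -c "${dir}" || true)" -le 1 ]` is an unanchored substring match, so a leaf whose path is a prefix of another entry would be silently excluded from the matrix; `grep -c "^${dir}/"` compared with `-eq 0` counts only real descendants. `sed 's/\\n//g'` matches a literal backslash followed by `n`, not a newline, and is a no-op on the `echo` output here. A one-line comment stating the expected layout, `# expects leaf dirs of the form ./testdata/<command>/<tool>/<with|without>_detections`, would also explain the jq indices that follow.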
@@ -62,24 +49,34 @@ jobs:
 id: test
 with:
 github_token: ${{ secrets.github_token }}
- trivy_command: config
+ trivy_command: ${{ matrix.command }}
 trivy_target: .
 reporter: github-check
 level: info
- working_directory: testdata/without_detections
+ working_directory: ${{ matrix.dir }}
 # The check is expected to fail on the test data
 - name: Check return codes
 if: success() || failure ()
 run: |
+ check_type="${{ matrix.type }}"
 trivy_return="${{ steps.test.outputs.trivy-return-code }}"
 reviewdog_return="${{ steps.test.outputs.reviewdog-return-code }}"
- if [[ "$trivy_return" -eq 0 ]]; then
- echo "trivy correctly returned success ${trivy_return}"
+ if [[ "$check_type" = "with_detections" ]]; then
+ if [[ "$trivy_return" -eq 1 ]]; then
+ echo "trivy correctly returned failure: ${trivy_return}"
+ else
+ echo "trivy returned ${trivy_return}, expected '1'. Failing..."
+ exit 1
+ fi
 else
- echo "trivy returned ${trivy_return}, expected '0'. Failing..."
- exit 1
+ if [[ "$trivy_return" -eq 0 ]]; then
+ echo "trivy correctly returned success: ${trivy_return}"
+ else
+ echo "trivy returned ${trivy_return}, expected '0'. Failing..."
+ exit 1
+ fi
 fi
 if [[ "$reviewdog_return" -eq 0 ]]; then
@@ -106,7 +103,7 @@ jobs:
 trivy_target: .
 reporter: github-pr-check
 level: info
- working_directory: testdata/with_detections
+ working_directory: testdata/config/terraform/with_detections
 # The check is expected to fail on the test data
 - name: Check return codes
@@ -146,7 +143,7 @@ jobs:
 trivy_target: .
 reporter: github-pr-review
 level: info
- working_directory: testdata/with_detections
+ working_directory: testdata/config/terraform/with_detections
 # The check is expected to fail on the test data
 # but for forked PRs reviewdog will just output
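Review bot: `check_type="${{ matrix.type }}"` at the top of the "Check return codes" script splices a matrix value straight into the shell source; that value is derived from directory names under `testdata` in the checked-out tree, so if this workflow also runs on pull_request events a directory name containing a quote or `$(` would be interpreted by the shell rather than compared as data. Passing it through the step environment keeps it out of the script text: add `env:` with `CHECK_TYPE: ${{ matrix.type }}` on the step and use `check_type="$CHECK_TYPE"` instead. The `else` branch treats every type other than `with_detections` as expecting exit code 0, so a mistyped fixture directory silently becomes a passing test; an explicit `elif [[ "$check_type" = "without_detections" ]]; then` with a trailing `else echo "unknown check type: ${check_type}"; exit 1` would fail loudly. Note too that `[[ "" -eq 0 ]]` is true in bash, so an empty `trivy-return-code` output is reported as success on that branch; a string comparison `[[ "$trivy_return" = "0" ]]` closes the gap. The `run:` block continues past the end of this hunk.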
@@ -191,7 +188,7 @@ jobs:
 trivy_target: .
 reporter: github-check
 level: info
- working_directory: testdata/with_detections
+ working_directory: testdata/config/terraform/with_detections
 # The check is expected to fail on the test data
 - name: Check return codes
diff --git a/testdata/with_detections/example.tf b/testdata/config/terraform/with_detections/example.tf
similarity index 100%
rename from testdata/with_detections/example.tf
rename to testdata/config/terraform/with_detections/example.tf
diff --git a/testdata/with_detections/main.tf b/testdata/config/terraform/with_detections/main.tf
similarity index 100%
rename from testdata/with_detections/main.tf
rename to testdata/config/terraform/with_detections/main.tf
diff --git a/testdata/without_detections/main.tf b/testdata/config/terraform/without_detections/main.tf
similarity index 100%
rename from testdata/without_detections/main.tf
rename to testdata/config/terraform/without_detections/main.tf
diff --git a/testdata/fs/npm/with_detections/package-lock.json b/testdata/fs/npm/with_detections/package-lock.json
new file mode 100644
index 0000000..514c874
--- /dev/null
+++ b/testdata/fs/npm/with_detections/package-lock.json
@@ -0,0 +1,20 @@
+{
+ "name": "npm",
+ "version": "1.0.0",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "name": "npm",
+ "version": "1.0.0",
+ "dependencies": {
+ "lodash": "^4.0.0"
+ }
+ },
+ "node_modules/lodash": {
+ "version": "4.0.0",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.0.0.tgz",
+ "integrity": "sha512-bWpSlBobTcHYK9eUzcBYHhSBGzvSzEsxocnW5+v7p6wCRlY1icneTe2ACam3mGdAu82+RLL32cmyl7TRlJHqZw=="
+ }
+ }
+}
diff --git a/testdata/fs/npm/with_detections/package.json b/testdata/fs/npm/with_detections/package.json
new file mode 100644
index 0000000..79bc80c
--- /dev/null
+++ b/testdata/fs/npm/with_detections/package.json
@@ -0,0 +1,15 @@
+{
+ "name": "npm",
+ "version": "1.0.0",
+ "description": "",
+ "main": "index.js",
+ "scripts": {
+ "test": "echo \"Error: no test specified\" && exit 1"
+ },
+ "keywords": [],
+ "author": "",
+ "license": "",
+ "dependencies": {
+ "lodash": "^4.0.0"
+ }
+}
diff --git a/testdata/fs/npm/without_detections/package-lock.json b/testdata/fs/npm/without_detections/package-lock.json
new file mode 100644
index 0000000..bce49cf
--- /dev/null
+++ b/testdata/fs/npm/without_detections/package-lock.json
@@ -0,0 +1,12 @@
+{
+ "name": "npm",
+ "version": "1.0.0",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "name": "npm",
+ "version": "1.0.0"
+ }
+ }
+}
diff --git a/testdata/fs/npm/without_detections/package.json b/testdata/fs/npm/without_detections/package.json
new file mode 100644
index 0000000..b959061
--- /dev/null
+++ b/testdata/fs/npm/without_detections/package.json
@@ -0,0 +1,14 @@
+{
+ "name": "npm",
+ "version": "1.0.0",
+ "description": "",
+ "main": "index.js",
+ "scripts": {
+ "test": "echo \"Error: no test specified\" && exit 1"
+ },
+ "keywords": [],
+ "author": "",
+ "license": "",
+ "dependencies": {
+ }
+}
From 1d5ca4c1dff6b85215969eb6c85db7c7b85a2e10 Mon Sep 17 00:00:00 2001
From: Nayuta Ishii
Date: Fri, 15 Mar 2024 21:16:11 +0900
Subject: [PATCH 3/6] fixup! Add test for fs
---
 .github/workflows/tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 3d48b15..9348568 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
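Review bot: `"lodash": "^4.0.0"` in the with_detections package.json, resolved to `4.0.0` by the accompanying lockfile, is what makes the `fs` scan produce findings, but nothing records that intent, and a stray `npm install` in that directory could refresh the lock to a newer 4.x release and turn the expected trivy return code of 1 into a failing test. package.json has no comment syntax, so the intent is best kept next to the consumer: a short README in `testdata/fs/npm/` or a comment in tests.yml such as `# testdata/fs fixtures pin an old lodash on purpose; do not run npm install there` would preserve it.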
@@ -28,7 +28,7 @@ jobs:
 DIRS_RESULT="${DIRS_RESULT}${dir},"
 fi
 done
- MATRIX_JSON=$(echo "${DIRS_RESULT}" | sed 's/,$//' | sed 's/\\n//g' | jq -R -s -c 'split(",") | [.[] | {dir: ., command: split("/")[1], type: split("/")[4], label: [split("/")[2],split("/")[3]] | join("/")}]')
+ MATRIX_JSON=$(echo "${DIRS_RESULT}" | sed 's/,$//' | sed 's/\\n//g' | jq -R -s -c 'split(",") | [.[] | {dir: ., command: split("/")[2], type: split("/")[4], label: [split("/")[2],split("/")[3]] | join("/")}]')
 MATRIX="matrix={\"include\":${MATRIX_JSON}}" >> $GITHUB_OUTPUT
 echo "${MATRIX}"
 echo "${MATRIX}" >> $GITHUB_OUTPUT
From abcda0d04eaf2084115ec7e42d061c88900a314f Mon Sep 17 00:00:00 2001
From: Nayuta Ishii
Date: Tue, 11 Jun 2024 23:01:36 +0900
Subject: [PATCH 4/6] Add Dockerfile test
---
 testdata/config/docker/with_detections/Dockerfile | 12 ++++++++++++
 .../config/docker/without_detections/Dockerfile | 14 ++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 testdata/config/docker/with_detections/Dockerfile
 create mode 100644 testdata/config/docker/without_detections/Dockerfile
diff --git a/testdata/config/docker/with_detections/Dockerfile b/testdata/config/docker/with_detections/Dockerfile
new file mode 100644
index 0000000..aab4919
--- /dev/null
+++ b/testdata/config/docker/with_detections/Dockerfile
@@ -0,0 +1,12 @@
+FROM alpine:latest
+
+RUN apk add --no-cache curl
+
+COPY . /app
+
+WORKDIR /app
+
+#HEALTHCHECK --interval=30s --timeout=3s \
+# CMD curl -f http://localhost/ || exit 1
+
+CMD [ "python", "app.py" ]
diff --git a/testdata/config/docker/without_detections/Dockerfile b/testdata/config/docker/without_detections/Dockerfile
new file mode 100644
index 0000000..483860e
--- /dev/null
+++ b/testdata/config/docker/without_detections/Dockerfile
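Review bot: The corrected `MATRIX_JSON=` line now reads `command: split("/")[2]`, `type: split("/")[4]` and `label` from segments 2 and 3, which hard-codes the assumption that `find ./testdata` yields exactly `./testdata/<command>/<tool>/<with|without>_detections`; nothing states that, and a fixture nested one level deeper or shallower would give a null `type`, which the "Check return codes" step then treats as a success case rather than an error. A comment directly above the line, `# find prints ./testdata/<command>/<tool>/<type>: [2]=trivy command, [2]/[3]=label, [4]=with|without_detections`, would make the index fix self-explaining. If layout mistakes should surface in the setup job rather than in the matrix jobs, a jq guard that fails when an entry has fewer than five segments is the natural place for it.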
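Review bot: The with_detections Dockerfile does not record which of its lines are meant to trigger findings, so when Trivy's misconfiguration checks change, the expected `trivy-return-code` of 1 in tests.yml cannot be traced to a specific instruction. The visible candidates are the floating `FROM alpine:latest` tag, the absence of any `USER` instruction and the commented-out `HEALTHCHECK` pair; a header such as `# Fixture: intentionally misconfigured (latest tag, no USER, HEALTHCHECK commented out) so `trivy config` reports findings` would pin that down. The `CMD [ "python", "app.py" ]` with no python package installed is harmless for a scan-only fixture but is worth naming in the same comment so nobody "fixes" it.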
@@ -0,0 +1,14 @@
+FROM alpine:3.20
+
+RUN apk add --no-cache curl
+
+COPY . /app
+
+WORKDIR /app
+
+USER app
+
+HEALTHCHECK --interval=30s --timeout=3s \
+ CMD curl -f http://localhost/ || exit 1
+
+CMD [ "python", "app.py" ]
From 8906cf9edd5ed4766785d3f1626eca5f0282e94d Mon Sep 17 00:00:00 2001
From: Nayuta Ishii
Date: Tue, 11 Jun 2024 23:16:55 +0900
Subject: [PATCH 5/6] Add testing params
---
 .github/workflows/tests.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 9348568..eae4163 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -54,6 +54,11 @@ jobs:
 reporter: github-check
 level: info
 working_directory: ${{ matrix.dir }}
+ # Below are for testing purposes
+ filter_mode: nofilter # Check all files, not just the diff
+ fail_on_error: false # Fail action if errors are found
+ flags: -tee # Add debug flag to reviewdog
+ trivy_flags: "" # Optional
 # The check is expected to fail on the test data
 - name: Check return codes
From d20b7d361f8afcf843d6cbe1532e854b587b65de Mon Sep 17 00:00:00 2001
From: Nayuta Ishii
Date: Wed, 26 Jun 2024 19:11:54 +0900
Subject: [PATCH 6/6] Revert "Add testing params"
This reverts commit 8906cf9edd5ed4766785d3f1626eca5f0282e94d.
---
 .github/workflows/tests.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index eae4163..9348568 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -54,11 +54,6 @@ jobs:
 reporter: github-check
 level: info
 working_directory: ${{ matrix.dir }}
- # Below are for testing purposes
- filter_mode: nofilter # Check all files, not just the diff
- fail_on_error: false # Fail action if errors are found
- flags: -tee # Add debug flag to reviewdog
- trivy_flags: "" # Optional
 # The check is expected to fail on the test data
 - name: Check return codes
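Review bot: `USER app` switches to an account that no earlier instruction creates (`RUN apk add --no-cache curl` is the only package step and there is no `adduser`), and `CMD [ "python", "app.py" ]` runs an interpreter that is never installed, so this image would not work if built; that is acceptable for a fixture that is only scanned, but nothing says so. A leading comment, `# Fixture: scanned by `trivy config` only, never built; differs from ../with_detections by pinning the tag, adding USER and enabling HEALTHCHECK`, would keep the contrast with the sibling fixture explicit and stop a reader from "repairing" it. `alpine:3.20` is itself a floating minor tag; if the goal is only to avoid `latest` that is sufficient, otherwise a digest pin is the usual form.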
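Review bot: The inline comment on `fail_on_error: false # Fail action if errors are found` in patch 5 states the opposite of the value it annotates: `false` means the action does not fail on findings, which is exactly what the following "Check return codes" step relies on, so it should read `fail_on_error: false # Do not fail the step; return codes are checked below`. `flags: -tee # Add debug flag to reviewdog` is also doubtful, since reviewdog's `-tee` mirrors its input to stdout rather than enabling debug output, so the comment should describe what it actually does. Patch 6 reverts this hunk wholesale, so the series leaves tests.yml unchanged here; if the intent was only to experiment locally, the pair is best dropped when the series is squashed.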