Travis Truman
69575bbd60
feat: emit pedantic finding for tagged OCI images (#740)
Co-authored-by: William Woodruff <william@yossarian.net>
2025-05-02 17:52:53 +00:00
William Woodruff
e7d8899eec
chore(docs): put examples in example blocks (#739)
Signed-off-by: William Woodruff <william@yossarian.net>
2025-05-02 16:40:32 +00:00
Travis Truman
58a6596c33
feat: add unpinned-container-images check (#733)
Co-authored-by: William Woodruff <william@yossarian.net>
2025-05-02 12:28:18 -04:00
Jan Holthuis
0effad5b06
New Audit unsound-contains: Checks for problematic contains() usage (#577)
Co-authored-by: William Woodruff <william@yossarian.net>
2025-05-02 05:14:09 +00:00
William Woodruff
4a9211a79c
bugfix: fix edge case in remote audit input collection (#731)
2025-05-01 10:52:33 -04:00
Marcono1234
d55fb35ff3
doc: mention insta --force-update-snapshots (#728)
2025-04-30 21:53:58 +00:00
William Woodruff
4921e0029b
chore(docs): bump trophies (#727)
Signed-off-by: William Woodruff <william@yossarian.net>
2025-04-30 17:47:50 +00:00
William Woodruff
d5c3bcdeb3
feat: more informative error message (#719)
Co-authored-by: reandreev <58111850+reandreev@users.noreply.github.com>
2025-04-30 00:38:44 -04:00
Marcono1234
ebca08dd02
feat: new audit: stale-action-refs (#713)
Co-authored-by: William Woodruff <william@yossarian.net>
2025-04-30 03:07:37 +00:00
William Woodruff
d1ff64357b
chore(docs): bump trophies (#717)
Signed-off-by: William Woodruff <william@yossarian.net>
2025-04-30 02:59:10 +00:00
William Woodruff
cf4918f6a7
chore(docs): bump trophies (#715)
Signed-off-by: William Woodruff <william@yossarian.net>
2025-04-29 16:23:47 +00:00
William Woodruff
c0cccc22de
chore(docs): bump trophies (#712)
Signed-off-by: William Woodruff <william@yossarian.net>
2025-04-29 15:08:18 +00:00
William Woodruff
27f820c7b9
bugfix: sarif: prefix ID, add rule names (#710)
2025-04-29 10:29:16 -04:00
William Woodruff
9cd012b752
chore(docs): bump trophies (#708)
Signed-off-by: William Woodruff <william@yossarian.net>
2025-04-29 02:41:23 +00:00
William Woodruff
f8ed4fee2b
chore(docs): bump trophies (#706)
2025-04-28 22:42:24 +00:00
William Woodruff
fd8bd06b2c
chore(docs): hash-pin setup-uv in usage.md (#705)
2025-04-28 21:25:57 +00:00
William Woodruff
d3b7eb86c1
chore(docs): update trophies (#700)
2025-04-27 23:27:19 +00:00
William Woodruff
b3094b1d2e
chore(docs): update trophies (#699)
2025-04-27 21:43:29 +00:00
William Woodruff
bc35a413e6
chore(docs): bump trophies (#694)
2025-04-24 18:37:04 +00:00
Marcono1234
1514afd84e
docs: extend remediation for dangerous-triggers (#692)
Co-authored-by: William Woodruff <william@yossarian.net>
2025-04-24 17:37:55 +00:00
William Woodruff
e0dfef80fe
feat: new audit: obfuscation (#683)
2025-04-23 21:32:48 +00:00
Marcono1234
2c1c91ce65
docs: recommend GitHubSecurityLab/actions-permissions (#688)
Co-authored-by: William Woodruff <william@yossarian.net>
2025-04-23 18:54:23 +00:00
William Woodruff
7b4e76e94b
chore(docs): clarify default rule in explicit config (#687)
2025-04-22 16:04:25 +00:00
William Woodruff
fb0e31e3c2
docs: bump trophies (#682)
2025-04-19 22:24:40 -04:00
William Woodruff
fb8520bdd5
chore: prep for release 1.6.0 (#681)
2025-04-19 22:13:28 -04:00
William Woodruff
d922717d80
feat: generalize RepositoryUsesPattern (#670)
2025-04-16 23:29:26 -04:00
William Woodruff
db3072104c
bugfix: template-injection: mark another context as safe (#675)
2025-04-16 19:02:27 +00:00
William Woodruff
07d2c2401d
docs: bump trophies (#671)
Signed-off-by: William Woodruff <william@yossarian.net>
2025-04-15 21:53:38 +00:00
William Woodruff
8b23a9e577
feat: new audit: forbidden-uses (#664)
Co-authored-by: Jan Holthuis <jan.holthuis@ruhr-uni-bochum.de>
2025-04-14 21:13:49 -04:00
William Woodruff
c4600e99fd
chore(docs): bump trophies (#668)
2025-04-14 19:41:18 +00:00
William Woodruff
83297264aa
feat: rewrite unpinned-uses, fold in forbidden-uses (#663)
Co-authored-by: Jan Holthuis <jan.holthuis@ruhr-uni-bochum.de>
2025-04-13 16:00:55 -04:00
William Woodruff
14f9bbebb3
bugfix: github.job is not a template injection risk (#661)
2025-04-10 20:12:54 +00:00
William Woodruff
9b1ec923be
bugfix: bump yamlpath, fix #659 (#660)
2025-04-10 11:15:38 -04:00
William Woodruff
5ebba3e220
feat: add JSON format versioning (#657)
* feat: add JSON format versioning
* docs: bump snippets, add PR
2025-04-07 20:18:50 -04:00
William Woodruff
f823fcedfc
usage: note when --format=github is available (#656)
2025-04-07 23:54:32 +00:00
William Woodruff
4d5c79a582
cli: add a "GitHub" output format (#634)
* cli: add a "GitHub" output format
Closes #633.
Signed-off-by: William Woodruff <william@yossarian.net>
* try using SARIF path
Signed-off-by: William Woodruff <william@yossarian.net>
* fix lines
Signed-off-by: William Woodruff <william@yossarian.net>
* fmt
Signed-off-by: William Woodruff <william@yossarian.net>
* add --no-exit-codes
Signed-off-by: William Woodruff <william@yossarian.net>
* bump help snippet
Signed-off-by: William Woodruff <william@yossarian.net>
* bump snippet
Signed-off-by: William Woodruff <william@yossarian.net>
* integration test for github output
Signed-off-by: William Woodruff <william@yossarian.net>
* github: output tweaks
* update snapshot
* test-output: test GitHub output on just one file
* remove columns
* bump snapshot
* try something else
Signed-off-by: William Woodruff <william@yossarian.net>
* fixup snapshot
Signed-off-by: William Woodruff <william@yossarian.net>
* one last hack
Signed-off-by: William Woodruff <william@yossarian.net>
* add primary annotation to message
Signed-off-by: William Woodruff <william@yossarian.net>
* usage: document --format=github, add integration docs
Signed-off-by: William Woodruff <william@yossarian.net>
* docs: update release notes
---------
Signed-off-by: William Woodruff <william@yossarian.net>
2025-04-07 19:51:19 -04:00
William Woodruff
2f0227dde0
chore(docs): bump trophies (#655)
Signed-off-by: William Woodruff <william@yossarian.net>
2025-04-07 19:01:43 +00:00
William Woodruff
493c9ecce0
bugfix: bump github-actions-models to 0.28.0 (#653)
* bugfix: bump github-actions-models to 0.28.0
Fixes #650.
Signed-off-by: William Woodruff <william@yossarian.net>
* docs: record changes
Signed-off-by: William Woodruff <william@yossarian.net>
---------
Signed-off-by: William Woodruff <william@yossarian.net>
2025-04-07 14:13:36 -04:00
William Woodruff
984db1c65e
bugfix: bump github-actions-models to 0.27.0 (#649)
* bugfix: bump github-actions-models to 0.27.0
See #646.
* docs: update release notes
2025-04-06 10:27:25 -04:00
William Woodruff
059e7187b3
bugfix: cache-poisoning: fix false positive for docker/setup-buildx-action (#644)
* bugfix: cache-poisoning: fix false positive for docker/setup-buildx-action
Fixes #642.
* cleanup
* update jdx/mise-action coordinate
* release-notes: record changes
2025-04-04 20:57:35 -04:00
Risu
0a0de30a2f
feat: cache-poisoning: add jdx/mise-action to cache aware actions (#645)
* feat: cache-poisoning: add jdx/mise-action to cache aware actions
* docs: record changes
Signed-off-by: William Woodruff <william@yossarian.net>
---------
Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: William Woodruff <william@yossarian.net>
2025-04-04 13:32:48 -04:00
William Woodruff
ccd4178eb5
feat: basic dataflow for context expansion (#640)
* feat: basic dataflow for context expansion
WIP. This will make audits like `template-injection` more
precise.
Signed-off-by: William Woodruff <william@yossarian.net>
* make it work
Signed-off-by: William Woodruff <william@yossarian.net>
* tests
Signed-off-by: William Woodruff <william@yossarian.net>
* fixup, more tests
Signed-off-by: William Woodruff <william@yossarian.net>
* comments
Signed-off-by: William Woodruff <william@yossarian.net>
* rename function, add more tests
* fixup release notes
---------
Signed-off-by: William Woodruff <william@yossarian.net>
2025-04-01 23:44:19 -04:00
William Woodruff
47bd0d9fc8
docs: bump trophies (#641)
Signed-off-by: William Woodruff <william@yossarian.net>
2025-04-01 22:33:03 +00:00
William Woodruff
67fdebff77
docs: add a callout about SARIF exit code behavior (#630)
Signed-off-by: William Woodruff <william@yossarian.net>
2025-03-29 01:23:52 +02:00
William Woodruff
a0c9e5ddae
bugfix: add github.event.pull_request.head.sha as a safe context (#636)
* bugfix: add `github.event.pull_request.head.sha` as a safe context
Signed-off-by: William Woodruff <william@yossarian.net>
* release-notes: record changes
Signed-off-by: William Woodruff <william@yossarian.net>
---------
Signed-off-by: William Woodruff <william@yossarian.net>
2025-03-28 21:08:26 +00:00
Michael Mior
ae47960558
Add jsonpath-ng to the trophy case (#632)
2025-03-26 16:53:44 +00:00
William Woodruff
2a4f72dbb9
feat: attempt to mark SARIF results as security findings (#631)
* feat: attempt to mark SARIF results as security findings
Signed-off-by: William Woodruff <william@yossarian.net>
* try additional_properties
Signed-off-by: William Woodruff <william@yossarian.net>
* fix type
Signed-off-by: William Woodruff <william@yossarian.net>
* security-severity does not work as expected
Signed-off-by: William Woodruff <william@yossarian.net>
* docs: record changes
Signed-off-by: William Woodruff <william@yossarian.net>
---------
Signed-off-by: William Woodruff <william@yossarian.net>
2025-03-26 00:05:41 +00:00
William Woodruff
0c590a6e14
chore: prep for v1.5.2 release (#623)
Signed-off-by: William Woodruff <william@yossarian.net>
2025-03-23 14:52:59 +00:00
William Woodruff
fcedd86d1a
bugfix: sarif: add working directory to invocation (#621)
* bugfix: sarif: add working directory to invocation
Signed-off-by: William Woodruff <william@yossarian.net>
* ci: add test-sarif workflow
Signed-off-by: William Woodruff <william@yossarian.net>
* sarif: tweak tool name in debug mode
Signed-off-by: William Woodruff <william@yossarian.net>
* tweak name
Signed-off-by: William Woodruff <william@yossarian.net>
* change category
Signed-off-by: William Woodruff <william@yossarian.net>
* sarif: remove uri_base_id
Signed-off-by: William Woodruff <william@yossarian.net>
* Revert "sarif: remove uri_base_id"
This reverts commit 4d3f29784f.
* remove debug tweak
Signed-off-by: William Woodruff <william@yossarian.net>
* don't bother with file:// prefix
Signed-off-by: William Woodruff <william@yossarian.net>
* fix type
Signed-off-by: William Woodruff <william@yossarian.net>
* hackety hack
Signed-off-by: William Woodruff <william@yossarian.net>
* hackety hack
Signed-off-by: William Woodruff <william@yossarian.net>
* hackety hack
Signed-off-by: William Woodruff <william@yossarian.net>
* Revert "hackety hack"
This reverts commit 40c62246ed.
* re-add file://
Signed-off-by: William Woodruff <william@yossarian.net>
* Reapply "hackety hack"
This reverts commit c5ee0835c1.
* tweak sarif_path
Signed-off-by: William Woodruff <william@yossarian.net>
* remove all CWD handling
Signed-off-by: William Woodruff <william@yossarian.net>
* ci: try leaving a comment
Signed-off-by: William Woodruff <william@yossarian.net>
* fix perm
Signed-off-by: William Woodruff <william@yossarian.net>
* tweaks
Signed-off-by: William Woodruff <william@yossarian.net>
* docs: record changes
Signed-off-by: William Woodruff <william@yossarian.net>
* registry: document InputKey::sarif_path()
Signed-off-by: William Woodruff <william@yossarian.net>
* remove zizmor/ prefix
See #622.
Signed-off-by: William Woodruff <william@yossarian.net>
---------
Signed-off-by: William Woodruff <william@yossarian.net>
2025-03-23 14:46:42 +00:00
William Woodruff
f6c0af21ac
docs: bump trophies (#620)
Signed-off-by: William Woodruff <william@yossarian.net>
2025-03-22 00:36:59 +00:00