feat: support disabling deny_inherit_secrets #464

Status: Merged (2 commits), Jun 6, 2024
20 changes: 11 additions & 9 deletions README.md
Expand Up @@ -101,12 +101,22 @@ You can specify the configuration file with the command line option `-config (-c
ghalint -c foo.yaml run
```

You can exclude the policy `job_secrets` and `action_ref_should_be_full_length_commit_sha`.
### Disable policies

You can disable the following policies.

- [deny_inherit_secrets](docs/policies/004.md)
- [job_secrets](docs/policies/006.md)
- [action_ref_should_be_full_length_commit_sha](docs/policies/008.md)
- [github_app_should_limit_repositories](docs/policies/009.md)

e.g.

```yaml
excludes:
- policy_name: deny_inherit_secrets
workflow_file_path: .github/workflows/actionlint.yaml
job_name: actionlint
- policy_name: job_secrets
workflow_file_path: .github/workflows/actionlint.yaml
job_name: actionlint
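Review bot: the new `deny_inherit_secrets` example targets the `actionlint` job in `.github/workflows/actionlint.yaml`, but `secrets: inherit` is only valid on a job that calls a reusable workflow (`uses: owner/repo/.github/workflows/x.yaml@ref`), so a lint job is a misleading illustration of when this exclude is ever needed. Use a job that actually calls a reusable workflow, and mirror the one-line caveat from docs/policies/004.md that excluding is not recommended and the preferred fix is to pass only the required secrets explicitly (which is also what the policy's error message tells the user).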
Expand All @@ -118,14 +128,6 @@ excludes:
step_id: create_token
```

### excludes[].policy_name

Required. You can exclude only the following policies.

- [job_secrets](docs/policies/006.md)
- [action_ref_should_be_full_length_commit_sha](docs/policies/008.md)
- [github_app_should_limit_repositories](docs/policies/009.md)

## Environment variables

- `GHALINT_CONFIG`: Configuration file path
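Review bot: deleting the `### excludes[].policy_name` section also drops the statement that `policy_name` is required, and the README now nowhere says which keys each policy's exclude needs. The new "Disable policies" list names the four policies but not their fields, while `validate` in pkg/config/config.go rejects a `deny_inherit_secrets` or `job_secrets` exclude without `workflow_file_path` and `job_name`, and a `github_app_should_limit_repositories` exclude without `workflow_file_path` or `action_file_path`. Keep a short per-policy list of required keys here, or link each policy's "How to ignore the violation" section, so users don't have to discover the rules from the error messages.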
17 changes: 17 additions & 0 deletions docs/policies/004.md
Expand Up @@ -27,3 +27,20 @@ jobs:
## Why?

Secrets should be exposed to only required jobs.

## How to ignore the violation

We don't recommend, but if you want to ignore the violation of this policy, please configure it with [the configuration file](../../README.md#configuration-file).

e.g.

ghalint.yaml

```yaml
excludes:
- policy_name: deny_inherit_secrets
workflow_file_path: .github/workflows/actionlint.yaml
job_name: actionlint
```

`policy_name`, `workflow_file_path`, and `job_name` are required.
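Review bot: "We don't recommend, but if you want to ignore the violation" is missing its object; "We don't recommend it, but if you need to ignore a violation of this policy" reads correctly. It would also help to show the compliant alternative before the exclude, i.e. the calling job listing only the secrets it needs under `secrets:` instead of `secrets: inherit`, so the exclude is clearly the last resort rather than the documented fix, consistent with the policy's own error text ("Only required secrets should be passed explicitly").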
7 changes: 7 additions & 0 deletions pkg/config/config.go
Expand Up @@ -76,6 +76,13 @@ func validate(exclude *Exclude) error { //nolint:cyclop
if exclude.JobName == "" {
return errors.New(`job_name is required to exclude job_secrets`)
}
case "deny_inherit_secrets":
if exclude.WorkflowFilePath == "" {
return errors.New(`workflow_file_path is required to exclude deny_inherit_secrets`)
}
if exclude.JobName == "" {
return errors.New(`job_name is required to exclude deny_inherit_secrets`)
}
case "github_app_should_limit_repositories":
if exclude.WorkflowFilePath == "" && exclude.ActionFilePath == "" {
return errors.New(`workflow_file_path or action_file_path is required to exclude github_app_should_limit_repositories`)
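Review bot: the new `case "deny_inherit_secrets":` is a verbatim copy of the `job_secrets` case above it except for the policy name in the two messages. Fold them into `case "job_secrets", "deny_inherit_secrets":` and build the message with `fmt.Errorf("workflow_file_path is required to exclude %s", exclude.PolicyName)` (likewise for `job_name`), so the next policy that needs the same pair doesn't add a third copy and `validate` stops needing the `//nolint:cyclop`. Separately, only the presence of the two required keys is checked: a `deny_inherit_secrets` exclude that also sets `step_id` or `action_file_path` is accepted silently; rejecting keys the policy does not use would make a mis-written exclude fail at config load instead of being quietly ignored or over-matching.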
5 changes: 4 additions & 1 deletion pkg/policy/deny_inherit_secrets.go
Expand Up @@ -18,7 +18,10 @@ func (p *DenyInheritSecretsPolicy) ID() string {
return "004"
}

func (p *DenyInheritSecretsPolicy) ApplyJob(_ *logrus.Entry, _ *config.Config, _ *JobContext, job *workflow.Job) error {
func (p *DenyInheritSecretsPolicy) ApplyJob(_ *logrus.Entry, cfg *config.Config, jobCtx *JobContext, job *workflow.Job) error {
if checkExcludes(p.Name(), jobCtx, cfg) {
return nil
}
if job.Secrets.Inherit() {
return errors.New("`secrets: inherit` should not be used. Only required secrets should be passed explicitly")
}
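Review bot: `checkExcludes(p.Name(), jobCtx, cfg)` now runs unconditionally, and the previous signature accepted `nil` for both `cfg` and `jobCtx` (the old test called `p.ApplyJob(logE, nil, nil, job)`). If any caller still passes nil for either, this is a nil dereference unless `checkExcludes` guards it; either confirm every call site supplies a non-nil config and job context, or have `checkExcludes` return false on nil input. Also consider including the workflow path and job name in the returned error so the user can map the violation directly onto the `workflow_file_path` and `job_name` keys an exclude needs, unless the caller already adds that context.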
67 changes: 62 additions & 5 deletions pkg/policy/deny_inherit_secrets_test.go
@@ -1,9 +1,11 @@
//nolint:funlen
package policy_test

import (
"testing"

"github.com/sirupsen/logrus"
"github.com/suzuki-shunsuke/ghalint/pkg/config"
"github.com/suzuki-shunsuke/ghalint/pkg/policy"
"github.com/suzuki-shunsuke/ghalint/pkg/workflow"
"gopkg.in/yaml.v3"
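Review bot: the `//nolint:funlen` placed above the `package` clause disables funlen for the whole file, not just `TestDenyInheritSecretsPolicy_ApplyJob`; put it on the function declaration line instead so any helper added to this file later is still checked.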
Expand All @@ -12,17 +14,72 @@ import (
func TestDenyInheritSecretsPolicy_ApplyJob(t *testing.T) {
t.Parallel()
data := []struct {
name string
job string
isErr bool
name string
job string
cfg *config.Config
jobCtx *policy.JobContext
isErr bool
}{
{
name: "error",
name: "exclude",
cfg: &config.Config{
Excludes: []*config.Exclude{
{
PolicyName: "deny_inherit_secrets",
WorkflowFilePath: ".github/workflows/test.yaml",
JobName: "foo",
},
},
},
jobCtx: &policy.JobContext{
Workflow: &policy.WorkflowContext{
FilePath: ".github/workflows/test.yaml",
},
Name: "foo",
},
job: `secrets: inherit`,
},
{
name: "not exclude",
cfg: &config.Config{
Excludes: []*config.Exclude{
{
PolicyName: "deny_inherit_secrets",
WorkflowFilePath: ".github/workflows/test.yaml",
JobName: "bar",
},
},
},
jobCtx: &policy.JobContext{
Workflow: &policy.WorkflowContext{
FilePath: ".github/workflows/test.yaml",
},
Name: "foo",
},
job: `secrets: inherit`,
isErr: true,
},
{
name: "error",
job: `secrets: inherit`,
cfg: &config.Config{},
jobCtx: &policy.JobContext{
Workflow: &policy.WorkflowContext{
FilePath: ".github/workflows/test.yaml",
},
Name: "foo",
},
isErr: true,
},
{
name: "pass",
cfg: &config.Config{},
jobCtx: &policy.JobContext{
Workflow: &policy.WorkflowContext{
FilePath: ".github/workflows/test.yaml",
},
Name: "foo",
},
job: `secrets:
foo: ${{secrets.API_KEY}}`,
},
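Review bot: the "exclude" and "not exclude" cases differ only in `JobName`, so a `checkExcludes` that ignored `WorkflowFilePath` or `PolicyName` would still pass this table. Add a case where the job name matches but the exclude's `WorkflowFilePath` is a different file, and one where an exclude for a different policy (e.g. `PolicyName: "job_secrets"`) targets the same workflow and job, both with `isErr: true`. The `cfg: &config.Config{}` cases also leave `Excludes` nil, which is fine, but one case passing a nil `cfg` (the value the old call site used) would pin down whether that is still supported or should be rejected.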
Expand All @@ -37,7 +94,7 @@ func TestDenyInheritSecretsPolicy_ApplyJob(t *testing.T) {
if err := yaml.Unmarshal([]byte(d.job), job); err != nil {
t.Fatal(err)
}
if err := p.ApplyJob(logE, nil, nil, job); err != nil {
if err := p.ApplyJob(logE, d.cfg, d.jobCtx, job); err != nil {
if d.isErr {
return
}
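Review bot: on the `err != nil` path the case returns as soon as `d.isErr` is set without looking at the error, so an error from any other cause passes as the expected violation; assert that `err.Error()` contains "`secrets: inherit` should not be used" (or compare against the policy's message) so the test distinguishes the policy firing from an unrelated failure.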