* Add SAST Pysa probe
Signed-off-by: David Korczynski <david@adalogics.com>
* Add Pysa positive unit test
Signed-off-by: David Korczynski <david@adalogics.com>
* Add Qodana as well
Signed-off-by: David Korczynski <david@adalogics.com>
* fix some styling
Signed-off-by: David Korczynski <david@adalogics.com>
* fix some messaging
Signed-off-by: David Korczynski <david@adalogics.com>
* checks: raw: sast: dedup by way of regex
Ref: #3745
Signed-off-by: David Korczynski <david@adalogics.com>
* deduplicate SAST score checker
Signed-off-by: David Korczynski <david@adalogics.com>
* fix styling
Signed-off-by: David Korczynski <david@adalogics.com>
* fix styling
Signed-off-by: David Korczynski <david@adalogics.com>
* Rename variables appropriately
Signed-off-by: David Korczynski <david@adalogics.com>
* fix error message
Signed-off-by: David Korczynski <david@adalogics.com>
* rename useRegex to usesRegex and add comment
Signed-off-by: David Korczynski <david@adalogics.com>
* Force regex to compile
Signed-off-by: David Korczynski <david@adalogics.com>
---------
Signed-off-by: David Korczynski <david@adalogics.com>
Between the 3 existing detected SAST tools, there's a lot of duplication:

scorecard/checks/raw/sast.go, lines 57 to 75 in 2ef20f1

(although getSonarWorkflows might be a special case?)

Especially as more tools are added (#3743), we shouldn't have the same code copy/pasted for each workflow detection.

It seems like there's a common state for these GitHub Action detections: mapping some SASTWorkflowType value (Snyk, Sonar, CodeQL, etc.) to some action regex:

Snyk: strings.HasPrefix(action, "snyk/actions/")
CodeQL: action == "github/codeql-action/analyze"

So as regex maybe?

Snyk: "^snyk/actions/.*" (prefix)
CodeQL: "^github/codeql-action/analyze$" full match
Qodana: "^JetBrains/qodana-action$" full match
Pysa: "^facebook/pysa-action$" full match
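The table-driven detection the issue proposes, written out as an added example in Go. This is not scorecard's own code: the SASTWorkflowType constant names, the DetectSASTTool/DetectSASTTools functions and the actionName helper are assumptions made here. The helper strips the "@ref" suffix from a workflow `uses:` value before matching, because the full-match patterns ("^github/codeql-action/analyze$") would otherwise never match a real "github/codeql-action/analyze@v3" reference. The patterns are compiled once with regexp.MustCompile so a bad pattern fails at startup rather than silently matching nothing, and they are anchored with ^ so the owner segment has to match exactly.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SASTWorkflowType names a SAST tool detected from a GitHub Actions workflow.
// Hypothetical mirror of the type discussed in the issue; not scorecard's code.
type SASTWorkflowType string

const (
	SnykWorkflow   SASTWorkflowType = "Snyk"
	CodeQLWorkflow SASTWorkflowType = "CodeQL"
	QodanaWorkflow SASTWorkflowType = "Qodana"
	PysaWorkflow   SASTWorkflowType = "Pysa"
)

// sastActionRegexes is the single table the issue proposes: one compiled
// pattern per tool instead of one hand-written check function per tool.
// regexp.MustCompile panics on a bad pattern at init time, so a typo in the
// table is caught before any detection runs.
var sastActionRegexes = map[SASTWorkflowType]*regexp.Regexp{
	SnykWorkflow:   regexp.MustCompile(`^snyk/actions/.*`),
	CodeQLWorkflow: regexp.MustCompile(`^github/codeql-action/analyze$`),
	QodanaWorkflow: regexp.MustCompile(`^JetBrains/qodana-action$`),
	PysaWorkflow:   regexp.MustCompile(`^facebook/pysa-action$`),
}

// actionName strips the "@ref" suffix from a workflow `uses:` value
// ("github/codeql-action/analyze@v3" -> "github/codeql-action/analyze").
// Assumption: the full-match patterns above are applied to the ref-less name.
func actionName(uses string) string {
	if i := strings.IndexByte(uses, '@'); i >= 0 {
		return uses[:i]
	}
	return uses
}

// DetectSASTTool returns the tool whose pattern matches the action and
// false if none does. Because every pattern is anchored with ^, the owner
// segment must match exactly: an action published under a different owner
// ("someone/snyk/actions/node") is not mistaken for the real one.
func DetectSASTTool(uses string) (SASTWorkflowType, bool) {
	name := actionName(uses)
	for tool, re := range sastActionRegexes {
		if re.MatchString(name) {
			return tool, true
		}
	}
	return "", false
}

// DetectSASTTools runs the detection over every `uses:` string collected
// from a repository's workflows and reports each tool at most once, however
// many jobs reference it.
func DetectSASTTools(uses []string) map[SASTWorkflowType]bool {
	found := map[SASTWorkflowType]bool{}
	for _, u := range uses {
		if tool, ok := DetectSASTTool(u); ok {
			found[tool] = true
		}
	}
	return found
}

func main() {
	// Constructed sample of `uses:` values, as they would be gathered from
	// a repository's .github/workflows files.
	sample := []string{
		"actions/checkout@v4",
		"github/codeql-action/init@v3",    // init step: not the analyze action
		"github/codeql-action/analyze@v3", // CodeQL
		"snyk/actions/node@master",        // Snyk
		"snyk/actions/golang@0.4.0",       // Snyk again: reported once
		"someone/snyk/actions/node@v1",    // different owner: ignored
		"facebook/pysa-action@v0.0.2",     // Pysa
	}
	for tool := range DetectSASTTools(sample) {
		fmt.Println("detected:", tool)
	}
}
```

Adding a fifth tool becomes a one-line table entry; the one thing worth keeping in mind when writing the pattern is whether it should be a prefix match (a family of actions under one owner, as with Snyk) or a full match on a single action name (CodeQL's analyze step, so that the init step is not counted as a scan).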