microsoft/hve-core
Publicmirrored fromhttps://github.com/microsoft/hve-coreAvailable
.github/workflows/dependency-pinning-scan.yml
181lines · modecode
| 1 | name: Dependency Pinning Scan |
| 2 | |
| 3 | on: |
| 4 | workflow_call: |
| 5 | inputs: |
| 6 | threshold: |
| 7 | description: 'Compliance threshold percentage (0-100)' |
| 8 | required: false |
| 9 | type: number |
| 10 | default: 95 |
| 11 | dependency-types: |
| 12 | description: 'Comma-separated list of dependency types to check' |
| 13 | required: false |
| 14 | type: string |
| 15 | default: 'github-actions,npm,workflow-npm-commands' |
| 16 | soft-fail: |
| 17 | description: 'Whether to continue on compliance violations' |
| 18 | required: false |
| 19 | type: boolean |
| 20 | default: false |
| 21 | upload-sarif: |
| 22 | description: 'Whether to upload SARIF results to Security tab' |
| 23 | required: false |
| 24 | type: boolean |
| 25 | default: false |
| 26 | upload-artifact: |
| 27 | description: 'Whether to upload results as artifact' |
| 28 | required: false |
| 29 | type: boolean |
| 30 | default: true |
| 31 | outputs: |
| 32 | compliance-score: |
| 33 | description: 'Compliance score percentage' |
| 34 | value: ${{ jobs.scan.outputs.compliance-score }} |
| 35 | unpinned-count: |
| 36 | description: 'Number of unpinned dependencies found' |
| 37 | value: ${{ jobs.scan.outputs.unpinned-count }} |
| 38 | is-compliant: |
| 39 | description: 'Whether repository meets compliance threshold' |
| 40 | value: ${{ jobs.scan.outputs.is-compliant }} |
| 41 | |
| 42 | permissions: |
| 43 | contents: read |
| 44 | |
| 45 | jobs: |
| 46 | scan: |
| 47 | name: Validate SHA Pinning Compliance |
| 48 | runs-on: ubuntu-latest |
| 49 | permissions: |
| 50 | contents: read |
| 51 | security-events: write # Required for SARIF upload to Security tab |
| 52 | outputs: |
| 53 | compliance-score: ${{ steps.pinning.outputs.compliance-score }} |
| 54 | unpinned-count: ${{ steps.pinning.outputs.unpinned-count }} |
| 55 | is-compliant: ${{ steps.pinning.outputs.is-compliant }} |
| 56 | steps: |
| 57 | - name: Checkout code |
| 58 | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 59 | with: |
| 60 | persist-credentials: false |
| 61 | |
| 62 | - name: Run Dependency Pinning Validation |
| 63 | id: pinning |
| 64 | shell: pwsh |
| 65 | run: | |
| 66 | Write-Host "Validating dependency SHA pinning compliance..." |
| 67 | |
| 68 | # Ensure logs directory exists |
| 69 | New-Item -ItemType Directory -Force -Path logs | Out-Null |
| 70 | |
| 71 | # Build parameter list for JSON output (always generate) |
| 72 | $params = @{ |
| 73 | Path = '.' |
| 74 | Format = 'json' |
| 75 | OutputPath = 'logs/dependency-pinning-results.json' |
| 76 | } |
| 77 | |
| 78 | # Enable failure on threshold violations unless soft-fail is requested |
| 79 | if ('${{ inputs.soft-fail }}' -ne 'true') { |
| 80 | $params['FailOnUnpinned'] = $true |
| 81 | } |
| 82 | |
| 83 | # Pass dependency types filter to script |
| 84 | if ('${{ inputs.dependency-types }}') { |
| 85 | $params['IncludeTypes'] = '${{ inputs.dependency-types }}' |
| 86 | } |
| 87 | |
| 88 | # Pass compliance threshold to script (script handles enforcement) |
| 89 | if ('${{ inputs.threshold }}') { |
| 90 | $params['Threshold'] = [int]'${{ inputs.threshold }}' |
| 91 | } |
| 92 | |
| 93 | # Run validation script (JSON format) |
| 94 | & scripts/security/Test-DependencyPinning.ps1 @params |
| 95 | $jsonExitCode = $LASTEXITCODE |
| 96 | |
| 97 | # Generate SARIF format if requested |
| 98 | if ('${{ inputs.upload-sarif }}' -eq 'true') { |
| 99 | Write-Host "Generating SARIF format for Security tab..." |
| 100 | $params['Format'] = 'sarif' |
| 101 | $params['OutputPath'] = 'logs/dependency-pinning-results.sarif' |
| 102 | |
| 103 | & scripts/security/Test-DependencyPinning.ps1 @params |
| 104 | } |
| 105 | |
| 106 | # Extract metrics from JSON report |
| 107 | if (Test-Path logs/dependency-pinning-results.json) { |
| 108 | $report = Get-Content logs/dependency-pinning-results.json | ConvertFrom-Json |
| 109 | $complianceScore = $report.ComplianceScore |
| 110 | $unpinnedCount = $report.UnpinnedDependencies |
| 111 | |
| 112 | # Extract threshold from report metadata (script calculated compliance) |
| 113 | $threshold = $report.Metadata.ComplianceThreshold |
| 114 | $isCompliant = $complianceScore -ge $threshold |
| 115 | |
| 116 | "compliance-score=$complianceScore" >> $env:GITHUB_OUTPUT |
| 117 | "unpinned-count=$unpinnedCount" >> $env:GITHUB_OUTPUT |
| 118 | "is-compliant=$($isCompliant.ToString().ToLower())" >> $env:GITHUB_OUTPUT |
| 119 | |
| 120 | Write-Host "Compliance Score: $complianceScore%" |
| 121 | Write-Host "Unpinned Dependencies: $unpinnedCount" |
| 122 | Write-Host "Is Compliant (>=$threshold%): $isCompliant" |
| 123 | } |
| 124 | else { |
| 125 | Write-Error "Failed to generate dependency pinning report" |
| 126 | exit 1 |
| 127 | } |
| 128 | |
| 129 | - name: Upload SARIF to Security tab |
| 130 | if: inputs.upload-sarif && always() |
| 131 | uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0 |
| 132 | with: |
| 133 | sarif_file: logs/dependency-pinning-results.sarif |
| 134 | category: dependency-pinning |
| 135 | continue-on-error: true |
| 136 | |
| 137 | - name: Upload validation report |
| 138 | if: inputs.upload-artifact && always() |
| 139 | uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 |
| 140 | with: |
| 141 | name: dependency-pinning-results |
| 142 | path: logs/dependency-pinning-results.json |
| 143 | retention-days: 90 |
| 144 | |
| 145 | - name: Add job summary |
| 146 | if: always() |
| 147 | shell: pwsh |
| 148 | run: | |
| 149 | $complianceScore = '${{ steps.pinning.outputs.compliance-score }}' |
| 150 | $unpinnedCount = '${{ steps.pinning.outputs.unpinned-count }}' |
| 151 | $isCompliant = '${{ steps.pinning.outputs.is-compliant }}' |
| 152 | |
| 153 | @" |
| 154 | ## Dependency Pinning Scan Results |
| 155 | |
| 156 | | Metric | Value | |
| 157 | |--------|-------| |
| 158 | | Compliance Score | $complianceScore% | |
| 159 | | Unpinned Dependencies | $unpinnedCount | |
| 160 | | Status | $(if ($isCompliant -eq 'true') { '✅ Compliant' } else { '⚠️ Non-Compliant' }) | |
| 161 | |
| 162 | $(if ($unpinnedCount -ne '0') { |
| 163 | @" |
| 164 | |
| 165 | ### ⚠️ Action Required |
| 166 | |
| 167 | **$unpinnedCount dependencies are not properly pinned.** |
| 168 | |
| 169 | Review the warnings in the workflow log and pin dependencies to specific SHA commits. |
| 170 | |
| 171 | "@ |
| 172 | } else { |
| 173 | @" |
| 174 | |
| 175 | ### ✅ All Dependencies Pinned |
| 176 | |
| 177 | All dependencies are properly pinned. |
| 178 | |
| 179 | "@ |
| 180 | }) |
| 181 | "@ | Out-File -FilePath $env:GITHUB_STEP_SUMMARY -Encoding UTF8 |