package cmd
import (
"errors"
"fmt"
"regexp"
"github.com/spf13/cobra"
"github.com/spf13/viper"
)
// Flag-backed settings that belong only to analyze_repo_stale_branches;
// their flags are declared in init() below.
var (
	expand bool   // --expand: expand the output to the classic analyze_repo representation
	regex  string // --regex: pattern used to check whether a workflow is accessible in stale branches
)
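// analyzeRepoStaleBranches is the `analyze_repo_stale_branches` subcommand.
// It walks the remote branches of a single repository looking for workflows
// that still match --regex (default: pull_request_target) and reports them
// through the analyzer returned by GetAnalyzer. It reads the package-level
// Token, Format, threads and failOnViolation settings and returns
// ErrViolationsFound when findings exist and failOnViolation is set.
var analyzeRepoStaleBranches = &cobra.Command{
	Use:   "analyze_repo_stale_branches",
	Short: "Analyzes a remote repository for pull_request_target vulnerabilities in stale branches",
	Long: `Analyzes a remote repository, looping through all remote branches to find unique GitHub Actions workflows with old pull_request_target vulnerabilities, even though the default branch does not have that vulnerability anymore.
Example Scanning a remote Github Repository: poutine analyze_repo_stale_branches org/repo --token "$GH_TOKEN"`,
	Args: cobra.ExactArgs(1),
	RunE: func(cmd *cobra.Command, args []string) error {
		// Read the token through viper so the GH_TOKEN env binding made in
		// init() applies when --token is not passed; sourcing the secret from
		// the environment keeps it out of the process argument list.
		Token = viper.GetString("token")

		// Validate the purely local inputs first so a bad flag fails fast,
		// before any analyzer setup work is done.
		if Format == "sarif" {
			return errors.New("sarif formatter not supported for analyze_repo_stale_branches")
		}
		reg, err := regexp.Compile(regex)
		if err != nil {
			return fmt.Errorf("error compiling regex: %w", err)
		}

		ctx := cmd.Context()
		analyzer, err := GetAnalyzer(ctx, "analyze_repo_stale_branches")
		if err != nil {
			return fmt.Errorf("error getting analyzer analyze_repo_stale_branches: %w", err)
		}

		repo := args[0]
		result, err := analyzer.AnalyzeStaleBranches(ctx, repo, &threads, &expand, reg)
		if err != nil {
			return fmt.Errorf("failed to analyze repo %s: %w", repo, err)
		}

		// result is guarded against nil before dereferencing; presumably the
		// analyzer can return no result on success — keep the check.
		if failOnViolation && result != nil && len(result.FindingsResults.Findings) > 0 {
			return ErrViolationsFound
		}
		return nil
	},
}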
// init attaches the subcommand to RootCmd, declares its flags and binds the
// token flag to the GH_TOKEN environment variable.
func init() {
	RootCmd.AddCommand(analyzeRepoStaleBranches)

	flags := analyzeRepoStaleBranches.Flags()
	flags.StringVarP(&Token, "token", "t", "", "SCM access token (env: GH_TOKEN)")
	flags.IntVarP(&threads, "threads", "j", 5, "Parallelization factor for scanning stale branches")
	flags.BoolVarP(&expand, "expand", "e", false, "Expand the output to the classic representation from analyze_repo")
	flags.StringVarP(&regex, "regex", "r", "pull_request_target", "Regex to check if the workflow is accessible in stale branches")

	// Allow the token to come from GH_TOKEN as well as --token. The returned
	// errors are dropped on purpose: BindPFlag only fails for a nil flag, and
	// "token" was defined just above; BindEnv only fails for an empty key.
	_ = viper.BindPFlag("token", flags.Lookup("token"))
	_ = viper.BindEnv("token", "GH_TOKEN")
}