|
| 1 | +--- |
| 2 | +version: v1 |
| 3 | +release_phase: alpha |
| 4 | +type: rule-type |
| 5 | +name: force_package_json_for_node_version |
| 6 | +display_name: Force GitHub Actions to use the node version specified in package.json |
| 7 | +short_failure_message: GitHub Actions need to specify node version using `node-version-file` |
| 8 | +severity: |
| 9 | + value: medium |
| 10 | +context: {} |
| 11 | +description: | |
| 12 | + Verifies that the Node version used in GitHub Actions workflow files is the same as the one specified |
| 13 | + in `package.json`. This ensures that the application is tested with the same Node version in GitHub Actions |
| 14 | + that it is meant to be locally developed with. |
| 15 | +guidance: | |
| 16 | + To make sure you are running GitHub Actions with the same Node version that your application is meant |
| 17 | + to be developed and deploy with, one step you can take is manage your Node version through `package.json`. |
| 18 | +
|
| 19 | + In the `actions/setup-node` GitHub Action, you can use the `node-version-file` input set to `package.json`. |
| 20 | + This helps establish a single source of truth for the Node version. |
| 21 | +
|
| 22 | + For more information, check out `actions/setup-node`'s [documentation](https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#node-version-file). |
| 23 | +
|
| 24 | + This approach is recommended for Node applications that are meant to be deployed in the cloud directly, |
| 25 | + but might not be as well suited for libraries that need to be tested against various different versions of Node. |
| 26 | +def: |
| 27 | + in_entity: repository |
| 28 | + rule_schema: |
| 29 | + type: object |
| 30 | + properties: {} |
| 31 | + ingest: |
| 32 | + type: git |
| 33 | + git: {} |
| 34 | + eval: |
| 35 | + type: rego |
| 36 | + rego: |
| 37 | + type: deny-by-default |
| 38 | + def: | |
| 39 | + package minder |
| 40 | + import future.keywords.if |
| 41 | + import future.keywords.every |
| 42 | +
|
| 43 | + default message := "For GitHub Actions workflows, Node version has to be specified through the `node-version-file` argument." |
| 44 | + default allow := false |
| 45 | +
|
| 46 | + workflows := file.ls(".github/workflows/") |
| 47 | +
|
| 48 | + all_args[args] { |
| 49 | + some w |
| 50 | +
|
| 51 | + file.read(workflows[w]) |
| 52 | + workflowstr := file.read(workflows[w]) |
| 53 | + workflow := parse_yaml(workflowstr) |
| 54 | +
|
| 55 | + some job_id |
| 56 | + job := workflow.jobs[job_id] |
| 57 | +
|
| 58 | + some step_id |
| 59 | + step := job.steps[step_id] |
| 60 | +
|
| 61 | + startswith(step.uses, "actions/setup-node@") |
| 62 | +
|
| 63 | + args := step["with"] |
| 64 | + } |
| 65 | +
|
| 66 | + allow if { |
| 67 | + every args in all_args { |
| 68 | + print(args) |
| 69 | + args["node-version-file"] == "package.json" |
| 70 | + not args["node-version"] |
| 71 | + } |
| 72 | + } |
| 73 | +
|
| 74 | + message := "" if allow |
| 75 | + alert: |
| 76 | + type: security_advisory |
| 77 | + security_advisory: {} |
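Review bot: A setup-node step that has no `with:` block is silently dropped from `all_args`, because `args := step["with"]` is undefined for such a step and the whole iteration fails, so a workflow running `actions/setup-node@v4` with no inputs (which falls back to the runner's default Node rather than `package.json`) still satisfies `allow`. Binding the inputs with a default keeps that step in the set so the `every` check rejects it: `args := object.get(step, "with", {})`. The same Rego body also leaves a debug `print(args)` inside the `every` block and reads each workflow twice (`file.read(workflows[w])` is called once with its result discarded and then again to bind `workflowstr`); both can be dropped. When `.github/workflows/` is absent or contains no setup-node steps, `all_args` is empty and `every` is vacuously true, which is presumably the intended pass for repositories without workflows; a short comment above `allow if {` stating that would make the deny-by-default semantics explicit.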