Symlink in repo seems to generate false positives for Dangerous Workflow policy in v4.4 #694
Description
Hi -- In the last week we started getting AllStar findings like this:
Error while running checks.DangerousWorkflow: internal error: error during ListFiles: error walking the path "/home/vcap/tmp/allstar623027289": stat /home/vcap/tmp/allstar623027289/meteor/.cfignore: no such file or directory
see https://github.com/cloud-gov/product/issues/3292
I've been able to reproduce this by building v4.4 and running:
./allstar -once -repo cloud-gov/cf-hello-worlds -policy "Dangerous Workflow"
{"severity":"WARNING","org":"cloud-gov","repo":"cf-hello-worlds","area":"Dangerous Workflow","error":"internal error: error during ListFiles: error walking the path \"/Users/peterdburkholder/tmp/allstar2379061765\": stat /Users/peterdburkholder/tmp/allstar2379061765/meteor/.cfignore: no such file or directory","time":"2025-05-30T18:34:07-04:00","message":"Error while running checks.DangerousWorkflow"}
Indeed, the file meteor/.cfconfig was a symlink 10 years ago: https://github.com/cloud-gov/cf-hello-worlds/tree/089391cfc6cb30fc5044a0f931771747063b6d54/meteor
When I checkout v4.3 I don't get the error.
Is that enough info to help track this down? Thanks!