Merge pull request step-security#2587 from vamshi-stepsecurity/refactor/harden-runner-config

shubham-stepsecurity · web-flow · commit 403fc4d28bc4 · 2026-04-09T22:17:40.000+05:30
add test cases
diff --git a/remediation/workflow/hardenrunner/addaction_test.go b/remediation/workflow/hardenrunner/addaction_test.go
@@ -61,33 +61,65 @@ func TestUpdateHardenRunnerConfig(t *testing.T) {
 
 	blockConfig := "- name: Harden the runner (Audit all outbound calls)\n  uses: step-security/harden-runner@v2\n  with:\n    egress-policy: block\n    allowed-endpoints: >\n      github.com:443\n      api.github.com:443"
 
+	blockConfigWithComments := "# Harden Runner step added by StepSecurity\n- name: Harden the runner (Audit all outbound calls)\n  uses: step-security/harden-runner@v2\n  with:\n    egress-policy: block\n    # Approved endpoints for CI\n    allowed-endpoints: >\n      github.com:443\n      api.github.com:443\n      # npm registry\n      registry.npmjs.org:443"
+
 	tests := []struct {
 		name        string
+		inputFile   string
 		config      HardenRunnerConfig
 		wantUpdated bool
 		outputFile  string
 	}{
 		{
 			name:        "subtractive true replaces existing config",
+			inputFile:   "updateConfig.yml",
 			config:      HardenRunnerConfig{Config: blockConfig, Subtractive: true},
 			wantUpdated: true,
 			outputFile:  "updateConfig.yml",
 		},
 		{
 			name:        "subtractive false does not change existing config",
+			inputFile:   "updateConfig.yml",
 			config:      HardenRunnerConfig{Config: blockConfig, Subtractive: false},
 			wantUpdated: false,
 			outputFile:  "updateConfigNotSubtractive.yml",
 		},
-	}
-
-	input, err := ioutil.ReadFile(path.Join(inputDirectory, "updateConfig.yml"))
-	if err != nil {
-		t.Fatalf("error reading input file: %v", err)
+		{
+			name:        "subtractive replaces existing allowed-endpoints",
+			inputFile:   "updateConfigReplaceEndpoints.yml",
+			config:      HardenRunnerConfig{Config: blockConfig, Subtractive: true},
+			wantUpdated: true,
+			outputFile:  "updateConfigReplaceEndpoints.yml",
+		},
+		{
+			name:        "subtractive replaces config with comments",
+			inputFile:   "updateConfigWithComments.yml",
+			config:      HardenRunnerConfig{Config: blockConfig, Subtractive: true},
+			wantUpdated: true,
+			outputFile:  "updateConfigWithComments.yml",
+		},
+		{
+			name:        "subtractive replaces single-line allowed-endpoints",
+			inputFile:   "updateConfigSingleLine.yml",
+			config:      HardenRunnerConfig{Config: blockConfig, Subtractive: true},
+			wantUpdated: true,
+			outputFile:  "updateConfigSingleLine.yml",
+		},
+		{
+			name:        "subtractive with comments in config",
+			inputFile:   "updateConfigWithConfigComments.yml",
+			config:      HardenRunnerConfig{Config: blockConfigWithComments, Subtractive: true},
+			wantUpdated: true,
+			outputFile:  "updateConfigWithConfigComments.yml",
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.inputFile))
+			if err != nil {
+				t.Fatalf("error reading input file: %v", err)
+			}
 			got, gotUpdated, err := AddAction(string(input), tt.config, false, false, false)
 			if err != nil {
 				t.Errorf("AddAction() error = %v", err)
diff --git a/testfiles/addaction/input/updateConfigReplaceEndpoints.yml b/testfiles/addaction/input/updateConfigReplaceEndpoints.yml
@@ -0,0 +1,18 @@
+name: test-replace-endpoints
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            xyz.com:443
+            old-api.example.com:443
+            internal.corp.net:8080
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
diff --git a/testfiles/addaction/input/updateConfigSingleLine.yml b/testfiles/addaction/input/updateConfigSingleLine.yml
@@ -0,0 +1,15 @@
+name: test-single-line-endpoints
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: block
+          allowed-endpoints: xyz.com:443 old-api.example.com:443
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
diff --git a/testfiles/addaction/input/updateConfigWithComments.yml b/testfiles/addaction/input/updateConfigWithComments.yml
@@ -0,0 +1,19 @@
+name: test-replace-with-comments
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      # This step hardens the runner
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: block
+          # These endpoints were approved by the security team
+          allowed-endpoints: >
+            xyz.com:443
+            old-api.example.com:443
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
diff --git a/testfiles/addaction/input/updateConfigWithConfigComments.yml b/testfiles/addaction/input/updateConfigWithConfigComments.yml
@@ -0,0 +1,14 @@
+name: test-config-with-comments
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
diff --git a/testfiles/addaction/output/updateConfigReplaceEndpoints.yml b/testfiles/addaction/output/updateConfigReplaceEndpoints.yml
@@ -0,0 +1,17 @@
+name: test-replace-endpoints
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            api.github.com:443
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
diff --git a/testfiles/addaction/output/updateConfigSingleLine.yml b/testfiles/addaction/output/updateConfigSingleLine.yml
@@ -0,0 +1,17 @@
+name: test-single-line-endpoints
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            api.github.com:443
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
diff --git a/testfiles/addaction/output/updateConfigWithComments.yml b/testfiles/addaction/output/updateConfigWithComments.yml
@@ -0,0 +1,18 @@
+name: test-replace-with-comments
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      # This step hardens the runner
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            api.github.com:443
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
diff --git a/testfiles/addaction/output/updateConfigWithConfigComments.yml b/testfiles/addaction/output/updateConfigWithConfigComments.yml
@@ -0,0 +1,21 @@
+name: test-config-with-comments
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      # Harden Runner step added by StepSecurity
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: block
+          # Approved endpoints for CI
+          allowed-endpoints: >
+            github.com:443
+            api.github.com:443
+            # npm registry
+            registry.npmjs.org:443
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
