code-pathfinder/action.yml at main · shivasurya/code-pathfinder · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
# action.yml
name: 'Code-Pathfinder'
description: 'Security scanning with Code Pathfinder - open source, type-aware SAST with cross-file dataflow analysis'
author: 'Shivasurya <shiva@shivasurya.me>'
branding:
  icon: "shield"
  color: "blue"

inputs:
  rules:
    description: 'Path to Python SDK rules file or directory'
    required: false
  ruleset:
    description: 'Remote ruleset(s) to use (e.g., python/flask, docker/security). Can specify multiple comma-separated.'
    required: false
  project:
    description: 'Path to source code to scan'
    required: false
    default: '.'
  output:
    description: 'Output format: sarif, json, or csv'
    required: false
    default: 'sarif'
  output-file:
    description: 'Output file path (e.g., results.sarif)'
    required: false
    default: 'pathfinder-results.sarif'
  fail-on:
    description: 'Fail with exit code 1 if findings match severities (e.g., critical,high)'
    required: false
    default: ''
  verbose:
    description: 'Enable verbose output'
    required: false
    default: 'false'
  python-version:
    description: 'Python version to use'
    required: false
    default: '3.12'
  skip-tests:
    description: 'Skip scanning test files'
    required: false
    default: 'true'
  refresh-rules:
    description: 'Force refresh of cached rulesets (bypasses cache)'
    required: false
    default: 'false'
  debug:
    description: 'Enable debug diagnostics with timestamps'
    required: false
    default: 'false'
  disable-metrics:
    description: 'Disable anonymous usage metrics collection'
    required: false
    default: 'false'
  pr-comment:
    description: 'Post a summary comment on the pull request with scan results'
    required: false
    default: 'false'
  pr-inline:
    description: 'Post inline review comments for critical/high severity findings'
    required: false
    default: 'false'
  github-token:
    description: 'GitHub token for posting PR comments (required when pr-comment or pr-inline is enabled)'
    required: false
    default: ''
  no-diff:
    description: 'Disable diff-aware scanning (scan all files instead of only changed files)'
    required: false
    default: 'false'

outputs:
  results-file:
    description: 'Path to the output results file'
    value: ${{ inputs.output-file }}
  version:
    description: 'Installed pathfinder version'
    value: ${{ steps.install.outputs.version }}

runs:
  using: 'composite'
  steps:
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: ${{ inputs.python-version }}

    - name: Install Code-Pathfinder
      id: install
      shell: bash
      run: |
        pip install --quiet codepathfinder
        VERSION=$(pathfinder version | head -1 | cut -d' ' -f2)
        echo "version=${VERSION}" >> $GITHUB_OUTPUT
        echo "Code-Pathfinder ${VERSION} installed successfully"

    - name: Run Security Scan
      shell: bash
      run: |
        set -euo pipefail

        # Input validation to prevent command injection
        # Check for dangerous shell metacharacters that could enable command injection
        validate_no_injection() {
          local input="$1"
          local field_name="$2"
          # Block shell command separators and substitution operators
          if [[ "$input" =~ [\;\|\&\$\`] ]] || [[ "$input" =~ $'\n' ]]; then
            echo "Error: Potentially dangerous characters detected in $field_name input"
            echo "Blocked characters: ; | & \$ \` (newline)"
            echo "These characters could be used for command injection"
            exit 1
          fi
        }

        # Validate that at least one rule source is provided
        if [ -z "${{ inputs.rules }}" ] && [ -z "${{ inputs.ruleset }}" ]; then
          echo "Error: Either 'rules' or 'ruleset' input must be specified"
          exit 1
        fi

        # Validate all user-provided inputs
        [ -n "${{ inputs.project }}" ] && validate_no_injection "${{ inputs.project }}" "project"
        [ -n "${{ inputs.rules }}" ] && validate_no_injection "${{ inputs.rules }}" "rules"
        [ -n "${{ inputs.ruleset }}" ] && validate_no_injection "${{ inputs.ruleset }}" "ruleset"
        [ -n "${{ inputs.output }}" ] && validate_no_injection "${{ inputs.output }}" "output"
        [ -n "${{ inputs.output-file }}" ] && validate_no_injection "${{ inputs.output-file }}" "output-file"
        [ -n "${{ inputs.fail-on }}" ] && validate_no_injection "${{ inputs.fail-on }}" "fail-on"
        [ -n "${{ inputs.github-token }}" ] && validate_no_injection "${{ inputs.github-token }}" "github-token"

        # Validate PR commenting requirements
        if [ "${{ inputs.pr-comment }}" = "true" ] || [ "${{ inputs.pr-inline }}" = "true" ]; then
          if [ -z "${{ inputs.github-token }}" ]; then
            echo "Error: 'github-token' input is required when 'pr-comment' or 'pr-inline' is enabled"
            exit 1
          fi
        fi

        # Build command arguments using array to prevent injection
        ARGS=(ci)
        ARGS+=(--project "${{ inputs.project }}")

        # Add rules or ruleset
        if [ -n "${{ inputs.rules }}" ]; then
          ARGS+=(--rules "${{ inputs.rules }}")
        fi

        if [ -n "${{ inputs.ruleset }}" ]; then
          # Split comma-separated rulesets and add each one
          IFS=',' read -ra RULESETS <<< "${{ inputs.ruleset }}"
          for ruleset in "${RULESETS[@]}"; do
            # Trim whitespace
            ruleset=$(echo "$ruleset" | xargs)
            # Skip empty entries (e.g., trailing commas)
            [ -z "$ruleset" ] && continue
            ARGS+=(--ruleset "$ruleset")
          done
        fi

        ARGS+=(--output "${{ inputs.output }}")
        ARGS+=(--output-file "${{ inputs.output-file }}")

        if [ "${{ inputs.verbose }}" = "true" ]; then
          ARGS+=(--verbose)
        fi

        if [ -n "${{ inputs.fail-on }}" ]; then
          ARGS+=(--fail-on "${{ inputs.fail-on }}")
        fi

        if [ "${{ inputs.skip-tests }}" = "true" ]; then
          ARGS+=(--skip-tests)
        else
          ARGS+=(--skip-tests=false)
        fi

        if [ "${{ inputs.refresh-rules }}" = "true" ]; then
          ARGS+=(--refresh-rules)
        fi

        if [ "${{ inputs.debug }}" = "true" ]; then
          ARGS+=(--debug)
        fi

        if [ "${{ inputs.disable-metrics }}" = "true" ]; then
          ARGS+=(--disable-metrics)
        fi

        if [ "${{ inputs.no-diff }}" = "true" ]; then
          ARGS+=(--no-diff)
        fi

        # PR commenting flags - auto-wire GitHub context
        if [ "${{ inputs.pr-comment }}" = "true" ] || [ "${{ inputs.pr-inline }}" = "true" ]; then
          # Validate PR number is available (empty on non-pull_request events)
          PR_NUMBER="${{ github.event.pull_request.number }}"
          if [ -z "$PR_NUMBER" ]; then
            echo "Error: PR commenting requires a pull_request event, but 'github.event.pull_request.number' is empty."
            echo "Hint: Use a conditional to only enable PR commenting on pull requests:"
            echo "  pr-comment: \${{ github.event_name == 'pull_request' }}"
            exit 1
          fi

          ARGS+=(--github-token "${{ inputs.github-token }}")
          ARGS+=(--github-repo "${{ github.repository }}")
          ARGS+=(--github-pr "$PR_NUMBER")

          if [ "${{ inputs.pr-comment }}" = "true" ]; then
            ARGS+=(--pr-comment)
          fi

          if [ "${{ inputs.pr-inline }}" = "true" ]; then
            ARGS+=(--pr-inline)
          fi
        fi

        pathfinder "${ARGS[@]}"