Update dependencies, add lint and unit-tests (#50)

Author: ayala-orca

.github/workflows/test-iac-action-sarif.yaml

@@ -13,7 +13,7 @@ jobs:
     permissions:
       security-events: write
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
       - name: Scan IaC
         id: orcasecurity_iac_scan
         uses: ./
@@ -25,12 +25,7 @@ jobs:
           output: "results/"
           console_output: "cli"
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # ratchet:github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # ratchet:github/codeql-action/upload-sarif@v3.27.5
         if: ${{ always() && steps.orcasecurity_iac_scan.outputs.exit_code != 1 }}
         with:
           sarif_file: results/iac.sarif
-
-
-
-
-

.github/workflows/test-iac-action.yaml

@@ -9,7 +9,7 @@ jobs:
   iac_scan_job:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
       - name: Scan IaC
         uses: ./
         with:
@@ -19,13 +19,8 @@ jobs:
           format: "json"
           output: "results/"
           console_output: "cli"
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # ratchet:actions/upload-artifact@v4
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # ratchet:actions/upload-artifact@v4.4.3
         if: always()
         with:
           name: orca-results
           path: results/
-
-
-
-
-

.github/workflows/unit-tests.yml

@@ -0,0 +1,23 @@
+name: Unit Tests
+on:
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Run lint
+        run: npm run lint
+
+      - name: Run tests
+        run: npm test

.gitignore

@@ -1,3 +1,5 @@
 # IDE
 .idea
-node_modules
+node_modules
+
+dist

README.md

@@ -5,19 +5,13 @@ for [Orca Shift Left Security](https://orca.security/solutions/shift-left-securi
 
 #### More info can be found in the official Orca Shift Left Security<a href="https://docs.orcasecurity.io/v1/docs/shift-left-security"> documentation</a>
 
-
-
 ## Table of Contents
 
-- [Orca Shift Left Security Action](#orca-shift-left-security-action)
-      - [More info can be found in the official Orca Shift Left Security documentation](#more-info-can-be-found-in-the-official-orca-shift-left-security-documentation)
-  - [Table of Contents](#table-of-contents)
-  - [Usage](#usage)
-    - [Workflow](#workflow)
-    - [Inputs](#inputs)
-  - [Annotations](#annotations)
-  - [Upload SARIF report](#upload-sarif-report)
-
+- [Usage](#usage)
+  - [Workflow](#workflow)
+  - [Inputs](#inputs)
+- [Annotations](#annotations)
+- [Upload SARIF report](#upload-sarif-report)
 
 ## Usage
 
@@ -28,13 +22,13 @@ name: Sample Orca IaC Scan Workflow
 on:
   # Scan for each push event on your protected branch. If you have a different branch configured, please adjust the configuration accordingly by replacing 'main'.
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   # NOTE: To enable scanning for pull requests, uncomment the section below.
   #pull_request:
-    #branches: [ "main" ]
+  #branches: [ "main" ]
   # NOTE: To schedule a daily scan at midnight, uncomment the section below.
   #schedule:
-    #- cron: '0 0 * * *'
+  #- cron: '0 0 * * *'
 jobs:
   orca-iac_scan:
     name: Orca IaC Scan
@@ -59,7 +53,7 @@ jobs:
 ### Inputs
 
 | Variable                 | Example Value &nbsp;                       | Description &nbsp;                                                                                      | Type    | Required | Default                       |
-|--------------------------|--------------------------------------------|---------------------------------------------------------------------------------------------------------|---------|----------|-------------------------------|
+| ------------------------ | ------------------------------------------ | ------------------------------------------------------------------------------------------------------- | ------- | -------- | ----------------------------- |
 | api_token                |                                            | Orca API Token used for Authentication                                                                  | String  | Yes      | N/A                           |
 | project_key              | my-project-key                             | Project Key name                                                                                        | String  | Yes      | N/A                           |
 | path                     | terraform,sub-dir,other-sub-dir/Dockerfile | Paths or directories to scan (comma-separated)                                                          | String  | Yes      | N/A                           |
@@ -87,15 +81,18 @@ jobs:
 | log_path                 | results/                                   | The directory path to specify where the logs should be written to on debug mode.                        | String  | No       | working directory             |
 
 ## Annotations
+
 After scanning, the action will add the results as annotations in a pull request:
 
 ![](/assets/annotations_preview.png)
->  **NOTE:**  Annotations can be disabled by setting the "show_annotation" input to "false"
 
+> **NOTE:** Annotations can be disabled by setting the "show_annotation" input to "false"
 
 ## Upload SARIF report
+
 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Orca Shift Left Security as a scanning tool
-> **NOTE:**  Code scanning is available for all public repositories. Code scanning is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.
+
+> **NOTE:** Code scanning is available for all public repositories. Code scanning is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.
 
 Configuration:
 
@@ -126,8 +123,7 @@ jobs:
           project_key: ${{ env.PROJECT_KEY }}
           path: <path to scan>
           format: "sarif"
-          output:
-            "results/"
+          output: "results/"
       - name: Upload SARIF file
         uses: github/codeql-action/upload-sarif@v3
         if: ${{ always() && steps.orcasecurity_iac_scan.outputs.exit_code != 1 }}
@@ -139,6 +135,6 @@ The results list can be found on the security tab of your GitHub project and sho
 
 ![](/assets/code_scanning.png)
 
-An entry should describe the error and in which line it occurred 
+An entry should describe the error and in which line it occurred
 
 ![](/assets/code_scanning_alert.png)

SECURITY.md

@@ -1,19 +1,20 @@
-
 ## Reporting a Vulnerability
 
-At Orca, we take security seriously and appreciate your help in disclosing any vulnerabilities responsibly and privately. 
+At Orca, we take security seriously and appreciate your help in disclosing any vulnerabilities responsibly and privately.
 
 To report a security issue, please email us at address `[email protected]`
 
 ---
+
 **Important:**
-   1. Please **do not** create a Github issue for security vulnerabilities.
-   2. Please **do not** disclose the vulnerability publicly until we have addressed it and provided guidance on the disclosure.
-   3. Please include the following details in your report:
-         - Description of the vulnerability
-         - Steps to reproduce the vulnerability
-         - Any additional information or context that might be helpful
+
+1.  Please **do not** create a Github issue for security vulnerabilities.
+2.  Please **do not** disclose the vulnerability publicly until we have addressed it and provided guidance on the disclosure.
+3.  Please include the following details in your report:
+    - Description of the vulnerability
+    - Steps to reproduce the vulnerability
+    - Any additional information or context that might be helpful
+
 ---
 
 > Submission of reports by any means is subject to Orca's [Vulnerability Disclosure Policy](https://trustcenter.orca.security/?itemUid=ff1626be-71c0-4468-b93c-82fe08aac01f&source=documents_card). Please make sure to read and accept before submitting your report.
-

action.yaml

@@ -27,16 +27,6 @@ inputs:
     description: "Disable logs and warnings output"
     required: false
     default: "false"
-  baseline_context_key:
-    description: "Use this context key in case of no autodetect is configured on project"
-    required: false
-  disable_baseline:
-    description: "Do not compare to baseline on this scan"
-    required: false
-    default: "false"
-  sync_baseline:
-    description: "Sync baseline base on this flag"
-    required: false
   disable_err_report:
     description: "Suppress error reporting to the monitoring platform"
     required: false

entrypoint.sh

@@ -34,18 +34,9 @@ function set_global_flags() {
   if [ "${INPUT_CONFIG}" ]; then
     GLOBAL_FLAGS+=(--config "${INPUT_CONFIG}")
   fi
-  if [ "${INPUT_BASELINE_CONTEXT_KEY}" ]; then
-    GLOBAL_FLAGS+=(--baseline-context-key "${INPUT_BASELINE_CONTEXT_KEY}")
-  fi
-  if [ "${INPUT_DISABLE_BASELINE}" == "true" ]; then
-    GLOBAL_FLAGS+=(--disable-baseline)
-  fi
   if [ "${INPUT_DISABLE_ERR_REPORT}" == "true" ]; then
     GLOBAL_FLAGS+=(--disable-err-report)
   fi
-  if [ "${INPUT_SYNC_BASELINE}" ]; then
-    GLOBAL_FLAGS+=(--sync-baseline "${INPUT_SYNC_BASELINE}")
-  fi
   if [ "${INPUT_DISPLAY_NAME}" ]; then
     GLOBAL_FLAGS+=(--display-name "${INPUT_DISPLAY_NAME}")
   fi
@@ -102,7 +93,7 @@ function set_iac_scan_flags() {
     SCAN_FLAGS+=(--exclude-platform "${INPUT_EXCLUDE_PLATFORM}")
   fi
   if [ "${INPUT_CONTROL_TIMEOUT}" ]; then
-    SCAN_FLAGS+=(--control_timeout "${INPUT_CONTROL_TIMEOUT}")
+    SCAN_FLAGS+=(--control-timeout "${INPUT_CONTROL_TIMEOUT}")
   fi
   if [ "${INPUT_TIMEOUT}" ]; then
     SCAN_FLAGS+=(--timeout "${INPUT_TIMEOUT}")

eslint.config.js

@@ -0,0 +1,50 @@
+const js = require("@eslint/js");
+
+module.exports = [
+  {
+    // Global ignores
+    ignores: ["dist/**"],
+  },
+  {
+    // Base configuration
+    files: ["**/*.{js}"],
+    settings: {
+      "import/resolver": {
+        typescript: {},
+      },
+    },
+    rules: {
+      ...js.configs.recommended.rules,
+
+      // Spacing and formatting rules
+      "space-before-blocks": "error",
+      "keyword-spacing": "error",
+      "no-trailing-spaces": "error",
+      curly: "error",
+      quotes: ["error", "single"],
+      "object-curly-spacing": ["error", "always"],
+      "no-multi-spaces": "error",
+      "semi-spacing": "error",
+
+      // Code style rules
+      "prefer-const": ["error", { destructuring: "all" }],
+      "max-classes-per-file": ["error", 10],
+      "max-len": ["error", 200],
+
+      // Import rules
+      "import/no-unresolved": [
+        "error",
+        { commonjs: true, caseSensitive: true },
+      ],
+      "import/extensions": ["error", "ignorePackages", { js: "never" }],
+    },
+  },
+  {
+    // Test files override
+    files: ["**/test/**"],
+    rules: {
+      "import/no-unresolved": "off",
+      "import/extensions": "off",
+    },
+  },
+];