✨ update log msg for non-pinned actions (#1370)

2024-11-05 05:17:00 +03:00 · 2021-12-06 17:33:27 -08:00 · 2021-12-06 17:33:27 -08:00 · 1aac7aa39c
commit 1aac7aa39c
parent 063d384b6d
1 changed files with 13 additions and 3 deletions
--- a/checks/pinned_dependencies.go
+++ b/checks/pinned_dependencies.go
@ -561,6 +561,13 @@ func testIsGitHubActionsWorkflowPinned(pathfn string, content []byte, dl checker
 	return createReturnForIsGitHubActionsWorkflowPinned(r, dl, err)
 }

+func generateOwnerToDisplay(gitHubOwned bool) string {
+	if gitHubOwned {
+		return "GitHub-owned"
+	}
+	return "third-party"
+}
+
 // validateGitHubActionWorkflow checks if the workflow file contains unpinned actions. Returns true if the check
 // should continue executing after this file.
 func validateGitHubActionWorkflow(pathfn string, content []byte,
@ -614,18 +621,21 @@ func validateGitHubActionWorkflow(pathfn string, content []byte,
 				continue
 			}

+			// Check if we are dealing with a GitHub action or a third-party one.
+			gitHubOwned := fileparser.IsGitHubOwnedAction(execAction.Uses.Value)
+			owner := generateOwnerToDisplay(gitHubOwned)
+
 			// Ensure a hash at least as large as SHA1 is used (40 hex characters).
 			// Example: action-name@hash
 			match := hashRegex.Match([]byte(execAction.Uses.Value))
 			if !match {
 				dl.Warn3(&checker.LogMessage{
 					Path: pathfn, Type: checker.FileTypeSource, Offset: execAction.Uses.Pos.Line, Snippet: execAction.Uses.Value,
-					Text: fmt.Sprintf("dependency not pinned by hash (job '%v')", jobName),
+					Text: fmt.Sprintf("%s dependency not pinned by hash (job '%v')", owner, jobName),
 				})
 			}

-			githubOwned := fileparser.IsGitHubOwnedAction(execAction.Uses.Value)
-			addWorkflowPinnedResult(pdata, match, githubOwned)
+			addWorkflowPinnedResult(pdata, match, gitHubOwned)
 		}
 	}