4 changes: 2 additions & 2 deletions .github/workflows/codeql.yml
Expand Up @@ -20,7 +20,7 @@ jobs:
strategy:
fail-fast: false
matrix:
language: [ 'javascript-typescript', 'actions' ]
language: [ 'javascript-typescript', 'actions', 'ruby' ]

steps:
- name: Checkout repository
Expand All @@ -38,7 +38,7 @@ jobs:
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
config: |
paths-ignore:
paths-ignore:
- dist/index.js
- dist/sourcemap-register.js

89 changes: 5 additions & 84 deletions scripts/scan_pr
@@ -1,87 +1,8 @@
#!/usr/bin/env ruby
require 'json'
require 'tempfile'
require 'open3'
require 'bundler/inline'
require 'optparse'

gemfile do
source 'https://rubygems.org'
gem 'octokit'
end
# Load the scan_pr library
require_relative 'scan_pr_lib'

config_file = nil
github_token = ENV["GITHUB_TOKEN"]

if !github_token || github_token.empty?
puts "Please set the GITHUB_TOKEN environment variable"
exit -1
end

op = OptionParser.new do |opts|
usage = <<EOF
Run Dependency Review on a repository.

\e[1mUsage:\e[22m
scripts/scan_pr [options] <pr_url>

\e[1mExample:\e[22m
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294

EOF

opts.banner = usage

opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
config_file = cf
end

opts.on("-h", "--help", "Prints this help") do
puts opts
exit
end
end

op.parse!

# make sure we have a NWO somewhere in the parameters
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(ARGV.join(" "))

if arg.nil?
puts op
exit -1
end

repo_nwo = arg[:repo_nwo]
pr_number = arg[:pr_number]

octo = Octokit::Client.new(access_token: github_token)
pr = octo.pull_request(repo_nwo, pr_number)

event_file = Tempfile.new
event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
event_file.close

action_inputs = {
"repo-token": github_token,
"config-file": config_file
}

dev_cmd_env = {
"GITHUB_REPOSITORY" => repo_nwo,
"GITHUB_EVENT_NAME" => "pull_request",
"GITHUB_EVENT_PATH" => event_file.path,
"GITHUB_STEP_SUMMARY" => "/dev/null"
}

# bash does not like variable names with dashes like the ones Actions
# uses (e.g. INPUT_REPO-TOKEN). Passing them through `env` instead of
# manually setting them does the job.
action_inputs_env_str = action_inputs.map { |name, value| "\"INPUT_#{name.upcase}=#{value}\"" }.join(" ")
dev_cmd = "./node_modules/.bin/nodemon --exec \"env #{action_inputs_env_str} node -r esbuild-register\" src/main.ts"

Open3.popen2e(dev_cmd_env, dev_cmd) do |stdin, out|
while line = out.gets
puts line.gsub(github_token, "<REDACTED>")
end
end
# Create and run the scanner
scanner = ScanPr.new
scanner.run(ARGV)
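Review bot: `require 'json'` on the new side of this wrapper is now unused — the script only constructs and runs `ScanPr`, and `scan_pr_lib.rb` performs its own `require 'json'` — so the line can be dropped, leaving the shebang, `require_relative 'scan_pr_lib'` and the two `ScanPr` lines. Which lines survive on the new side is inferred here from the 5-addition/84-deletion counts, since this rendering carries no `+`/`-` markers.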
128 changes: 128 additions & 0 deletions scripts/scan_pr_lib.rb
@@ -0,0 +1,128 @@
require 'json'

Copilot AI Aug 28, 2025


Copilot detected a code snippet with 2 occurrences. See search results for more details.

Matched Code Snippet
= OptionParser.new do |opts|
      usage = <<EOF
Run Dependency Review on a repository.

\e[1mUsage:\e[22m
  scripts/scan_pr [options] <pr_url>

\e[1mExample:\e[22m
  scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294

EOF

      opts.banner = usage

      opts.on('-c', '--config-file <FILE>', 'Use an external configuration file'


Copilot AI Aug 28, 2025


Copilot detected a code snippet with 2 occurrences. See search results for more details.

Matched Code Snippet
{
      "GITHUB_REPOSITORY" => repo_nwo,
      "GITHUB_EVENT_NAME" => "pull_request",
      "GITHUB_EVENT_PATH" => event_file.path,
      "GITHUB_STEP_SUMMARY" => "/dev/null"
    }

    # bash does not like variable names with dashes like the ones Actions
    # uses (e.g. INPUT_REPO-TOKEN). Passing them through `env` instead of
    # manually setting them does the job.
    action_inputs_env_str = action_inputs.map { |name, value| "\"INPUT_#{name.upcase}=#{value}\"" }.join(" ")
    dev_cmd = "./node_modules/.bin/nodemon --exec \"env #{action_inputs_env_str} node -r esbuild-register\" src/main.ts"

    Open3.popen2e(dev_cmd_env, dev_cmd) do |stdin, out|
      while line =

require 'tempfile'
require 'open3'
require 'bundler/inline'
require 'optparse'

gemfile do
source 'https://rubygems.org'
gem 'octokit'
end

class ScanPr
def initialize
@config_file = nil
@github_token = ENV["GITHUB_TOKEN"]

validate_token
end

def run(args)
parse_options(args)
repo_nwo, pr_number = extract_repo_and_pr(args)

pr = fetch_pull_request(repo_nwo, pr_number)
event_file = create_event_file(pr)

execute_dependency_review(repo_nwo, event_file)
ensure
event_file&.unlink
end

private

def validate_token
if !@github_token || @github_token.empty?
puts "Please set the GITHUB_TOKEN environment variable"
exit -1
end
end

def parse_options(args)
op = OptionParser.new do |opts|
usage = <<EOF
Run Dependency Review on a repository.

\e[1mUsage:\e[22m
scripts/scan_pr [options] <pr_url>

\e[1mExample:\e[22m
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294

EOF

opts.banner = usage

opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
@config_file = cf
end

opts.on("-h", "--help", "Prints this help") do
puts opts
exit
end
end

op.parse!(args)
@option_parser = op
end

def extract_repo_and_pr(args)
# make sure we have a NWO somewhere in the parameters
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(args.join(" "))

if arg.nil?
puts @option_parser
exit -1
end

[arg[:repo_nwo], arg[:pr_number]]
end

def fetch_pull_request(repo_nwo, pr_number)
octo = Octokit::Client.new(access_token: @github_token)
octo.pull_request(repo_nwo, pr_number)
end

def create_event_file(pr)
event_file = Tempfile.new
event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
event_file.close
event_file
end

def execute_dependency_review(repo_nwo, event_file)
action_inputs = {
"repo-token": @github_token,
"config-file": @config_file
}

dev_cmd_env = {
"GITHUB_REPOSITORY" => repo_nwo,
"GITHUB_EVENT_NAME" => "pull_request",
"GITHUB_EVENT_PATH" => event_file.path,
"GITHUB_STEP_SUMMARY" => "/dev/null"
}

# Merge action inputs into environment, formatting keys as INPUT_...
action_inputs_env = action_inputs.each_with_object({}) do |(name, value), h|
h["INPUT_#{name.to_s.upcase}"] = value unless value.nil?
end
env = dev_cmd_env.merge(action_inputs_env)

dev_cmd = [
"./node_modules/.bin/nodemon",
"--exec",
"node",
"-r",
"esbuild-register",
"src/main.ts"
]

Open3.popen2e(env, *dev_cmd) do |stdin, out|
while line = out.gets
puts line.gsub(@github_token, "<REDACTED>")
end
end
end
end
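Review bot: `validate_token` is called from `initialize`, before `run` has parsed any options, so `scripts/scan_pr -h` (and the usage message for a missing PR URL) dies with "Please set the GITHUB_TOKEN environment variable" whenever the token is unset; removing the call from `initialize` and placing `validate_token` on the line after `parse_options(args)` in `run` keeps the help and usage paths independent of the token. While there, the message belongs on stderr and the status should be explicit — `warn "Please set the GITHUB_TOKEN environment variable"` and `exit(1)` — because `exit -1` triggers Ruby's ambiguous-first-argument warning under `-w` and the shell reports -1 as 255; the same `exit -1` form appears in `extract_repo_and_pr`. Separately, GitHub repository names may contain dots, which the `[\w\-]+` class in the `extract_repo_and_pr` regex rejects, so a URL such as `org/my.repo/pull/1` would fall through to the usage exit; widening the class to `[\w.\-]+` would cover it.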