Merge pull request #41 from resideo/tm/twistlock

Twistlock CLI

.github/workflows/twistlock.yml

@@ -0,0 +1,21 @@
+name: Twistlock
+
+on:
+  pull_request:
+    branches: 
+      - master
+
+jobs:
+  twistlock:
+    name: Run Twistlock
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: ./twistlock
+      with:
+        project: Titan-QA
+        consoleURL: https://twistlock.cloud.resideo.com
+        username: ${{ secrets.TEMP_TWISTCLI_USERNAME }}
+        password: ${{ secrets.TEMP_TWISTCLI_PASSWORD }}
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -1,14 +1,16 @@
-## Resideo Actions
+# Resideo Actions
 
 This repository is a collection of actions for Resideo projects.
 
-
 ## Actions
+
 The following are our current actions. Go to its directories for a more detailed instructions on how to use them.
 
-| Actions | Description |
-| ------- | ----------- |
-| [auth0-add-origin](/auth0-add-origin) | Add a URL (such as a preview URL) to an Auth0 Client |
-| [auth0-remove-origin](/auth0-remove-origin) | Remove a URL (such as a preview URL) from an Auth0 Client |
-| [publish-releases](/publish-releases) | Bump version and publish packages that have been modified. |
-| [publish-previews](/publish-previews) | Publish preview package(s) from pull request. |
+| Actions | Description | Status |
+| ------- | ----------- | ------ |
+| [twistlock](/twistlock) | Run twistlock on repository | Active |
+| [publish-releases](/publish-releases) | Bump version and publish packages that have been modified. | Active |
+| [publish-previews](/publish-previews) | Publish preview package(s) from pull request. | Active |
+| [auth0-add-origin](/auth0-add-origin) | Add a URL (such as a preview URL) to an Auth0 Client | Deprecated |
+| [auth0-remove-origin](/auth0-remove-origin) | Remove a URL (such as a preview URL) from an Auth0 Client | Deprecated |
+

auth0-add-origin/index.ts

@@ -37,7 +37,9 @@ async function main({
 
     core.info(`Origin "${origin}" added to auth0 client "${clientId}"`);
   } catch (error) {
-    core.setFailed(error.message);
+    if (error instanceof Error) {
+      core.setFailed(error.message);
+    }
   }
 }
 

auth0-remove-origin/index.ts

@@ -31,7 +31,9 @@ async function main({
 
     core.info(`Origin "${origin}" removed from auth0 client "${clientId}"`);
   } catch (error) {
-    core.setFailed(error.message);
+    if (error instanceof Error) {
+      core.setFailed(error.message);
+    }
   }
 }
 

package.json

@@ -6,6 +6,7 @@
     "packages": [
       "auth0-add-origin",
       "auth0-remove-origin",
+      "twistlock",
       "core/*"
     ]
   },
@@ -14,7 +15,8 @@
       "@resideo/typescript"
     ],
     "ignorePatterns": [
-      "dist"
+      "dist",
+      "node_modules/"
     ]
   },
   "scripts": {
@@ -33,13 +35,13 @@
     "lerna": "^3.20.2",
     "npm-run-all": "^4.1.5",
     "prettier": "^1.19.1",
-    "typescript": "^3.7.5"
+    "typescript": "^4.4.3"
   },
   "resolutions": {
     "minimist": ">=1.2.2"
   },
   "volta": {
-    "node": "10.16.0",
-    "yarn": "1.22.0"
+    "node": "12.18.4",
+    "yarn": "1.22.11"
   }
 }

twistlock/.gitignore

@@ -0,0 +1 @@
+dist/**/*.map

twistlock/README.md

@@ -0,0 +1,23 @@
+# Twistlock Action
+
+Run Twistlock to list dependencies that have security vulnerabilities.
+
+## Usage
+```yaml
+on: pull_request
+
+jobs:
+  job_name:
+    name: Job Name
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: resideo/actions/twistlock@master
+      with:
+        project: Titan-QA
+        consoleURL: https://twistlock.cloud.resideo.com
+        username: ${{ secrets.TWISTLOCK_USERNAME }}
+        password: ${{ secrets.TWISTLOCK_PASSWORD }}
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+```

twistlock/action.yml

@@ -0,0 +1,24 @@
+name: Twistlock
+description: Run Twistlock
+
+inputs:
+  project:
+    description: Specifies a target project
+    required: true
+  consoleURL:
+    description: Prisma Cloud Console's URL
+    required: true
+  repositoryPath:
+    description: Password for authenticating with Prisma Cloud Console.
+    required: false
+    default: '.'
+  username:
+    description: User for authenticating with Prisma Cloud Console.
+    required: true
+  password:
+    description: Password for authenticating with Prisma Cloud Console.
+    required: true
+
+runs:
+  using: "node12"
+  main: "dist/index.js"

twistlock/dist/index.d.ts

@@ -0,0 +1 @@
+export {};

twistlock/dist/src/githubComment.d.ts

@@ -0,0 +1,5 @@
+export declare function postGithubComment(octokit: any, { message, tag }: {
+    message: any;
+    tag: any;
+}): Generator<any, void, unknown>;
+//# sourceMappingURL=githubComment.d.ts.map

twistlock/dist/src/index.d.ts

@@ -0,0 +1,9 @@
+import { SetupCliReturn, TwistlockResults, TwistlockRun } from "./twistlock";
+export declare function run({ user, password, consoleUrl, project, repositoryPath, octokit }: TwistlockRun): Generator<Generator<any, SetupCliReturn, any> | Generator<any, TwistlockResults, any> | Generator<Generator<import("effection").Operation<{
+    [x: string]: unknown;
+}>, (import("./twistlock").Vulnerability & {
+    yarnWhy?: string[] | undefined;
+})[], unknown>, string, (import("./twistlock").Vulnerability & {
+    yarnWhy?: string[] | undefined;
+})[]> | Generator<any, void, unknown>, void, SetupCliReturn & TwistlockResults>;
+//# sourceMappingURL=index.d.ts.map

twistlock/dist/src/twistlock.d.ts

@@ -0,0 +1,61 @@
+import { GitHub } from "@actions/github/lib/utils";
+export declare const SEVERITY_LEVELS: readonly ["critical", "high", "medium", "low"];
+export interface Vulnerability {
+    id: string;
+    status: string;
+    cvss: string;
+    vector: string;
+    description: string;
+    severity: typeof SEVERITY_LEVELS[number];
+    packageName: string;
+    link: string;
+    riskFactor: string[];
+    impactedVersions: string[];
+    publishDate: string;
+    discoveredDate: string;
+}
+export interface Distribution {
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+    total: number;
+}
+export interface TwistlockRun {
+    user: string;
+    password: string;
+    consoleUrl: string;
+    project: string;
+    repositoryPath: string;
+    octokit: InstanceType<typeof GitHub>;
+}
+export interface TwistlockResults {
+    repository: string;
+    passed: boolean;
+    packages: {
+        type: string;
+        name: string;
+        version: string;
+        path: string;
+        license: string[];
+    }[];
+    complianceIssues: unknown;
+    complianceDistribution: Distribution;
+    vulnerabilities: Vulnerability[];
+    vulnerabilityDistribution: Distribution;
+}
+interface DownloadCliParams {
+    user: string;
+    password: string;
+    consoleUrl: string;
+    project: string;
+}
+interface ScanRepositoryParams {
+    repositoryPath: string;
+}
+export declare type SetupCliReturn = {
+    scanRepository: (params: ScanRepositoryParams) => Generator<any, TwistlockResults, any>;
+};
+export declare function setupCli({ user, password, consoleUrl, project }: DownloadCliParams): Generator<any, SetupCliReturn, any>;
+export {};
+//# sourceMappingURL=twistlock.d.ts.map

twistlock/dist/src/yarnWhyFormat.d.ts

@@ -0,0 +1,16 @@
+import { Vulnerability } from "./twistlock";
+declare type VulnerabilityTagged = Vulnerability & {
+    yarnWhy?: string[];
+};
+export interface VulnerabilitiesCategorized {
+    severity: string;
+    packages: VulnerabilityTagged[];
+}
+export declare function yarmWhyFormat({ message, tag }: {
+    message: any;
+    tag: any;
+}): Generator<Generator<import("effection").Operation<{
+    [x: string]: unknown;
+}>, VulnerabilityTagged[], unknown>, string, VulnerabilityTagged[]>;
+export {};
+//# sourceMappingURL=yarnWhyFormat.d.ts.map

twistlock/index.ts

@@ -0,0 +1,21 @@
+import * as core from "@actions/core";
+import * as github from "@actions/github";
+import { main } from "effection";
+import { run } from "./src";
+
+const token =
+  core.getInput("token") === ""
+    ? process.env.GITHUB_TOKEN || ""
+    : core.getInput("token");
+const octokit = github.getOctokit(token);
+
+main(
+  run({
+    user: core.getInput("username"),
+    password: core.getInput("password"),
+    consoleUrl: core.getInput("consoleURL"),
+    project: core.getInput("project"),
+    repositoryPath: core.getInput("repositoryPath"),
+    octokit
+  })
+);

twistlock/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@resideo/twistlock-action",
+  "version": "1.0.0",
+  "description": "Run Twistlock on repository content.",
+  "main": "dist/index.js",
+  "scripts": {
+    "build": "ncc build index.ts --minify",
+    "watch": "yarn build --watch",
+    "problems": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@actions/core": "^1.2.2",
+    "@actions/exec": "^1.1.0",
+    "@actions/github": "^5.0.0",
+    "@effection/process": "^2.0.0-beta.15",
+    "@octokit/action": "^3.15.6",
+    "effection": "^2.0.0-beta.16",
+    "markdown-table": "^3.0.1",
+    "tmp-promise": "^3.0.2"
+  },
+  "devDependencies": {
+    "@resideo/tsconfig": "^0.0.6",
+    "@types/node": "^14.14.31",
+    "@types/tmp": "^0.2.1",
+    "@vercel/ncc": "^0.31.1",
+    "typescript": "^4.4.3"
+  },
+  "volta": {
+    "node": "12.18.4",
+    "yarn": "1.22.11"
+  }
+}

twistlock/src/githubComment.ts

@@ -0,0 +1,40 @@
+import * as core from "@actions/core";
+import * as github from "@actions/github";
+
+export function* postGithubComment(octokit, { message, tag }) {
+  if (!github.context.payload.pull_request) {
+    core.setFailed("This action can only be run on pull requests");
+  } else {
+    const { owner, repo } = github.context.repo;
+    const { number } = github.context.payload.pull_request;
+
+    const allComments = yield octokit.rest.issues.listComments({
+      owner,
+      repo,
+      // eslint-disable-next-line @typescript-eslint/camelcase
+      issue_number: number
+    });
+
+    const previousComment =
+      allComments.data.length > 0 &&
+      allComments.data.find(comment => comment.body.includes(tag));
+
+    if (previousComment) {
+      yield octokit.rest.issues.updateComment({
+        owner,
+        repo,
+        // eslint-disable-next-line @typescript-eslint/camelcase
+        comment_id: previousComment.id,
+        body: `${message}`
+      });
+    } else {
+      yield octokit.rest.issues.createComment({
+        owner,
+        repo,
+        // eslint-disable-next-line @typescript-eslint/camelcase
+        issue_number: number,
+        body: `${message}`
+      });
+    }
+  }
+}

twistlock/src/index.ts

@@ -0,0 +1,31 @@
+import { setupCli } from "./twistlock";
+import { SetupCliReturn, TwistlockResults, TwistlockRun } from "./twistlock";
+import { yarmWhyFormat } from "./yarnWhyFormat";
+import { postGithubComment } from "./githubComment";
+
+const tag =
+  '<p align="right"><em>Generated by <a href="https://github.com/resideo/actions/tree/master/twistlock">resideo/actions/twistlock</a>.<br>Please <a href="https://github.com/resideo/actions/issues/new">create an issue</a> in the repository if you have any feedback.<em></p><!-- Twistlock Action by Frontside Software -->';
+
+export function* run({
+  user,
+  password,
+  consoleUrl,
+  project,
+  repositoryPath,
+  octokit
+}: TwistlockRun) {
+  const twistcli: SetupCliReturn = yield setupCli({
+    user,
+    password,
+    consoleUrl,
+    project
+  });
+
+  const results: TwistlockResults = yield twistcli.scanRepository({
+    repositoryPath
+  });
+
+  const message = yield yarmWhyFormat({ message: results, tag });
+
+  yield postGithubComment(octokit, { message, tag });
+}