fix: move artipacked pendantic finding to auditor (#272)

woodruffw · Dec 10, 2024 · 0f88aac · 0f88aac
1 parent 94722be
commit 0f88aac
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 14 deletions.
diff --git a/src/audit/artipacked.rs b/src/audit/artipacked.rs
@@ -73,8 +73,8 @@ impl WorkflowAudit for Artipacked {
                         Some(EnvValue::Boolean(false)) => continue,
                         Some(EnvValue::Boolean(true)) => {
                             // If a user explicitly sets `persist-credentials: true`,
-                            // they probably mean it. Only report if being pedantic.
-                            vulnerable_checkouts.push((step, Persona::Pedantic))
+                            // they probably mean it. Only report if in auditor mode.
+                            vulnerable_checkouts.push((step, Persona::Auditor))
                         }
                         // TODO: handle expressions and literal strings here.
                         // persist-credentials is true by default.

diff --git a/tests/snapshot.rs b/tests/snapshot.rs
@@ -138,6 +138,11 @@ fn artipacked() -> Result<()> {
         .workflow(workflow_under_test("artipacked.yml"))
         .run()?);
 
+    insta::assert_snapshot!(zizmor()
+        .workflow(workflow_under_test("artipacked.yml"))
+        .args(["--persona=auditor"])
+        .run()?);
+
     Ok(())
 }
 

diff --git a/tests/snapshots/snapshot__artipacked-3.snap b/tests/snapshots/snapshot__artipacked-3.snap
@@ -0,0 +1,25 @@
+---
+source: tests/snapshot.rs
+expression: "zizmor().workflow(workflow_under_test(\"artipacked.yml\")).args([\"--persona=auditor\"]).run()?"
+snapshot_kind: text
+---
+warning[artipacked]: credential persistence through GitHub Actions artifacts
+  --> @@INPUT@@:13:9
+   |
+13 |       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+   |         ---------------------------------------------------------------------------- does not set persist-credentials: false
+   |
+   = note: audit confidence → Low
+
+warning[artipacked]: credential persistence through GitHub Actions artifacts
+  --> @@INPUT@@:18:9
+   |
+18 |         - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+   |  _________-
+19 | |         with:
+20 | |           persist-credentials: true
+   | |____________________________________- does not set persist-credentials: false
+   |
+   = note: audit confidence → Low
+
+2 findings: 0 unknown, 0 informational, 0 low, 2 medium, 0 high
diff --git a/tests/snapshots/snapshot__artipacked.snap b/tests/snapshots/snapshot__artipacked.snap
@@ -11,15 +11,4 @@ warning[artipacked]: credential persistence through GitHub Actions artifacts
    |
    = note: audit confidence → Low
 
-warning[artipacked]: credential persistence through GitHub Actions artifacts
-  --> @@INPUT@@:18:9
-   |
-18 |         - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
-   |  _________-
-19 | |         with:
-20 | |           persist-credentials: true
-   | |____________________________________- does not set persist-credentials: false
-   |
-   = note: audit confidence → Low
-
-2 findings: 0 unknown, 0 informational, 0 low, 2 medium, 0 high
+2 findings (1 suppressed): 0 unknown, 0 informational, 0 low, 1 medium, 0 high