Add/actions sniffer (#5)

* feat: add action to check gh action versions

* chore(tests): add tests for gh actions script

Author: 1shooperman

bin/gh-actions-sast

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+RESET='\033[0m'
+
+EXCLUDE_LIST=()
+
+MIN_VERSION=6
+
+is_excluded() {
+  local action="$1"
+  for ex in "${EXCLUDE_LIST[@]}"; do
+    [[ "$ex" == "$action" ]] && return 0
+  done
+  return 1
+}
+
+found_error=0
+
+while IFS= read -r file; do
+  while IFS= read -r line; do
+    if [[ "$line" =~ (actions/[a-zA-Z-]+)@v([0-9]+) ]]; then
+      action="${BASH_REMATCH[1]}"
+      version="${BASH_REMATCH[2]}"
+      if (( version < MIN_VERSION )); then
+        if is_excluded "$action"; then
+          echo -e "${YELLOW}WARN${RESET}  $file: $action@v$version is below v$MIN_VERSION (excluded)"
+        else
+          echo -e "${RED}ERROR${RESET} $file: $action@v$version is below v$MIN_VERSION"
+          found_error=1
+        fi
+      fi
+    fi
+  done < "$file"
+done < <(find .github/workflows -name '*.yml' 2>/dev/null)
+
+exit $found_error

tests/test_gh_actions_sast.bats

@@ -0,0 +1,131 @@
+#!/usr/bin/env bats
+
+setup() {
+  TMPDIR="$(mktemp -d)"
+  mkdir -p "$TMPDIR/.github/workflows"
+  cp "$BATS_TEST_DIRNAME/../bin/gh-actions-sast" "$TMPDIR/gh-actions-sast"
+  chmod +x "$TMPDIR/gh-actions-sast"
+  GH_ACTIONS_SAST="$TMPDIR/gh-actions-sast"
+}
+
+teardown() {
+  rm -rf "$TMPDIR"
+}
+
+write_workflow() {
+  cat > "$TMPDIR/.github/workflows/ci.yml"
+}
+
+@test "no workflows dir: exits 0" {
+  rm -rf "$TMPDIR/.github"
+  run bash -c "cd '$TMPDIR' && '$GH_ACTIONS_SAST'"
+  [ "$status" -eq 0 ]
+}
+
+@test "action at MIN_VERSION (v6): exits 0" {
+  write_workflow <<'EOF'
+jobs:
+  test:
+    steps:
+      - uses: actions/checkout@v6
+EOF
+  run bash -c "cd '$TMPDIR' && '$GH_ACTIONS_SAST'"
+  [ "$status" -eq 0 ]
+}
+
+@test "action above MIN_VERSION (v7): exits 0" {
+  write_workflow <<'EOF'
+jobs:
+  test:
+    steps:
+      - uses: actions/checkout@v7
+EOF
+  run bash -c "cd '$TMPDIR' && '$GH_ACTIONS_SAST'"
+  [ "$status" -eq 0 ]
+}
+
+@test "action below MIN_VERSION (v5): exits 1 with ERROR" {
+  write_workflow <<'EOF'
+jobs:
+  test:
+    steps:
+      - uses: actions/checkout@v5
+EOF
+  run bash -c "cd '$TMPDIR' && '$GH_ACTIONS_SAST'"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"ERROR"* ]]
+  [[ "$output" == *"actions/checkout@v5"* ]]
+}
+
+@test "action at v1: exits 1 with ERROR" {
+  write_workflow <<'EOF'
+jobs:
+  test:
+    steps:
+      - uses: actions/setup-node@v1
+EOF
+  run bash -c "cd '$TMPDIR' && '$GH_ACTIONS_SAST'"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"ERROR"* ]]
+  [[ "$output" == *"actions/setup-node@v1"* ]]
+}
+
+@test "multiple old actions: all reported" {
+  write_workflow <<'EOF'
+jobs:
+  test:
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
+EOF
+  run bash -c "cd '$TMPDIR' && '$GH_ACTIONS_SAST'"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"actions/checkout@v4"* ]]
+  [[ "$output" == *"actions/setup-node@v3"* ]]
+}
+
+@test "mixed old and new actions: exits 1" {
+  write_workflow <<'EOF'
+jobs:
+  test:
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v3
+EOF
+  run bash -c "cd '$TMPDIR' && '$GH_ACTIONS_SAST'"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"actions/setup-node@v3"* ]]
+}
+
+@test "non-yml file ignored" {
+  cp "$TMPDIR/.github/workflows/ci.yml" "$TMPDIR/.github/workflows/notes.txt" 2>/dev/null || true
+  cat > "$TMPDIR/.github/workflows/notes.txt" <<'EOF'
+uses: actions/checkout@v1
+EOF
+  write_workflow <<'EOF'
+jobs:
+  test:
+    steps:
+      - uses: actions/checkout@v6
+EOF
+  run bash -c "cd '$TMPDIR' && '$GH_ACTIONS_SAST'"
+  [ "$status" -eq 0 ]
+}
+
+@test "multiple workflow files: all scanned" {
+  write_workflow <<'EOF'
+jobs:
+  test:
+    steps:
+      - uses: actions/checkout@v6
+EOF
+  cat > "$TMPDIR/.github/workflows/release.yml" <<'EOF'
+jobs:
+  release:
+    steps:
+      - uses: actions/upload-artifact@v4
+EOF
+  run bash -c "cd '$TMPDIR' && '$GH_ACTIONS_SAST'"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"actions/upload-artifact@v4"* ]]
+}