Skip to content

Add a self-maintained Electron assessment fixture and CI#5

Open
gronke wants to merge 1 commit into
crabnebula-dev:mainfrom
gronke:fixtures/electron-sample
Open

Add a self-maintained Electron assessment fixture and CI#5
gronke wants to merge 1 commit into
crabnebula-dev:mainfrom
gronke:fixtures/electron-sample

Conversation

@gronke

@gronke gronke commented Jun 29, 2026

Copy link
Copy Markdown

Introduce an intentionally vulnerable Electron fixture for roundtrip tests.

`crates/fixtures` builds a synthetic, deliberately-vulnerable Electron app from committed source: a packed `electron-sample.asar` and a minimal `ElectronSample.app`.
Every defect is intentional — `sandbox: false`, `nodeIntegration: true`, `contextIsolation: false` and `webSecurity: false` in `main.js`, no CSP in `index.html`, a `lodash@4.17.20` dependency, weak App Transport Security flags and a registered URL scheme in `Info.plist`, and a correct `ElectronAsarIntegrity` hash.

`expected.json` lists the findings to expect.
The `assess` bin compares the `detect`, `static-scan` and `audit` output to it as plain JSON, so the crate depends on none of the analysis crates.

`.github/workflows/fixtures.yml` builds the target on Linux, then runs the analyzers against it on macOS, the default bundle path, and checks the manifest.
The workflow runs read-only because the fixture is untrusted.
@gronke gronke force-pushed the fixtures/electron-sample branch from 3f7b976 to a5e3d01 Compare June 29, 2026 10:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant