Add test coverage for GitHub Actions YAML 1.2 anchor support (#362)

* Add YAML anchor support test cases and fixtures

- Add comprehensive unit tests for YAML 1.2 anchors in GitHub Actions workflows
- Add test fixtures demonstrating anchor usage:
  - anchors_env.yml: environment variable reuse
  - anchors_job.yml: complete job configuration reuse
  - anchors_multiple.yml: multiple anchor references
- Update scanner tests to verify anchor workflows are parsed correctly
- Update inventory tests to include new dependencies from anchor fixtures

Tests confirm gopkg.in/yaml.v3 already supports YAML anchors.
Next step: migrate to goccy/go-yaml for better YAML 1.2 compliance
and active maintenance.

* Fix testifylint: use require.NoError for error assertions

* Address PR review comments: improve anchor test coverage and verify detection rules

- Fix unit tests to actually verify anchors are used and values are inherited
  - "simple anchor and alias" test now verifies both jobs parse correctly
  - "anchor for steps configuration" test now uses the anchor in second job
  - "anchor for env variables" test now verifies both jobs' env vars
  - "complex nested anchor" test now verifies permissions inheritance/override

- Add integration test to ensure detection rules work with YAML anchors
  - Created anchors_with_vulnerability.yml with intentional injection flaw
  - Verified rules detect vulnerabilities in both anchor definition and usage
  - Added expected findings to TestFindings for the new test fixture

All PR feedback from Talgarr has been addressed.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: Claude <[email protected]>

Author: fproulx-boostsecurity

models/github_actions_test.go

@@ -594,3 +594,252 @@ runs:
 	assert.Equal(t, "koi", actionMetadata.Runs.Steps[0].With[0].Value)
 	assert.Equal(t, 17, actionMetadata.Runs.Steps[0].Lines["uses"])
 }
+
+// TestGithubActionsWorkflowWithAnchors tests YAML 1.2 anchor support
+// GitHub Actions now supports YAML anchors as of 2025-09-18
+// https://github.blog/changelog/2025-09-18-actions-yaml-anchors-and-non-public-workflow-templates/
+func TestGithubActionsWorkflowWithAnchors(t *testing.T) {
+	t.Run("simple anchor and alias", func(t *testing.T) {
+		workflow := `
+name: CI
+on: push
+
+jobs:
+  build: &build_template
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+  test:
+    <<: *build_template
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm test
+`
+		var wf GithubActionsWorkflow
+		err := yaml.Unmarshal([]byte(workflow), &wf)
+		require.NoError(t, err)
+		assert.Equal(t, "CI", wf.Name)
+		assert.Len(t, wf.Jobs, 2)
+
+		// Verify the first job (with anchor definition)
+		assert.Equal(t, "build", wf.Jobs[0].ID)
+		assert.Equal(t, GithubActionsJobRunsOn{"ubuntu-latest"}, wf.Jobs[0].RunsOn)
+		assert.Len(t, wf.Jobs[0].Steps, 1)
+		assert.Equal(t, "actions/checkout@v4", wf.Jobs[0].Steps[0].Uses)
+
+		// Verify the second job inherited runs-on from the anchor
+		assert.Equal(t, "test", wf.Jobs[1].ID)
+		assert.Equal(t, GithubActionsJobRunsOn{"ubuntu-latest"}, wf.Jobs[1].RunsOn)
+		assert.Len(t, wf.Jobs[1].Steps, 2)
+		assert.Equal(t, "actions/checkout@v4", wf.Jobs[1].Steps[0].Uses)
+		assert.Equal(t, "npm test", wf.Jobs[1].Steps[1].Run)
+	})
+
+	t.Run("anchor for environment configuration", func(t *testing.T) {
+		workflow := `
+name: Deploy
+on: push
+
+jobs:
+  deploy-staging:
+    runs-on: ubuntu-latest
+    environment: &env_config
+      name: staging
+      url: https://staging.example.com
+    steps:
+      - run: echo "deploying"
+
+  deploy-prod:
+    runs-on: ubuntu-latest
+    environment:
+      <<: *env_config
+      name: production
+      url: https://prod.example.com
+    steps:
+      - run: echo "deploying"
+`
+		var wf GithubActionsWorkflow
+		err := yaml.Unmarshal([]byte(workflow), &wf)
+		require.NoError(t, err)
+		assert.Len(t, wf.Jobs, 2)
+		assert.Equal(t, "staging", wf.Jobs[0].Environment[0].Name)
+		assert.Equal(t, "https://staging.example.com", wf.Jobs[0].Environment[0].Url)
+		assert.Equal(t, "production", wf.Jobs[1].Environment[0].Name)
+		assert.Equal(t, "https://prod.example.com", wf.Jobs[1].Environment[0].Url)
+	})
+
+	t.Run("anchor for steps configuration", func(t *testing.T) {
+		workflow := `
+name: Test
+on: push
+
+jobs:
+  test-node-14:
+    runs-on: ubuntu-latest
+    steps: &test_steps
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '14'
+      - run: npm test
+
+  test-node-16:
+    runs-on: ubuntu-latest
+    steps: *test_steps
+`
+		var wf GithubActionsWorkflow
+		err := yaml.Unmarshal([]byte(workflow), &wf)
+		require.NoError(t, err)
+		assert.Len(t, wf.Jobs, 2)
+
+		// Verify both jobs have the same steps from the anchor
+		assert.Len(t, wf.Jobs[0].Steps, 3)
+		assert.Equal(t, "actions/checkout@v4", wf.Jobs[0].Steps[0].Uses)
+		assert.Equal(t, "actions/setup-node@v4", wf.Jobs[0].Steps[1].Uses)
+		assert.Equal(t, "npm test", wf.Jobs[0].Steps[2].Run)
+
+		// Verify the second job uses the anchor and has identical steps
+		assert.Len(t, wf.Jobs[1].Steps, 3)
+		assert.Equal(t, "actions/checkout@v4", wf.Jobs[1].Steps[0].Uses)
+		assert.Equal(t, "actions/setup-node@v4", wf.Jobs[1].Steps[1].Uses)
+		assert.Equal(t, "npm test", wf.Jobs[1].Steps[2].Run)
+	})
+
+	t.Run("anchor for permissions", func(t *testing.T) {
+		workflow := `
+name: Security
+on: push
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    permissions: &security_perms
+      contents: read
+      security-events: write
+    steps:
+      - run: echo "scanning"
+
+  report:
+    runs-on: ubuntu-latest
+    permissions: *security_perms
+    steps:
+      - run: echo "reporting"
+`
+		var wf GithubActionsWorkflow
+		err := yaml.Unmarshal([]byte(workflow), &wf)
+		require.NoError(t, err)
+		assert.Len(t, wf.Jobs, 2)
+		assert.Len(t, wf.Jobs[0].Permissions, 2)
+		assert.Contains(t, wf.Jobs[0].Permissions, GithubActionsPermission{Scope: "contents", Permission: "read"})
+		assert.Contains(t, wf.Jobs[0].Permissions, GithubActionsPermission{Scope: "security-events", Permission: "write"})
+		assert.Equal(t, wf.Jobs[0].Permissions, wf.Jobs[1].Permissions)
+	})
+
+	t.Run("multiple anchors in same workflow", func(t *testing.T) {
+		workflow := `
+name: Multi
+on: push
+
+jobs:
+  job1:
+    runs-on: &runner ubuntu-latest
+    container: &container_image alpine:latest
+    steps:
+      - run: echo "test"
+
+  job2:
+    runs-on: *runner
+    container: *container_image
+    steps:
+      - run: echo "test2"
+`
+		var wf GithubActionsWorkflow
+		err := yaml.Unmarshal([]byte(workflow), &wf)
+		require.NoError(t, err)
+		assert.Len(t, wf.Jobs, 2)
+		assert.Equal(t, GithubActionsJobRunsOn{"ubuntu-latest"}, wf.Jobs[0].RunsOn)
+		assert.Equal(t, GithubActionsJobRunsOn{"ubuntu-latest"}, wf.Jobs[1].RunsOn)
+		assert.Equal(t, "alpine:latest", wf.Jobs[0].Container.Image)
+		assert.Equal(t, "alpine:latest", wf.Jobs[1].Container.Image)
+	})
+
+	t.Run("anchor for env variables", func(t *testing.T) {
+		workflow := `
+name: Env Test
+on: push
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env: &common_env
+      NODE_ENV: production
+      CI: true
+    steps:
+      - run: echo "build"
+
+  test:
+    runs-on: ubuntu-latest
+    env: *common_env
+    steps:
+      - run: echo "test"
+`
+		var wf GithubActionsWorkflow
+		err := yaml.Unmarshal([]byte(workflow), &wf)
+		require.NoError(t, err)
+		assert.Len(t, wf.Jobs, 2)
+
+		// Verify the first job has the anchor env vars
+		assert.Len(t, wf.Jobs[0].Env, 2)
+		assert.Contains(t, wf.Jobs[0].Env, GithubActionsEnv{Name: "NODE_ENV", Value: "production"})
+		assert.Contains(t, wf.Jobs[0].Env, GithubActionsEnv{Name: "CI", Value: "true"})
+
+		// Verify the second job reuses the same env vars via alias
+		assert.Len(t, wf.Jobs[1].Env, 2)
+		assert.Contains(t, wf.Jobs[1].Env, GithubActionsEnv{Name: "NODE_ENV", Value: "production"})
+		assert.Contains(t, wf.Jobs[1].Env, GithubActionsEnv{Name: "CI", Value: "true"})
+	})
+
+	t.Run("complex nested anchor with merge keys", func(t *testing.T) {
+		workflow := `
+name: Complex
+on: push
+
+jobs:
+  base: &base_job
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+  extended:
+    <<: *base_job
+    permissions:
+      contents: write
+      issues: write
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm build
+`
+		var wf GithubActionsWorkflow
+		err := yaml.Unmarshal([]byte(workflow), &wf)
+		require.NoError(t, err)
+		assert.Len(t, wf.Jobs, 2)
+
+		// Verify the base job
+		assert.Equal(t, "base", wf.Jobs[0].ID)
+		assert.Equal(t, GithubActionsJobRunsOn{"ubuntu-latest"}, wf.Jobs[0].RunsOn)
+		assert.Len(t, wf.Jobs[0].Permissions, 1)
+		assert.Contains(t, wf.Jobs[0].Permissions, GithubActionsPermission{Scope: "contents", Permission: "read"})
+		assert.Len(t, wf.Jobs[0].Steps, 1)
+
+		// Verify the extended job inherited runs-on but overrode permissions
+		assert.Equal(t, "extended", wf.Jobs[1].ID)
+		assert.Equal(t, GithubActionsJobRunsOn{"ubuntu-latest"}, wf.Jobs[1].RunsOn)
+		assert.Len(t, wf.Jobs[1].Permissions, 2)
+		assert.Contains(t, wf.Jobs[1].Permissions, GithubActionsPermission{Scope: "contents", Permission: "write"})
+		assert.Contains(t, wf.Jobs[1].Permissions, GithubActionsPermission{Scope: "issues", Permission: "write"})
+		assert.Len(t, wf.Jobs[1].Steps, 2)
+	})
+}

scanner/inventory_scanner_test.go

@@ -2,10 +2,12 @@ package scanner
 
 import (
 	"context"
+	"testing"
+
 	"github.com/boostsecurityio/poutine/models"
 	"github.com/boostsecurityio/poutine/opa"
 	"github.com/stretchr/testify/assert"
-	"testing"
+	"github.com/stretchr/testify/require"
 )
 
 func TestGithubWorkflows(t *testing.T) {
@@ -29,6 +31,10 @@ func TestGithubWorkflows(t *testing.T) {
 		".github/workflows/workflow_run_valid.yml",
 		".github/workflows/workflow_run_reusable.yml",
 		".github/workflows/allowed_pr_runner.yml",
+		".github/workflows/anchors_env.yml",
+		".github/workflows/anchors_job.yml",
+		".github/workflows/anchors_multiple.yml",
+		".github/workflows/anchors_with_vulnerability.yml",
 	})
 }
 
@@ -78,6 +84,69 @@ func TestRun(t *testing.T) {
 	assert.Equal(t, 3, len(scannedPackage.GitlabciConfigs))
 }
 
+func TestGithubWorkflowsWithAnchors(t *testing.T) {
+	s := NewInventoryScanner("testdata")
+	pkgInsights := &models.PackageInsights{}
+	err := s.Run(pkgInsights)
+	require.NoError(t, err)
+
+	workflows := pkgInsights.GithubActionsWorkflows
+
+	// Find and validate the anchor workflows
+	var envWorkflow, jobWorkflow, multipleWorkflow *models.GithubActionsWorkflow
+	for i := range workflows {
+		switch workflows[i].Path {
+		case ".github/workflows/anchors_env.yml":
+			envWorkflow = &workflows[i]
+		case ".github/workflows/anchors_job.yml":
+			jobWorkflow = &workflows[i]
+		case ".github/workflows/anchors_multiple.yml":
+			multipleWorkflow = &workflows[i]
+		}
+	}
+
+	// Verify anchors_env.yml parsed correctly
+	assert.NotNil(t, envWorkflow, "anchors_env.yml should be found")
+	assert.Equal(t, "Anchors - Environment Variables", envWorkflow.Name)
+	assert.Len(t, envWorkflow.Jobs, 2)
+
+	// Both jobs should have the same environment variables (anchor was reused)
+	job1 := envWorkflow.Jobs[0]
+	job2 := envWorkflow.Jobs[1]
+	assert.Len(t, job1.Env, 2)
+	assert.Len(t, job2.Env, 2)
+	assert.Contains(t, job1.Env, models.GithubActionsEnv{Name: "NODE_ENV", Value: "production"})
+	assert.Contains(t, job2.Env, models.GithubActionsEnv{Name: "NODE_ENV", Value: "production"})
+
+	// Verify anchors_job.yml parsed correctly
+	assert.NotNil(t, jobWorkflow, "anchors_job.yml should be found")
+	assert.Equal(t, "Anchors - Complete Job", jobWorkflow.Name)
+	assert.Len(t, jobWorkflow.Jobs, 2)
+
+	// Both jobs should be identical (complete job anchor reused)
+	testJob := jobWorkflow.Jobs[0]
+	altTestJob := jobWorkflow.Jobs[1]
+	assert.Equal(t, "test", testJob.ID)
+	assert.Equal(t, "alt-test", altTestJob.ID)
+	assert.Equal(t, testJob.RunsOn, altTestJob.RunsOn)
+	assert.Equal(t, testJob.Env, altTestJob.Env)
+	assert.Len(t, testJob.Steps, 3)
+	assert.Len(t, altTestJob.Steps, 3)
+	assert.Equal(t, "actions/checkout@v5", testJob.Steps[0].Uses)
+	assert.Equal(t, "actions/checkout@v5", altTestJob.Steps[0].Uses)
+
+	// Verify anchors_multiple.yml parsed correctly
+	assert.NotNil(t, multipleWorkflow, "anchors_multiple.yml should be found")
+	assert.Equal(t, "Anchors - Multiple References", multipleWorkflow.Name)
+	assert.Len(t, multipleWorkflow.Jobs, 3)
+
+	// All three jobs should use the same runner and container (multiple anchors reused)
+	for i := 0; i < 3; i++ {
+		assert.Equal(t, models.GithubActionsJobRunsOn{"ubuntu-latest"}, multipleWorkflow.Jobs[i].RunsOn)
+		assert.Equal(t, "node:18", multipleWorkflow.Jobs[i].Container.Image)
+	}
+}
+
 func TestPipelineAsCodeTekton(t *testing.T) {
 	s := NewInventoryScanner("testdata")
 	pkgInsights := &models.PackageInsights{}

scanner/inventory_test.go

@@ -50,9 +50,11 @@ func TestPurls(t *testing.T) {
 		"pkg:azurepipelinestask/DownloadPipelineArtifact@2",
 		"pkg:azurepipelinestask/Cache@2",
 		"pkg:githubactions/org/owner@main#.github/workflows/ci.yml",
+		"pkg:githubactions/actions/checkout@v5",
+		"pkg:docker/node%3A18",
 	}
 	assert.ElementsMatch(t, i.Purls(*scannedPackage), purls)
-	assert.Len(t, scannedPackage.BuildDependencies, 20)
+	assert.Len(t, scannedPackage.BuildDependencies, 22)
 	assert.Equal(t, 4, len(scannedPackage.PackageDependencies))
 }
 
@@ -492,6 +494,38 @@ func TestFindings(t *testing.T) {
 				Details: "Sources: body.pull_request.body",
 			},
 		},
+		{
+			RuleId: "injection",
+			Purl:   purl,
+			Meta: results.FindingMeta{
+				Path:          ".github/workflows/anchors_with_vulnerability.yml",
+				Line:          15,
+				Job:           "base_job",
+				Step:          "1",
+				Details:       "Sources: github.head_ref",
+				EventTriggers: []string{"pull_request_target", "push"},
+			},
+		},
+		{
+			RuleId: "injection",
+			Purl:   purl,
+			Meta: results.FindingMeta{
+				Path:          ".github/workflows/anchors_with_vulnerability.yml",
+				Line:          15,
+				Job:           "test_job",
+				Step:          "1",
+				Details:       "Sources: github.head_ref",
+				EventTriggers: []string{"pull_request_target", "push"},
+			},
+		},
+		{
+			RuleId: "default_permissions_on_risky_events",
+			Purl:   purl,
+			Meta: results.FindingMeta{
+				Path:          ".github/workflows/anchors_with_vulnerability.yml",
+				EventTriggers: []string{"pull_request_target", "push"},
+			},
+		},
 	}
 
 	assert.Equal(t, len(findings), len(analysisResults.Findings))