Composite actions: support for existing audits

[woodruffw]

#331 will add composite action support. From there, the current audits need to be extended to work with composite actions, where appropriate.

• artipacked
• dangerous-triggers (N/A)
• excessive-permissions (N/A)
• hardcoded-container-credentials (N/A?)
• impostor-commit: feat: composite action support #331
• known-vulnerable-actions @ubiratansoares feat: adds composite actions support to known-vulnerable-actions #367
• ref-confusion @ubiratansoares feat: ref-confusion now supports composite actions #365
• self-hosted-runner (N/A?)
• template-injection: feat: composite action support #331
• use-trusted-publishing
• unpinned-uses @ubiratansoares feat: adds unpinned-uses support to composite actions #364
• insecure-commands feat: insecure-commands: support composite actions #359
• github-env feat: github-env: support composite actions #358
• cache-poisoning (N/A?)

[woodruffw]

I'm going to keep burning this down, but I would appreciate help as well! If anybody is interested in working on one of these, leave a comment here and I'll assign it to you 🙂

[ubiratansoares]

@woodruffw Happy to help here!

Let me give a try on known-vulnerable-actions, unpinned-uses, and ref-confusion, they don't look too hard and I can learn a bit more about their inner details along the way. I'll raise individual PRs for each one, for the sake of easier reviews 🙂

[ubiratansoares]

@woodruffw Happy new year 🎉🎉🎉

If ok for you, I'm happy take the 2 remaining audits, so we get the all audits supported in Composite Actions 🙂

[woodruffw]

That would be awesome, thank you @ubiratansoares! And happy new year!