diff --git a/docs/audits.md b/docs/audits.md
index 4df4b9c4..6d585a85 100644
--- a/docs/audits.md
+++ b/docs/audits.md
@@ -357,9 +357,9 @@ the action if one is available, or remove the action's usage entirely.
 ## `ref-confusion`
-| Type | Examples | Introduced in | Works offline | Enabled by default |
-|----------|---------------------|---------------|----------------|--------------------|
-| Workflow | [ref-confusion.yml] | v0.1.0 | ❌ | ✅ |
+| Type | Examples | Introduced in | Works offline | Enabled by default |
+|------------------|---------------------|---------------|----------------|--------------------|
+| Workflow, Action | [ref-confusion.yml] | v0.1.0 | ❌ | ✅ |
 [ref-confusion.yml]: https://github.com/woodruffw/gha-hazmat/blob/main/.github/workflows/ref-confusion.yml
diff --git a/src/audit/ref_confusion.rs b/src/audit/ref_confusion.rs
index c12e17f3..cfb2b083 100644
--- a/src/audit/ref_confusion.rs
+++ b/src/audit/ref_confusion.rs
@@ -12,6 +12,8 @@ use anyhow::{anyhow, Result};
 use github_actions_models::workflow::Job;
 use super::{audit_meta, Audit};
+use crate::finding::Finding;
+use crate::models::CompositeStep;
 use crate::{
 finding::{Confidence, Severity},
 github_api,
@@ -115,4 +117,29 @@ impl Audit for RefConfusion {
 Ok(findings)
 }
+
+ fn audit_composite_step<'a>(&self, step: &CompositeStep<'a>) -> Result>> {
+ let mut findings = vec![];
+
+ let Some(Uses::Repository(uses)) = step.uses() else {
+ return Ok(findings);
+ };
+
+ if self.confusable(&uses)? {
+ findings.push(
+ Self::finding()
+ .severity(Severity::Medium)
+ .confidence(Confidence::High)
+ .add_location(
+ step.location()
+ .primary()
+ .with_keys(&["uses".into()])
+ .annotated(REF_CONFUSION_ANNOTATION),
+ )
+ .build(step.action())?,
+ );
+ }
+
+ Ok(findings)
+ }
 }
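Review bot: The new `audit_composite_step` has no doc comment, and since it is the only place on the page where the audit's behaviour for composite actions is expressed, a one-liner stating the contract would help the next reader, e.g. `/// Audits a composite action step: a repository `uses:` whose ref `self.confusable` reports as confusable yields one Medium/High finding anchored on the `uses` key; other `uses:` kinds produce no finding.` The `?` on `self.confusable(&uses)` means a lookup failure aborts the whole step audit rather than yielding an empty result, which is fine if that matches the workflow-side method whose closing lines are visible above the new code — worth confirming the two paths agree on severity, confidence and error propagation so that the "Workflow, Action" row the docs hunk adds stays accurate. The enclosing `impl Audit for RefConfusion` starts outside the hunk.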