Update workflow policy to scan all branches for dangerous workflows #569

[serb-google]

This PR addresses #569 and introduces 2 changes:

• Adds support for local git repos in scorecard.go, with additional functionality to switch between all branches. I opted to not replace the existing Github client as policies may want to interact directly with Github.
• Updates workflow.go to scan all remote branches in the local git repo.

Tested locally using https://github.com/serb-google/allstar, with a branch insecure_test which contains a fake unsafe workflow rule. Verified this triggered the alert which included output Vulnerable Branch: refs/remotes/origin/insecure_test.

This is my first contribution to this repo, please review carefully :)

[jeffmendoza]

LGTM

[jeffmendoza]

@raghavkaul can you review as well? Thanks.

[raghavkaul]

Thanks for this push, looks good with minor feedback.

[raghavkaul]

@jeffmendoza do we need to defer this func somewhere?

[serb-google]

Nice catch! I went through and defer scorecard.Close... all uses of the Get function.

[jeffmendoza]

We have the Close here:

allstar/pkg/enforce/enforce.go

Line 342 in 5ef0769

defer scorecard.Close(fmt.Sprintf("%s/%s", owner, repo))

Just one per repo run, so that each policy can get the clients, the first one will download the tarball, but the subsequent policies that use scorecard will not have to download the tarball again.

[serb-google]

Yup, you're right. I was able to validate this running ./main -once=true with inotifywait -m -e modify,create,delete /tmp also running. Only one folder named allstar<random number> is created and then deleted per-run after removing the unnecessary closes.

[raghavkaul]

Suggested change

	Pass: true,
	Pass: false,

[serb-google]

fixed!

[raghavkaul]

Suggested change

	Pass: true,
	Pass: false,

[serb-google]

fixed!

[raghavkaul]

Suggested change

	Pass: true,
	Pass: false,

[serb-google]

fixed!

[serb-google]

Validated this still works as expected:

{"severity":"INFO","org":"serb-google","repo":"allstar","area":"Dangerous Workflow","result":false,"enabled":false,"notify":"Project is out of compliance with Dangerous Workflow policy: dangerous workflow patterns detected\n\n\t\t**Rule Description**\n\t\tDangerous workflows are GitHub Action workflows that exhibit dangerous patterns that could render them vulnerable to attack. A vulnerable workflow is susceptible to leaking repository secrets, or allowing an attacker write access using the GITHUB_TOKEN. For more information about the particular patterns that are detected, see the [OpenSSF Scorecard documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) on dangerous workflows. Any vulnerable branch can be exploited, so this rule will check all branches (vulnerable list below).\n\n\t\t**Remediation Steps**\n\t\tAvoid the dangerous workflow patterns. See this [post](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) for information on avoiding untrusted code checkouts. See this [document](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections) for information on avoiding and mitigating the risk of script injections.\n\t\t**Dangerous Patterns Found**\n\n- [0]:\n\n**Additional Information**\n\tThis policy uses [OpenSSF Scorecard](https://github.com/ossf/scorecard/). You may wish to run a Scorecard scan directly on this repository for more details.\n\nVulnerable Branch: refs/remotes/origin/insecure_test","details":{"Findings":null},"time":"2025-02-28T21:36:22Z","message":"Policy run result."}

[serb-google]

Force-pushed to add Signed-off-by line which was missing in previous commit.

[raghavkaul]

New changes LGTM.

[jeffmendoza]

Thanks!

[coheigea]

@jeffmendoza @serb-google This PR is breaking the dangerous workflows scan for private repositories. It fails with an authentication failure on:

repo, err := git.PlainClone(dir, false, &git.CloneOptions{
		URL: "https://github.com/" + fullRepo,
	})

which can only work for public repos as it's not re-using the http config. The logs I see are:

{"severity":"ERROR","error":"authentication required: Repository not found.","time":"2025-03-06T07:02:58Z","message":"Unexpected error running policies."}

[serb-google]

Hi @coheigea, I believe serb-google@57aa84f should address this, but I need to find a way to test this before sending it out for a PR.

[coheigea]

@serb-google Hi, I get a different error message with the patch.

Before:

{"severity":"ERROR","error":"authentication required: Repository not found.","time":"2025-03-07T09:54:00Z","message":"Unexpected error running policies."}

After:

{"severity":"ERROR","error":"authentication required: invalid credentials","time":"2025-03-07T09:54:40Z","message":"Unexpected error running policies."}

[serb-google]

Hi @coheigea , I was able to work through this issue and found a way to also test this. If you don't mind can you test #660 as well?

Thanks,
Sam

[coheigea]

@serb-google I've found our scans running way slower than before on big repos with many branches after this change. What do you think about adding a boolean config whether to restrict to the default branch or not?

[serb-google]

Sorry for the delay @coheigea. I created #677 which should give you enough control to specify which branches you would like checked.

Thanks,
Sam