|
| 1 | +#!/usr/bin/env bash |
| 2 | +# Validate .github/codeql-allowlist.yml expiry dates. |
| 3 | +# Expired entries fail with a clear message for security on-call follow-up. |
| 4 | +set -euo pipefail |
| 5 | + |
| 6 | +ALLOWLIST_FILE="${1:-.github/codeql-allowlist.yml}" |
| 7 | + |
| 8 | +if [[ ! -f "$ALLOWLIST_FILE" ]]; then |
| 9 | + echo "No allowlist file at $ALLOWLIST_FILE; skipping expiry check." |
| 10 | + exit 0 |
| 11 | +fi |
| 12 | + |
| 13 | +if ! command -v python3 >/dev/null 2>&1; then |
| 14 | + echo "python3 is required to validate $ALLOWLIST_FILE" >&2 |
| 15 | + exit 1 |
| 16 | +fi |
| 17 | + |
| 18 | +python3 - "$ALLOWLIST_FILE" <<'PY' |
| 19 | +import datetime |
| 20 | +import re |
| 21 | +import sys |
| 22 | +
|
| 23 | +path = sys.argv[1] |
| 24 | +text = open(path, encoding="utf-8").read() |
| 25 | +
|
| 26 | +# Minimal parser for our allowlist schema (no PyYAML dependency). |
| 27 | +entries = [] |
| 28 | +current = None |
| 29 | +for line in text.splitlines(): |
| 30 | + stripped = line.strip() |
| 31 | + if stripped.startswith("- "): |
| 32 | + if current: |
| 33 | + entries.append(current) |
| 34 | + current = {} |
| 35 | + item = stripped[2:].strip() |
| 36 | + m = re.search(r"rule_id:\s*(\S+)", item) |
| 37 | + if m: |
| 38 | + current["rule_id"] = m.group(1) |
| 39 | + m = re.search(r"expires:\s*(\S+)", item) |
| 40 | + if m: |
| 41 | + current["expires"] = m.group(1) |
| 42 | + continue |
| 43 | + if current is None: |
| 44 | + continue |
| 45 | + m = re.match(r"expires:\s*(\S+)", stripped) |
| 46 | + if m: |
| 47 | + current["expires"] = m.group(1) |
| 48 | + m = re.match(r"rule_id:\s*(\S+)", stripped) |
| 49 | + if m: |
| 50 | + current["rule_id"] = m.group(1) |
| 51 | +if current: |
| 52 | + entries.append(current) |
| 53 | +
|
| 54 | +today = datetime.date.today() |
| 55 | +expired = [] |
| 56 | +for idx, entry in enumerate(entries): |
| 57 | + expires_raw = entry.get("expires") |
| 58 | + if not expires_raw: |
| 59 | + print( |
| 60 | + f"{path}: allowlist[{idx}] missing expires date " |
| 61 | + "(required for security on-call approval model)", |
| 62 | + file=sys.stderr, |
| 63 | + ) |
| 64 | + sys.exit(1) |
| 65 | + try: |
| 66 | + expires = datetime.date.fromisoformat(str(expires_raw)) |
| 67 | + except ValueError: |
| 68 | + print( |
| 69 | + f"{path}: allowlist[{idx}] has invalid expires date: {expires_raw!r}", |
| 70 | + file=sys.stderr, |
| 71 | + ) |
| 72 | + sys.exit(1) |
| 73 | + if expires < today: |
| 74 | + rule_id = entry.get("rule_id", "<unknown>") |
| 75 | + expired.append(f"{rule_id} (expired {expires.isoformat()})") |
| 76 | +
|
| 77 | +if expired: |
| 78 | + print("Allowlist expired; contact security on-call to extend or remove:", file=sys.stderr) |
| 79 | + for item in expired: |
| 80 | + print(f" - {item}", file=sys.stderr) |
| 81 | + sys.exit(1) |
| 82 | +
|
| 83 | +print(f"PASS: {len(entries)} allowlist entries are current.") |
| 84 | +PY |
0 commit comments