-
Notifications
You must be signed in to change notification settings - Fork 0
363 lines (319 loc) · 14.6 KB
/
code-quality.yml
File metadata and controls
363 lines (319 loc) · 14.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
name: Code Quality & Security
on:
push:
branches: [ main, master, develop ]
pull_request:
branches: [ main, master ]
schedule:
- cron: '0 6 * * 1' # Weekly on Monday at 6 AM
jobs:
shellcheck:
name: ShellCheck Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install ShellCheck
run: |
sudo apt-get update
sudo apt-get install -y shellcheck
- name: Run ShellCheck with different severity levels
run: |
echo "## ShellCheck Results" > shellcheck_report.md
echo "" >> shellcheck_report.md
# Run shellcheck with different formats
echo "### Error Level Issues" >> shellcheck_report.md
if ! shellcheck -S error cert_manager.sh > shellcheck_errors.txt 2>&1; then
echo "❌ Errors found:" >> shellcheck_report.md
echo '```' >> shellcheck_report.md
cat shellcheck_errors.txt >> shellcheck_report.md
echo '```' >> shellcheck_report.md
else
echo "✅ No errors found" >> shellcheck_report.md
fi
echo "" >> shellcheck_report.md
echo "### Warning Level Issues" >> shellcheck_report.md
if ! shellcheck -S warning cert_manager.sh > shellcheck_warnings.txt 2>&1; then
echo "⚠️ Warnings found:" >> shellcheck_report.md
echo '```' >> shellcheck_report.md
cat shellcheck_warnings.txt >> shellcheck_report.md
echo '```' >> shellcheck_report.md
else
echo "✅ No warnings found" >> shellcheck_report.md
fi
echo "" >> shellcheck_report.md
echo "### Info Level Issues" >> shellcheck_report.md
if ! shellcheck -S info cert_manager.sh > shellcheck_info.txt 2>&1; then
echo "ℹ️ Info issues found:" >> shellcheck_report.md
echo '```' >> shellcheck_report.md
cat shellcheck_info.txt >> shellcheck_report.md
echo '```' >> shellcheck_report.md
else
echo "✅ No info issues found" >> shellcheck_report.md
fi
- name: Check critical ShellCheck errors
run: |
# Fail the build if there are error-level issues
echo "🔍 Checking for critical errors..."
if ! shellcheck -S error cert_manager.sh; then
echo "❌ Critical ShellCheck errors found!"
echo "Please fix the errors shown above before proceeding."
exit 1
fi
echo "✅ No critical ShellCheck errors found"
- name: Upload ShellCheck report
uses: actions/upload-artifact@v4
if: always()
with:
name: shellcheck-report
path: |
shellcheck_report.md
shellcheck_*.txt
retention-days: 7
security-scan:
name: Security Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Security scan for sensitive data
run: |
echo "## Security Scan Results" > security_report.md
echo "" >> security_report.md
# Check for potential security issues
echo "### Checking for hardcoded credentials..." >> security_report.md
if grep -nE "(password|passwd|secret|token|key).*=" cert_manager.sh | grep -v -E "(API.*key|your.*key|user.*input|read.*-p)"; then
echo "❌ Potential hardcoded credentials found:" >> security_report.md
echo '```' >> security_report.md
grep -nE "(password|passwd|secret|token|key).*=" cert_manager.sh | grep -v -E "(API.*key|your.*key|user.*input|read.*-p)" >> security_report.md || true
echo '```' >> security_report.md
else
echo "✅ No hardcoded credentials detected" >> security_report.md
fi
echo "" >> security_report.md
echo "### Checking for dangerous commands..." >> security_report.md
DANGEROUS_PATTERNS="rm -rf /|chmod 777|> /etc/passwd|eval.*\$|bash.*\$"
if grep -nE "$DANGEROUS_PATTERNS" cert_manager.sh >/dev/null; then
echo "⚠️ Potentially dangerous commands found:" >> security_report.md
echo '```' >> security_report.md
grep -nE "$DANGEROUS_PATTERNS" cert_manager.sh >> security_report.md || true
echo '```' >> security_report.md
else
echo "✅ No dangerous command patterns detected" >> security_report.md
fi
echo "" >> security_report.md
echo "### Checking curl/wget security..." >> security_report.md
if grep -nE "curl.*http://|wget.*http://" cert_manager.sh >/dev/null; then
echo "⚠️ HTTP downloads detected (should use HTTPS):" >> security_report.md
echo '```' >> security_report.md
grep -nE "curl.*http://|wget.*http://" cert_manager.sh >> security_report.md || true
echo '```' >> security_report.md
else
echo "✅ All downloads use HTTPS or are locally validated" >> security_report.md
fi
- name: Check privilege escalation
run: |
echo "" >> security_report.md
echo "### Checking privilege requirements..." >> security_report.md
if grep -nE "\\\$EUID|\\\$UID|whoami|id -u" cert_manager.sh >/dev/null; then
echo "✅ Script checks user privileges:" >> security_report.md
echo '```' >> security_report.md
grep -nE "\\\$EUID|\\\$UID|whoami|id -u" cert_manager.sh >> security_report.md || true
echo '```' >> security_report.md
else
echo "⚠️ No privilege checks detected" >> security_report.md
fi
- name: Upload security report
uses: actions/upload-artifact@v4
with:
name: security-report
path: security_report.md
retention-days: 30
code-style:
name: Code Style Check
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Check coding standards
run: |
echo "## Code Style Analysis" > style_report.md
echo "" >> style_report.md
# Check shebang
echo "### Shebang Check" >> style_report.md
if head -1 cert_manager.sh | grep -q "#!/bin/bash"; then
echo "✅ Correct shebang found: \`#!/bin/bash\`" >> style_report.md
else
echo "❌ Missing or incorrect shebang" >> style_report.md
fi
# Check for functions
echo "" >> style_report.md
echo "### Function Definition Check" >> style_report.md
FUNCTION_COUNT=$(grep -cE "^[a-zA-Z_][a-zA-Z0-9_]*\(\)" cert_manager.sh || echo "0")
echo "Found $FUNCTION_COUNT function definitions" >> style_report.md
if [ "$FUNCTION_COUNT" -gt 0 ]; then
echo "✅ Script uses functions for organization" >> style_report.md
echo "Functions found:" >> style_report.md
echo '```' >> style_report.md
grep -nE "^[a-zA-Z_][a-zA-Z0-9_]*\(\)" cert_manager.sh >> style_report.md || true
echo '```' >> style_report.md
fi
# Check for error handling
echo "" >> style_report.md
echo "### Error Handling Check" >> style_report.md
if grep -qE "set -e|exit [0-9]|return [0-9]|\|\| exit" cert_manager.sh; then
echo "✅ Error handling patterns found" >> style_report.md
else
echo "⚠️ Limited error handling detected" >> style_report.md
fi
# Check variable quoting
echo "" >> style_report.md
echo "### Variable Quoting Check" >> style_report.md
UNQUOTED_VARS=$(grep -cE '\$[a-zA-Z_][a-zA-Z0-9_]*[^"]' cert_manager.sh || echo "0")
if [ "$UNQUOTED_VARS" -gt 10 ]; then
echo "⚠️ Many unquoted variables found ($UNQUOTED_VARS)" >> style_report.md
echo "Consider using quotes around variables to prevent word splitting" >> style_report.md
else
echo "✅ Variable quoting looks reasonable" >> style_report.md
fi
- name: Check documentation
run: |
echo "" >> style_report.md
echo "### Documentation Check" >> style_report.md
# Check for comments
COMMENT_LINES=$(grep -cE "^\s*#" cert_manager.sh || echo "0")
TOTAL_LINES=$(wc -l < cert_manager.sh)
COMMENT_RATIO=$((COMMENT_LINES * 100 / TOTAL_LINES))
echo "Comment ratio: $COMMENT_RATIO% ($COMMENT_LINES/$TOTAL_LINES lines)" >> style_report.md
if [ "$COMMENT_RATIO" -gt 10 ]; then
echo "✅ Good comment coverage" >> style_report.md
else
echo "⚠️ Consider adding more comments for complex logic" >> style_report.md
fi
- name: Upload style report
uses: actions/upload-artifact@v4
with:
name: style-report
path: style_report.md
retention-days: 7
dependency-analysis:
name: Dependency Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Analyze dependencies
run: |
echo "## Dependency Analysis" > dependency_report.md
echo "" >> dependency_report.md
echo "### External Commands Used" >> dependency_report.md
echo "Analyzing external commands called by the script:" >> dependency_report.md
echo '```' >> dependency_report.md
# Extract commands (basic analysis)
grep -oE '\b(curl|wget|apt-get|yum|dnf|pacman|zypper|systemctl|crontab|acme\.sh)\b' cert_manager.sh | sort | uniq -c | sort -nr >> dependency_report.md || true
echo '```' >> dependency_report.md
echo "" >> dependency_report.md
echo "### Package Managers Detected" >> dependency_report.md
if grep -q "apt-get\|apt " cert_manager.sh; then
echo "- ✅ APT (Ubuntu/Debian)" >> dependency_report.md
fi
if grep -q "yum\|dnf" cert_manager.sh; then
echo "- ✅ YUM/DNF (CentOS/RHEL/Fedora)" >> dependency_report.md
fi
if grep -q "pacman" cert_manager.sh; then
echo "- ✅ Pacman (Arch Linux)" >> dependency_report.md
fi
if grep -q "zypper" cert_manager.sh; then
echo "- ✅ Zypper (openSUSE)" >> dependency_report.md
fi
echo "" >> dependency_report.md
echo "### Network Dependencies" >> dependency_report.md
if grep -qE "curl|wget" cert_manager.sh; then
echo "⚠️ Script requires internet connectivity" >> dependency_report.md
echo "External URLs accessed:" >> dependency_report.md
echo '```' >> dependency_report.md
grep -oE 'https?://[^"'\''[:space:]]+' cert_manager.sh | sort | uniq >> dependency_report.md || true
echo '```' >> dependency_report.md
fi
- name: Upload dependency report
uses: actions/upload-artifact@v4
with:
name: dependency-report
path: dependency_report.md
retention-days: 7
final-report:
name: Generate Final Quality Report
runs-on: ubuntu-latest
needs: [shellcheck, security-scan, code-style, dependency-analysis]
if: always()
steps:
- name: Download all reports
uses: actions/download-artifact@v4
with:
path: reports/
- name: Generate combined report
run: |
echo "# TLScript Code Quality Report" > final_report.md
echo "" >> final_report.md
echo "Generated on: $(date)" >> final_report.md
echo "" >> final_report.md
echo "## Summary" >> final_report.md
echo "| Check | Status |" >> final_report.md
echo "|-------|--------|" >> final_report.md
if [ "${{ needs.shellcheck.result }}" = "success" ]; then
echo "| ShellCheck | ✅ Pass |" >> final_report.md
else
echo "| ShellCheck | ❌ Fail |" >> final_report.md
fi
if [ "${{ needs.security-scan.result }}" = "success" ]; then
echo "| Security Scan | ✅ Pass |" >> final_report.md
else
echo "| Security Scan | ❌ Fail |" >> final_report.md
fi
if [ "${{ needs.code-style.result }}" = "success" ]; then
echo "| Code Style | ✅ Pass |" >> final_report.md
else
echo "| Code Style | ❌ Fail |" >> final_report.md
fi
if [ "${{ needs.dependency-analysis.result }}" = "success" ]; then
echo "| Dependency Analysis | ✅ Pass |" >> final_report.md
else
echo "| Dependency Analysis | ❌ Fail |" >> final_report.md
fi
echo "" >> final_report.md
# Combine individual reports if they exist
for report_dir in reports/*/; do
if [ -d "$report_dir" ]; then
for report_file in "$report_dir"*.md; do
if [ -f "$report_file" ]; then
echo "" >> final_report.md
echo "---" >> final_report.md
echo "" >> final_report.md
cat "$report_file" >> final_report.md
fi
done
fi
done
- name: Upload final report
uses: actions/upload-artifact@v4
with:
name: final-quality-report
path: final_report.md
retention-days: 30
- name: Comment on PR (if applicable)
uses: actions/github-script@v7
if: github.event_name == 'pull_request'
with:
script: |
const fs = require('fs');
try {
const report = fs.readFileSync('final_report.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: '## 📊 Code Quality Report\n\n' + report
});
} catch (error) {
console.log('Could not post comment:', error);
}