diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index 3d2cd15b..c2271923 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -5,6 +5,11 @@ "version": "v8", "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd" }, + "github/gh-aw-actions/setup@v0.61.0": { + "repo": "github/gh-aw-actions/setup", + "version": "v0.61.0", + "sha": "df014dd7d03b638e860b2aeca95c833fd97c8cf1" + }, "github/gh-aw/actions/setup@v0.43.23": { "repo": "github/gh-aw/actions/setup", "version": "v0.43.23", diff --git a/.github/toolchain-inventory.yml b/.github/toolchain-inventory.yml new file mode 100644 index 00000000..ed72ff1d --- /dev/null +++ b/.github/toolchain-inventory.yml @@ -0,0 +1,52 @@ +# MSDO Toolchain Inventory +# Source of truth for tools monitored by the breach monitor workflow +# Derived from src/msdo-helpers.ts Tools enum +# +# All versions are noted as "latest (runtime-resolved)" because the MSDO CLI +# resolves tool versions dynamically via NuGet at runtime. + +tools: + - name: bandit + description: Python security linter (finds common security issues in Python code) + ecosystem: pypi + version: latest (runtime-resolved) + + - name: binskim + description: Binary static analysis tool for Windows/Linux binaries + ecosystem: nuget + version: latest (runtime-resolved) + + - name: checkov + description: Infrastructure-as-code security scanner + ecosystem: pypi + version: latest (runtime-resolved) + + - name: container-mapping + description: Container image mapping and inventory + ecosystem: nuget + version: latest (runtime-resolved) + + - name: eslint + description: JavaScript/TypeScript linter with security rules + ecosystem: npm + version: latest (runtime-resolved) + + - name: templateanalyzer + description: ARM/Bicep template security analyzer + ecosystem: nuget + version: latest (runtime-resolved) + + - name: terrascan + description: Terraform/IaC security scanner + ecosystem: github + version: latest (runtime-resolved) + + - name: trivy + description: Comprehensive vulnerability scanner (containers, filesystems, repos) + ecosystem: github + version: latest (runtime-resolved) + + - name: antimalware + description: Windows antimalware scanner (Windows runners only) + platform: windows-only + version: latest (runtime-resolved) diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml new file mode 100644 index 00000000..1f0fab42 --- /dev/null +++ b/.github/workflows/ci-doctor.lock.yml @@ -0,0 +1,1172 @@ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ +# | _ |/ _` |/ _ \ '_ \| __| |/ __| +# | | | | (_| | __/ | | | |_| | (__ +# \_| |_/\__, |\___|_| |_|\__|_|\___| +# __/ | +# _ _ |___/ +# | | | | / _| | +# | | | | ___ _ __ _ __| |_| | _____ ____ +# | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| +# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ +# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ +# +# This file was automatically generated by gh-aw (v0.61.0). DO NOT EDIT. +# +# To update this file, edit the corresponding .md file and run: +# gh aw compile +# Not all edits will cause changes to this file. +# +# For more information: https://github.github.com/gh-aw/introduction/overview/ +# +# +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"e0a10012ec11f9360eb65d497093ec0ba53c0a1f14cfbb5e21200dcc08055474","compiler_version":"v0.61.0","strict":true} + +name: "CI Doctor" +"on": + # roles: # Roles processed as role check in pre-activation job + # - write # Roles processed as role check in pre-activation job + workflow_dispatch: + workflow_run: + # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation + branches: + - main + - release/** + types: + - completed + workflows: + - CI + +permissions: {} + +concurrency: + group: "gh-aw-${{ github.workflow }}" + +run-name: "CI Doctor" + +jobs: + activation: + needs: pre_activation + # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation + if: > + (needs.pre_activation.outputs.activated == 'true') && ((github.event_name != 'workflow_run') || ((github.event.workflow_run.repository.id == github.repository_id) && + (!(github.event.workflow_run.repository.fork)))) + runs-on: ubuntu-slim + permissions: + contents: read + outputs: + comment_id: "" + comment_repo: "" + model: ${{ steps.generate_aw_info.outputs.model }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} + steps: + - name: Setup Scripts + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 + with: + destination: /opt/gh-aw/actions + - name: Generate agentic run info + id: generate_aw_info + env: + GH_AW_INFO_ENGINE_ID: "copilot" + GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI" + GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} + GH_AW_INFO_VERSION: "" + GH_AW_INFO_AGENT_VERSION: "latest" + GH_AW_INFO_CLI_VERSION: "v0.61.0" + GH_AW_INFO_WORKFLOW_NAME: "CI Doctor" + GH_AW_INFO_EXPERIMENTAL: "false" + GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true" + GH_AW_INFO_STAGED: "false" + GH_AW_INFO_ALLOWED_DOMAINS: '["github"]' + GH_AW_INFO_FIREWALL_ENABLED: "true" + GH_AW_INFO_AWF_VERSION: "v0.24.2" + GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + with: + script: | + const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + await main(core, context); + - name: Validate COPILOT_GITHUB_TOKEN secret + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + env: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Checkout .github and .agents folders + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + sparse-checkout: | + .github + .agents + sparse-checkout-cone-mode: true + fetch-depth: 1 + - name: Check workflow file timestamps + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_WORKFLOW_FILE: "ci-doctor.lock.yml" + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + await main(); + - name: Create prompt with built-in context + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + run: | + bash /opt/gh-aw/actions/create_prompt_first.sh + { + cat << 'GH_AW_PROMPT_EOF' + + GH_AW_PROMPT_EOF + cat "/opt/gh-aw/prompts/xpia.md" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" + cat "/opt/gh-aw/prompts/markdown.md" + cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat << 'GH_AW_PROMPT_EOF' + + Tools: add_comment, create_issue, create_pull_request, add_labels, missing_tool, missing_data, noop + GH_AW_PROMPT_EOF + cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat << 'GH_AW_PROMPT_EOF' + + + The following GitHub context information is available for this workflow: + {{#if __GH_AW_GITHUB_ACTOR__ }} + - **actor**: __GH_AW_GITHUB_ACTOR__ + {{/if}} + {{#if __GH_AW_GITHUB_REPOSITORY__ }} + - **repository**: __GH_AW_GITHUB_REPOSITORY__ + {{/if}} + {{#if __GH_AW_GITHUB_WORKSPACE__ }} + - **workspace**: __GH_AW_GITHUB_WORKSPACE__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }} + - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }} + - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }} + - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }} + - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__ + {{/if}} + {{#if __GH_AW_GITHUB_RUN_ID__ }} + - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ + {{/if}} + + + GH_AW_PROMPT_EOF + cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat << 'GH_AW_PROMPT_EOF' + + GH_AW_PROMPT_EOF + cat << 'GH_AW_PROMPT_EOF' + {{#runtime-import .github/workflows/ci-doctor.md}} + GH_AW_PROMPT_EOF + } > "$GH_AW_PROMPT" + - name: Interpolate variables and render templates + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + await main(); + - name: Substitute placeholders + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + + // Call the substitution function + return await substitutePlaceholders({ + file: process.env.GH_AW_PROMPT, + substitutions: { + GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, + GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER, + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, + GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, + GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, + GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE, + GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: process.env.GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED + } + }); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + - name: Print prompt + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/print_prompt_summary.sh + - name: Upload activation artifact + if: success() + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: activation + path: | + /tmp/gh-aw/aw_info.json + /tmp/gh-aw/aw-prompts/prompt.txt + retention-days: 1 + + agent: + needs: activation + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + issues: read + concurrency: + group: "gh-aw-copilot-${{ github.workflow }}" + env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_WORKFLOW_ID_SANITIZED: cidoctor + outputs: + checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} + detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} + detection_success: ${{ steps.detection_conclusion.outputs.success }} + has_patch: ${{ steps.collect_output.outputs.has_patch }} + inference_access_error: ${{ steps.detect-inference-error.outputs.inference_access_error || 'false' }} + model: ${{ needs.activation.outputs.model }} + output: ${{ steps.collect_output.outputs.output }} + output_types: ${{ steps.collect_output.outputs.output_types }} + steps: + - name: Setup Scripts + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 + with: + destination: /opt/gh-aw/actions + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Create gh-aw temp directory + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + - name: Configure gh CLI for GitHub Enterprise + run: bash /opt/gh-aw/actions/configure_gh_for_ghe.sh + env: + GH_TOKEN: ${{ github.token }} + - name: Configure Git credentials + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + git config --global am.keepcr true + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" + - name: Checkout PR branch + id: checkout-pr + if: | + (github.event.pull_request) || (github.event.issue.pull_request) + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + await main(); + - name: Install GitHub Copilot CLI + run: /opt/gh-aw/actions/install_copilot_cli.sh latest + env: + GH_HOST: github.com + - name: Install AWF binary + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.2 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + with: + script: | + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + - name: Write Safe Outputs Config + run: | + mkdir -p /opt/gh-aw/safeoutputs + mkdir -p /tmp/gh-aw/safeoutputs + mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs + cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + {"add_comment":{"max":1},"add_labels":{"allowed":["ci-failure","flaky-test","build-failure","dependency-issue","needs-maintainer"],"max":3},"create_issue":{"max":1},"create_pull_request":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + GH_AW_SAFE_OUTPUTS_CONFIG_EOF + - name: Write Safe Outputs Tools + run: | + cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + { + "description_suffixes": { + "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added.", + "add_labels": " CONSTRAINTS: Only these labels are allowed: [\"ci-failure\" \"flaky-test\" \"build-failure\" \"dependency-issue\" \"needs-maintainer\"].", + "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created.", + "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created." + }, + "repo_params": {}, + "dynamic_tools": [] + } + GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF + cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + { + "add_comment": { + "defaultMax": 1, + "fields": { + "body": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + }, + "item_number": { + "issueOrPRNumber": true + }, + "repo": { + "type": "string", + "maxLength": 256 + } + } + }, + "add_labels": { + "defaultMax": 5, + "fields": { + "item_number": { + "issueNumberOrTemporaryId": true + }, + "labels": { + "required": true, + "type": "array", + "itemType": "string", + "itemSanitize": true, + "itemMaxLength": 128 + }, + "repo": { + "type": "string", + "maxLength": 256 + } + } + }, + "create_issue": { + "defaultMax": 1, + "fields": { + "body": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + }, + "labels": { + "type": "array", + "itemType": "string", + "itemSanitize": true, + "itemMaxLength": 128 + }, + "parent": { + "issueOrPRNumber": true + }, + "repo": { + "type": "string", + "maxLength": 256 + }, + "temporary_id": { + "type": "string" + }, + "title": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, + "create_pull_request": { + "defaultMax": 1, + "fields": { + "body": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + }, + "branch": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "draft": { + "type": "boolean" + }, + "labels": { + "type": "array", + "itemType": "string", + "itemSanitize": true, + "itemMaxLength": 128 + }, + "repo": { + "type": "string", + "maxLength": 256 + }, + "title": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, + "missing_data": { + "defaultMax": 20, + "fields": { + "alternatives": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "context": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "data_type": { + "type": "string", + "sanitize": true, + "maxLength": 128 + }, + "reason": { + "type": "string", + "sanitize": true, + "maxLength": 256 + } + } + }, + "missing_tool": { + "defaultMax": 20, + "fields": { + "alternatives": { + "type": "string", + "sanitize": true, + "maxLength": 512 + }, + "reason": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "tool": { + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, + "noop": { + "defaultMax": 1, + "fields": { + "message": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + } + } + } + } + GH_AW_SAFE_OUTPUTS_VALIDATION_EOF + node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + # Mask immediately to prevent timing vulnerabilities + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + echo "::add-mask::${API_KEY}" + + PORT=3001 + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + DEBUG: '*' + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export DEBUG + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP Gateway + id: start-mcp-gateway + env: + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} + GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }} + GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + set -eo pipefail + mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export MCP_GATEWAY_API_KEY + export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads" + mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}" + export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288" + export DEBUG="*" + + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' + + mkdir -p /home/runner/.copilot + cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + { + "mcpServers": { + "github": { + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.32.0", + "env": { + "GITHUB_HOST": "\${GITHUB_SERVER_URL}", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "issues,actions" + }, + "guard-policies": { + "allow-only": { + "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY", + "repos": "$GITHUB_MCP_GUARD_REPOS" + } + } + }, + "safeoutputs": { + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } + } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}", + "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" + } + } + GH_AW_MCP_CONFIG_EOF + - name: Download activation artifact + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: activation + path: /tmp/gh-aw + - name: Clean git credentials + continue-on-error: true + run: bash /opt/gh-aw/actions/clean_git_credentials.sh + - name: Execute GitHub Copilot CLI + id: agentic_execution + # Copilot CLI tool arguments (sorted): + timeout-minutes: 20 + run: | + set -o pipefail + touch /tmp/gh-aw/agent-step-summary.md + # shellcheck disable=SC1003 + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,codeload.github.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,lfs.github.com,objects.githubusercontent.com,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.2 --skip-pull --enable-api-proxy \ + -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} + GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json + GH_AW_PHASE: agent + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_VERSION: v0.61.0 + GITHUB_API_URL: ${{ github.api_url }} + GITHUB_AW: true + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md + GITHUB_WORKSPACE: ${{ github.workspace }} + GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com + GIT_AUTHOR_NAME: github-actions[bot] + GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com + GIT_COMMITTER_NAME: github-actions[bot] + XDG_CONFIG_HOME: /home/runner + - name: Detect inference access error + id: detect-inference-error + if: always() + continue-on-error: true + run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + - name: Configure Git credentials + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + git config --global am.keepcr true + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" + - name: Copy Copilot session state files to logs + if: always() + continue-on-error: true + run: | + # Copy Copilot session state files to logs folder for artifact collection + # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them + SESSION_STATE_DIR="$HOME/.copilot/session-state" + LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" + + if [ -d "$SESSION_STATE_DIR" ]; then + echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" + mkdir -p "$LOGS_DIR" + cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true + echo "Session state files copied successfully" + else + echo "No session-state directory found at $SESSION_STATE_DIR" + fi + - name: Stop MCP Gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + - name: Redact secrets in logs + if: always() + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + await main(); + env: + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Append agent step summary + if: always() + run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + - name: Copy Safe Outputs + if: always() + run: | + mkdir -p /tmp/gh-aw + cp "$GH_AW_SAFE_OUTPUTS" /tmp/gh-aw/safeoutputs.jsonl 2>/dev/null || true + - name: Ingest agent output + id: collect_output + if: always() + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,codeload.github.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,lfs.github.com,objects.githubusercontent.com,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + await main(); + - name: Parse agent logs for step summary + if: always() + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + await main(); + - name: Parse MCP Gateway logs for step summary + if: always() + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs + if: always() + continue-on-error: true + env: + AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) + if command -v awf &> /dev/null; then + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" + else + echo 'AWF binary not installed, skipping firewall log summary' + fi + - name: Upload agent artifacts + if: always() + continue-on-error: true + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: agent + path: | + /tmp/gh-aw/aw-prompts/prompt.txt + /tmp/gh-aw/sandbox/agent/logs/ + /tmp/gh-aw/redacted-urls.log + /tmp/gh-aw/mcp-logs/ + /tmp/gh-aw/sandbox/firewall/logs/ + /tmp/gh-aw/agent-stdio.log + /tmp/gh-aw/agent/ + /tmp/gh-aw/safeoutputs.jsonl + /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch + if-no-files-found: ignore + # --- Threat Detection (inline) --- + - name: Check if detection needed + id: detection_guard + if: always() + env: + OUTPUT_TYPES: ${{ steps.collect_output.outputs.output_types }} + HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} + run: | + if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then + echo "run_detection=true" >> "$GITHUB_OUTPUT" + echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH" + else + echo "run_detection=false" >> "$GITHUB_OUTPUT" + echo "Detection skipped: no agent outputs or patches to analyze" + fi + - name: Clear MCP configuration for detection + if: always() && steps.detection_guard.outputs.run_detection == 'true' + run: | + rm -f /tmp/gh-aw/mcp-config/mcp-servers.json + rm -f /home/runner/.copilot/mcp-config.json + rm -f "$GITHUB_WORKSPACE/.gemini/settings.json" + - name: Prepare threat detection files + if: always() && steps.detection_guard.outputs.run_detection == 'true' + run: | + mkdir -p /tmp/gh-aw/threat-detection/aw-prompts + cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true + cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true + for f in /tmp/gh-aw/aw-*.patch; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done + echo "Prepared threat detection files:" + ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true + - name: Setup threat detection + if: always() && steps.detection_guard.outputs.run_detection == 'true' + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + WORKFLOW_NAME: "CI Doctor" + WORKFLOW_DESCRIPTION: "No description provided" + HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + await main(); + - name: Ensure threat-detection directory and log + if: always() && steps.detection_guard.outputs.run_detection == 'true' + run: | + mkdir -p /tmp/gh-aw/threat-detection + touch /tmp/gh-aw/threat-detection/detection.log + - name: Execute GitHub Copilot CLI + if: always() && steps.detection_guard.outputs.run_detection == 'true' + id: detection_agentic_execution + # Copilot CLI tool arguments (sorted): + # --allow-tool shell(cat) + # --allow-tool shell(grep) + # --allow-tool shell(head) + # --allow-tool shell(jq) + # --allow-tool shell(ls) + # --allow-tool shell(tail) + # --allow-tool shell(wc) + timeout-minutes: 20 + run: | + set -o pipefail + touch /tmp/gh-aw/agent-step-summary.md + # shellcheck disable=SC1003 + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.2 --skip-pull --enable-api-proxy \ + -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(wc)'\'' --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }} + GH_AW_PHASE: detection + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_VERSION: v0.61.0 + GITHUB_API_URL: ${{ github.api_url }} + GITHUB_AW: true + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md + GITHUB_WORKSPACE: ${{ github.workspace }} + GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com + GIT_AUTHOR_NAME: github-actions[bot] + GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com + GIT_COMMITTER_NAME: github-actions[bot] + XDG_CONFIG_HOME: /home/runner + - name: Parse threat detection results + id: parse_detection_results + if: always() && steps.detection_guard.outputs.run_detection == 'true' + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + await main(); + - name: Upload threat detection log + if: always() && steps.detection_guard.outputs.run_detection == 'true' + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: detection + path: /tmp/gh-aw/threat-detection/detection.log + if-no-files-found: ignore + - name: Set detection conclusion + id: detection_conclusion + if: always() + env: + RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }} + DETECTION_SUCCESS: ${{ steps.parse_detection_results.outputs.success }} + run: | + if [[ "$RUN_DETECTION" != "true" ]]; then + echo "conclusion=skipped" >> "$GITHUB_OUTPUT" + echo "success=true" >> "$GITHUB_OUTPUT" + echo "Detection was not needed, marking as skipped" + elif [[ "$DETECTION_SUCCESS" == "true" ]]; then + echo "conclusion=success" >> "$GITHUB_OUTPUT" + echo "success=true" >> "$GITHUB_OUTPUT" + echo "Detection passed successfully" + else + echo "conclusion=failure" >> "$GITHUB_OUTPUT" + echo "success=false" >> "$GITHUB_OUTPUT" + echo "Detection found issues" + fi + + conclusion: + needs: + - activation + - agent + - safe_outputs + if: (always()) && (needs.agent.result != 'skipped') + runs-on: ubuntu-slim + permissions: + contents: write + discussions: write + issues: write + pull-requests: write + concurrency: + group: "gh-aw-conclusion-ci-doctor" + cancel-in-progress: false + outputs: + noop_message: ${{ steps.noop.outputs.noop_message }} + tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} + total_count: ${{ steps.missing_tool.outputs.total_count }} + steps: + - name: Setup Scripts + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 + with: + destination: /opt/gh-aw/actions + - name: Download agent output artifact + id: download-agent-output + continue-on-error: true + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: agent + path: /tmp/gh-aw/ + - name: Setup agent output environment variable + if: steps.download-agent-output.outcome == 'success' + run: | + mkdir -p /tmp/gh-aw/ + find "/tmp/gh-aw/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV" + - name: Process No-Op Messages + id: noop + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_NOOP_MAX: "1" + GH_AW_WORKFLOW_NAME: "CI Doctor" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); + await main(); + - name: Record Missing Tool + id: missing_tool + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "CI Doctor" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "CI Doctor" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_WORKFLOW_ID: "ci-doctor" + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} + GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} + GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} + GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} + GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} + GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "false" + GH_AW_TIMEOUT_MINUTES: "20" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); + - name: Handle No-Op Message + id: handle_noop_message + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "CI Doctor" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }} + GH_AW_NOOP_REPORT_AS_ISSUE: "false" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + await main(); + - name: Handle Create Pull Request Error + id: handle_create_pr_error + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "CI Doctor" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + await main(); + + pre_activation: + runs-on: ubuntu-slim + outputs: + activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} + matched_command: '' + steps: + - name: Setup Scripts + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 + with: + destination: /opt/gh-aw/actions + - name: Check team membership for workflow + id: check_membership + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_REQUIRED_ROLES: write + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + await main(); + + safe_outputs: + needs: + - activation + - agent + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.agent.outputs.detection_success == 'true') + runs-on: ubuntu-slim + permissions: + contents: write + discussions: write + issues: write + pull-requests: write + timeout-minutes: 15 + env: + GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ci-doctor" + GH_AW_ENGINE_ID: "copilot" + GH_AW_WORKFLOW_ID: "ci-doctor" + GH_AW_WORKFLOW_NAME: "CI Doctor" + outputs: + code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }} + code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }} + comment_id: ${{ steps.process_safe_outputs.outputs.comment_id }} + comment_url: ${{ steps.process_safe_outputs.outputs.comment_url }} + create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }} + create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }} + created_issue_number: ${{ steps.process_safe_outputs.outputs.created_issue_number }} + created_issue_url: ${{ steps.process_safe_outputs.outputs.created_issue_url }} + created_pr_number: ${{ steps.process_safe_outputs.outputs.created_pr_number }} + created_pr_url: ${{ steps.process_safe_outputs.outputs.created_pr_url }} + process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} + process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} + steps: + - name: Setup Scripts + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 + with: + destination: /opt/gh-aw/actions + - name: Download agent output artifact + id: download-agent-output + continue-on-error: true + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: agent + path: /tmp/gh-aw/ + - name: Setup agent output environment variable + if: steps.download-agent-output.outcome == 'success' + run: | + mkdir -p /tmp/gh-aw/ + find "/tmp/gh-aw/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: agent + path: /tmp/gh-aw/ + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ github.base_ref || github.event.pull_request.base.ref || github.ref_name || github.event.repository.default_branch }} + token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + persist-credentials: false + fetch-depth: 1 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + GIT_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + git config --global am.keepcr true + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${GIT_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" + - name: Process Safe Outputs + id: process_safe_outputs + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,codeload.github.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,lfs.github.com,objects.githubusercontent.com,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{\"allowed\":[\"ci-failure\",\"flaky-test\",\"build-failure\",\"dependency-issue\",\"needs-maintainer\"]},\"create_issue\":{\"max\":1},\"create_pull_request\":{\"max\":1,\"max_patch_size\":1024,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"AGENTS.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\"]},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + await main(); + - name: Upload Safe Output Items Manifest + if: always() + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: safe-output-items + path: /tmp/safe-output-items.jsonl + if-no-files-found: warn + diff --git a/.github/workflows/ci-doctor.md b/.github/workflows/ci-doctor.md new file mode 100644 index 00000000..e4772f77 --- /dev/null +++ b/.github/workflows/ci-doctor.md @@ -0,0 +1,104 @@ +--- +# CI Doctor - GitHub Agentic Workflow +# Investigates failed CI workflows and opens diagnostic issues +# +# MAINTENANCE NOTE: after running `gh aw compile` with gh-aw v0.61.0, verify +# that the `actions/github-script` SHA in the generated .lock.yml stays pinned +# to v9.0.0 (`3a2844b7e9c422d3c10d287c895573f7108da1b3`). v0.61.0's bundled +# scaffolding emits the older v8 SHA and would silently revert PR #244. See +# PR #252 for context. + +on: + workflow_run: + workflows: ["CI"] + types: [completed] + branches: [main, 'release/**'] + workflow_dispatch: + roles: [write] + +engine: + id: copilot + +permissions: + contents: read + actions: read + issues: read + +network: + allowed: + - github + +tools: + github: + lockdown: false + toolsets: [issues, actions] + fetch: + allowed: [] + +safe-outputs: + noop: + report-as-issue: false + report-failure-as-issue: false + create-issue: + max: 1 + add-labels: + allowed: [ci-failure, flaky-test, build-failure, dependency-issue, needs-maintainer] + add-comment: null + create-pull-request: null + +--- + +# CI Doctor + +You are a CI failure investigator for the **Microsoft Security DevOps Action** repository (`microsoft/security-devops-action`). + +## Context + +This is a TypeScript GitHub Action that wraps the MSDO CLI. The CI workflow runs `npm run build`, `npm run buildTests`, and `npm test` using mocha. Tests exercise the `ContainerMapping` class (pre-job and post-job lifecycle). + +## Your Task + +When the CI workflow fails on `main` or `release/**` branches, investigate the failure and open a diagnostic issue. + +### Step 1: Verify Failure + +- Confirm the workflow run conclusion is `failure` +- If the workflow succeeded, do nothing (noop) + +### Step 2: Investigate + +- Download and analyze logs from all failed jobs +- Identify the specific step that failed (build, buildTests, or test) +- Extract error messages, stack traces, and relevant context +- Categorize the root cause: + - **build-failure**: TypeScript compilation errors, missing dependencies + - **flaky-test**: Intermittent test failures, timing issues + - **dependency-issue**: npm install failures, version conflicts + - **ci-failure**: Infrastructure issues, runner problems + +### Step 3: Check for Duplicates + +- Search open issues with the same failure label +- If a similar issue already exists, do not create a duplicate — noop instead + +### Step 4: Open Diagnostic Issue + +Create an issue with this structure: + +**Title:** `[CI Doctor] : ` + +**Body:** +- **Summary**: 1-2 sentence description of what failed +- **Failed workflow run**: Link to the run +- **Root cause**: What went wrong and why +- **Error output**: Key error lines (max 20 lines) +- **Suggested fix**: Concrete steps to resolve +- **Label**: Apply the appropriate label from the allowed list + +## Important Rules + +1. Only investigate `failure` conclusions — skip `success`, `cancelled`, `skipped` +2. Never create more than 1 issue per workflow run +3. Do not create duplicate issues — always check for existing open issues first +4. Keep issue bodies concise (under 300 words) +5. Focus on actionable diagnosis, not just log dumps diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 00000000..d738944d --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,34 @@ +name: CI + +on: + push: + branches: ['**'] + pull_request: + branches: [main, 'release/**'] + +permissions: + contents: read + +jobs: + build-and-test: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v6.0.2 + + - name: Set up Node.js + uses: actions/setup-node@v6 + with: + node-version: '24' + + - name: Install dependencies + run: npm install + + - name: Build + run: npm run build + + - name: Build tests + run: npm run buildTests + + - name: Run tests + run: npm test diff --git a/.github/workflows/msdo-breach-monitor.lock.yml b/.github/workflows/msdo-breach-monitor.lock.yml new file mode 100644 index 00000000..948c0df6 --- /dev/null +++ b/.github/workflows/msdo-breach-monitor.lock.yml @@ -0,0 +1,1017 @@ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ +# | _ |/ _` |/ _ \ '_ \| __| |/ __| +# | | | | (_| | __/ | | | |_| | (__ +# \_| |_/\__, |\___|_| |_|\__|_|\___| +# __/ | +# _ _ |___/ +# | | | | / _| | +# | | | | ___ _ __ _ __| |_| | _____ ____ +# | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| +# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ +# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ +# +# This file was automatically generated by gh-aw (v0.61.0). DO NOT EDIT. +# +# To update this file, edit the corresponding .md file and run: +# gh aw compile +# Not all edits will cause changes to this file. +# +# For more information: https://github.github.com/gh-aw/introduction/overview/ +# +# +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"73ddd2b5a2fc15ff120245519bd10f342dd3d1a0925df30be6453378664b4c29","compiler_version":"v0.61.0","strict":true} + +name: "MSDO Toolchain Breach Monitor" +"on": + # roles: # Roles processed as role check in pre-activation job + # - write # Roles processed as role check in pre-activation job + workflow_dispatch: + +permissions: {} + +concurrency: + group: "gh-aw-${{ github.workflow }}" + +run-name: "MSDO Toolchain Breach Monitor" + +jobs: + activation: + runs-on: ubuntu-slim + permissions: + contents: read + outputs: + comment_id: "" + comment_repo: "" + model: ${{ steps.generate_aw_info.outputs.model }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} + steps: + - name: Setup Scripts + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 + with: + destination: /opt/gh-aw/actions + - name: Generate agentic run info + id: generate_aw_info + env: + GH_AW_INFO_ENGINE_ID: "copilot" + GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI" + GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} + GH_AW_INFO_VERSION: "" + GH_AW_INFO_AGENT_VERSION: "latest" + GH_AW_INFO_CLI_VERSION: "v0.61.0" + GH_AW_INFO_WORKFLOW_NAME: "MSDO Toolchain Breach Monitor" + GH_AW_INFO_EXPERIMENTAL: "false" + GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true" + GH_AW_INFO_STAGED: "false" + GH_AW_INFO_ALLOWED_DOMAINS: '["github","python","dotnet","nvd.nist.gov","osv.dev"]' + GH_AW_INFO_FIREWALL_ENABLED: "true" + GH_AW_INFO_AWF_VERSION: "v0.24.2" + GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + with: + script: | + const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + await main(core, context); + - name: Validate COPILOT_GITHUB_TOKEN secret + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + env: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Checkout .github and .agents folders + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + sparse-checkout: | + .github + .agents + sparse-checkout-cone-mode: true + fetch-depth: 1 + - name: Check workflow file timestamps + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_WORKFLOW_FILE: "msdo-breach-monitor.lock.yml" + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + await main(); + - name: Create prompt with built-in context + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + run: | + bash /opt/gh-aw/actions/create_prompt_first.sh + { + cat << 'GH_AW_PROMPT_EOF' + + GH_AW_PROMPT_EOF + cat "/opt/gh-aw/prompts/xpia.md" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" + cat "/opt/gh-aw/prompts/markdown.md" + cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat << 'GH_AW_PROMPT_EOF' + + Tools: create_issue, add_labels, missing_tool, missing_data, noop + + + The following GitHub context information is available for this workflow: + {{#if __GH_AW_GITHUB_ACTOR__ }} + - **actor**: __GH_AW_GITHUB_ACTOR__ + {{/if}} + {{#if __GH_AW_GITHUB_REPOSITORY__ }} + - **repository**: __GH_AW_GITHUB_REPOSITORY__ + {{/if}} + {{#if __GH_AW_GITHUB_WORKSPACE__ }} + - **workspace**: __GH_AW_GITHUB_WORKSPACE__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }} + - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }} + - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }} + - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }} + - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__ + {{/if}} + {{#if __GH_AW_GITHUB_RUN_ID__ }} + - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ + {{/if}} + + + GH_AW_PROMPT_EOF + cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat << 'GH_AW_PROMPT_EOF' + + GH_AW_PROMPT_EOF + cat << 'GH_AW_PROMPT_EOF' + {{#runtime-import .github/workflows/msdo-breach-monitor.md}} + GH_AW_PROMPT_EOF + } > "$GH_AW_PROMPT" + - name: Interpolate variables and render templates + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + await main(); + - name: Substitute placeholders + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + + // Call the substitution function + return await substitutePlaceholders({ + file: process.env.GH_AW_PROMPT, + substitutions: { + GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, + GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER, + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, + GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, + GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, + GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE + } + }); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + - name: Print prompt + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/print_prompt_summary.sh + - name: Upload activation artifact + if: success() + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: activation + path: | + /tmp/gh-aw/aw_info.json + /tmp/gh-aw/aw-prompts/prompt.txt + retention-days: 1 + + agent: + needs: activation + runs-on: ubuntu-latest + permissions: + contents: read + issues: read + env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_WORKFLOW_ID_SANITIZED: msdobreachmonitor + outputs: + checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} + detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} + detection_success: ${{ steps.detection_conclusion.outputs.success }} + has_patch: ${{ steps.collect_output.outputs.has_patch }} + inference_access_error: ${{ steps.detect-inference-error.outputs.inference_access_error || 'false' }} + model: ${{ needs.activation.outputs.model }} + output: ${{ steps.collect_output.outputs.output }} + output_types: ${{ steps.collect_output.outputs.output_types }} + steps: + - name: Setup Scripts + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 + with: + destination: /opt/gh-aw/actions + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Create gh-aw temp directory + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + - name: Configure gh CLI for GitHub Enterprise + run: bash /opt/gh-aw/actions/configure_gh_for_ghe.sh + env: + GH_TOKEN: ${{ github.token }} + - name: Configure Git credentials + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + git config --global am.keepcr true + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" + - name: Checkout PR branch + id: checkout-pr + if: | + (github.event.pull_request) || (github.event.issue.pull_request) + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + await main(); + - name: Install GitHub Copilot CLI + run: /opt/gh-aw/actions/install_copilot_cli.sh latest + env: + GH_HOST: github.com + - name: Install AWF binary + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.2 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + with: + script: | + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + - name: Write Safe Outputs Config + run: | + mkdir -p /opt/gh-aw/safeoutputs + mkdir -p /tmp/gh-aw/safeoutputs + mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs + cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + {"add_labels":{"allowed":["security-breach","supply-chain","toolchain-alert","critical","high","medium"],"max":3},"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + GH_AW_SAFE_OUTPUTS_CONFIG_EOF + - name: Write Safe Outputs Tools + run: | + cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + { + "description_suffixes": { + "add_labels": " CONSTRAINTS: Only these labels are allowed: [\"security-breach\" \"supply-chain\" \"toolchain-alert\" \"critical\" \"high\" \"medium\"].", + "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created." + }, + "repo_params": {}, + "dynamic_tools": [] + } + GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF + cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + { + "add_labels": { + "defaultMax": 5, + "fields": { + "item_number": { + "issueNumberOrTemporaryId": true + }, + "labels": { + "required": true, + "type": "array", + "itemType": "string", + "itemSanitize": true, + "itemMaxLength": 128 + }, + "repo": { + "type": "string", + "maxLength": 256 + } + } + }, + "create_issue": { + "defaultMax": 1, + "fields": { + "body": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + }, + "labels": { + "type": "array", + "itemType": "string", + "itemSanitize": true, + "itemMaxLength": 128 + }, + "parent": { + "issueOrPRNumber": true + }, + "repo": { + "type": "string", + "maxLength": 256 + }, + "temporary_id": { + "type": "string" + }, + "title": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, + "missing_data": { + "defaultMax": 20, + "fields": { + "alternatives": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "context": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "data_type": { + "type": "string", + "sanitize": true, + "maxLength": 128 + }, + "reason": { + "type": "string", + "sanitize": true, + "maxLength": 256 + } + } + }, + "missing_tool": { + "defaultMax": 20, + "fields": { + "alternatives": { + "type": "string", + "sanitize": true, + "maxLength": 512 + }, + "reason": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "tool": { + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, + "noop": { + "defaultMax": 1, + "fields": { + "message": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + } + } + } + } + GH_AW_SAFE_OUTPUTS_VALIDATION_EOF + node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + # Mask immediately to prevent timing vulnerabilities + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + echo "::add-mask::${API_KEY}" + + PORT=3001 + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + DEBUG: '*' + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export DEBUG + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP Gateway + id: start-mcp-gateway + env: + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} + GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }} + GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + set -eo pipefail + mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export MCP_GATEWAY_API_KEY + export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads" + mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}" + export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288" + export DEBUG="*" + + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' + + mkdir -p /home/runner/.copilot + cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + { + "mcpServers": { + "github": { + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.32.0", + "env": { + "GITHUB_HOST": "\${GITHUB_SERVER_URL}", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "issues" + }, + "guard-policies": { + "allow-only": { + "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY", + "repos": "$GITHUB_MCP_GUARD_REPOS" + } + } + }, + "safeoutputs": { + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } + } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}", + "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" + } + } + GH_AW_MCP_CONFIG_EOF + - name: Download activation artifact + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: activation + path: /tmp/gh-aw + - name: Clean git credentials + continue-on-error: true + run: bash /opt/gh-aw/actions/clean_git_credentials.sh + - name: Execute GitHub Copilot CLI + id: agentic_execution + # Copilot CLI tool arguments (sorted): + timeout-minutes: 20 + run: | + set -o pipefail + touch /tmp/gh-aw/agent-step-summary.md + # shellcheck disable=SC1003 + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,*.pythonhosted.org,*.vsblob.vsassets.io,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.nuget.org,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,ci.dot.net,codeload.github.com,conda.anaconda.org,conda.binstar.org,crates.io,dc.services.visualstudio.com,dist.nuget.org,docs.github.com,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,files.pythonhosted.org,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,index.crates.io,lfs.github.com,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,nvd.nist.gov,objects.githubusercontent.com,oneocsp.microsoft.com,osv.dev,pip.pypa.io,pkgs.dev.azure.com,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,static.crates.io,telemetry.enterprise.githubcopilot.com,www.microsoft.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.2 --skip-pull --enable-api-proxy \ + -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} + GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json + GH_AW_PHASE: agent + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_VERSION: v0.61.0 + GITHUB_API_URL: ${{ github.api_url }} + GITHUB_AW: true + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md + GITHUB_WORKSPACE: ${{ github.workspace }} + GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com + GIT_AUTHOR_NAME: github-actions[bot] + GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com + GIT_COMMITTER_NAME: github-actions[bot] + XDG_CONFIG_HOME: /home/runner + - name: Detect inference access error + id: detect-inference-error + if: always() + continue-on-error: true + run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + - name: Configure Git credentials + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + git config --global am.keepcr true + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" + - name: Copy Copilot session state files to logs + if: always() + continue-on-error: true + run: | + # Copy Copilot session state files to logs folder for artifact collection + # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them + SESSION_STATE_DIR="$HOME/.copilot/session-state" + LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" + + if [ -d "$SESSION_STATE_DIR" ]; then + echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" + mkdir -p "$LOGS_DIR" + cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true + echo "Session state files copied successfully" + else + echo "No session-state directory found at $SESSION_STATE_DIR" + fi + - name: Stop MCP Gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + - name: Redact secrets in logs + if: always() + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + await main(); + env: + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Append agent step summary + if: always() + run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + - name: Copy Safe Outputs + if: always() + run: | + mkdir -p /tmp/gh-aw + cp "$GH_AW_SAFE_OUTPUTS" /tmp/gh-aw/safeoutputs.jsonl 2>/dev/null || true + - name: Ingest agent output + id: collect_output + if: always() + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,*.pythonhosted.org,*.vsblob.vsassets.io,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.nuget.org,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,ci.dot.net,codeload.github.com,conda.anaconda.org,conda.binstar.org,crates.io,dc.services.visualstudio.com,dist.nuget.org,docs.github.com,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,files.pythonhosted.org,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,index.crates.io,lfs.github.com,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,nvd.nist.gov,objects.githubusercontent.com,oneocsp.microsoft.com,osv.dev,pip.pypa.io,pkgs.dev.azure.com,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,static.crates.io,telemetry.enterprise.githubcopilot.com,www.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + await main(); + - name: Parse agent logs for step summary + if: always() + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + await main(); + - name: Parse MCP Gateway logs for step summary + if: always() + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs + if: always() + continue-on-error: true + env: + AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) + if command -v awf &> /dev/null; then + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" + else + echo 'AWF binary not installed, skipping firewall log summary' + fi + - name: Upload agent artifacts + if: always() + continue-on-error: true + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: agent + path: | + /tmp/gh-aw/aw-prompts/prompt.txt + /tmp/gh-aw/sandbox/agent/logs/ + /tmp/gh-aw/redacted-urls.log + /tmp/gh-aw/mcp-logs/ + /tmp/gh-aw/sandbox/firewall/logs/ + /tmp/gh-aw/agent-stdio.log + /tmp/gh-aw/agent/ + /tmp/gh-aw/safeoutputs.jsonl + /tmp/gh-aw/agent_output.json + if-no-files-found: ignore + # --- Threat Detection (inline) --- + - name: Check if detection needed + id: detection_guard + if: always() + env: + OUTPUT_TYPES: ${{ steps.collect_output.outputs.output_types }} + HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} + run: | + if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then + echo "run_detection=true" >> "$GITHUB_OUTPUT" + echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH" + else + echo "run_detection=false" >> "$GITHUB_OUTPUT" + echo "Detection skipped: no agent outputs or patches to analyze" + fi + - name: Clear MCP configuration for detection + if: always() && steps.detection_guard.outputs.run_detection == 'true' + run: | + rm -f /tmp/gh-aw/mcp-config/mcp-servers.json + rm -f /home/runner/.copilot/mcp-config.json + rm -f "$GITHUB_WORKSPACE/.gemini/settings.json" + - name: Prepare threat detection files + if: always() && steps.detection_guard.outputs.run_detection == 'true' + run: | + mkdir -p /tmp/gh-aw/threat-detection/aw-prompts + cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true + cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true + for f in /tmp/gh-aw/aw-*.patch; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done + echo "Prepared threat detection files:" + ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true + - name: Setup threat detection + if: always() && steps.detection_guard.outputs.run_detection == 'true' + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + WORKFLOW_NAME: "MSDO Toolchain Breach Monitor" + WORKFLOW_DESCRIPTION: "No description provided" + HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + await main(); + - name: Ensure threat-detection directory and log + if: always() && steps.detection_guard.outputs.run_detection == 'true' + run: | + mkdir -p /tmp/gh-aw/threat-detection + touch /tmp/gh-aw/threat-detection/detection.log + - name: Execute GitHub Copilot CLI + if: always() && steps.detection_guard.outputs.run_detection == 'true' + id: detection_agentic_execution + # Copilot CLI tool arguments (sorted): + # --allow-tool shell(cat) + # --allow-tool shell(grep) + # --allow-tool shell(head) + # --allow-tool shell(jq) + # --allow-tool shell(ls) + # --allow-tool shell(tail) + # --allow-tool shell(wc) + timeout-minutes: 20 + run: | + set -o pipefail + touch /tmp/gh-aw/agent-step-summary.md + # shellcheck disable=SC1003 + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.2 --skip-pull --enable-api-proxy \ + -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(wc)'\'' --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }} + GH_AW_PHASE: detection + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_VERSION: v0.61.0 + GITHUB_API_URL: ${{ github.api_url }} + GITHUB_AW: true + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md + GITHUB_WORKSPACE: ${{ github.workspace }} + GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com + GIT_AUTHOR_NAME: github-actions[bot] + GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com + GIT_COMMITTER_NAME: github-actions[bot] + XDG_CONFIG_HOME: /home/runner + - name: Parse threat detection results + id: parse_detection_results + if: always() && steps.detection_guard.outputs.run_detection == 'true' + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + await main(); + - name: Upload threat detection log + if: always() && steps.detection_guard.outputs.run_detection == 'true' + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: detection + path: /tmp/gh-aw/threat-detection/detection.log + if-no-files-found: ignore + - name: Set detection conclusion + id: detection_conclusion + if: always() + env: + RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }} + DETECTION_SUCCESS: ${{ steps.parse_detection_results.outputs.success }} + run: | + if [[ "$RUN_DETECTION" != "true" ]]; then + echo "conclusion=skipped" >> "$GITHUB_OUTPUT" + echo "success=true" >> "$GITHUB_OUTPUT" + echo "Detection was not needed, marking as skipped" + elif [[ "$DETECTION_SUCCESS" == "true" ]]; then + echo "conclusion=success" >> "$GITHUB_OUTPUT" + echo "success=true" >> "$GITHUB_OUTPUT" + echo "Detection passed successfully" + else + echo "conclusion=failure" >> "$GITHUB_OUTPUT" + echo "success=false" >> "$GITHUB_OUTPUT" + echo "Detection found issues" + fi + + conclusion: + needs: + - activation + - agent + - safe_outputs + if: (always()) && (needs.agent.result != 'skipped') + runs-on: ubuntu-slim + permissions: + contents: read + issues: write + pull-requests: write + concurrency: + group: "gh-aw-conclusion-msdo-breach-monitor" + cancel-in-progress: false + outputs: + noop_message: ${{ steps.noop.outputs.noop_message }} + tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} + total_count: ${{ steps.missing_tool.outputs.total_count }} + steps: + - name: Setup Scripts + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 + with: + destination: /opt/gh-aw/actions + - name: Download agent output artifact + id: download-agent-output + continue-on-error: true + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: agent + path: /tmp/gh-aw/ + - name: Setup agent output environment variable + if: steps.download-agent-output.outcome == 'success' + run: | + mkdir -p /tmp/gh-aw/ + find "/tmp/gh-aw/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV" + - name: Process No-Op Messages + id: noop + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_NOOP_MAX: "1" + GH_AW_WORKFLOW_NAME: "MSDO Toolchain Breach Monitor" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); + await main(); + - name: Record Missing Tool + id: missing_tool + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "MSDO Toolchain Breach Monitor" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "MSDO Toolchain Breach Monitor" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_WORKFLOW_ID: "msdo-breach-monitor" + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} + GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} + GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} + GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "false" + GH_AW_TIMEOUT_MINUTES: "20" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); + - name: Handle No-Op Message + id: handle_noop_message + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "MSDO Toolchain Breach Monitor" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }} + GH_AW_NOOP_REPORT_AS_ISSUE: "false" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + await main(); + + safe_outputs: + needs: agent + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.agent.outputs.detection_success == 'true') + runs-on: ubuntu-slim + permissions: + contents: read + issues: write + pull-requests: write + timeout-minutes: 15 + env: + GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/msdo-breach-monitor" + GH_AW_ENGINE_ID: "copilot" + GH_AW_WORKFLOW_ID: "msdo-breach-monitor" + GH_AW_WORKFLOW_NAME: "MSDO Toolchain Breach Monitor" + outputs: + code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }} + code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }} + create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }} + create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }} + created_issue_number: ${{ steps.process_safe_outputs.outputs.created_issue_number }} + created_issue_url: ${{ steps.process_safe_outputs.outputs.created_issue_url }} + process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} + process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} + steps: + - name: Setup Scripts + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 + with: + destination: /opt/gh-aw/actions + - name: Download agent output artifact + id: download-agent-output + continue-on-error: true + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: agent + path: /tmp/gh-aw/ + - name: Setup agent output environment variable + if: steps.download-agent-output.outcome == 'success' + run: | + mkdir -p /tmp/gh-aw/ + find "/tmp/gh-aw/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV" + - name: Process Safe Outputs + id: process_safe_outputs + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,*.pythonhosted.org,*.vsblob.vsassets.io,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.nuget.org,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,ci.dot.net,codeload.github.com,conda.anaconda.org,conda.binstar.org,crates.io,dc.services.visualstudio.com,dist.nuget.org,docs.github.com,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,files.pythonhosted.org,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,index.crates.io,lfs.github.com,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,nvd.nist.gov,objects.githubusercontent.com,oneocsp.microsoft.com,osv.dev,pip.pypa.io,pkgs.dev.azure.com,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,static.crates.io,telemetry.enterprise.githubcopilot.com,www.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_labels\":{\"allowed\":[\"security-breach\",\"supply-chain\",\"toolchain-alert\",\"critical\",\"high\",\"medium\"]},\"create_issue\":{\"max\":1},\"missing_data\":{},\"missing_tool\":{}}" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + await main(); + - name: Upload Safe Output Items Manifest + if: always() + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: safe-output-items + path: /tmp/safe-output-items.jsonl + if-no-files-found: warn + diff --git a/.github/workflows/msdo-breach-monitor.md b/.github/workflows/msdo-breach-monitor.md new file mode 100644 index 00000000..2607ea3c --- /dev/null +++ b/.github/workflows/msdo-breach-monitor.md @@ -0,0 +1,215 @@ +--- +# MSDO Toolchain Breach Monitor - GitHub Agentic Workflow +# Nightly supply chain breach monitor for MSDO toolchain dependencies +# +# MAINTENANCE NOTE: after running `gh aw compile` with gh-aw v0.61.0, verify +# that the `actions/github-script` SHA in the generated .lock.yml stays pinned +# to v9.0.0 (`3a2844b7e9c422d3c10d287c895573f7108da1b3`). v0.61.0's bundled +# scaffolding emits the older v8 SHA and would silently revert PR #244. See +# PR #252 for context. + +on: + workflow_dispatch: + # Triggered by toolchain-version-probe after committing fresh versions. + # No schedule here — the probe owns the daily cadence and guarantees + # toolchain-versions.json is fresh before this workflow reads it. + roles: [write] + +engine: + id: copilot + +permissions: + contents: read + issues: read + +network: + allowed: + - github + - python + - dotnet + - nvd.nist.gov + - osv.dev + +tools: + github: + lockdown: false + toolsets: [issues] + fetch: + allowed: + - raw.githubusercontent.com + - nvd.nist.gov + - services.nvd.nist.gov + - osv.dev + - pypi.org + - api.nuget.org + - registry.npmjs.org + +safe-outputs: + noop: + report-as-issue: false + report-failure-as-issue: false + create-issue: + max: 1 + add-labels: + allowed: [security-breach, supply-chain, toolchain-alert, critical, high, medium] + +--- + +# MSDO Toolchain Breach Monitor + +You are a supply chain security monitor for the **Microsoft Security DevOps Action** repository (`microsoft/security-devops-action`). + +## Your Toolchain + +The MSDO CLI resolves tool versions dynamically at runtime. The tools and their package registries are: + +| Tool | Ecosystem | Upstream repo | +|------|-----------|---------------| +| bandit | PyPI (`bandit`) | PyCQA/bandit | +| binskim | NuGet (`Microsoft.CST.BinSkim`) | microsoft/binskim | +| checkov | PyPI (`checkov`) | bridgecrewio/checkov | +| container-mapping | NuGet (internal) | microsoft internal | +| eslint | npm (`eslint`) | eslint/eslint | +| templateanalyzer | NuGet (`Microsoft.Azure.Templates.Analyzer`) | Azure/template-analyzer | +| terrascan | GitHub releases | tenable/terrascan | +| trivy | GitHub releases | aquasecurity/trivy | +| antimalware | Windows Defender (built-in) | N/A | + +## Your Task + +Monitor for supply chain security incidents affecting any tool in the MSDO toolchain. + +### Step 0: Load resolved tool versions + +The `toolchain-version-probe` workflow runs weekly, installs every tool through the real MSDO CLI, and records exactly which package version was resolved into `.github/toolchain-versions.json`. These are the versions MSDO users actually download — not registry "latest", but the version pinned in MSDO's `.gdntool` configs. + +**Read the file from this repository (the probe pushes to a dedicated branch to avoid branch protection on main):** +``` +GET https://api.github.com/repos/microsoft/security-devops-action/contents/.github/toolchain-versions.json?ref=bot/toolchain-versions +``` +Decode the base64 `content` field. The `tools` object maps each tool name to its resolved version. The `generated_at` field tells you when the probe last ran. + +**If the file is missing or older than 14 days**, fall back to registry queries: +- **trivy**: `GET https://api.github.com/repos/aquasecurity/trivy/releases/latest` → `.tag_name` +- **terrascan**: `GET https://api.github.com/repos/tenable/terrascan/releases/latest` → `.tag_name` +- **bandit**: `GET https://pypi.org/pypi/bandit/json` → `.info.version` +- **checkov**: `GET https://pypi.org/pypi/checkov/json` → `.info.version` +- **eslint**: `GET https://registry.npmjs.org/eslint/latest` → `.version` +- **binskim**: `GET https://api.nuget.org/v3/registration5/microsoft.codeanalysis.binskim/index.json` → last page, last item `.catalogEntry.version` +- **templateanalyzer**: `GET https://api.nuget.org/v3/registration5/microsoft.azure.templates.analyzer/index.json` → last page, last item `.catalogEntry.version` + +Record the resolved versions — you will reference them in your advisory checks below. + +### Step 1: Check advisories — use the exact API endpoints below + +Search each ecosystem's advisory database using the **resolved version** from Step 0. Look for vulnerabilities that affect that specific version or any version within the last 7 days. + +**GitHub Advisory Database (REQUIRED for each ecosystem):** +``` +GET https://api.github.com/advisories?type=reviewed&ecosystem=pip&per_page=30 +GET https://api.github.com/advisories?type=reviewed&ecosystem=go&per_page=30 +GET https://api.github.com/advisories?type=reviewed&ecosystem=npm&per_page=30 +GET https://api.github.com/advisories?type=reviewed&ecosystem=nuget&per_page=30 +``` +Filter results by date (last 7 days) and check if any advisory mentions the tool name or its resolved version. + +**Also check the upstream repos directly for recent security advisories:** +``` +GET https://api.github.com/repos/aquasecurity/trivy/security-advisories?per_page=10 +GET https://api.github.com/repos/tenable/terrascan/security-advisories?per_page=10 +``` + +**OSV Database:** +``` +POST https://api.osv.dev/v1/query body: {"package":{"name":"trivy","ecosystem":"Go"}} +POST https://api.osv.dev/v1/query body: {"package":{"name":"checkov","ecosystem":"PyPI"}} +POST https://api.osv.dev/v1/query body: {"package":{"name":"bandit","ecosystem":"PyPI"}} +``` + +**NVD — search for recent CVEs (last 7 days):** +``` +GET https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=trivy&pubStartDate=<7-days-ago>T00:00:00.000 +GET https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=terrascan&pubStartDate=<7-days-ago>T00:00:00.000 +``` + +### Step 2: Check repository health (maintenance and archival) + +For each tool with a public GitHub repo, check its maintenance status: + +``` +GET https://api.github.com/repos/tenable/terrascan +GET https://api.github.com/repos/aquasecurity/trivy +GET https://api.github.com/repos/bridgecrewio/checkov +GET https://api.github.com/repos/PyCQA/bandit +GET https://api.github.com/repos/eslint/eslint +GET https://api.github.com/repos/microsoft/binskim +GET https://api.github.com/repos/Azure/template-analyzer +``` + +Flag a tool if **any** of the following are true: +- `archived: true` — repo is archived (immediately flag as HIGH regardless of age) +- `pushed_at` is more than 6 months ago — no recent activity +- Latest release is more than 12 months old + +### Step 3: Assess impact + +For each finding, determine severity using the resolved version from Step 0 and the advisory's affected range: + +- **CRITICAL** — our pinned version exactly equals a known-bad version (e.g. the advisory names `trivy 0.69.3` and we have `0.69.3`), OR the supply chain was directly compromised (hijacked package, malicious release artifact). +- **HIGH** — our pinned version falls within the advisory's affected range but is not the exact named version (e.g. advisory says `>= 0.68.0, < 0.69.4` and we have `0.69.3`); or our pinned version is older than the version where the fix was released, even if no exact match. +- **MEDIUM** — theoretical / low-exploitability / version not confirmed in range. + +Also determine: +- **Triage — are we actually exposed?** Cross-reference the advisory description with how MSDO uses the tool. Note whether the vulnerable code path (e.g. a specific CLI flag, network listener, or parser) is reachable via normal MSDO execution. +- **Impact on MSDO**: Does this affect users of `microsoft/security-devops-action`? +- **Exploitability**: Active exploitation, PoC available, or theoretical? + +### Step 4: Check for duplicate issues before reporting + +Search for existing issues in this repository: +``` +GET https://api.github.com/repos/microsoft/security-devops-action/issues?labels=toolchain-alert&state=open +GET https://api.github.com/repos/microsoft/security-devops-action/issues?labels=toolchain-alert&state=closed&since=<30-days-ago> +``` + +For each finding, check whether the **specific CVE ID or GHSA ID** appears in any open or recently-closed (last 30 days) issue title or body. If it does, **skip that finding** — it has already been reported. + +### Step 5: Report or stay silent + +**If NO new incidents are found (or all are already reported):** +- Call `noop` with a one-line summary of what was checked. Silence means everything is clean. + +**If a new incident IS found:** +- Create exactly ONE issue combining all new findings. + +**Issue format:** + +**Title:** `[Toolchain Alert] : ` + +**Body:** +- **Affected tool(s)**: Name and resolved version from Step 0 +- **Severity**: Critical / High / Medium (with rationale — exact match vs. range match) +- **Summary**: What happened (2–3 sentences) +- **CVE/Advisory IDs**: GHSA-XXXX or CVE-XXXX — include full NVD link and CVSS base score +- **Vulnerability description**: What the CVE actually does — attack vector, what an attacker can achieve +- **Vulnerable version range**: Which versions are affected and which version contains the fix +- **Triage — are MSDO users exposed?**: Explain whether the vulnerable code path is reachable via normal MSDO usage. State explicitly: *"Exposed"* / *"Likely not exposed"* / *"Cannot determine"* with reasoning. +- **Impact on MSDO**: How this affects users of `microsoft/security-devops-action` +- **Recommended action**: Concrete steps for maintainers (e.g. bump pinned version in `.gdntool`, block the release) +- **Sources**: Links to advisories, NVD entries, upstream repo issues + +**Labels:** +- `security-breach` — confirmed supply chain compromise (hijacked package, malicious release, tag force-push) +- `supply-chain` — dependency-related incident (dependency confusion, typosquatting) +- `toolchain-alert` — ALWAYS applied +- Severity: `critical`, `high`, or `medium` + +## Rules + +1. **Stay silent when clean** — noop if nothing new found +2. **One issue per run** — combine all findings into one issue +3. **No re-reporting** — skip any finding whose CVE/GHSA ID already appears in an open or recently-closed (30 days) issue +4. **Ongoing = always report** — if a prior issue is open and the incident is still unresolved (C2 still active, malicious package still up), do NOT noop just because the original event was > 7 days ago +5. **Archived repo = always flag** — flag any archived tool repo as HIGH, regardless of when it was archived +6. **False positive discipline** — not every CVE warrants an alert; focus on incidents where the resolved version from Step 0 falls within the vulnerable range, or where the supply chain (package index, release artifact, repo tags) was directly compromised +7. **Be specific** — include CVE/GHSA IDs, exact version numbers, and advisory links diff --git a/.github/workflows/msdo-issue-assistant.lock.yml b/.github/workflows/msdo-issue-assistant.lock.yml index 58d24564..e412326d 100644 --- a/.github/workflows/msdo-issue-assistant.lock.yml +++ b/.github/workflows/msdo-issue-assistant.lock.yml @@ -1,4 +1,3 @@ -# # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -13,7 +12,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.43.23). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.61.0). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -22,7 +21,7 @@ # For more information: https://github.github.com/gh-aw/introduction/overview/ # # -# frontmatter-hash: ec5b4527a6199a05f3a36752477dac71dd9eaaa688d63482f19275f580ae9b5f +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"ad862ac3404b6a5b9235e75266770d3df954d43cd43d766661be878e414e622b","compiler_version":"v0.61.0","strict":true} name: "MSDO Issue Triage Assistant" "on": @@ -32,12 +31,13 @@ name: "MSDO Issue Triage Assistant" issues: types: - opened + # roles: all # Roles processed as role check in pre-activation job workflow_dispatch: permissions: {} concurrency: - group: "gh-aw-${{ github.workflow }}-${{ github.event.issue.number }}" + group: "gh-aw-${{ github.workflow }}-${{ github.event.issue.number || github.run_id }}" run-name: "MSDO Issue Triage Assistant" @@ -47,15 +47,58 @@ jobs: permissions: contents: read outputs: + body: ${{ steps.sanitized.outputs.body }} comment_id: "" comment_repo: "" + model: ${{ steps.generate_aw_info.outputs.model }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} + text: ${{ steps.sanitized.outputs.text }} + title: ${{ steps.sanitized.outputs.title }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23 + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 with: destination: /opt/gh-aw/actions + - name: Generate agentic run info + id: generate_aw_info + env: + GH_AW_INFO_ENGINE_ID: "copilot" + GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI" + GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} + GH_AW_INFO_VERSION: "" + GH_AW_INFO_AGENT_VERSION: "latest" + GH_AW_INFO_CLI_VERSION: "v0.61.0" + GH_AW_INFO_WORKFLOW_NAME: "MSDO Issue Triage Assistant" + GH_AW_INFO_EXPERIMENTAL: "false" + GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true" + GH_AW_INFO_STAGED: "false" + GH_AW_INFO_ALLOWED_DOMAINS: '["github"]' + GH_AW_INFO_FIREWALL_ENABLED: "true" + GH_AW_INFO_AWF_VERSION: "v0.24.2" + GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + with: + script: | + const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + await main(core, context); + - name: Validate COPILOT_GITHUB_TOKEN secret + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + env: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Checkout .github and .agents folders + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + sparse-checkout: | + .github + .agents + sparse-checkout-cone-mode: true + fetch-depth: 1 - name: Check workflow file timestamps - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_FILE: "msdo-issue-assistant.lock.yml" with: @@ -64,6 +107,144 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); + - name: Compute current body text + id: sanitized + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + await main(); + - name: Create prompt with built-in context + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} + run: | + bash /opt/gh-aw/actions/create_prompt_first.sh + { + cat << 'GH_AW_PROMPT_EOF' + + GH_AW_PROMPT_EOF + cat "/opt/gh-aw/prompts/xpia.md" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" + cat "/opt/gh-aw/prompts/markdown.md" + cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat << 'GH_AW_PROMPT_EOF' + + Tools: add_comment, add_labels, missing_tool, missing_data, noop + + + The following GitHub context information is available for this workflow: + {{#if __GH_AW_GITHUB_ACTOR__ }} + - **actor**: __GH_AW_GITHUB_ACTOR__ + {{/if}} + {{#if __GH_AW_GITHUB_REPOSITORY__ }} + - **repository**: __GH_AW_GITHUB_REPOSITORY__ + {{/if}} + {{#if __GH_AW_GITHUB_WORKSPACE__ }} + - **workspace**: __GH_AW_GITHUB_WORKSPACE__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }} + - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }} + - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }} + - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }} + - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__ + {{/if}} + {{#if __GH_AW_GITHUB_RUN_ID__ }} + - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ + {{/if}} + + + GH_AW_PROMPT_EOF + cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then + cat "/opt/gh-aw/prompts/pr_context_prompt.md" + fi + cat << 'GH_AW_PROMPT_EOF' + + GH_AW_PROMPT_EOF + cat << 'GH_AW_PROMPT_EOF' + {{#runtime-import .github/workflows/msdo-issue-assistant.md}} + GH_AW_PROMPT_EOF + } > "$GH_AW_PROMPT" + - name: Interpolate variables and render templates + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + await main(); + - name: Substitute placeholders + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + + // Call the substitution function + return await substitutePlaceholders({ + file: process.env.GH_AW_PROMPT, + substitutions: { + GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, + GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER, + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, + GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, + GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, + GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE, + GH_AW_IS_PR_COMMENT: process.env.GH_AW_IS_PR_COMMENT + } + }); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + - name: Print prompt + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/print_prompt_summary.sh + - name: Upload activation artifact + if: success() + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: activation + path: | + /tmp/gh-aw/aw_info.json + /tmp/gh-aw/aw-prompts/prompt.txt + retention-days: 1 agent: needs: activation @@ -83,14 +264,16 @@ jobs: GH_AW_WORKFLOW_ID_SANITIZED: msdoissueassistant outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} + detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} + detection_success: ${{ steps.detection_conclusion.outputs.success }} has_patch: ${{ steps.collect_output.outputs.has_patch }} - model: ${{ steps.generate_aw_info.outputs.model }} + inference_access_error: ${{ steps.detect-inference-error.outputs.inference_access_error || 'false' }} + model: ${{ needs.activation.outputs.model }} output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} - secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23 + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -99,6 +282,10 @@ jobs: persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + - name: Configure gh CLI for GitHub Enterprise + run: bash /opt/gh-aw/actions/configure_gh_for_ghe.sh + env: + GH_TOKEN: ${{ github.token }} - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -106,6 +293,7 @@ jobs: run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" + git config --global am.keepcr true # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" @@ -113,8 +301,8 @@ jobs: - name: Checkout PR branch id: checkout-pr if: | - github.event.pull_request - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + (github.event.pull_request) || (github.event.issue.pull_request) + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: @@ -124,168 +312,44 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - - name: Generate agentic run info - id: generate_aw_info - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + - name: Install GitHub Copilot CLI + run: /opt/gh-aw/actions/install_copilot_cli.sh latest + env: + GH_HOST: github.com + - name: Install AWF binary + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.2 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const fs = require('fs'); - - const awInfo = { - engine_id: "copilot", - engine_name: "GitHub Copilot CLI", - model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", - version: "", - agent_version: "0.0.409", - cli_version: "v0.43.23", - workflow_name: "MSDO Issue Triage Assistant", - experimental: false, - supports_tools_allowlist: true, - supports_http_transport: true, - run_id: context.runId, - run_number: context.runNumber, - run_attempt: process.env.GITHUB_RUN_ATTEMPT, - repository: context.repo.owner + '/' + context.repo.repo, - ref: context.ref, - sha: context.sha, - actor: context.actor, - event_name: context.eventName, - staged: false, - allowed_domains: ["github"], - firewall_enabled: true, - awf_version: "v0.17.0", - awmg_version: "", - steps: { - firewall: "squid" - }, - created_at: new Date().toISOString() - }; - - // Write to /tmp/gh-aw directory to avoid inclusion in PR - const tmpPath = '/tmp/gh-aw/aw_info.json'; - fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); - console.log('Generated aw_info.json at:', tmpPath); - console.log(JSON.stringify(awInfo, null, 2)); - - // Set model as output for reuse in other steps/jobs - core.setOutput('model', awInfo.model); - - name: Validate COPILOT_GITHUB_TOKEN secret - id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default - env: - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.409 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.17.0 + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.17.0 ghcr.io/github/gh-aw-firewall/squid:0.17.0 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' - {"add_comment":{"max":4},"add_labels":{"allowed":["type:bug","type:feature","type:docs","type:question","type:security","type:maintenance","status:triage","status:waiting-on-author","status:repro-needed","status:team-review"],"max":3},"missing_data":{},"missing_tool":{}} + {"add_comment":{"max":4},"add_labels":{"allowed":["type:bug","type:feature","type:docs","type:question","type:security","type:maintenance","status:triage","status:waiting-on-author","status:repro-needed","status:team-review","area:action","area:msdo-cli","area:ci","area:container-mapping"],"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' - [ - { - "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 4 comment(s) can be added.", - "inputSchema": { - "additionalProperties": false, - "properties": { - "body": { - "description": "The comment text in Markdown format. This is the 'body' field - do not use 'comment_body' or other variations. Provide helpful, relevant information that adds value to the conversation.", - "type": "string" - }, - "item_number": { - "description": "The issue, pull request, or discussion number to comment on. This is the numeric ID from the GitHub URL (e.g., 123 in github.com/owner/repo/issues/123). If omitted, the tool will attempt to resolve the target from the current workflow context (triggering issue, PR, or discussion).", - "type": "number" - } - }, - "required": [ - "body" - ], - "type": "object" - }, - "name": "add_comment" - }, - { - "description": "Add labels to an existing GitHub issue or pull request for categorization and filtering. Labels must already exist in the repository. For creating new issues with labels, use create_issue with the labels property instead. CONSTRAINTS: Only these labels are allowed: [type:bug type:feature type:docs type:question type:security type:maintenance status:triage status:waiting-on-author status:repro-needed status:team-review].", - "inputSchema": { - "additionalProperties": false, - "properties": { - "item_number": { - "description": "Issue or PR number to add labels to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/issues/456). If omitted, adds labels to the item that triggered this workflow.", - "type": "number" - }, - "labels": { - "description": "Label names to add (e.g., ['bug', 'priority-high']). Labels must exist in the repository.", - "items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, - "name": "add_labels" - }, - { - "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", - "inputSchema": { - "additionalProperties": false, - "properties": { - "alternatives": { - "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", - "type": "string" - }, - "reason": { - "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", - "type": "string" - }, - "tool": { - "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", - "type": "string" - } - }, - "required": [ - "reason" - ], - "type": "object" - }, - "name": "missing_tool" + - name: Write Safe Outputs Tools + run: | + cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + { + "description_suffixes": { + "add_comment": " CONSTRAINTS: Maximum 4 comment(s) can be added.", + "add_labels": " CONSTRAINTS: Only these labels are allowed: [\"type:bug\" \"type:feature\" \"type:docs\" \"type:question\" \"type:security\" \"type:maintenance\" \"status:triage\" \"status:waiting-on-author\" \"status:repro-needed\" \"status:team-review\" \"area:action\" \"area:msdo-cli\" \"area:ci\" \"area:container-mapping\"]." }, - { - "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", - "inputSchema": { - "additionalProperties": false, - "properties": { - "alternatives": { - "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", - "type": "string" - }, - "context": { - "description": "Additional context about the missing data or where it should come from (max 256 characters).", - "type": "string" - }, - "data_type": { - "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", - "type": "string" - }, - "reason": { - "description": "Explanation of why this data is needed to complete the task (max 256 characters).", - "type": "string" - } - }, - "required": [], - "type": "object" - }, - "name": "missing_data" - } - ] - GH_AW_SAFE_OUTPUTS_TOOLS_EOF + "repo_params": {}, + "dynamic_tools": [] + } + GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { @@ -299,6 +363,10 @@ jobs: }, "item_number": { "issueOrPRNumber": true + }, + "repo": { + "type": "string", + "maxLength": 256 } } }, @@ -306,7 +374,7 @@ jobs: "defaultMax": 5, "fields": { "item_number": { - "issueOrPRNumber": true + "issueNumberOrTemporaryId": true }, "labels": { "required": true, @@ -314,6 +382,35 @@ jobs: "itemType": "string", "itemSanitize": true, "itemMaxLength": 128 + }, + "repo": { + "type": "string", + "maxLength": 256 + } + } + }, + "missing_data": { + "defaultMax": 20, + "fields": { + "alternatives": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "context": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "data_type": { + "type": "string", + "sanitize": true, + "maxLength": 128 + }, + "reason": { + "type": "string", + "sanitize": true, + "maxLength": 256 } } }, @@ -337,9 +434,21 @@ jobs: "maxLength": 128 } } + }, + "noop": { + "defaultMax": 1, + "fields": { + "message": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + } + } } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF + node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -378,12 +487,14 @@ jobs: bash /opt/gh-aw/actions/start_safe_outputs_server.sh - - name: Start MCP gateway + - name: Start MCP Gateway id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} + GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }} + GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail @@ -397,10 +508,11 @@ jobs: export MCP_GATEWAY_API_KEY export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads" mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}" + export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288" export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.4' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh @@ -408,11 +520,18 @@ jobs: "mcpServers": { "github": { "type": "stdio", - "container": "ghcr.io/github/github-mcp-server:v0.30.3", + "container": "ghcr.io/github/github-mcp-server:v0.32.0", "env": { + "GITHUB_HOST": "\${GITHUB_SERVER_URL}", "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", "GITHUB_READ_ONLY": "1", "GITHUB_TOOLSETS": "issues" + }, + "guard-policies": { + "allow-only": { + "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY", + "repos": "$GITHUB_MCP_GUARD_REPOS" + } } }, "safeoutputs": { @@ -420,6 +539,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, @@ -431,151 +557,13 @@ jobs: } } GH_AW_MCP_CONFIG_EOF - - name: Generate workflow overview - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + - name: Download activation artifact + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: - script: | - const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); - await generateWorkflowOverview(core); - - name: Create prompt with built-in context - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} - run: | - bash /opt/gh-aw/actions/create_prompt_first.sh - cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT" - - GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" >> "$GH_AW_PROMPT" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" - cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" - - GitHub API Access Instructions - - The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations. - - - To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - - Temporary IDs: Some safe output tools support a temporary ID field (usually named temporary_id) so you can reference newly-created items elsewhere in the SAME agent output (for example, using #aw_abc1 in a later body). - - **IMPORTANT - temporary_id format rules:** - - If you DON'T need to reference the item later, OMIT the temporary_id field entirely (it will be auto-generated if needed) - - If you DO need cross-references/chaining, you MUST match this EXACT validation regex: /^aw_[A-Za-z0-9]{3,8}$/i - - Format: aw_ prefix followed by 3 to 8 alphanumeric characters (A-Z, a-z, 0-9, case-insensitive) - - Valid alphanumeric characters: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 - - INVALID examples: aw_ab (too short), aw_123456789 (too long), aw_test-id (contains hyphen), aw_id_123 (contains underscore) - - VALID examples: aw_abc, aw_abc1, aw_Test123, aw_A1B2C3D4, aw_12345678 - - To generate valid IDs: use 3-8 random alphanumeric characters or omit the field to let the system auto-generate - - Do NOT invent other aw_* formats — downstream steps will reject them with validation errors matching against /^aw_[A-Za-z0-9]{3,8}$/i. - - Discover available tools from the safeoutputs MCP server. - - **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. - - **Note**: If you made no other safe output tool calls during this workflow execution, call the "noop" tool to provide a status message indicating completion or that no actions were needed. - - - - The following GitHub context information is available for this workflow: - {{#if __GH_AW_GITHUB_ACTOR__ }} - - **actor**: __GH_AW_GITHUB_ACTOR__ - {{/if}} - {{#if __GH_AW_GITHUB_REPOSITORY__ }} - - **repository**: __GH_AW_GITHUB_REPOSITORY__ - {{/if}} - {{#if __GH_AW_GITHUB_WORKSPACE__ }} - - **workspace**: __GH_AW_GITHUB_WORKSPACE__ - {{/if}} - {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }} - - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ - {{/if}} - {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }} - - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ - {{/if}} - {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }} - - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ - {{/if}} - {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }} - - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__ - {{/if}} - {{#if __GH_AW_GITHUB_RUN_ID__ }} - - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ - {{/if}} - - - GH_AW_PROMPT_EOF - if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - fi - cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" - - GH_AW_PROMPT_EOF - cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" - {{#runtime-import .github/workflows/msdo-issue-assistant.md}} - GH_AW_PROMPT_EOF - - name: Substitute placeholders - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} - with: - script: | - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - - // Call the substitution function - return await substitutePlaceholders({ - file: process.env.GH_AW_PROMPT, - substitutions: { - GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, - GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER, - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, - GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, - GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, - GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE, - GH_AW_IS_PR_COMMENT: process.env.GH_AW_IS_PR_COMMENT - } - }); - - name: Interpolate variables and render templates - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - with: - script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); - await main(); - - name: Validate prompt placeholders - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh - - name: Print prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + name: activation + path: /tmp/gh-aw - name: Clean git credentials + continue-on-error: true run: bash /opt/gh-aw/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution @@ -583,21 +571,37 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,codeload.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,lfs.github.com,objects.githubusercontent.com,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.17.0 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ - 2>&1 | tee /tmp/gh-aw/agent-stdio.log + touch /tmp/gh-aw/agent-step-summary.md + # shellcheck disable=SC1003 + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,codeload.github.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,lfs.github.com,objects.githubusercontent.com,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.2 --skip-pull --enable-api-proxy \ + -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json - GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} + GH_AW_PHASE: agent GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_VERSION: v0.61.0 + GITHUB_API_URL: ${{ github.api_url }} + GITHUB_AW: true GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} - GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md GITHUB_WORKSPACE: ${{ github.workspace }} + GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com + GIT_AUTHOR_NAME: github-actions[bot] + GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com + GIT_COMMITTER_NAME: github-actions[bot] XDG_CONFIG_HOME: /home/runner + - name: Detect inference access error + id: detect-inference-error + if: always() + continue-on-error: true + run: bash /opt/gh-aw/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -605,6 +609,7 @@ jobs: run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" + git config --global am.keepcr true # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" @@ -626,7 +631,7 @@ jobs: else echo "No session-state directory found at $SESSION_STATE_DIR" fi - - name: Stop MCP gateway + - name: Stop MCP Gateway if: always() continue-on-error: true env: @@ -637,7 +642,7 @@ jobs: bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); @@ -650,19 +655,21 @@ jobs: SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Upload Safe Outputs + - name: Append agent step summary if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: safe-output - path: ${{ env.GH_AW_SAFE_OUTPUTS }} - if-no-files-found: warn + run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + - name: Copy Safe Outputs + if: always() + run: | + mkdir -p /tmp/gh-aw + cp "$GH_AW_SAFE_OUTPUTS" /tmp/gh-aw/safeoutputs.jsonl 2>/dev/null || true - name: Ingest agent output id: collect_output - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + if: always() + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,codeload.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,lfs.github.com,objects.githubusercontent.com,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" + GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,codeload.github.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,lfs.github.com,objects.githubusercontent.com,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: @@ -671,24 +678,9 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - - name: Upload sanitized agent output - if: always() && env.GH_AW_AGENT_OUTPUT - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: agent-output - path: ${{ env.GH_AW_AGENT_OUTPUT }} - if-no-files-found: warn - - name: Upload engine output files - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: agent_outputs - path: | - /tmp/gh-aw/sandbox/agent/logs/ - /tmp/gh-aw/redacted-urls.log - if-no-files-found: ignore - name: Parse agent logs for step summary if: always() - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: @@ -697,9 +689,9 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Parse MCP gateway logs for step summary + - name: Parse MCP Gateway logs for step summary if: always() - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); @@ -715,27 +707,158 @@ jobs: # Fix permissions on firewall logs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" + # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) + if command -v awf &> /dev/null; then + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" + else + echo 'AWF binary not installed, skipping firewall log summary' + fi - name: Upload agent artifacts if: always() continue-on-error: true - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: - name: agent-artifacts + name: agent path: | /tmp/gh-aw/aw-prompts/prompt.txt - /tmp/gh-aw/aw_info.json + /tmp/gh-aw/sandbox/agent/logs/ + /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/sandbox/firewall/logs/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ + /tmp/gh-aw/safeoutputs.jsonl + /tmp/gh-aw/agent_output.json if-no-files-found: ignore + # --- Threat Detection (inline) --- + - name: Check if detection needed + id: detection_guard + if: always() + env: + OUTPUT_TYPES: ${{ steps.collect_output.outputs.output_types }} + HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} + run: | + if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then + echo "run_detection=true" >> "$GITHUB_OUTPUT" + echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH" + else + echo "run_detection=false" >> "$GITHUB_OUTPUT" + echo "Detection skipped: no agent outputs or patches to analyze" + fi + - name: Clear MCP configuration for detection + if: always() && steps.detection_guard.outputs.run_detection == 'true' + run: | + rm -f /tmp/gh-aw/mcp-config/mcp-servers.json + rm -f /home/runner/.copilot/mcp-config.json + rm -f "$GITHUB_WORKSPACE/.gemini/settings.json" + - name: Prepare threat detection files + if: always() && steps.detection_guard.outputs.run_detection == 'true' + run: | + mkdir -p /tmp/gh-aw/threat-detection/aw-prompts + cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true + cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true + for f in /tmp/gh-aw/aw-*.patch; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done + echo "Prepared threat detection files:" + ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true + - name: Setup threat detection + if: always() && steps.detection_guard.outputs.run_detection == 'true' + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + WORKFLOW_NAME: "MSDO Issue Triage Assistant" + WORKFLOW_DESCRIPTION: "No description provided" + HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + await main(); + - name: Ensure threat-detection directory and log + if: always() && steps.detection_guard.outputs.run_detection == 'true' + run: | + mkdir -p /tmp/gh-aw/threat-detection + touch /tmp/gh-aw/threat-detection/detection.log + - name: Execute GitHub Copilot CLI + if: always() && steps.detection_guard.outputs.run_detection == 'true' + id: detection_agentic_execution + # Copilot CLI tool arguments (sorted): + # --allow-tool shell(cat) + # --allow-tool shell(grep) + # --allow-tool shell(head) + # --allow-tool shell(jq) + # --allow-tool shell(ls) + # --allow-tool shell(tail) + # --allow-tool shell(wc) + timeout-minutes: 20 + run: | + set -o pipefail + touch /tmp/gh-aw/agent-step-summary.md + # shellcheck disable=SC1003 + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.2 --skip-pull --enable-api-proxy \ + -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(wc)'\'' --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }} + GH_AW_PHASE: detection + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_VERSION: v0.61.0 + GITHUB_API_URL: ${{ github.api_url }} + GITHUB_AW: true + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md + GITHUB_WORKSPACE: ${{ github.workspace }} + GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com + GIT_AUTHOR_NAME: github-actions[bot] + GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com + GIT_COMMITTER_NAME: github-actions[bot] + XDG_CONFIG_HOME: /home/runner + - name: Parse threat detection results + id: parse_detection_results + if: always() && steps.detection_guard.outputs.run_detection == 'true' + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + await main(); + - name: Upload threat detection log + if: always() && steps.detection_guard.outputs.run_detection == 'true' + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: detection + path: /tmp/gh-aw/threat-detection/detection.log + if-no-files-found: ignore + - name: Set detection conclusion + id: detection_conclusion + if: always() + env: + RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }} + DETECTION_SUCCESS: ${{ steps.parse_detection_results.outputs.success }} + run: | + if [[ "$RUN_DETECTION" != "true" ]]; then + echo "conclusion=skipped" >> "$GITHUB_OUTPUT" + echo "success=true" >> "$GITHUB_OUTPUT" + echo "Detection was not needed, marking as skipped" + elif [[ "$DETECTION_SUCCESS" == "true" ]]; then + echo "conclusion=success" >> "$GITHUB_OUTPUT" + echo "success=true" >> "$GITHUB_OUTPUT" + echo "Detection passed successfully" + else + echo "conclusion=failure" >> "$GITHUB_OUTPUT" + echo "success=false" >> "$GITHUB_OUTPUT" + echo "Detection found issues" + fi conclusion: needs: - activation - agent - - detection - safe_outputs if: (always()) && (needs.agent.result != 'skipped') runs-on: ubuntu-slim @@ -744,28 +867,48 @@ jobs: discussions: write issues: write pull-requests: write + concurrency: + group: "gh-aw-conclusion-msdo-issue-assistant" + cancel-in-progress: false outputs: + noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23 + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact + id: download-agent-output continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: - name: agent-output - path: /tmp/gh-aw/safeoutputs/ + name: agent + path: /tmp/gh-aw/ - name: Setup agent output environment variable + if: steps.download-agent-output.outcome == 'success' run: | - mkdir -p /tmp/gh-aw/safeoutputs/ - find "/tmp/gh-aw/safeoutputs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + mkdir -p /tmp/gh-aw/ + find "/tmp/gh-aw/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV" + - name: Process No-Op Messages + id: noop + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_NOOP_MAX: "1" + GH_AW_WORKFLOW_NAME: "MSDO Issue Triage Assistant" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); + await main(); - name: Record Missing Tool id: missing_tool - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_WORKFLOW_NAME: "MSDO Issue Triage Assistant" @@ -778,15 +921,19 @@ jobs: await main(); - name: Handle Agent Failure id: handle_agent_failure - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_WORKFLOW_NAME: "MSDO Issue Triage Assistant" GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} GH_AW_WORKFLOW_ID: "msdo-issue-assistant" - GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} + GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} + GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "false" + GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -796,12 +943,14 @@ jobs: await main(); - name: Handle No-Op Message id: handle_noop_message - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_WORKFLOW_NAME: "MSDO Issue Triage Assistant" GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }} + GH_AW_NOOP_REPORT_AS_ISSUE: "false" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -809,129 +958,10 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); await main(); - - name: Update reaction comment with completion status - id: conclusion - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - env: - GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }} - GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }} - GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} - GH_AW_WORKFLOW_NAME: "MSDO Issue Triage Assistant" - GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} - GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.result }} - with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); - await main(); - - detection: - needs: agent - if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest - permissions: {} - timeout-minutes: 10 - outputs: - success: ${{ steps.parse_results.outputs.success }} - steps: - - name: Setup Scripts - uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23 - with: - destination: /opt/gh-aw/actions - - name: Download agent artifacts - continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 - with: - name: agent-artifacts - path: /tmp/gh-aw/threat-detection/ - - name: Download agent output artifact - continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 - with: - name: agent-output - path: /tmp/gh-aw/threat-detection/ - - name: Echo agent output types - env: - AGENT_OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }} - run: | - echo "Agent output-types: $AGENT_OUTPUT_TYPES" - - name: Setup threat detection - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - env: - WORKFLOW_NAME: "MSDO Issue Triage Assistant" - WORKFLOW_DESCRIPTION: "No description provided" - HAS_PATCH: ${{ needs.agent.outputs.has_patch }} - with: - script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); - await main(); - - name: Ensure threat-detection directory and log - run: | - mkdir -p /tmp/gh-aw/threat-detection - touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate COPILOT_GITHUB_TOKEN secret - id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default - env: - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.409 - - name: Execute GitHub Copilot CLI - id: agentic_execution - # Copilot CLI tool arguments (sorted): - # --allow-tool shell(cat) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(jq) - # --allow-tool shell(ls) - # --allow-tool shell(tail) - # --allow-tool shell(wc) - timeout-minutes: 20 - run: | - set -o pipefail - COPILOT_CLI_INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" - mkdir -p /tmp/ - mkdir -p /tmp/gh-aw/ - mkdir -p /tmp/gh-aw/agent/ - mkdir -p /tmp/gh-aw/sandbox/agent/logs/ - copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-tool 'shell(cat)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(jq)' --allow-tool 'shell(ls)' --allow-tool 'shell(tail)' --allow-tool 'shell(wc)' --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$COPILOT_CLI_INSTRUCTION"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"} 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log - env: - COPILOT_AGENT_RUNNER_TYPE: STANDALONE - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }} - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GITHUB_HEAD_REF: ${{ github.head_ref }} - GITHUB_REF_NAME: ${{ github.ref_name }} - GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} - GITHUB_WORKSPACE: ${{ github.workspace }} - XDG_CONFIG_HOME: /home/runner - - name: Parse threat detection results - id: parse_results - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - with: - script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); - await main(); - - name: Upload threat detection log - if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: threat-detection.log - path: /tmp/gh-aw/threat-detection/detection.log - if-no-files-found: ignore safe_outputs: - needs: - - agent - - detection - if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.detection.outputs.success == 'true') + needs: agent + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.agent.outputs.detection_success == 'true') runs-on: ubuntu-slim permissions: contents: read @@ -940,36 +970,46 @@ jobs: pull-requests: write timeout-minutes: 15 env: + GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/msdo-issue-assistant" GH_AW_ENGINE_ID: "copilot" GH_AW_WORKFLOW_ID: "msdo-issue-assistant" GH_AW_WORKFLOW_NAME: "MSDO Issue Triage Assistant" outputs: + code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }} + code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }} + comment_id: ${{ steps.process_safe_outputs.outputs.comment_id }} + comment_url: ${{ steps.process_safe_outputs.outputs.comment_url }} create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }} create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }} process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23 + uses: github/gh-aw-actions/setup@df014dd7d03b638e860b2aeca95c833fd97c8cf1 # v0.61.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact + id: download-agent-output continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: - name: agent-output - path: /tmp/gh-aw/safeoutputs/ + name: agent + path: /tmp/gh-aw/ - name: Setup agent output environment variable + if: steps.download-agent-output.outcome == 'success' run: | - mkdir -p /tmp/gh-aw/safeoutputs/ - find "/tmp/gh-aw/safeoutputs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + mkdir -p /tmp/gh-aw/ + find "/tmp/gh-aw/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV" - name: Process Safe Outputs id: process_safe_outputs - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":4},\"add_labels\":{\"allowed\":[\"type:bug\",\"type:feature\",\"type:docs\",\"type:question\",\"type:security\",\"type:maintenance\",\"status:triage\",\"status:waiting-on-author\",\"status:repro-needed\",\"status:team-review\"]},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,codeload.github.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,lfs.github.com,objects.githubusercontent.com,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":4},\"add_labels\":{\"allowed\":[\"type:bug\",\"type:feature\",\"type:docs\",\"type:question\",\"type:security\",\"type:maintenance\",\"status:triage\",\"status:waiting-on-author\",\"status:repro-needed\",\"status:team-review\",\"area:action\",\"area:msdo-cli\",\"area:ci\",\"area:container-mapping\"]},\"missing_data\":{},\"missing_tool\":{}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -977,4 +1017,11 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); + - name: Upload Safe Output Items Manifest + if: always() + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: safe-output-items + path: /tmp/safe-output-items.jsonl + if-no-files-found: warn diff --git a/.github/workflows/msdo-issue-assistant.md b/.github/workflows/msdo-issue-assistant.md index d1b78d83..8f5ba757 100644 --- a/.github/workflows/msdo-issue-assistant.md +++ b/.github/workflows/msdo-issue-assistant.md @@ -1,6 +1,12 @@ --- # MSDO Issue Assistant - GitHub Agentic Workflow # Automatically triage and respond to issues using wiki knowledge +# +# MAINTENANCE NOTE: after running `gh aw compile` with gh-aw v0.61.0, verify +# that the `actions/github-script` SHA in the generated .lock.yml stays pinned +# to v9.0.0 (`3a2844b7e9c422d3c10d287c895573f7108da1b3`). v0.61.0's bundled +# scaffolding emits the older v8 SHA and would silently revert PR #244. See +# PR #252 for context. on: issues: @@ -8,8 +14,7 @@ on: issue_comment: types: [created] workflow_dispatch: - -roles: all + roles: all engine: id: copilot @@ -27,15 +32,17 @@ tools: lockdown: false toolsets: [issues] fetch: - allowed-domains: + allowed: - raw.githubusercontent.com safe-outputs: - noop: false + noop: + report-as-issue: false + report-failure-as-issue: false add-comment: max: 4 add-labels: - allowed: ["type:bug", "type:feature", "type:docs", "type:question", "type:security", "type:maintenance", "status:triage", "status:waiting-on-author", "status:repro-needed", "status:team-review"] + allowed: ["type:bug", "type:feature", "type:docs", "type:question", "type:security", "type:maintenance", "status:triage", "status:waiting-on-author", "status:repro-needed", "status:team-review", "area:action", "area:msdo-cli", "area:ci", "area:container-mapping"] --- @@ -45,9 +52,10 @@ You are an issue triage assistant for the **Microsoft Security DevOps (MSDO)** C ## Your Knowledge Base -Before responding, fetch wiki content from: +Use the fetch tool to retrieve these wiki pages before responding: - https://raw.githubusercontent.com/wiki/microsoft/security-devops-action/Home.md - https://raw.githubusercontent.com/wiki/microsoft/security-devops-action/FAQ.md +- https://raw.githubusercontent.com/wiki/microsoft/security-devops-action/Tool-Configuration.md MSDO is a command line tool that integrates security analysis tools into CI/CD pipelines. @@ -63,6 +71,77 @@ MSDO is a command line tool that integrates security analysis tools into CI/CD p **Wiki reference:** https://github.com/microsoft/security-devops-action/wiki +## Tool Configuration Reference + +MSDO supports passing arguments to individual tools via environment variables or `.gdnconfig` files. + +**Environment variable pattern:** `GDN__` + +Where `` is uppercase and `` is PascalCase with no separators. + +**Common examples:** + +Checkov: +```yaml +env: + GDN_CHECKOV_DOWNLOADEXTERNALMODULES: "true" # download external Terraform modules + GDN_CHECKOV_FRAMEWORK: "terraform" # limit scan to specific framework + GDN_CHECKOV_SKIPCHECK: "CKV_AWS_1,CKV_AWS_2" # skip specific checks + GDN_CHECKOV_CONFIGFILE: ".checkov.yml" # use a checkov config file +``` + +Trivy: +```yaml +env: + GDN_TRIVY_SEVERITIES: "HIGH,CRITICAL" # filter by severity + GDN_TRIVY_IGNOREUNFIXED: "true" # ignore unfixed vulnerabilities + GDN_TRIVY_SCANNERS: "vuln,secret" # specify scanner types +``` + +ESLint: +```yaml +env: + GDN_ESLINT_CONFIGURATIONFILE: ".eslintrc.js" # custom ESLint config + GDN_ESLINT_QUIET: "true" # suppress warnings +``` + +Terrascan: +```yaml +env: + GDN_TERRASCAN_IACTYPE: "terraform" # specify IaC type + GDN_TERRASCAN_SEVERITY: "HIGH" # minimum severity + GDN_TERRASCAN_SKIPRULES: "AC_AWS_001" # skip specific rules +``` + +**`.gdnconfig` alternative** (for complex multi-tool configs): +```json +{ + "fileVersion": "1.0.0", + "jobs": [{ + "tools": [{ + "tool": { "name": "checkov" }, + "arguments": { + "DownloadExternalModules": { "values": ["true"] }, + "Framework": { "values": ["terraform"] } + } + }] + }] +} +``` + +Referenced via: +```yaml +- uses: microsoft/security-devops-action@latest + with: + config: '.msdo.gdnconfig' +``` + +When a user asks about tool-specific flags or arguments: +1. Suggest the environment variable approach first (simplest) +2. Mention `.gdnconfig` as an alternative for complex setups +3. Link to the [Tool Configuration wiki page](https://github.com/microsoft/security-devops-action/wiki/Tool-Configuration) +4. Add the `area:msdo-cli` label since tool configuration is handled by the CLI + ## Your Task When a new issue is opened or a user comments: @@ -107,12 +186,13 @@ Keep responses: - learn.microsoft.com - docs.microsoft.com - aka.ms -3. **Stay on topic** - Only respond to issues related to MSDO, security-devops-action, or the supported security tools. If an issue is unrelated (e.g. general GitHub Actions questions, unrelated security tools, off-topic discussions), do not respond. -4. **Don't respond** if: +3. **Stay on topic** - Only respond to issues related to MSDO, security-devops-action, or the supported security tools. If an issue is unrelated (e.g. general GitHub Actions questions, unrelated security tools, off-topic discussions), call `noop` with a reason — see rule 4. +4. **Call `noop` instead of staying silent** when any of these apply. Pass a one-line reason so the decision is auditable: - The issue is not related to MSDO or security-devops-action + - The issue title starts with `[aw]` or is labeled `agentic-workflows` (auto-generated failure reports, not user issues) - The issue is closed - The commenter is not the issue author (unless it's a new issue) - - You've already responded twice and there is no new technical information in the latest user message + - You have already responded twice and there is no new technical information in the latest user message - The issue has a `status:team-review` label (a maintainer is handling it) 5. **Be honest** - if you don't know something, say so and suggest checking the wiki or waiting for a maintainer @@ -121,19 +201,25 @@ Keep responses: **User asks:** "What tools does MSDO support?" **Response:** MSDO supports these security analysis tools: antimalware (Windows only), bandit, binskim, checkov, eslint, templateanalyzer, terrascan, and trivy. Tools are automatically detected based on your repository content, or you can specify them explicitly. See the [Tools documentation](https://github.com/microsoft/security-devops-action/wiki) for details. +**User asks:** "How do I pass --download-external-modules to checkov?" +**Response:** You can enable this by setting an environment variable in your workflow: `GDN_CHECKOV_DOWNLOADEXTERNALMODULES: "true"` in the `env:` block of the MSDO action step. MSDO supports passing arguments to tools via the `GDN__` pattern. See the [Tool Configuration](https://github.com/microsoft/security-devops-action/wiki/Tool-Configuration) wiki page for more examples. + **User reports:** "Trivy is failing with container image not found" **Response:** This error typically occurs when Docker isn't available. Trivy requires Docker for container scanning. Please ensure you have `docker/setup-buildx-action@v3` in your workflow before the MSDO action. Can you share your workflow YAML so I can help verify the configuration? -## Do NOT Respond Examples +## Noop Examples **Off-topic issue:** "How do I set up GitHub Actions for deploying to AWS?" -→ Do not respond. This is unrelated to MSDO. +→ Call `noop` with reason "off-topic — unrelated to MSDO". **Issue labeled `status:team-review`:** Any issue with this label. -→ Do not respond. A maintainer is already handling it. +→ Call `noop` with reason "status:team-review — maintainer is handling it". **Repeated comments with no new info:** User says "Any update?" or "bump" after you already responded. -→ Do not respond. No new technical information to act on. +→ Call `noop` with reason "no new technical information since prior response". **Non-author comment on existing issue:** A third party comments "I have the same problem." -→ Do not respond. The commenter is not the issue author. +→ Call `noop` with reason "commenter is not the issue author". + +**Workflow failure issue (auto-generated):** Title starts with `[aw]` (e.g. "[aw] MSDO Issue Triage Assistant failed") or labeled `agentic-workflows`. +→ Call `noop` with reason "auto-generated failure report, not a user issue". diff --git a/.github/workflows/official-build.yml b/.github/workflows/official-build.yml index 6bb06952..99ce274d 100644 --- a/.github/workflows/official-build.yml +++ b/.github/workflows/official-build.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.2 - name: Extract branch name shell: bash @@ -27,7 +27,7 @@ jobs: - name: Set up Node.js uses: actions/setup-node@v6 with: - node-version: '14' + node-version: '24' - name: Configure npm to use GitHub Packages run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc diff --git a/.github/workflows/on-push-verification.yml b/.github/workflows/on-push-verification.yml index ca97c77d..4bd35a88 100644 --- a/.github/workflows/on-push-verification.yml +++ b/.github/workflows/on-push-verification.yml @@ -22,7 +22,7 @@ jobs: steps: # Checkout your code repository to scan - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 # Run analyzers - uses: ./ @@ -30,13 +30,13 @@ jobs: # Upload alerts to the Security tab - name: Upload alerts to Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: ${{ steps.msdo.outputs.sarifFile }} # Upload alerts file as a workflow artifact - name: Upload alerts file as a workflow artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: alerts-${{ matrix.os }} path: ${{ steps.msdo.outputs.sarifFile }} diff --git a/.github/workflows/sample-workflow.yml b/.github/workflows/sample-workflow.yml index 43ad0a2c..77c6cf47 100644 --- a/.github/workflows/sample-workflow.yml +++ b/.github/workflows/sample-workflow.yml @@ -20,7 +20,7 @@ jobs: steps: # Checkout your code repository to scan - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 # Run analyzers - name: Run Microsoft Security DevOps Analysis @@ -29,13 +29,13 @@ jobs: # Upload alerts to the Security tab - name: Upload alerts to Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: ${{ steps.msdo.outputs.sarifFile }} # Upload alerts file as a workflow artifact - name: Upload alerts file as a workflow artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: alerts-${{ matrix.os }} path: ${{ steps.msdo.outputs.sarifFile }} diff --git a/.github/workflows/self-hosted-validation-v1.yml b/.github/workflows/self-hosted-validation-v1.yml new file mode 100644 index 00000000..3471076b --- /dev/null +++ b/.github/workflows/self-hosted-validation-v1.yml @@ -0,0 +1,29 @@ +name: MSDO v1 self-hosted validation +on: push + +permissions: + id-token: write + security-events: write + +jobs: + msdo-scan: + name: MSDO v1 - Security Scan + + runs-on: self-hosted + + steps: + + # Checkout your code repository to scan + - uses: actions/checkout@v6.0.2 + + # Run MSDO v1 + - name: Run MSDO + uses: ./ + id: msdo + + # Upload results to the Security tab + - name: Upload results to Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: ${{ steps.msdo.outputs.sarifFile }} diff --git a/.github/workflows/toolchain-version-probe.yml b/.github/workflows/toolchain-version-probe.yml new file mode 100644 index 00000000..ecc8c564 --- /dev/null +++ b/.github/workflows/toolchain-version-probe.yml @@ -0,0 +1,126 @@ +name: MSDO Toolchain Version Probe + +# Runs MSDO to install tools as a side effect, then scrapes the install +# directories to record exact resolved versions into toolchain-versions.json. +# The breach monitor reads this file instead of guessing "latest" from registries. +# +# Guardian installs all tool wrappers as NuGet packages into: +# /home/runner/work/_msdo/packages/nuget/{PackageName}.{version}/ +# ESLint is installed via npm into: +# /home/runner/work/_msdo/packages/node_modules/eslint/ +# Package names confirmed from run 23433052319. + +on: + schedule: + - cron: '0 4 * * 1' # Weekly Monday 04:00 UTC + workflow_dispatch: + +permissions: + contents: write + +jobs: + probe: + name: Resolve and record MSDO tool versions + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + # Run MSDO — scan may find nothing (no real targets), that's fine. + # Side effect: Guardian downloads all tool packages into _msdo/packages/nuget/. + - name: Install MSDO tools + uses: microsoft/security-devops-action@main + continue-on-error: true + with: + tools: bandit,binskim,checkov,eslint,templateanalyzer,terrascan,trivy + + - name: Collect resolved tool versions from install dirs + run: | + python3 - <<'PYEOF' + import os, json, re, pathlib, datetime + + NUGET_DIR = pathlib.Path('/home/runner/work/_msdo/packages/nuget') + NPM_DIR = pathlib.Path('/home/runner/work/_msdo/packages/node_modules') + + VER_PAT = re.compile(r'^(.+?)\.(v?\d+\.\d+(?:\.\d+)*(?:[-+][0-9A-Za-z.-]+)?)$', re.IGNORECASE) + + # Guardian NuGet wrapper package names → canonical tool names. + # Confirmed from run 23433052319 (_msdo/packages/nuget/ directory listing). + PKG_TO_TOOL = { + 'microsoft.guardian.banditredist_linux_amd64': 'bandit', + 'microsoft.codeanalysis.binskim': 'binskim', + 'microsoft.guardian.checkovredist_linux_amd64': 'checkov', + 'azure.templates.analyzer.commandline.linux-x64': 'templateanalyzer', + 'microsoft.guardian.terrascanredist_linux_amd64': 'terrascan', + 'microsoft.guardian.trivyredist_linux_amd64': 'trivy', + } + + # Internal packages — skip + SKIP_PKGS = { + 'microsoft.security.devops.cli', + 'microsoft.security.devops.cli.linux-x64', + 'microsoft.security.devops.cli.linux-arm64', + 'microsoft.security.devops.cli.win-x64', + 'microsoft.security.devops.policy.names', + 'microsoft.security.devops.policy.github', + } + + tools = {} + raw_dirs = [] + + if NUGET_DIR.exists(): + entries = sorted(d.name for d in NUGET_DIR.iterdir() if d.is_dir()) + raw_dirs = entries + for name in entries: + m = VER_PAT.match(name) + if not m: + continue + pkg_lower = m.group(1).lower() + version = m.group(2) + if pkg_lower in SKIP_PKGS: + continue + canonical = PKG_TO_TOOL.get(pkg_lower) + if canonical: + tools[canonical] = version + + # ESLint: installed via npm, read version from package.json + eslint_pkg = NPM_DIR / 'eslint' / 'package.json' + if eslint_pkg.exists(): + tools['eslint'] = json.loads(eslint_pkg.read_text())['version'] + + print('raw_dirs:', raw_dirs) + print('resolved:', tools) + + if not tools: + raise SystemExit('ERROR: no versions resolved — _msdo/packages/nuget/ empty or missing. Aborting.') + + missing = (set(PKG_TO_TOOL.values()) | {'eslint'}) - set(tools.keys()) + if missing: + print(f'WARNING: expected tools not found: {sorted(missing)}') + + output = { + 'generated_at': datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ'), + 'msdo_cli_version': os.environ.get('MSDO_INSTALLEDVERSION', 'unknown'), + 'tools': tools, + 'raw_dirs': raw_dirs, + } + + out = pathlib.Path('.github/toolchain-versions.json') + out.parent.mkdir(parents=True, exist_ok=True) + out.write_text(json.dumps(output, indent=2) + '\n') + print(json.dumps(output, indent=2)) + PYEOF + + - name: Commit updated versions + run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + git add .github/toolchain-versions.json + if git diff --cached --quiet; then + echo "toolchain-versions.json unchanged — nothing to commit" + else + git commit -m "chore(ci): update toolchain-versions.json [skip ci]" + # Push to dedicated unprotected branch — main has branch protection + # requiring PRs. The breach monitor reads from this branch via API. + git push origin HEAD:bot/toolchain-versions --force + fi diff --git a/.gitignore b/.gitignore index fc6e625c..66f5e3c1 100644 --- a/.gitignore +++ b/.gitignore @@ -329,3 +329,9 @@ ASALocalRun/ # MFractors (Xamarin productivity tool) working folder .mfractor/ + +# GitHub Actions Runner +actions-runner/ + +# Copilot instructions +.github/copilot-instructions.md diff --git a/action.yml b/action.yml index 88e603b5..fd52b505 100644 --- a/action.yml +++ b/action.yml @@ -29,7 +29,7 @@ outputs: sarifFile: description: A file path to a SARIF results file. runs: - using: 'node20' - main: 'lib/main.js' - pre: 'lib/pre.js' - post: 'lib/post.js' + using: 'node24' + main: 'lib/v1/main.js' + pre: 'lib/v1/pre.js' + post: 'lib/v1/post.js' diff --git a/docs/superpowers/plans/2026-04-24-agentic-workflows-noop-fix.md b/docs/superpowers/plans/2026-04-24-agentic-workflows-noop-fix.md new file mode 100644 index 00000000..b01b180f --- /dev/null +++ b/docs/superpowers/plans/2026-04-24-agentic-workflows-noop-fix.md @@ -0,0 +1,605 @@ +# Agentic Workflows noop Fix — Implementation Plan + +> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. + +**Goal:** Stop the three gh-aw agentic workflows from filing false-positive `[aw] ... failed` issues that page the on-call IcM rotation. + +**Architecture:** For all three agentic workflows, enable the `noop` safe output with `report-as-issue: false` (lets the agent explicitly signal "nothing to do" without itself filing an issue) and set `safe-outputs.report-failure-as-issue: false` (blocks the auto-filed failure issue even when no output is produced). Update the `msdo-issue-assistant` prompt so its "don't respond" rules now direct the agent to call the `noop` tool explicitly. Regenerate the three `.lock.yml` files with `gh aw compile` and ship everything in one PR. + +> **Note on syntax:** gh-aw v0.61.0 rejects `noop: true` as a boolean. The correct YAML shape is an object: `noop:\n report-as-issue: false`. All YAML blocks below use that shape. If you see `noop: true` anywhere, the compile will fail with "value must be false. Expected format: {...}". + +> **Post-implementation addenda (for traceability):** +> - The `gh aw compile` step with v0.61.0 silently downgrades `actions/github-script` from v9.0.0 (per PR #244) back to v8. The v9.0.0 SHA (`3a2844b7e9c422d3c10d287c895573f7108da1b3`) was restored via sed after compile. A maintenance note to this effect is embedded as a YAML comment at the top of each `.md` source file. +> - A second commit (after the initial review) extended the `msdo-issue-assistant` prompt edits beyond what Tasks 5-6 specified: rule 3 was updated to redirect to rule 4, and the four pre-existing "Do NOT Respond Examples" arrows were changed from "→ Do not respond" to "→ Call `noop` with reason ...". The `## Do NOT Respond Examples` heading was also renamed to `## Noop Examples`. These changes eliminated an internal contradiction between rule 3 and rule 4 and made the examples match the new noop-centric behaviour. They are not reflected in the task descriptions below. + +**Tech Stack:** GitHub Actions, gh-aw CLI v0.61.0, YAML, Markdown prompts. + +**Spec:** [docs/superpowers/specs/2026-04-24-agentic-workflows-noop-fix-design.md](../specs/2026-04-24-agentic-workflows-noop-fix-design.md) + +**Branch:** `fix/agentic-workflows-noop` (already created; the spec is committed there as `e6b5cfa`) + +--- + +## Task 1: Verify gh-aw CLI is installed at the right version + +**Files:** none (local tooling check) + +- [ ] **Step 1: Check the gh-aw version** + +Run: +```bash +gh aw version +``` + +Expected output contains `v0.61.0` (this matches the version recorded in the existing lock-file headers at [.github/workflows/msdo-issue-assistant.lock.yml:15](../../.github/workflows/msdo-issue-assistant.lock.yml#L15)). + +If `gh aw` is not installed, install it first: +```bash +gh extension install github/gh-aw +``` + +If a different version is installed, upgrade: +```bash +gh extension upgrade gh-aw +``` + +- [ ] **Step 2: Confirm we are on the right branch** + +Run: +```bash +git branch --show-current +``` + +Expected: `fix/agentic-workflows-noop` + +If not on that branch: +```bash +git checkout fix/agentic-workflows-noop +``` + +--- + +## Task 2: Edit `ci-doctor.md` safe-outputs + +**Files:** +- Modify: [.github/workflows/ci-doctor.md](../../.github/workflows/ci-doctor.md) (lines 32-40) + +- [ ] **Step 1: Replace the `safe-outputs` block** + +In [.github/workflows/ci-doctor.md](../../.github/workflows/ci-doctor.md), replace this exact block: + +```yaml +safe-outputs: + noop: false + create-issue: + max: 1 + add-labels: + allowed: [ci-failure, flaky-test, build-failure, dependency-issue, needs-maintainer] + add-comment: null + create-pull-request: null +``` + +With: + +```yaml +safe-outputs: + noop: + report-as-issue: false + report-failure-as-issue: false + create-issue: + max: 1 + add-labels: + allowed: [ci-failure, flaky-test, build-failure, dependency-issue, needs-maintainer] + add-comment: null + create-pull-request: null +``` + +Changes: `noop: false` replaced with the `noop:\n report-as-issue: false` object form (enables the noop tool without having it file its own issue), plus `report-failure-as-issue: false` inserted as the next key. + +- [ ] **Step 2: Verify the edit** + +Run: +```bash +grep -nE "noop|report-failure-as-issue|report-as-issue" .github/workflows/ci-doctor.md +``` + +Expected output: +``` +33: noop: +34: report-as-issue: false +35: report-failure-as-issue: false +``` + +--- + +## Task 3: Edit `msdo-breach-monitor.md` safe-outputs + +**Files:** +- Modify: [.github/workflows/msdo-breach-monitor.md](../../.github/workflows/msdo-breach-monitor.md) (lines 41-47) + +- [ ] **Step 1: Replace the `safe-outputs` block** + +In [.github/workflows/msdo-breach-monitor.md](../../.github/workflows/msdo-breach-monitor.md), replace this exact block: + +```yaml +safe-outputs: + noop: false + create-issue: + max: 1 + add-labels: + allowed: [security-breach, supply-chain, toolchain-alert, critical, high, medium] +``` + +With: + +```yaml +safe-outputs: + noop: + report-as-issue: false + report-failure-as-issue: false + create-issue: + max: 1 + add-labels: + allowed: [security-breach, supply-chain, toolchain-alert, critical, high, medium] +``` + +Changes: `noop: false` replaced with the `noop:\n report-as-issue: false` object form, plus `report-failure-as-issue: false` inserted as the next key. + +- [ ] **Step 2: Verify the edit** + +Run: +```bash +grep -nE "noop|report-failure-as-issue|report-as-issue" .github/workflows/msdo-breach-monitor.md +``` + +Expected output: +``` +42: noop: +43: report-as-issue: false +44: report-failure-as-issue: false +``` + +--- + +## Task 4: Edit `msdo-issue-assistant.md` safe-outputs + +**Files:** +- Modify: [.github/workflows/msdo-issue-assistant.md](../../.github/workflows/msdo-issue-assistant.md) (lines 32-38) + +- [ ] **Step 1: Replace the `safe-outputs` block** + +In [.github/workflows/msdo-issue-assistant.md](../../.github/workflows/msdo-issue-assistant.md), replace this exact block: + +```yaml +safe-outputs: + noop: false + add-comment: + max: 4 + add-labels: + allowed: ["type:bug", "type:feature", "type:docs", "type:question", "type:security", "type:maintenance", "status:triage", "status:waiting-on-author", "status:repro-needed", "status:team-review", "area:action", "area:msdo-cli", "area:ci", "area:container-mapping"] +``` + +With: + +```yaml +safe-outputs: + noop: + report-as-issue: false + report-failure-as-issue: false + add-comment: + max: 4 + add-labels: + allowed: ["type:bug", "type:feature", "type:docs", "type:question", "type:security", "type:maintenance", "status:triage", "status:waiting-on-author", "status:repro-needed", "status:team-review", "area:action", "area:msdo-cli", "area:ci", "area:container-mapping"] +``` + +Changes: `noop: false` replaced with the `noop:\n report-as-issue: false` object form, plus `report-failure-as-issue: false` inserted as the next key. + +- [ ] **Step 2: Verify the edit** + +Run: +```bash +grep -nE "noop|report-failure-as-issue|report-as-issue" .github/workflows/msdo-issue-assistant.md +``` + +Expected output (the first three lines — additional matches will appear later in the file inside the prompt text): +``` +33: noop: +34: report-as-issue: false +35: report-failure-as-issue: false +``` + +--- + +## Task 5: Update `msdo-issue-assistant.md` rule 4 to call noop explicitly + +**Files:** +- Modify: [.github/workflows/msdo-issue-assistant.md](../../.github/workflows/msdo-issue-assistant.md) (around lines 182-188, inside the `## Important Rules` section) + +- [ ] **Step 1: Replace the rule-4 block** + +Replace this exact block: + +```markdown +4. **Don't respond** if: + - The issue is not related to MSDO or security-devops-action + - The issue is closed + - The commenter is not the issue author (unless it's a new issue) + - You've already responded twice and there is no new technical information in the latest user message + - The issue has a `status:team-review` label +``` + +With: + +```markdown +4. **Call `noop` instead of staying silent** when any of these apply. Pass a one-line reason so the decision is auditable: + - The issue is not related to MSDO or security-devops-action + - The issue title starts with `[aw]` or is labeled `agentic-workflows` (auto-generated failure reports, not user issues) + - The issue is closed + - The commenter is not the issue author (unless it's a new issue) + - You have already responded twice and there is no new technical information in the latest user message + - The issue has a `status:team-review` label +``` + +Changes: title reworded from "Don't respond" to "Call `noop` instead of staying silent"; new bullet added for `[aw]`-title / `agentic-workflows`-label issues. + +- [ ] **Step 2: Verify the edit** + +Run: +```bash +grep -n "Call \`noop\` instead" .github/workflows/msdo-issue-assistant.md +``` + +Expected: one match pointing to the rule-4 line. + +--- + +## Task 6: Add `[aw]` example to `msdo-issue-assistant.md` "Do NOT Respond Examples" + +**Files:** +- Modify: [.github/workflows/msdo-issue-assistant.md](../../.github/workflows/msdo-issue-assistant.md) (at the end of the `## Do NOT Respond Examples` section, currently ending around line 213) + +- [ ] **Step 1: Append a new example at the end of the section** + +Find this existing last entry in the `## Do NOT Respond Examples` section: + +```markdown +**Non-author comment on existing issue:** A third party comments "I have the same problem." +→ Do not respond. The commenter is not the issue author. +``` + +Append **after** that block (preserve a blank line before the new entry): + +```markdown + +**Workflow failure issue (auto-generated):** Title starts with `[aw]` (e.g. "[aw] MSDO Issue Triage Assistant failed") or labeled `agentic-workflows`. +→ Call `noop` with reason "auto-generated failure report, not a user issue". +``` + +- [ ] **Step 2: Verify the edit** + +Run: +```bash +grep -n "Workflow failure issue" .github/workflows/msdo-issue-assistant.md +``` + +Expected: one match, appearing after the `Non-author comment on existing issue` example. + +Also run: +```bash +tail -5 .github/workflows/msdo-issue-assistant.md +``` + +Expected: the tail shows the new example as the last content in the file. + +--- + +## Task 7: Regenerate all three lock files + +**Files:** +- Modify (via compile): [.github/workflows/ci-doctor.lock.yml](../../.github/workflows/ci-doctor.lock.yml) +- Modify (via compile): [.github/workflows/msdo-breach-monitor.lock.yml](../../.github/workflows/msdo-breach-monitor.lock.yml) +- Modify (via compile): [.github/workflows/msdo-issue-assistant.lock.yml](../../.github/workflows/msdo-issue-assistant.lock.yml) + +- [ ] **Step 1: Run `gh aw compile`** + +Run from repo root: +```bash +gh aw compile +``` + +Expected: the command exits 0 and reports recompiling the three workflows. Any non-zero exit or schema error indicates the YAML edits are malformed — fix the `.md` files and retry. + +- [ ] **Step 2: Inspect the lock-file diff** + +Run: +```bash +git diff -- .github/workflows/*.lock.yml | head -120 +``` + +Expected: three lock files touched. In each diff, the `frontmatter_hash` near the top of the lock file changes (because the `.md` frontmatter changed). Look for new handler wiring for the noop safe output, and the absence of a `handle_missing_safe_outputs` or similar failure-issue step (because `report-failure-as-issue: false` disables it). + +If the diff shows only the `frontmatter_hash` change and no handler wiring change, the schema interpretation of `noop`/`report-failure-as-issue` may differ from expectation — pause and escalate before committing. + +--- + +## Task 8: Commit the changes + +**Files:** all six touched files in this commit. + +- [ ] **Step 1: Stage all changes** + +Run: +```bash +git add .github/workflows/ci-doctor.md \ + .github/workflows/ci-doctor.lock.yml \ + .github/workflows/msdo-breach-monitor.md \ + .github/workflows/msdo-breach-monitor.lock.yml \ + .github/workflows/msdo-issue-assistant.md \ + .github/workflows/msdo-issue-assistant.lock.yml +``` + +- [ ] **Step 2: Verify the staged diff** + +Run: +```bash +git diff --cached --stat +``` + +Expected: six files listed, three `.md` and three `.lock.yml`. + +- [ ] **Step 3: Commit with the project's oneliner style** + +Run: +```bash +git commit -m "fix(ci): enable noop on agentic workflows to stop IcM page spam" +``` + +No Co-Authored-By line; no multi-line body. + +- [ ] **Step 4: Verify the commit landed** + +Run: +```bash +git log --oneline -2 +``` + +Expected top commit: `fix(ci): enable noop on agentic workflows to stop IcM page spam`. +Second commit from top should be the earlier spec commit (`docs: add spec for agentic-workflows noop fix`). + +--- + +## Task 9: Push the branch and open the PR + +**Files:** none (GitHub operations). + +- [ ] **Step 1: Push the branch** + +Run: +```bash +git push -u origin fix/agentic-workflows-noop +``` + +Expected: branch published to `origin` with tracking configured. + +- [ ] **Step 2: Create the PR** + +Run (use `DimaBir` as the author account per the user's PR-account preference — if the git remote is already using that identity, a plain `gh pr create` is fine; otherwise the user handles account selection manually before this step): + +```bash +gh pr create \ + --repo microsoft/security-devops-action \ + --base main \ + --head fix/agentic-workflows-noop \ + --title "fix(ci): enable noop on agentic workflows to stop IcM page spam" \ + --body "$(cat <<'EOF' +## Summary +- Enables `safe-outputs.noop` (with `report-as-issue: false`) on all three agentic workflows so the agent can explicitly signal "nothing to do" instead of exiting silent. +- Sets `safe-outputs.report-failure-as-issue: false` so edge-case silent exits no longer file `[aw] ... failed` issues that page the IcM on-call rotation. +- Updates the `msdo-issue-assistant` prompt to call `noop` in its existing "don't respond" conditions and to recognise auto-generated `[aw]` failure issues. + +Fixes the false-positive failure loop documented in #247 and in [docs/superpowers/specs/2026-04-24-agentic-workflows-noop-fix-design.md](docs/superpowers/specs/2026-04-24-agentic-workflows-noop-fix-design.md). + +## Test plan +- [ ] `gh aw compile` recompiles all three workflows cleanly +- [ ] `msdo-issue-assistant` negative path: post a comment on an off-topic or `[aw]`-titled issue on the PR branch — no new `[aw] ... failed` issue filed, no comment posted +- [ ] `msdo-issue-assistant` positive path: open a test issue asking a real MSDO question — bot replies normally with wiki citations and `area:msdo-cli` label +- [ ] `ci-doctor` negative path: dispatch against a successful CI run — noop, no issue filed +- [ ] `msdo-breach-monitor` negative path: `workflow_dispatch` with no new CVEs — noop, no issue filed +EOF +)" +``` + +No `🤖 Generated with Claude Code` footer (per user preference). + +- [ ] **Step 3: Capture the PR URL** + +`gh pr create` prints the PR URL on success. Record it for the validation tasks below. + +--- + +## Task 10: Negative-path validation — `msdo-issue-assistant` + +**Files:** none (exercises the PR-branch workflow). + +- [ ] **Step 1: Trigger the bot against a known don't-respond case** + +Option A — post a comment on issue #247 (`[aw]`-titled, will exercise the new rule): + +```bash +gh issue comment 247 --repo microsoft/security-devops-action --body "test: verifying fix/agentic-workflows-noop — expect noop" +``` + +Option B — open a new test issue with clearly off-topic content, e.g. title "How do I deploy to AWS?" body "not MSDO-related, just testing". Close it after the run completes. + +Note: the workflow runs off whatever is merged on the default branch for new issues, **unless** gh-aw activation is configured to pick up the PR head. If the run still uses the current `main` version, either (a) merge first and validate post-merge, or (b) on a fork/test repo, push the branch and re-open the same test issue. For this repo, merging first is the likely path — log this as a deliberate choice in the PR review. + +- [ ] **Step 2: Observe the workflow run** + +Run: +```bash +gh run list --repo microsoft/security-devops-action --workflow "MSDO Issue Triage Assistant" --limit 5 +``` + +Expected: newest run's conclusion is `success`. Then inspect that specific run: + +```bash +gh run view --repo microsoft/security-devops-action --log | grep -E "noop|safe output|agent_output|failure" +``` + +Expected markers: +- Evidence of the `noop` handler firing (log line referencing `noop` or `handle_noop`). +- No `"Agent succeeded but produced no safe outputs"` line. +- No step that creates or comments on a `[aw] ... failed` issue. + +- [ ] **Step 3: Confirm no new `[aw]` issue was filed** + +Run: +```bash +gh issue list --repo microsoft/security-devops-action --search "[aw] MSDO Issue Triage Assistant failed" --state open --limit 5 +``` + +Expected: only the pre-existing #247 listed (or none, if it was closed). No newer `[aw]` issues. + +--- + +## Task 11: Positive-path validation — `msdo-issue-assistant` + +**Files:** none (exercises the workflow). + +- [ ] **Step 1: Open a test issue with a real MSDO question** + +Run: +```bash +gh issue create --repo microsoft/security-devops-action \ + --title "How do I pass --download-external-modules to checkov?" \ + --body "I want checkov (run via MSDO) to fetch external Terraform modules. How do I enable this?" +``` + +- [ ] **Step 2: Wait for the bot to respond (up to ~3 minutes), then inspect** + +Run: +```bash +gh issue view --repo microsoft/security-devops-action --comments +``` + +Expected: +- One new comment from the bot citing the wiki, mentioning `GDN_CHECKOV_DOWNLOADEXTERNALMODULES` or linking the Tool Configuration wiki page. +- The issue has the `area:msdo-cli` label applied. +- No `[aw] ... failed` issue created for this run. + +- [ ] **Step 3: Close the test issue** + +Run: +```bash +gh issue close --repo microsoft/security-devops-action --comment "test issue — closing" +``` + +--- + +## Task 12: Negative-path validation — `ci-doctor` + +**Files:** none. + +- [ ] **Step 1: Find a successful CI run on main** + +Run: +```bash +gh run list --repo microsoft/security-devops-action --workflow CI --branch main --status success --limit 3 +``` + +Expected: at least one green CI run. Record its run ID. + +- [ ] **Step 2: Manually dispatch `ci-doctor` against it (pre-merge, from the fix branch)** + +Run: +```bash +gh workflow run "CI Doctor" --repo microsoft/security-devops-action --ref fix/agentic-workflows-noop +``` + +Using `--ref fix/agentic-workflows-noop` makes GitHub pick up the updated `.lock.yml` on the PR branch, so this exercises the fix pre-merge. + +Wait ~1-2 minutes. Then: + +```bash +gh run list --repo microsoft/security-devops-action --workflow "CI Doctor" --limit 3 +``` + +Expected: newest run's conclusion is `success`. + +- [ ] **Step 3: Confirm no new `[aw]` or CI Doctor diagnostic issue was filed** + +Run: +```bash +gh issue list --repo microsoft/security-devops-action \ + --search "[aw] CI Doctor failed OR [CI Doctor]" \ + --state open --limit 5 +``` + +Expected: no newer entries than the pre-existing baseline. If CI Doctor found nothing new to diagnose (green run), it must have noop'd cleanly. + +--- + +## Task 13: Negative-path validation — `msdo-breach-monitor` + +**Files:** none. + +- [ ] **Step 1: Dispatch the monitor (pre-merge, from the fix branch)** + +Run: +```bash +gh workflow run "MSDO Toolchain Breach Monitor" --repo microsoft/security-devops-action --ref fix/agentic-workflows-noop +``` + +Using `--ref fix/agentic-workflows-noop` makes GitHub pick up the updated `.lock.yml` on the PR branch. + +- [ ] **Step 2: Observe the workflow run** + +Run: +```bash +gh run list --repo microsoft/security-devops-action --workflow "MSDO Toolchain Breach Monitor" --limit 3 +``` + +Expected: newest run's conclusion is `success`. + +Inspect the log for the noop call: + +```bash +gh run view --repo microsoft/security-devops-action --log | grep -E "noop|no new incidents|toolchain-alert" +``` + +Expected: evidence of a noop call (unless a genuine CVE in the window would produce a `toolchain-alert` issue — which is a positive-path outcome, not a failure). + +- [ ] **Step 3: Confirm no new `[aw] MSDO Toolchain Breach Monitor failed` issue was filed** + +Run: +```bash +gh issue list --repo microsoft/security-devops-action \ + --search "[aw] MSDO Toolchain Breach Monitor failed" \ + --state open --limit 5 +``` + +Expected: no newer entries. + +--- + +## Task 14: Complete the PR + +**Files:** none (GitHub). + +- [ ] **Step 1: Tick the PR's Test plan checkboxes** + +In the PR description, tick each checkbox that the validation tasks confirmed. + +Run: +```bash +gh pr view --repo microsoft/security-devops-action +``` + +Edit description via: +```bash +gh pr edit --repo microsoft/security-devops-action --body "" +``` + +- [ ] **Step 2: Hand off for human review and merge** + +The PR is now complete. Post a short summary comment and leave the merge to the repository maintainer per normal review process. The user will close #247 manually after merge. diff --git a/docs/superpowers/specs/2026-04-24-agentic-workflows-noop-fix-design.md b/docs/superpowers/specs/2026-04-24-agentic-workflows-noop-fix-design.md new file mode 100644 index 00000000..753e0ca3 --- /dev/null +++ b/docs/superpowers/specs/2026-04-24-agentic-workflows-noop-fix-design.md @@ -0,0 +1,155 @@ +# Agentic Workflows — `noop` Fix Design + +**Date:** 2026-04-24 +**Tracking issue:** [#247 — [aw] MSDO Issue Triage Assistant failed](https://github.com/microsoft/security-devops-action/issues/247) + +## Problem + +Three agentic workflows in `.github/workflows/` each set `safe-outputs.noop: false` +while their prompts instruct the agent to call `noop` or stay silent under +various conditions: + +| Workflow | File | Silent-path trigger | +|---|---|---| +| MSDO Issue Triage Assistant | `msdo-issue-assistant.md` | "Don't respond if" rules (off-topic issue, closed, non-author, `status:team-review`, already-responded, etc.) | +| CI Doctor | `ci-doctor.md` | "If the workflow succeeded, do nothing (noop)"; duplicate-issue check | +| MSDO Toolchain Breach Monitor | `msdo-breach-monitor.md` | "Call `noop` with a one-line summary" when no new CVEs | + +With `noop` disabled, the agent has no way to signal "intentional no-op." gh-aw +reads no `agent_output.json`, treats the run as failure, and files an issue +titled `[aw] failed`. + +In this repository, **every new GitHub issue opens a CRI IcM ticket that pages +on-call**. Each false-positive failure issue is therefore a human page. For +`msdo-issue-assistant`, the failure issue itself (#247) carries the +`agentic-workflows` label and re-triggers the bot on every comment, producing +a self-sustaining spam loop. + +Evidence from run `24783399971`: + +``` +Agent conclusion: success +Error reading agent output file: ENOENT: no such file or directory, open '/tmp/gh-aw/agent_output.json' +Agent succeeded but produced no safe outputs +Found existing issue #247: https://github.com/microsoft/security-devops-action/issues/247 +Added comment to existing issue #247 +``` + +## Goals + +1. Stop paging IcM on-call for false-positive agent failures. +2. Let each bot explicitly signal "nothing to do" when its prompt says to. +3. Preserve normal behaviour on genuine user questions and genuine incidents. + +## Non-goals + +- Closing issue #247 (user closes manually after merge). +- Adding non-paging alerting for real agent failures (future work). +- Fixing the unrelated broken `ContainerMapping` tests on main. +- Changes to non-agentic workflows. + +## Approach + +Hybrid fix — enable `noop` as the root-cause fix, add `report-failure-as-issue: false` +as a safety net so any edge case that still produces no output never pages IcM. + +### Changes to `safe-outputs` (all three `.md` files) + +```yaml +safe-outputs: + noop: true # was: false + report-failure-as-issue: false # new + # ... existing keys (add-comment, add-labels, create-issue, etc.) unchanged +``` + +Semantics: +- `noop: true` registers the `noop` safe-output handler so the agent can call it + with a reason. gh-aw records a successful no-op run and does not treat it as + failure. +- `report-failure-as-issue: false` prevents gh-aw from filing an issue when the + run ends in failure or with no outputs. Genuine failures remain visible in the + Actions tab. + +### Additional edits in `msdo-issue-assistant.md` only + +The prompt currently uses `## Important Rules → Don't respond if` and +`## Do NOT Respond Examples`. Update both to direct the agent to call `noop` +explicitly. + +**Rule replacement** (replace the existing rule 4 "Don't respond if" block): + +```markdown +4. **Call `noop` instead of staying silent** when any of these apply. Pass a + one-line reason so the decision is auditable: + - The issue is not related to MSDO or security-devops-action + - The issue title starts with `[aw]` or is labeled `agentic-workflows` + (auto-generated failure reports, not user issues) + - The issue is closed + - The commenter is not the issue author (unless it's a new issue) + - You have already responded twice and there is no new technical + information in the latest user message + - The issue has a `status:team-review` label +``` + +**New entry in "Do NOT Respond Examples"** (append): + +```markdown +**Workflow failure issue (auto-generated):** Title starts with `[aw]` +(e.g. "[aw] MSDO Issue Triage Assistant failed") or labeled +`agentic-workflows`. +→ Call `noop` with reason "auto-generated failure report, not a user issue". +``` + +No prompt edits in `ci-doctor.md` or `msdo-breach-monitor.md` — their prompts +already say "call noop" / "do nothing (noop)" and will work correctly once +`noop: true` is set. + +### Lock-file regeneration + +After `.md` edits, run `gh aw compile` locally (gh-aw CLI v0.61.0, +matching the version recorded in the existing lock-file header) to +regenerate the three `.lock.yml` files. Both `.md` and `.lock.yml` go in +the same PR so reviewers can diff intent against generated output. + +## Validation + +Existing unit tests on main are broken (ContainerMapping) and do not cover +agentic-workflow behaviour. Validation is behavioural, via `workflow_dispatch` +runs on the PR branch: + +1. **Compile check:** `gh aw compile` succeeds without error; lock-file diff + contains the expected `noop` handler wiring and no other unintended changes. +2. **`msdo-issue-assistant` negative path:** on the PR branch, post a comment + on an existing off-topic issue or on issue #247 itself (this fires the + `issue_comment: created` trigger against the PR-branch workflow via the + normal gh-aw activation flow). Expect the run to succeed, no new comment + posted, no new `[aw] ... failed` issue filed. +3. **`msdo-issue-assistant` positive path:** open a test issue with a real MSDO + question (for example "how do I pass `--download-external-modules` to + checkov?"). Expect the bot to reply normally, citing the wiki, applying the + `area:msdo-cli` label. +4. **`ci-doctor` negative path:** trigger a CI run that succeeds on `main` or a + `release/**` branch (the workflow auto-fires on `workflow_run: CI completed`), + or dispatch manually and point it at a successful run. Expect noop, no + issue filed. +5. **`msdo-breach-monitor` negative path:** `workflow_dispatch` manually when + no new CVEs are in the advisory window. Expect noop, no issue filed. + +If any dry run still files a `[aw] ... failed` issue, the safety net +(`report-failure-as-issue: false`) has not taken effect — investigate before +merging. + +## Rollout + +- One PR on branch `fix/agentic-workflows-noop`, base `main`. +- PR title: `fix(ci): enable noop on agentic workflows to stop IcM page spam`. +- Merge once dry-run validation passes. +- User closes #247 manually after merge. + +## Risks + +| Risk | Mitigation | +|---|---| +| `report-failure-as-issue: false` hides a real agent failure | Accepted trade-off — false positives page IcM; real failures remain in Actions tab and can be wired to non-paging alerts later | +| gh-aw v0.61.0 interprets `noop: true` differently than expected | Lock-file diff is reviewed before merge; fall back to `report-failure-as-issue: false` only (Approach 2) if the generated handler looks wrong | +| Prompt edits cause `msdo-issue-assistant` to noop on cases users want a reply on | Conditions are identical to existing "Don't respond" rules — behaviour unchanged, only the exit mechanism becomes explicit. Positive-path dry run catches regressions | diff --git a/lib/container-mapping.js b/lib/v1/container-mapping.js similarity index 100% rename from lib/container-mapping.js rename to lib/v1/container-mapping.js diff --git a/lib/main.js b/lib/v1/main.js similarity index 100% rename from lib/main.js rename to lib/v1/main.js diff --git a/lib/msdo-helpers.js b/lib/v1/msdo-helpers.js similarity index 100% rename from lib/msdo-helpers.js rename to lib/v1/msdo-helpers.js diff --git a/lib/msdo-interface.js b/lib/v1/msdo-interface.js similarity index 100% rename from lib/msdo-interface.js rename to lib/v1/msdo-interface.js diff --git a/lib/msdo.js b/lib/v1/msdo.js similarity index 100% rename from lib/msdo.js rename to lib/v1/msdo.js diff --git a/lib/post.js b/lib/v1/post.js similarity index 100% rename from lib/post.js rename to lib/v1/post.js diff --git a/lib/pre.js b/lib/v1/pre.js similarity index 100% rename from lib/pre.js rename to lib/v1/pre.js diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json index 3d2207b8..b74d7bec 100644 --- a/node_modules/.package-lock.json +++ b/node_modules/.package-lock.json @@ -30,6 +30,102 @@ "version": "1.0.2", "license": "MIT" }, + "node_modules/@isaacs/cliui": { + "version": "8.0.2", + "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", + "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==", + "dev": true, + "dependencies": { + "string-width": "^5.1.2", + "string-width-cjs": "npm:string-width@^4.2.0", + "strip-ansi": "^7.0.1", + "strip-ansi-cjs": "npm:strip-ansi@^6.0.1", + "wrap-ansi": "^8.1.0", + "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/@isaacs/cliui/node_modules/ansi-regex": { + "version": "6.2.2", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz", + "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-regex?sponsor=1" + } + }, + "node_modules/@isaacs/cliui/node_modules/ansi-styles": { + "version": "6.2.3", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.3.tgz", + "integrity": "sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/@isaacs/cliui/node_modules/emoji-regex": { + "version": "9.2.2", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz", + "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==", + "dev": true + }, + "node_modules/@isaacs/cliui/node_modules/string-width": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", + "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==", + "dev": true, + "dependencies": { + "eastasianwidth": "^0.2.0", + "emoji-regex": "^9.2.2", + "strip-ansi": "^7.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/@isaacs/cliui/node_modules/strip-ansi": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.2.tgz", + "integrity": "sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==", + "dev": true, + "dependencies": { + "ansi-regex": "^6.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/strip-ansi?sponsor=1" + } + }, + "node_modules/@isaacs/cliui/node_modules/wrap-ansi": { + "version": "8.1.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz", + "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==", + "dev": true, + "dependencies": { + "ansi-styles": "^6.1.0", + "string-width": "^5.0.1", + "strip-ansi": "^7.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" + } + }, "node_modules/@microsoft/security-devops-actions-toolkit": { "version": "1.11.0", "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.11.0/04fef883382f5a7c9b9ac2015dcc419009e2a858", @@ -74,6 +170,16 @@ "node": ">= 8" } }, + "node_modules/@pkgjs/parseargs": { + "version": "0.11.0", + "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", + "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", + "dev": true, + "optional": true, + "engines": { + "node": ">=14" + } + }, "node_modules/@sinonjs/commons": { "version": "1.8.6", "dev": true, @@ -208,118 +314,6 @@ "normalize-path": "^2.1.1" } }, - "node_modules/anymatch/node_modules/define-property": { - "version": "2.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-descriptor": "^1.0.2", - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/extend-shallow": { - "version": "3.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "assign-symbols": "^1.0.0", - "is-extendable": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/is-accessor-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/is-data-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/is-descriptor": { - "version": "1.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-accessor-descriptor": "^1.0.0", - "is-data-descriptor": "^1.0.0", - "kind-of": "^6.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/is-extendable": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "is-plain-object": "^2.0.4" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/is-plain-object": { - "version": "2.0.4", - "dev": true, - "license": "MIT", - "dependencies": { - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/kind-of": { - "version": "6.0.3", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/micromatch": { - "version": "3.1.10", - "dev": true, - "license": "MIT", - "dependencies": { - "arr-diff": "^4.0.0", - "array-unique": "^0.3.2", - "braces": "^2.3.1", - "define-property": "^2.0.2", - "extend-shallow": "^3.0.2", - "extglob": "^2.0.4", - "fragment-cache": "^0.2.1", - "kind-of": "^6.0.2", - "nanomatch": "^1.2.9", - "object.pick": "^1.3.0", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/anymatch/node_modules/normalize-path": { "version": "2.1.1", "dev": true, @@ -471,14 +465,6 @@ "node": ">=0.10.0" } }, - "node_modules/array-unique": { - "version": "0.3.2", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/assign-symbols": { "version": "1.0.0", "dev": true, @@ -523,17 +509,6 @@ "node": ">= 0.10" } }, - "node_modules/atob": { - "version": "2.1.2", - "dev": true, - "license": "(MIT OR Apache-2.0)", - "bin": { - "atob": "bin/atob.js" - }, - "engines": { - "node": ">= 4.5.0" - } - }, "node_modules/bach": { "version": "1.2.0", "dev": true, @@ -558,77 +533,6 @@ "dev": true, "license": "MIT" }, - "node_modules/base": { - "version": "0.11.2", - "dev": true, - "license": "MIT", - "dependencies": { - "cache-base": "^1.0.1", - "class-utils": "^0.3.5", - "component-emitter": "^1.2.1", - "define-property": "^1.0.0", - "isobject": "^3.0.1", - "mixin-deep": "^1.2.0", - "pascalcase": "^0.1.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/base/node_modules/define-property": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "is-descriptor": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/base/node_modules/is-accessor-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/base/node_modules/is-data-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/base/node_modules/is-descriptor": { - "version": "1.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-accessor-descriptor": "^1.0.0", - "is-data-descriptor": "^1.0.0", - "kind-of": "^6.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/base/node_modules/kind-of": { - "version": "6.0.3", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/binary-extensions": { "version": "1.13.1", "dev": true, @@ -638,7 +542,9 @@ } }, "node_modules/brace-expansion": { - "version": "1.1.11", + "version": "1.1.12", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", + "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", "dev": true, "license": "MIT", "dependencies": { @@ -647,23 +553,16 @@ } }, "node_modules/braces": { - "version": "2.3.2", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", "dev": true, "license": "MIT", "dependencies": { - "arr-flatten": "^1.1.0", - "array-unique": "^0.3.2", - "extend-shallow": "^2.0.1", - "fill-range": "^4.0.0", - "isobject": "^3.0.1", - "repeat-element": "^1.1.2", - "snapdragon": "^0.8.1", - "snapdragon-node": "^2.0.1", - "split-string": "^3.0.2", - "to-regex": "^3.0.1" + "fill-range": "^7.1.1" }, "engines": { - "node": ">=0.10.0" + "node": ">=8" } }, "node_modules/browser-stdout": { @@ -687,25 +586,6 @@ "dev": true, "license": "MIT" }, - "node_modules/cache-base": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "collection-visit": "^1.0.0", - "component-emitter": "^1.2.1", - "get-value": "^2.0.6", - "has-value": "^1.0.0", - "isobject": "^3.0.1", - "set-value": "^2.0.0", - "to-object-path": "^0.3.0", - "union-value": "^1.0.0", - "unset-value": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/call-bind": { "version": "1.0.2", "dev": true, @@ -726,18 +606,6 @@ "node": ">=0.10.0" } }, - "node_modules/chalk": { - "version": "3.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "ansi-styles": "^4.1.0", - "supports-color": "^7.1.0" - }, - "engines": { - "node": ">=8" - } - }, "node_modules/chokidar": { "version": "2.1.8", "dev": true, @@ -779,20 +647,6 @@ "node": ">=0.10.0" } }, - "node_modules/class-utils": { - "version": "0.3.6", - "dev": true, - "license": "MIT", - "dependencies": { - "arr-union": "^3.1.0", - "define-property": "^0.2.5", - "isobject": "^3.0.0", - "static-extend": "^0.1.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/clean-stack": { "version": "4.2.0", "dev": true, @@ -869,18 +723,6 @@ "node": ">=0.10.0" } }, - "node_modules/collection-visit": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "map-visit": "^1.0.0", - "object-visit": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/color-convert": { "version": "2.0.1", "dev": true, @@ -905,11 +747,6 @@ "color-support": "bin.js" } }, - "node_modules/component-emitter": { - "version": "1.3.0", - "dev": true, - "license": "MIT" - }, "node_modules/concat-map": { "version": "0.0.1", "dev": true, @@ -934,14 +771,6 @@ "dev": true, "license": "MIT" }, - "node_modules/copy-descriptor": { - "version": "0.1.1", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/copy-props": { "version": "2.0.5", "dev": true, @@ -956,6 +785,35 @@ "dev": true, "license": "MIT" }, + "node_modules/cross-spawn": { + "version": "7.0.6", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz", + "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==", + "dev": true, + "dependencies": { + "path-key": "^3.1.0", + "shebang-command": "^2.0.0", + "which": "^2.0.1" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/cross-spawn/node_modules/which": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", + "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==", + "dev": true, + "dependencies": { + "isexe": "^2.0.0" + }, + "bin": { + "node-which": "bin/node-which" + }, + "engines": { + "node": ">= 8" + } + }, "node_modules/d": { "version": "1.0.1", "dev": true, @@ -965,14 +823,6 @@ "type": "^1.0.1" } }, - "node_modules/debug": { - "version": "2.6.9", - "dev": true, - "license": "MIT", - "dependencies": { - "ms": "2.0.0" - } - }, "node_modules/decamelize": { "version": "1.2.0", "dev": true, @@ -981,14 +831,6 @@ "node": ">=0.10.0" } }, - "node_modules/decode-uri-component": { - "version": "0.2.2", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10" - } - }, "node_modules/decompress-response": { "version": "8.1.0", "license": "MIT", @@ -1050,17 +892,6 @@ "url": "https://github.com/sponsors/ljharb" } }, - "node_modules/define-property": { - "version": "0.2.5", - "dev": true, - "license": "MIT", - "dependencies": { - "is-descriptor": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/del": { "version": "7.1.0", "dev": true, @@ -1091,7 +922,9 @@ } }, "node_modules/diff": { - "version": "3.5.0", + "version": "3.5.1", + "resolved": "https://registry.npmjs.org/diff/-/diff-3.5.1.tgz", + "integrity": "sha512-Z3u54A8qGyqFOSr2pk0ijYs8mOE9Qz8kTvtKeBI+upoG9j04Sq+oI7W8zAJiQybDcESET8/uIdHzs0p3k4fZlw==", "dev": true, "license": "BSD-3-Clause", "engines": { @@ -1140,10 +973,17 @@ "node": ">=0.10.0" } }, + "node_modules/eastasianwidth": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz", + "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==", + "dev": true + }, "node_modules/emoji-regex": { "version": "8.0.0", - "dev": true, - "license": "MIT" + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "dev": true }, "node_modules/end-of-stream": { "version": "1.4.4", @@ -1162,13 +1002,16 @@ } }, "node_modules/es5-ext": { - "version": "0.10.62", + "version": "0.10.64", + "resolved": "https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.64.tgz", + "integrity": "sha512-p2snDhiLaXe6dahss1LddxqEm+SkuDvV8dnIQG0MWjyHpcMNfXKPE+/Cc0y+PhxJX3A4xGNeFCj5oc0BUh6deg==", "dev": true, "hasInstallScript": true, "license": "ISC", "dependencies": { "es6-iterator": "^2.0.3", "es6-symbol": "^3.1.3", + "esniff": "^2.0.1", "next-tick": "^1.1.0" }, "engines": { @@ -1206,9 +1049,10 @@ } }, "node_modules/escalade": { - "version": "3.1.1", + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz", + "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==", "dev": true, - "license": "MIT", "engines": { "node": ">=6" } @@ -1224,21 +1068,38 @@ "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/expand-brackets": { - "version": "2.1.4", + "node_modules/esniff": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/esniff/-/esniff-2.0.1.tgz", + "integrity": "sha512-kTUIGKQ/mDPFoJ0oVfcmyJn4iBDRptjNVIzwIFR7tqWXdVI9xfA2RMwY/gbSpJG3lkdWNEjLap/NqVHZiJsdfg==", "dev": true, - "license": "MIT", + "license": "ISC", "dependencies": { - "debug": "^2.3.3", - "define-property": "^0.2.5", - "extend-shallow": "^2.0.1", - "posix-character-classes": "^0.1.0", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.1" + "d": "^1.0.1", + "es5-ext": "^0.10.62", + "event-emitter": "^0.3.5", + "type": "^2.7.2" }, "engines": { - "node": ">=0.10.0" + "node": ">=0.10" + } + }, + "node_modules/esniff/node_modules/type": { + "version": "2.7.3", + "resolved": "https://registry.npmjs.org/type/-/type-2.7.3.tgz", + "integrity": "sha512-8j+1QmAbPvLZow5Qpi6NCaN8FB60p/6x8/vfNqOk/hC+HuvFZhL4+WfekuhQLiqFZXOgQdrs3B+XxEmCc6b3FQ==", + "dev": true, + "license": "ISC" + }, + "node_modules/event-emitter": { + "version": "0.3.5", + "resolved": "https://registry.npmjs.org/event-emitter/-/event-emitter-0.3.5.tgz", + "integrity": "sha512-D9rRn9y7kLPnJ+hMq7S/nhvoKwwvVJahBi2BPmx3bvbsEdK3W9ii8cBSGjP+72/LnM4n6fo3+dkCX5FeTQruXA==", + "dev": true, + "license": "MIT", + "dependencies": { + "d": "1", + "es5-ext": "~0.10.14" } }, "node_modules/expand-tilde": { @@ -1270,89 +1131,6 @@ "dev": true, "license": "MIT" }, - "node_modules/extend-shallow": { - "version": "2.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/extglob": { - "version": "2.0.4", - "dev": true, - "license": "MIT", - "dependencies": { - "array-unique": "^0.3.2", - "define-property": "^1.0.0", - "expand-brackets": "^2.1.4", - "extend-shallow": "^2.0.1", - "fragment-cache": "^0.2.1", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/extglob/node_modules/define-property": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "is-descriptor": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/extglob/node_modules/is-accessor-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/extglob/node_modules/is-data-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/extglob/node_modules/is-descriptor": { - "version": "1.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-accessor-descriptor": "^1.0.0", - "is-data-descriptor": "^1.0.0", - "kind-of": "^6.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/extglob/node_modules/kind-of": { - "version": "6.0.3", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/fancy-log": { "version": "1.3.3", "dev": true, @@ -1396,17 +1174,16 @@ } }, "node_modules/fill-range": { - "version": "4.0.0", + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", "dev": true, "license": "MIT", "dependencies": { - "extend-shallow": "^2.0.1", - "is-number": "^3.0.0", - "repeat-string": "^1.6.1", - "to-regex-range": "^2.1.0" + "to-regex-range": "^5.0.1" }, "engines": { - "node": ">=0.10.0" + "node": ">=8" } }, "node_modules/find-up": { @@ -1435,118 +1212,6 @@ "node": ">= 0.10" } }, - "node_modules/findup-sync/node_modules/define-property": { - "version": "2.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-descriptor": "^1.0.2", - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/findup-sync/node_modules/extend-shallow": { - "version": "3.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "assign-symbols": "^1.0.0", - "is-extendable": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/findup-sync/node_modules/is-accessor-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/findup-sync/node_modules/is-data-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/findup-sync/node_modules/is-descriptor": { - "version": "1.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-accessor-descriptor": "^1.0.0", - "is-data-descriptor": "^1.0.0", - "kind-of": "^6.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/findup-sync/node_modules/is-extendable": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "is-plain-object": "^2.0.4" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/findup-sync/node_modules/is-plain-object": { - "version": "2.0.4", - "dev": true, - "license": "MIT", - "dependencies": { - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/findup-sync/node_modules/kind-of": { - "version": "6.0.3", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/findup-sync/node_modules/micromatch": { - "version": "3.1.10", - "dev": true, - "license": "MIT", - "dependencies": { - "arr-diff": "^4.0.0", - "array-unique": "^0.3.2", - "braces": "^2.3.1", - "define-property": "^2.0.2", - "extend-shallow": "^3.0.2", - "extglob": "^2.0.4", - "fragment-cache": "^0.2.1", - "kind-of": "^6.0.2", - "nanomatch": "^1.2.9", - "object.pick": "^1.3.0", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/fined": { "version": "1.2.0", "dev": true, @@ -1617,15 +1282,20 @@ "node": ">=0.10.0" } }, - "node_modules/fragment-cache": { - "version": "0.2.1", + "node_modules/foreground-child": { + "version": "3.3.1", + "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.1.tgz", + "integrity": "sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==", "dev": true, - "license": "MIT", "dependencies": { - "map-cache": "^0.2.2" + "cross-spawn": "^7.0.6", + "signal-exit": "^4.0.1" }, "engines": { - "node": ">=0.10.0" + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" } }, "node_modules/fs-mkdirp-stream": { @@ -1896,22 +1566,6 @@ "node": ">= 0.10" } }, - "node_modules/gulp-shell": { - "version": "0.8.0", - "dev": true, - "license": "MIT", - "dependencies": { - "chalk": "^3.0.0", - "fancy-log": "^1.3.3", - "lodash.template": "^4.5.0", - "plugin-error": "^1.0.1", - "through2": "^3.0.1", - "tslib": "^1.10.0" - }, - "engines": { - "node": ">=10.0.0" - } - }, "node_modules/gulp-typescript": { "version": "6.0.0-alpha.1", "dev": true, @@ -2002,63 +1656,27 @@ "url": "https://github.com/sponsors/ljharb" } }, - "node_modules/has-value": { - "version": "1.0.0", + "node_modules/he": { + "version": "1.2.0", "dev": true, "license": "MIT", - "dependencies": { - "get-value": "^2.0.6", - "has-values": "^1.0.0", - "isobject": "^3.0.0" - }, - "engines": { - "node": ">=0.10.0" + "bin": { + "he": "bin/he" } }, - "node_modules/has-values": { - "version": "1.0.0", + "node_modules/homedir-polyfill": { + "version": "1.0.3", "dev": true, "license": "MIT", "dependencies": { - "is-number": "^3.0.0", - "kind-of": "^4.0.0" + "parse-passwd": "^1.0.0" }, "engines": { "node": ">=0.10.0" } }, - "node_modules/has-values/node_modules/kind-of": { - "version": "4.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/he": { - "version": "1.2.0", - "dev": true, - "license": "MIT", - "bin": { - "he": "bin/he" - } - }, - "node_modules/homedir-polyfill": { - "version": "1.0.3", - "dev": true, - "license": "MIT", - "dependencies": { - "parse-passwd": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/hosted-git-info": { - "version": "2.8.9", + "node_modules/hosted-git-info": { + "version": "2.8.9", "dev": true, "license": "ISC" }, @@ -2128,28 +1746,6 @@ "node": ">=0.10.0" } }, - "node_modules/is-accessor-descriptor": { - "version": "0.1.6", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-accessor-descriptor/node_modules/kind-of": { - "version": "3.2.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/is-arrayish": { "version": "0.2.1", "dev": true, @@ -2182,49 +1778,6 @@ "url": "https://github.com/sponsors/ljharb" } }, - "node_modules/is-data-descriptor": { - "version": "0.1.4", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-data-descriptor/node_modules/kind-of": { - "version": "3.2.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-descriptor": { - "version": "0.1.6", - "dev": true, - "license": "MIT", - "dependencies": { - "is-accessor-descriptor": "^0.1.6", - "is-data-descriptor": "^0.1.4", - "kind-of": "^5.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-extendable": { - "version": "0.1.1", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/is-extglob": { "version": "2.1.1", "dev": true, @@ -2263,28 +1816,6 @@ "node": ">=0.10.0" } }, - "node_modules/is-number": { - "version": "3.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-number/node_modules/kind-of": { - "version": "3.2.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/is-path-cwd": { "version": "3.0.0", "dev": true, @@ -2395,8 +1926,25 @@ "node": ">=0.10.0" } }, + "node_modules/jackspeak": { + "version": "3.4.3", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz", + "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==", + "dev": true, + "dependencies": { + "@isaacs/cliui": "^8.0.2" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + }, + "optionalDependencies": { + "@pkgjs/parseargs": "^0.11.0" + } + }, "node_modules/js-yaml": { - "version": "4.1.0", + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz", + "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==", "dev": true, "license": "MIT", "dependencies": { @@ -2533,12 +2081,9 @@ } }, "node_modules/lodash": { - "version": "4.17.21", - "dev": true, - "license": "MIT" - }, - "node_modules/lodash._reinterpolate": { - "version": "3.0.0", + "version": "4.17.23", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", + "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", "dev": true, "license": "MIT" }, @@ -2547,23 +2092,6 @@ "dev": true, "license": "MIT" }, - "node_modules/lodash.template": { - "version": "4.5.0", - "dev": true, - "license": "MIT", - "dependencies": { - "lodash._reinterpolate": "^3.0.0", - "lodash.templatesettings": "^4.0.0" - } - }, - "node_modules/lodash.templatesettings": { - "version": "4.2.0", - "dev": true, - "license": "MIT", - "dependencies": { - "lodash._reinterpolate": "^3.0.0" - } - }, "node_modules/log-symbols": { "version": "4.1.0", "dev": true, @@ -2599,6 +2127,12 @@ "dev": true, "license": "BSD-3-Clause" }, + "node_modules/lru-cache": { + "version": "10.4.3", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", + "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", + "dev": true + }, "node_modules/make-iterator": { "version": "1.0.1", "dev": true, @@ -2626,17 +2160,6 @@ "node": ">=0.10.0" } }, - "node_modules/map-visit": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "object-visit": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/matchdep": { "version": "2.0.0", "dev": true, @@ -2651,30 +2174,6 @@ "node": ">= 0.10.0" } }, - "node_modules/matchdep/node_modules/define-property": { - "version": "2.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-descriptor": "^1.0.2", - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/matchdep/node_modules/extend-shallow": { - "version": "3.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "assign-symbols": "^1.0.0", - "is-extendable": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/matchdep/node_modules/findup-sync": { "version": "2.0.0", "dev": true, @@ -2689,374 +2188,181 @@ "node": ">= 0.10" } }, - "node_modules/matchdep/node_modules/is-accessor-descriptor": { - "version": "1.0.0", + "node_modules/matchdep/node_modules/is-glob": { + "version": "3.1.0", "dev": true, "license": "MIT", "dependencies": { - "kind-of": "^6.0.0" + "is-extglob": "^2.1.0" }, "engines": { "node": ">=0.10.0" } }, - "node_modules/matchdep/node_modules/is-data-descriptor": { - "version": "1.0.0", + "node_modules/merge2": { + "version": "1.4.1", "dev": true, "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, "engines": { - "node": ">=0.10.0" + "node": ">= 8" } }, - "node_modules/matchdep/node_modules/is-descriptor": { - "version": "1.0.2", + "node_modules/micromatch": { + "version": "4.0.8", + "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz", + "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==", "dev": true, "license": "MIT", "dependencies": { - "is-accessor-descriptor": "^1.0.0", - "is-data-descriptor": "^1.0.0", - "kind-of": "^6.0.2" + "braces": "^3.0.3", + "picomatch": "^2.3.1" }, "engines": { - "node": ">=0.10.0" + "node": ">=8.6" } }, - "node_modules/matchdep/node_modules/is-extendable": { - "version": "1.0.1", - "dev": true, + "node_modules/mimic-response": { + "version": "4.0.0", "license": "MIT", - "dependencies": { - "is-plain-object": "^2.0.4" - }, "engines": { - "node": ">=0.10.0" + "node": "^12.20.0 || ^14.13.1 || >=16.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/matchdep/node_modules/is-glob": { - "version": "3.1.0", + "node_modules/minimatch": { + "version": "3.1.2", "dev": true, - "license": "MIT", + "license": "ISC", "dependencies": { - "is-extglob": "^2.1.0" + "brace-expansion": "^1.1.7" }, "engines": { - "node": ">=0.10.0" + "node": "*" } }, - "node_modules/matchdep/node_modules/is-plain-object": { - "version": "2.0.4", + "node_modules/minipass": { + "version": "7.1.3", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.3.tgz", + "integrity": "sha512-tEBHqDnIoM/1rXME1zgka9g6Q2lcoCkxHLuc7ODJ5BxbP5d4c2Z5cGgtXAku59200Cx7diuHTOYfSBD8n6mm8A==", "dev": true, - "license": "MIT", - "dependencies": { - "isobject": "^3.0.1" - }, "engines": { - "node": ">=0.10.0" + "node": ">=16 || 14 >=14.17" } }, - "node_modules/matchdep/node_modules/kind-of": { - "version": "6.0.3", - "dev": true, - "license": "MIT", + "node_modules/mocha": { + "version": "11.7.5", + "resolved": "https://registry.npmjs.org/mocha/-/mocha-11.7.5.tgz", + "integrity": "sha512-mTT6RgopEYABzXWFx+GcJ+ZQ32kp4fMf0xvpZIIfSq9Z8lC/++MtcCnQ9t5FP2veYEP95FIYSvW+U9fV4xrlig==", + "dev": true, + "dependencies": { + "browser-stdout": "^1.3.1", + "chokidar": "^4.0.1", + "debug": "^4.3.5", + "diff": "^7.0.0", + "escape-string-regexp": "^4.0.0", + "find-up": "^5.0.0", + "glob": "^10.4.5", + "he": "^1.2.0", + "is-path-inside": "^3.0.3", + "js-yaml": "^4.1.0", + "log-symbols": "^4.1.0", + "minimatch": "^9.0.5", + "ms": "^2.1.3", + "picocolors": "^1.1.1", + "serialize-javascript": "^6.0.2", + "strip-json-comments": "^3.1.1", + "supports-color": "^8.1.1", + "workerpool": "^9.2.0", + "yargs": "^17.7.2", + "yargs-parser": "^21.1.1", + "yargs-unparser": "^2.0.0" + }, + "bin": { + "_mocha": "bin/_mocha", + "mocha": "bin/mocha.js" + }, "engines": { - "node": ">=0.10.0" + "node": "^18.18.0 || ^20.9.0 || >=21.1.0" } }, - "node_modules/matchdep/node_modules/micromatch": { - "version": "3.1.10", + "node_modules/mocha/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "dev": true, - "license": "MIT", - "dependencies": { - "arr-diff": "^4.0.0", - "array-unique": "^0.3.2", - "braces": "^2.3.1", - "define-property": "^2.0.2", - "extend-shallow": "^3.0.2", - "extglob": "^2.0.4", - "fragment-cache": "^0.2.1", - "kind-of": "^6.0.2", - "nanomatch": "^1.2.9", - "object.pick": "^1.3.0", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.2" - }, "engines": { - "node": ">=0.10.0" + "node": ">=8" } }, - "node_modules/merge2": { - "version": "1.4.1", + "node_modules/mocha/node_modules/brace-expansion": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz", + "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==", "dev": true, - "license": "MIT", - "engines": { - "node": ">= 8" + "dependencies": { + "balanced-match": "^1.0.0" } }, - "node_modules/micromatch": { - "version": "4.0.5", + "node_modules/mocha/node_modules/chokidar": { + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.3.tgz", + "integrity": "sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA==", "dev": true, - "license": "MIT", "dependencies": { - "braces": "^3.0.2", - "picomatch": "^2.3.1" + "readdirp": "^4.0.1" }, "engines": { - "node": ">=8.6" + "node": ">= 14.16.0" + }, + "funding": { + "url": "https://paulmillr.com/funding/" } }, - "node_modules/micromatch/node_modules/braces": { - "version": "3.0.2", + "node_modules/mocha/node_modules/cliui": { + "version": "8.0.1", + "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz", + "integrity": "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==", "dev": true, - "license": "MIT", "dependencies": { - "fill-range": "^7.0.1" + "string-width": "^4.2.0", + "strip-ansi": "^6.0.1", + "wrap-ansi": "^7.0.0" }, "engines": { - "node": ">=8" + "node": ">=12" } }, - "node_modules/micromatch/node_modules/fill-range": { - "version": "7.0.1", + "node_modules/mocha/node_modules/debug": { + "version": "4.4.3", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz", + "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", "dev": true, "license": "MIT", "dependencies": { - "to-regex-range": "^5.0.1" + "ms": "^2.1.3" }, "engines": { - "node": ">=8" + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } } }, - "node_modules/micromatch/node_modules/is-number": { + "node_modules/mocha/node_modules/diff": { "version": "7.0.0", + "resolved": "https://registry.npmjs.org/diff/-/diff-7.0.0.tgz", + "integrity": "sha512-PJWHUb1RFevKCwaFA9RlG5tCd+FO5iRh9A8HEtkmBH2Li03iJriB6m6JIN4rGz3K3JLawI7/veA1xzRKP6ISBw==", "dev": true, - "license": "MIT", "engines": { - "node": ">=0.12.0" + "node": ">=0.3.1" } }, - "node_modules/micromatch/node_modules/to-regex-range": { - "version": "5.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "is-number": "^7.0.0" - }, - "engines": { - "node": ">=8.0" - } - }, - "node_modules/mimic-response": { - "version": "4.0.0", - "license": "MIT", - "engines": { - "node": "^12.20.0 || ^14.13.1 || >=16.0.0" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, - "node_modules/minimatch": { - "version": "3.1.2", - "dev": true, - "license": "ISC", - "dependencies": { - "brace-expansion": "^1.1.7" - }, - "engines": { - "node": "*" - } - }, - "node_modules/mixin-deep": { - "version": "1.3.2", - "dev": true, - "license": "MIT", - "dependencies": { - "for-in": "^1.0.2", - "is-extendable": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/mixin-deep/node_modules/is-extendable": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "is-plain-object": "^2.0.4" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/mixin-deep/node_modules/is-plain-object": { - "version": "2.0.4", - "dev": true, - "license": "MIT", - "dependencies": { - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/mocha": { - "version": "10.2.0", - "dev": true, - "license": "MIT", - "dependencies": { - "ansi-colors": "4.1.1", - "browser-stdout": "1.3.1", - "chokidar": "3.5.3", - "debug": "4.3.4", - "diff": "5.0.0", - "escape-string-regexp": "4.0.0", - "find-up": "5.0.0", - "glob": "7.2.0", - "he": "1.2.0", - "js-yaml": "4.1.0", - "log-symbols": "4.1.0", - "minimatch": "5.0.1", - "ms": "2.1.3", - "nanoid": "3.3.3", - "serialize-javascript": "6.0.0", - "strip-json-comments": "3.1.1", - "supports-color": "8.1.1", - "workerpool": "6.2.1", - "yargs": "16.2.0", - "yargs-parser": "20.2.4", - "yargs-unparser": "2.0.0" - }, - "bin": { - "_mocha": "bin/_mocha", - "mocha": "bin/mocha.js" - }, - "engines": { - "node": ">= 14.0.0" - }, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/mochajs" - } - }, - "node_modules/mocha/node_modules/ansi-colors": { - "version": "4.1.1", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=6" - } - }, - "node_modules/mocha/node_modules/ansi-regex": { - "version": "5.0.1", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=8" - } - }, - "node_modules/mocha/node_modules/anymatch": { - "version": "3.1.3", - "dev": true, - "license": "ISC", - "dependencies": { - "normalize-path": "^3.0.0", - "picomatch": "^2.0.4" - }, - "engines": { - "node": ">= 8" - } - }, - "node_modules/mocha/node_modules/binary-extensions": { - "version": "2.2.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=8" - } - }, - "node_modules/mocha/node_modules/braces": { - "version": "3.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "fill-range": "^7.0.1" - }, - "engines": { - "node": ">=8" - } - }, - "node_modules/mocha/node_modules/chokidar": { - "version": "3.5.3", - "dev": true, - "funding": [ - { - "type": "individual", - "url": "https://paulmillr.com/funding/" - } - ], - "license": "MIT", - "dependencies": { - "anymatch": "~3.1.2", - "braces": "~3.0.2", - "glob-parent": "~5.1.2", - "is-binary-path": "~2.1.0", - "is-glob": "~4.0.1", - "normalize-path": "~3.0.0", - "readdirp": "~3.6.0" - }, - "engines": { - "node": ">= 8.10.0" - }, - "optionalDependencies": { - "fsevents": "~2.3.2" - } - }, - "node_modules/mocha/node_modules/cliui": { - "version": "7.0.4", - "dev": true, - "license": "ISC", - "dependencies": { - "string-width": "^4.2.0", - "strip-ansi": "^6.0.0", - "wrap-ansi": "^7.0.0" - } - }, - "node_modules/mocha/node_modules/debug": { - "version": "4.3.4", - "dev": true, - "license": "MIT", - "dependencies": { - "ms": "2.1.2" - }, - "engines": { - "node": ">=6.0" - }, - "peerDependenciesMeta": { - "supports-color": { - "optional": true - } - } - }, - "node_modules/mocha/node_modules/debug/node_modules/ms": { - "version": "2.1.2", - "dev": true, - "license": "MIT" - }, - "node_modules/mocha/node_modules/diff": { - "version": "5.0.0", - "dev": true, - "license": "BSD-3-Clause", - "engines": { - "node": ">=0.3.1" - } - }, - "node_modules/mocha/node_modules/escape-string-regexp": { - "version": "4.0.0", + "node_modules/mocha/node_modules/escape-string-regexp": { + "version": "4.0.0", "dev": true, "license": "MIT", "engines": { @@ -3066,17 +2372,6 @@ "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/mocha/node_modules/fill-range": { - "version": "7.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "to-regex-range": "^5.0.1" - }, - "engines": { - "node": ">=8" - } - }, "node_modules/mocha/node_modules/find-up": { "version": "5.0.0", "dev": true, @@ -3094,86 +2389,65 @@ }, "node_modules/mocha/node_modules/get-caller-file": { "version": "2.0.5", + "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz", + "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==", "dev": true, - "license": "ISC", "engines": { "node": "6.* || 8.* || >= 10.*" } }, "node_modules/mocha/node_modules/glob": { - "version": "7.2.0", + "version": "10.5.0", + "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz", + "integrity": "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==", + "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me", "dev": true, - "license": "ISC", "dependencies": { - "fs.realpath": "^1.0.0", - "inflight": "^1.0.4", - "inherits": "2", - "minimatch": "^3.0.4", - "once": "^1.3.0", - "path-is-absolute": "^1.0.0" + "foreground-child": "^3.1.0", + "jackspeak": "^3.1.2", + "minimatch": "^9.0.4", + "minipass": "^7.1.2", + "package-json-from-dist": "^1.0.0", + "path-scurry": "^1.11.1" }, - "engines": { - "node": "*" + "bin": { + "glob": "dist/esm/bin.mjs" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, - "node_modules/mocha/node_modules/glob/node_modules/minimatch": { - "version": "3.1.2", - "dev": true, - "license": "ISC", - "dependencies": { - "brace-expansion": "^1.1.7" - }, - "engines": { - "node": "*" - } - }, - "node_modules/mocha/node_modules/is-binary-path": { - "version": "2.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "binary-extensions": "^2.0.0" - }, - "engines": { - "node": ">=8" - } - }, "node_modules/mocha/node_modules/is-fullwidth-code-point": { "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "dev": true, - "license": "MIT", "engines": { "node": ">=8" } }, - "node_modules/mocha/node_modules/is-number": { - "version": "7.0.0", + "node_modules/mocha/node_modules/is-path-inside": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-3.0.3.tgz", + "integrity": "sha512-Fd4gABb+ycGAmKou8eMftCupSir5lRxqf4aD/vd0cD2qc4HL07OjCeuHMr8Ro4CoMaeCKDB0/ECBOVWjTwUvPQ==", "dev": true, - "license": "MIT", "engines": { - "node": ">=0.12.0" + "node": ">=8" } }, "node_modules/mocha/node_modules/minimatch": { - "version": "5.0.1", + "version": "9.0.5", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", + "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==", "dev": true, - "license": "ISC", "dependencies": { "brace-expansion": "^2.0.1" }, "engines": { - "node": ">=10" - } - }, - "node_modules/mocha/node_modules/minimatch/node_modules/brace-expansion": { - "version": "2.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "balanced-match": "^1.0.0" + "node": ">=16 || 14 >=14.17" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" } }, "node_modules/mocha/node_modules/ms": { @@ -3190,20 +2464,23 @@ } }, "node_modules/mocha/node_modules/readdirp": { - "version": "3.6.0", + "version": "4.1.2", + "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-4.1.2.tgz", + "integrity": "sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==", "dev": true, - "license": "MIT", - "dependencies": { - "picomatch": "^2.2.1" - }, "engines": { - "node": ">=8.10.0" + "node": ">= 14.18.0" + }, + "funding": { + "type": "individual", + "url": "https://paulmillr.com/funding/" } }, "node_modules/mocha/node_modules/string-width": { "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "dev": true, - "license": "MIT", "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", @@ -3215,8 +2492,9 @@ }, "node_modules/mocha/node_modules/strip-ansi": { "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, - "license": "MIT", "dependencies": { "ansi-regex": "^5.0.1" }, @@ -3225,211 +2503,78 @@ } }, "node_modules/mocha/node_modules/supports-color": { - "version": "8.1.1", - "dev": true, - "license": "MIT", - "dependencies": { - "has-flag": "^4.0.0" - }, - "engines": { - "node": ">=10" - }, - "funding": { - "url": "https://github.com/chalk/supports-color?sponsor=1" - } - }, - "node_modules/mocha/node_modules/to-regex-range": { - "version": "5.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "is-number": "^7.0.0" - }, - "engines": { - "node": ">=8.0" - } - }, - "node_modules/mocha/node_modules/wrap-ansi": { - "version": "7.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "ansi-styles": "^4.0.0", - "string-width": "^4.1.0", - "strip-ansi": "^6.0.0" - }, - "engines": { - "node": ">=10" - }, - "funding": { - "url": "https://github.com/chalk/wrap-ansi?sponsor=1" - } - }, - "node_modules/mocha/node_modules/y18n": { - "version": "5.0.8", - "dev": true, - "license": "ISC", - "engines": { - "node": ">=10" - } - }, - "node_modules/mocha/node_modules/yargs": { - "version": "16.2.0", - "dev": true, - "license": "MIT", - "dependencies": { - "cliui": "^7.0.2", - "escalade": "^3.1.1", - "get-caller-file": "^2.0.5", - "require-directory": "^2.1.1", - "string-width": "^4.2.0", - "y18n": "^5.0.5", - "yargs-parser": "^20.2.2" - }, - "engines": { - "node": ">=10" - } - }, - "node_modules/mocha/node_modules/yargs-parser": { - "version": "20.2.4", - "dev": true, - "license": "ISC", - "engines": { - "node": ">=10" - } - }, - "node_modules/ms": { - "version": "2.0.0", - "dev": true, - "license": "MIT" - }, - "node_modules/mute-stdout": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/nanoid": { - "version": "3.3.3", - "dev": true, - "license": "MIT", - "bin": { - "nanoid": "bin/nanoid.cjs" - }, - "engines": { - "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1" - } - }, - "node_modules/nanomatch": { - "version": "1.2.13", - "dev": true, - "license": "MIT", - "dependencies": { - "arr-diff": "^4.0.0", - "array-unique": "^0.3.2", - "define-property": "^2.0.2", - "extend-shallow": "^3.0.2", - "fragment-cache": "^0.2.1", - "is-windows": "^1.0.2", - "kind-of": "^6.0.2", - "object.pick": "^1.3.0", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/nanomatch/node_modules/define-property": { - "version": "2.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-descriptor": "^1.0.2", - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/nanomatch/node_modules/extend-shallow": { - "version": "3.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "assign-symbols": "^1.0.0", - "is-extendable": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/nanomatch/node_modules/is-accessor-descriptor": { - "version": "1.0.0", + "version": "8.1.1", "dev": true, "license": "MIT", "dependencies": { - "kind-of": "^6.0.0" + "has-flag": "^4.0.0" }, "engines": { - "node": ">=0.10.0" + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/supports-color?sponsor=1" } }, - "node_modules/nanomatch/node_modules/is-data-descriptor": { - "version": "1.0.0", + "node_modules/mocha/node_modules/wrap-ansi": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", + "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", "dev": true, - "license": "MIT", "dependencies": { - "kind-of": "^6.0.0" + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": "^6.0.0" }, "engines": { - "node": ">=0.10.0" + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" } }, - "node_modules/nanomatch/node_modules/is-descriptor": { - "version": "1.0.2", + "node_modules/mocha/node_modules/y18n": { + "version": "5.0.8", + "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", + "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==", "dev": true, - "license": "MIT", - "dependencies": { - "is-accessor-descriptor": "^1.0.0", - "is-data-descriptor": "^1.0.0", - "kind-of": "^6.0.2" - }, "engines": { - "node": ">=0.10.0" + "node": ">=10" } }, - "node_modules/nanomatch/node_modules/is-extendable": { - "version": "1.0.1", + "node_modules/mocha/node_modules/yargs": { + "version": "17.7.2", + "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz", + "integrity": "sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==", "dev": true, - "license": "MIT", "dependencies": { - "is-plain-object": "^2.0.4" + "cliui": "^8.0.1", + "escalade": "^3.1.1", + "get-caller-file": "^2.0.5", + "require-directory": "^2.1.1", + "string-width": "^4.2.3", + "y18n": "^5.0.5", + "yargs-parser": "^21.1.1" }, "engines": { - "node": ">=0.10.0" + "node": ">=12" } }, - "node_modules/nanomatch/node_modules/is-plain-object": { - "version": "2.0.4", + "node_modules/mocha/node_modules/yargs-parser": { + "version": "21.1.1", + "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz", + "integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==", "dev": true, - "license": "MIT", - "dependencies": { - "isobject": "^3.0.1" - }, "engines": { - "node": ">=0.10.0" + "node": ">=12" } }, - "node_modules/nanomatch/node_modules/kind-of": { - "version": "6.0.3", + "node_modules/mute-stdout": { + "version": "1.0.1", "dev": true, "license": "MIT", "engines": { - "node": ">=0.10.0" + "node": ">= 0.10" } }, "node_modules/next-tick": { @@ -3504,30 +2649,6 @@ "node": ">=0.10.0" } }, - "node_modules/object-copy": { - "version": "0.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "copy-descriptor": "^0.1.0", - "define-property": "^0.2.5", - "kind-of": "^3.0.3" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object-copy/node_modules/kind-of": { - "version": "3.2.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/object-keys": { "version": "1.1.1", "dev": true, @@ -3536,17 +2657,6 @@ "node": ">= 0.4" } }, - "node_modules/object-visit": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "isobject": "^3.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/object.assign": { "version": "4.1.4", "dev": true, @@ -3682,6 +2792,12 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/package-json-from-dist": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz", + "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==", + "dev": true + }, "node_modules/parse-filepath": { "version": "1.0.2", "dev": true, @@ -3722,14 +2838,6 @@ "node": ">=0.10.0" } }, - "node_modules/pascalcase": { - "version": "0.1.1", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/path-dirname": { "version": "1.0.2", "dev": true, @@ -3754,6 +2862,15 @@ "node": ">=0.10.0" } }, + "node_modules/path-key": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz", + "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==", + "dev": true, + "engines": { + "node": ">=8" + } + }, "node_modules/path-parse": { "version": "1.0.7", "dev": true, @@ -3778,8 +2895,26 @@ "node": ">=0.10.0" } }, + "node_modules/path-scurry": { + "version": "1.11.1", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", + "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", + "dev": true, + "dependencies": { + "lru-cache": "^10.2.0", + "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" + }, + "engines": { + "node": ">=16 || 14 >=14.18" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/path-to-regexp": { - "version": "1.8.0", + "version": "1.9.0", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.9.0.tgz", + "integrity": "sha512-xIp7/apCFJuUHdDLWe8O1HIkb0kQrOMb/0u6FXQjemHn/ii5LrIzU6bdECnsiTF/GjZkMEKg1xdiZwNqDYlZ6g==", "dev": true, "license": "MIT", "dependencies": { @@ -3799,6 +2934,12 @@ "node": ">=8" } }, + "node_modules/picocolors": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz", + "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==", + "dev": true + }, "node_modules/picomatch": { "version": "2.3.1", "dev": true, @@ -3885,14 +3026,6 @@ "node": ">=0.10.0" } }, - "node_modules/posix-character-classes": { - "version": "0.1.1", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/pretty-hrtime": { "version": "1.0.3", "dev": true, @@ -3942,247 +3075,91 @@ "url": "https://feross.org/support" } ], - "license": "MIT" - }, - "node_modules/randombytes": { - "version": "2.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "safe-buffer": "^5.1.0" - } - }, - "node_modules/read-pkg": { - "version": "1.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "load-json-file": "^1.0.0", - "normalize-package-data": "^2.3.2", - "path-type": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/read-pkg-up": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "find-up": "^1.0.0", - "read-pkg": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/read-pkg/node_modules/path-type": { - "version": "1.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "graceful-fs": "^4.1.2", - "pify": "^2.0.0", - "pinkie-promise": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readable-stream": { - "version": "2.3.8", - "dev": true, - "license": "MIT", - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/readdirp": { - "version": "2.2.1", - "dev": true, - "license": "MIT", - "dependencies": { - "graceful-fs": "^4.1.11", - "micromatch": "^3.1.10", - "readable-stream": "^2.0.2" - }, - "engines": { - "node": ">=0.10" - } - }, - "node_modules/readdirp/node_modules/define-property": { - "version": "2.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-descriptor": "^1.0.2", - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/extend-shallow": { - "version": "3.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "assign-symbols": "^1.0.0", - "is-extendable": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/is-accessor-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/is-data-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/is-descriptor": { - "version": "1.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-accessor-descriptor": "^1.0.0", - "is-data-descriptor": "^1.0.0", - "kind-of": "^6.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/is-extendable": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "is-plain-object": "^2.0.4" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/is-plain-object": { - "version": "2.0.4", - "dev": true, - "license": "MIT", - "dependencies": { - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } + "license": "MIT" }, - "node_modules/readdirp/node_modules/kind-of": { - "version": "6.0.3", + "node_modules/randombytes": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz", + "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==", "dev": true, "license": "MIT", - "engines": { - "node": ">=0.10.0" + "dependencies": { + "safe-buffer": "^5.1.0" } }, - "node_modules/readdirp/node_modules/micromatch": { - "version": "3.1.10", + "node_modules/read-pkg": { + "version": "1.1.0", "dev": true, "license": "MIT", "dependencies": { - "arr-diff": "^4.0.0", - "array-unique": "^0.3.2", - "braces": "^2.3.1", - "define-property": "^2.0.2", - "extend-shallow": "^3.0.2", - "extglob": "^2.0.4", - "fragment-cache": "^0.2.1", - "kind-of": "^6.0.2", - "nanomatch": "^1.2.9", - "object.pick": "^1.3.0", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.2" + "load-json-file": "^1.0.0", + "normalize-package-data": "^2.3.2", + "path-type": "^1.0.0" }, "engines": { "node": ">=0.10.0" } }, - "node_modules/rechoir": { - "version": "0.6.2", + "node_modules/read-pkg-up": { + "version": "1.0.1", "dev": true, + "license": "MIT", "dependencies": { - "resolve": "^1.1.6" + "find-up": "^1.0.0", + "read-pkg": "^1.0.0" }, "engines": { - "node": ">= 0.10" + "node": ">=0.10.0" } }, - "node_modules/regex-not": { - "version": "1.0.2", + "node_modules/read-pkg/node_modules/path-type": { + "version": "1.1.0", "dev": true, "license": "MIT", "dependencies": { - "extend-shallow": "^3.0.2", - "safe-regex": "^1.1.0" + "graceful-fs": "^4.1.2", + "pify": "^2.0.0", + "pinkie-promise": "^2.0.0" }, "engines": { "node": ">=0.10.0" } }, - "node_modules/regex-not/node_modules/extend-shallow": { - "version": "3.0.2", + "node_modules/readable-stream": { + "version": "2.3.8", "dev": true, "license": "MIT", "dependencies": { - "assign-symbols": "^1.0.0", - "is-extendable": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" + "core-util-is": "~1.0.0", + "inherits": "~2.0.3", + "isarray": "~1.0.0", + "process-nextick-args": "~2.0.0", + "safe-buffer": "~5.1.1", + "string_decoder": "~1.1.1", + "util-deprecate": "~1.0.1" } }, - "node_modules/regex-not/node_modules/is-extendable": { - "version": "1.0.1", + "node_modules/readdirp": { + "version": "2.2.1", "dev": true, "license": "MIT", "dependencies": { - "is-plain-object": "^2.0.4" + "graceful-fs": "^4.1.11", + "micromatch": "^3.1.10", + "readable-stream": "^2.0.2" }, "engines": { - "node": ">=0.10.0" + "node": ">=0.10" } }, - "node_modules/regex-not/node_modules/is-plain-object": { - "version": "2.0.4", + "node_modules/rechoir": { + "version": "0.6.2", "dev": true, - "license": "MIT", "dependencies": { - "isobject": "^3.0.1" + "resolve": "^1.1.6" }, "engines": { - "node": ">=0.10.0" + "node": ">= 0.10" } }, "node_modules/remove-bom-buffer": { @@ -4224,22 +3201,6 @@ "dev": true, "license": "ISC" }, - "node_modules/repeat-element": { - "version": "1.1.4", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/repeat-string": { - "version": "1.6.1", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10" - } - }, "node_modules/replace-ext": { "version": "1.0.1", "dev": true, @@ -4313,19 +3274,6 @@ "node": ">= 0.10" } }, - "node_modules/resolve-url": { - "version": "0.2.1", - "dev": true, - "license": "MIT" - }, - "node_modules/ret": { - "version": "0.1.15", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.12" - } - }, "node_modules/reusify": { "version": "1.0.4", "dev": true, @@ -4376,14 +3324,6 @@ "dev": true, "license": "MIT" }, - "node_modules/safe-regex": { - "version": "1.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "ret": "~0.1.10" - } - }, "node_modules/samsam": { "version": "1.3.0", "dev": true, @@ -4409,7 +3349,9 @@ } }, "node_modules/serialize-javascript": { - "version": "6.0.0", + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz", + "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==", "dev": true, "license": "BSD-3-Clause", "dependencies": { @@ -4421,29 +3363,37 @@ "dev": true, "license": "ISC" }, - "node_modules/set-value": { - "version": "2.0.1", + "node_modules/shebang-command": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", + "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==", "dev": true, - "license": "MIT", "dependencies": { - "extend-shallow": "^2.0.1", - "is-extendable": "^0.1.1", - "is-plain-object": "^2.0.3", - "split-string": "^3.0.1" + "shebang-regex": "^3.0.0" }, "engines": { - "node": ">=0.10.0" + "node": ">=8" } }, - "node_modules/set-value/node_modules/is-plain-object": { - "version": "2.0.4", + "node_modules/shebang-regex": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz", + "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==", "dev": true, - "license": "MIT", - "dependencies": { - "isobject": "^3.0.1" - }, "engines": { - "node": ">=0.10.0" + "node": ">=8" + } + }, + "node_modules/signal-exit": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", + "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", + "dev": true, + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" } }, "node_modules/sinon": { @@ -4491,121 +3441,6 @@ "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/snapdragon": { - "version": "0.8.2", - "dev": true, - "license": "MIT", - "dependencies": { - "base": "^0.11.1", - "debug": "^2.2.0", - "define-property": "^0.2.5", - "extend-shallow": "^2.0.1", - "map-cache": "^0.2.2", - "source-map": "^0.5.6", - "source-map-resolve": "^0.5.0", - "use": "^3.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon-node": { - "version": "2.1.1", - "dev": true, - "license": "MIT", - "dependencies": { - "define-property": "^1.0.0", - "isobject": "^3.0.0", - "snapdragon-util": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon-node/node_modules/define-property": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "is-descriptor": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon-node/node_modules/is-accessor-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon-node/node_modules/is-data-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon-node/node_modules/is-descriptor": { - "version": "1.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-accessor-descriptor": "^1.0.0", - "is-data-descriptor": "^1.0.0", - "kind-of": "^6.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon-node/node_modules/kind-of": { - "version": "6.0.3", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon-util": { - "version": "3.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^3.2.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon-util/node_modules/kind-of": { - "version": "3.2.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon/node_modules/source-map": { - "version": "0.5.7", - "dev": true, - "license": "BSD-3-Clause", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/source-map": { "version": "0.7.4", "dev": true, @@ -4614,23 +3449,6 @@ "node": ">= 8" } }, - "node_modules/source-map-resolve": { - "version": "0.5.3", - "dev": true, - "license": "MIT", - "dependencies": { - "atob": "^2.1.2", - "decode-uri-component": "^0.2.0", - "resolve-url": "^0.2.1", - "source-map-url": "^0.4.0", - "urix": "^0.1.0" - } - }, - "node_modules/source-map-url": { - "version": "0.4.1", - "dev": true, - "license": "MIT" - }, "node_modules/sparkles": { "version": "1.0.1", "dev": true, @@ -4667,69 +3485,12 @@ "dev": true, "license": "CC0-1.0" }, - "node_modules/split-string": { - "version": "3.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "extend-shallow": "^3.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/split-string/node_modules/extend-shallow": { - "version": "3.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "assign-symbols": "^1.0.0", - "is-extendable": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/split-string/node_modules/is-extendable": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "is-plain-object": "^2.0.4" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/split-string/node_modules/is-plain-object": { - "version": "2.0.4", - "dev": true, - "license": "MIT", - "dependencies": { - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/stack-trace": { "version": "0.0.10", "dev": true, "license": "MIT", "engines": { - "node": "*" - } - }, - "node_modules/static-extend": { - "version": "0.1.2", - "dev": true, - "license": "MIT", - "dependencies": { - "define-property": "^0.2.5", - "object-copy": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" + "node": "*" } }, "node_modules/stream-exhaust": { @@ -4763,6 +3524,51 @@ "node": ">=0.10.0" } }, + "node_modules/string-width-cjs": { + "name": "string-width", + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "dev": true, + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/string-width-cjs/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/string-width-cjs/node_modules/is-fullwidth-code-point": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/string-width-cjs/node_modules/strip-ansi": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "dev": true, + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, "node_modules/strip-ansi": { "version": "3.0.1", "dev": true, @@ -4774,6 +3580,28 @@ "node": ">=0.10.0" } }, + "node_modules/strip-ansi-cjs": { + "name": "strip-ansi", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "dev": true, + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-ansi-cjs/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "dev": true, + "engines": { + "node": ">=8" + } + }, "node_modules/strip-bom": { "version": "2.0.0", "dev": true, @@ -4874,141 +3702,27 @@ "node": ">=0.10.0" } }, - "node_modules/to-object-path": { - "version": "0.3.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-object-path/node_modules/kind-of": { - "version": "3.2.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-regex": { - "version": "3.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "define-property": "^2.0.2", - "extend-shallow": "^3.0.2", - "regex-not": "^1.0.2", - "safe-regex": "^1.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/to-regex-range": { - "version": "2.1.1", - "dev": true, - "license": "MIT", - "dependencies": { - "is-number": "^3.0.0", - "repeat-string": "^1.6.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-regex/node_modules/define-property": { - "version": "2.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-descriptor": "^1.0.2", - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-regex/node_modules/extend-shallow": { - "version": "3.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "assign-symbols": "^1.0.0", - "is-extendable": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-regex/node_modules/is-accessor-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-regex/node_modules/is-data-descriptor": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-regex/node_modules/is-descriptor": { - "version": "1.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-accessor-descriptor": "^1.0.0", - "is-data-descriptor": "^1.0.0", - "kind-of": "^6.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-regex/node_modules/is-extendable": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "is-plain-object": "^2.0.4" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-regex/node_modules/is-plain-object": { - "version": "2.0.4", + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", + "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", "dev": true, "license": "MIT", "dependencies": { - "isobject": "^3.0.1" + "is-number": "^7.0.0" }, "engines": { - "node": ">=0.10.0" + "node": ">=8.0" } }, - "node_modules/to-regex/node_modules/kind-of": { - "version": "6.0.3", + "node_modules/to-regex-range/node_modules/is-number": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", + "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", "dev": true, "license": "MIT", "engines": { - "node": ">=0.10.0" + "node": ">=0.12.0" } }, "node_modules/to-through": { @@ -5031,11 +3745,6 @@ "xtend": "~4.0.1" } }, - "node_modules/tslib": { - "version": "1.14.1", - "dev": true, - "license": "0BSD" - }, "node_modules/tunnel": { "version": "0.0.6", "license": "MIT", @@ -5109,20 +3818,6 @@ "node": ">= 0.10" } }, - "node_modules/union-value": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "arr-union": "^3.1.0", - "get-value": "^2.0.6", - "is-extendable": "^0.1.1", - "set-value": "^2.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/unique-stream": { "version": "2.3.1", "dev": true, @@ -5132,50 +3827,6 @@ "through2-filter": "^3.0.0" } }, - "node_modules/unset-value": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "has-value": "^0.3.1", - "isobject": "^3.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/unset-value/node_modules/has-value": { - "version": "0.3.1", - "dev": true, - "license": "MIT", - "dependencies": { - "get-value": "^2.0.3", - "has-values": "^0.1.4", - "isobject": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/unset-value/node_modules/has-value/node_modules/isobject": { - "version": "2.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "isarray": "1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/unset-value/node_modules/has-values": { - "version": "0.1.4", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/upath": { "version": "1.2.0", "dev": true, @@ -5185,19 +3836,6 @@ "yarn": "*" } }, - "node_modules/urix": { - "version": "0.1.0", - "dev": true, - "license": "MIT" - }, - "node_modules/use": { - "version": "3.1.1", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/util-deprecate": { "version": "1.0.2", "dev": true, @@ -5335,9 +3973,10 @@ "license": "ISC" }, "node_modules/workerpool": { - "version": "6.2.1", - "dev": true, - "license": "Apache-2.0" + "version": "9.3.4", + "resolved": "https://registry.npmjs.org/workerpool/-/workerpool-9.3.4.tgz", + "integrity": "sha512-TmPRQYYSAnnDiEB0P/Ytip7bFGvqnSU6I2BcuSw7Hx+JSg/DsUi5ebYfc8GYaSdpuvOcEs6dXxPurOYpe9QFwg==", + "dev": true }, "node_modules/wrap-ansi": { "version": "2.1.0", @@ -5351,6 +3990,68 @@ "node": ">=0.10.0" } }, + "node_modules/wrap-ansi-cjs": { + "name": "wrap-ansi", + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", + "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", + "dev": true, + "dependencies": { + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": "^6.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/is-fullwidth-code-point": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "dev": true, + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/strip-ansi": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "dev": true, + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, "node_modules/wrappy": { "version": "1.0.2", "dev": true, diff --git a/package-lock.json b/package-lock.json index eb69c35d..013bf7d4 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9,50 +9,82 @@ "version": "1.12.0", "license": "MIT", "dependencies": { - "@actions/core": "1.10.0", - "@actions/exec": "1.1.1", + "@actions/core": "2.0.3", + "@actions/exec": "2.0.0", "@microsoft/security-devops-actions-toolkit": "1.11.0" }, "devDependencies": { - "@types/mocha": "^2.2.44", - "@types/node": "^20.3.1", - "@types/q": "^1.0.6", - "@types/sinon": "^4.1.2", - "del": "^7.0.0", - "gulp": "^4.0.2", - "gulp-cli": "^2.3.0", + "@types/mocha": "^10.0.10", + "@types/node": "^25.6.0", + "@types/q": "^1.5.8", + "@types/sinon": "^21.0.1", + "del": "^8.0.1", + "gulp": "^5.0.1", + "gulp-cli": "^3.1.0", "gulp-typescript": "^6.0.0-alpha.1", "mocha": "^11.7.5", - "sinon": "^4.1.3", - "typescript": "^5.1.3" + "sinon": "^22.0.0", + "typescript": "^5.9.3" } }, "node_modules/@actions/core": { - "version": "1.10.0", + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-2.0.3.tgz", + "integrity": "sha512-Od9Thc3T1mQJYddvVPM4QGiLUewdh+3txmDYHHxoNdkqysR1MbCT+rFOtNUxYAz+7+6RIsqipVahY2GJqGPyxA==", "license": "MIT", "dependencies": { - "@actions/http-client": "^2.0.1", - "uuid": "^8.3.2" + "@actions/exec": "^2.0.0", + "@actions/http-client": "^3.0.2" } }, "node_modules/@actions/exec": { - "version": "1.1.1", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-2.0.0.tgz", + "integrity": "sha512-k8ngrX2voJ/RIN6r9xB82NVqKpnMRtxDoiO+g3olkIUpQNqjArXrCQceduQZCQj3P3xm32pChRLqRrtXTlqhIw==", "license": "MIT", "dependencies": { - "@actions/io": "^1.0.1" + "@actions/io": "^2.0.0" } }, "node_modules/@actions/http-client": { - "version": "2.0.1", + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-3.0.2.tgz", + "integrity": "sha512-JP38FYYpyqvUsz+Igqlc/JG6YO9PaKuvqjM3iGvaLqFnJ7TFmcLyy2IDrY0bI0qCQug8E9K+elv5ZNfw62ZJzA==", "license": "MIT", "dependencies": { - "tunnel": "^0.0.6" + "tunnel": "^0.0.6", + "undici": "^6.23.0" } }, "node_modules/@actions/io": { - "version": "1.0.2", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@actions/io/-/io-2.0.0.tgz", + "integrity": "sha512-Jv33IN09XLO+0HS79aaODsvIRyduiF7NY/F6LYeK5oeUmrsz7aFdRphQjFoESF4jS7lMauDOttKALcpapVDIAg==", "license": "MIT" }, + "node_modules/@gulpjs/messages": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@gulpjs/messages/-/messages-1.1.0.tgz", + "integrity": "sha512-Ys9sazDatyTgZVb4xPlDufLweJ/Os2uHWOv+Caxvy2O85JcnT4M3vc73bi8pdLWlv3fdWQz3pdI9tVwo8rQQSg==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/@gulpjs/to-absolute-glob": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/@gulpjs/to-absolute-glob/-/to-absolute-glob-4.0.0.tgz", + "integrity": "sha512-kjotm7XJrJ6v+7knhPaRgaT6q8F8K2jiafwYdNHLzmV0uGLuZY43FK6smNSHUPrhq5kX2slCUy+RGG/xGqmIKA==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-negated-glob": "^1.0.0" + }, + "engines": { + "node": ">=10.13.0" + } + }, "node_modules/@isaacs/cliui": { "version": "8.0.2", "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", @@ -161,8 +193,45 @@ "decompress-response": "^8.1.0" } }, + "node_modules/@microsoft/security-devops-actions-toolkit/node_modules/@actions/core": { + "version": "1.10.0", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz", + "integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==", + "license": "MIT", + "dependencies": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "node_modules/@microsoft/security-devops-actions-toolkit/node_modules/@actions/exec": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", + "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", + "license": "MIT", + "dependencies": { + "@actions/io": "^1.0.1" + } + }, + "node_modules/@microsoft/security-devops-actions-toolkit/node_modules/@actions/http-client": { + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz", + "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==", + "license": "MIT", + "dependencies": { + "tunnel": "^0.0.6", + "undici": "^5.25.4" + } + }, + "node_modules/@microsoft/security-devops-actions-toolkit/node_modules/@actions/io": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz", + "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==", + "license": "MIT" + }, "node_modules/@nodelib/fs.scandir": { "version": "2.1.5", + "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz", + "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==", "dev": true, "license": "MIT", "dependencies": { @@ -175,6 +244,8 @@ }, "node_modules/@nodelib/fs.stat": { "version": "2.0.5", + "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz", + "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==", "dev": true, "license": "MIT", "engines": { @@ -183,6 +254,8 @@ }, "node_modules/@nodelib/fs.walk": { "version": "1.2.8", + "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz", + "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==", "dev": true, "license": "MIT", "dependencies": { @@ -203,54 +276,92 @@ "node": ">=14" } }, + "node_modules/@sindresorhus/merge-streams": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/@sindresorhus/merge-streams/-/merge-streams-2.3.0.tgz", + "integrity": "sha512-LtoMMhxAlorcGhmFYI+LhPgbPZCkgP6ra1YL604EeF6U98pLlQ3iWIGMdWSC+vWmPBWBNgmDBAhnAobLROJmwg==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, "node_modules/@sinonjs/commons": { - "version": "1.8.6", + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/@sinonjs/commons/-/commons-3.0.1.tgz", + "integrity": "sha512-K3mCHKQ9sVh8o1C9cxkwxaOmXoAMlDxC1mYyHrjqOWEcBjYr76t96zL2zlj5dUGZ3HSw240X1qgH3Mjf1yJWpQ==", "dev": true, - "license": "BSD-3-Clause", "dependencies": { "type-detect": "4.0.8" } }, - "node_modules/@sinonjs/formatio": { - "version": "2.0.0", + "node_modules/@sinonjs/fake-timers": { + "version": "15.4.0", + "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-15.4.0.tgz", + "integrity": "sha512-DsG+8/LscQIQg68J6Ef3dv10u6nVyetYn923s3/sus5eaGfTo1of5WMZSLf0UJc9KDuKPilPH0UDJCjvNbDNCA==", "dev": true, - "license": "BSD-3-Clause", "dependencies": { - "samsam": "1.3.0" + "@sinonjs/commons": "^3.0.1" } }, "node_modules/@sinonjs/samsam": { - "version": "3.3.3", + "version": "10.0.2", + "resolved": "https://registry.npmjs.org/@sinonjs/samsam/-/samsam-10.0.2.tgz", + "integrity": "sha512-8lVwD1Df1BmzoaOLhMcGGcz/Jyr5QY2KSB75/YK1QgKzoabTeLdIVyhXNZK9ojfSKSdirbXqdbsXXqP9/Ve8+A==", "dev": true, - "license": "BSD-3-Clause", "dependencies": { - "@sinonjs/commons": "^1.3.0", - "array-from": "^2.1.1", - "lodash": "^4.17.15" + "@sinonjs/commons": "^3.0.1", + "type-detect": "^4.1.0" } }, - "node_modules/@sinonjs/text-encoding": { - "version": "0.7.2", + "node_modules/@sinonjs/samsam/node_modules/type-detect": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/type-detect/-/type-detect-4.1.0.tgz", + "integrity": "sha512-Acylog8/luQ8L7il+geoSxhEkazvkslg7PSNKOX59mbB9cOveP5aq9h74Y7YU8yDpJwetzQQrfIwtf4Wp4LKcw==", "dev": true, - "license": "(Unlicense OR Apache-2.0)" + "engines": { + "node": ">=4" + } }, "node_modules/@types/mocha": { - "version": "2.2.48", + "version": "10.0.10", + "resolved": "https://registry.npmjs.org/@types/mocha/-/mocha-10.0.10.tgz", + "integrity": "sha512-xPyYSz1cMPnJQhl0CLMH68j3gprKZaTjG3s5Vi+fDgx+uhG9NOXwbVt52eFS8ECyXhyKcjDLCBEqBExKuiZb7Q==", "dev": true, "license": "MIT" }, "node_modules/@types/node": { - "version": "20.8.0", + "version": "25.6.0", + "resolved": "https://registry.npmjs.org/@types/node/-/node-25.6.0.tgz", + "integrity": "sha512-+qIYRKdNYJwY3vRCZMdJbPLJAtGjQBudzZzdzwQYkEPQd+PJGixUL5QfvCLDaULoLv+RhT3LDkwEfKaAkgSmNQ==", "dev": true, - "license": "MIT" + "dependencies": { + "undici-types": "~7.19.0" + } }, "node_modules/@types/q": { - "version": "1.5.6", + "version": "1.5.8", + "resolved": "https://registry.npmjs.org/@types/q/-/q-1.5.8.tgz", + "integrity": "sha512-hroOstUScF6zhIi+5+x0dzqrHA1EJi+Irri6b1fxolMTqqHIV/Cg77EtnQcZqZCu8hR3mX2BzIxN4/GzI68Kfw==", "dev": true, "license": "MIT" }, "node_modules/@types/sinon": { - "version": "4.3.3", + "version": "21.0.1", + "resolved": "https://registry.npmjs.org/@types/sinon/-/sinon-21.0.1.tgz", + "integrity": "sha512-5yoJSqLbjH8T9V2bksgRayuhpZy+723/z6wBOR+Soe4ZlXC0eW8Na71TeaZPUWDQvM7LYKa9UGFc6LRqxiR5fQ==", + "dev": true, + "dependencies": { + "@types/sinonjs__fake-timers": "*" + } + }, + "node_modules/@types/sinonjs__fake-timers": { + "version": "15.0.1", + "resolved": "https://registry.npmjs.org/@types/sinonjs__fake-timers/-/sinonjs__fake-timers-15.0.1.tgz", + "integrity": "sha512-Ko2tjWJq8oozHzHV+reuvS5KYIRAokHnGbDwGh/J64LntgpbuylF74ipEL24HCyRjf9FOlBiBHWBR1RlVKsI1w==", "dev": true, "license": "MIT" }, @@ -261,21 +372,6 @@ "node": ">=6.0" } }, - "node_modules/aggregate-error": { - "version": "4.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "clean-stack": "^4.0.0", - "indent-string": "^5.0.0" - }, - "engines": { - "node": ">=12" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, "node_modules/ansi-colors": { "version": "1.1.0", "dev": true, @@ -287,23 +383,14 @@ "node": ">=0.10.0" } }, - "node_modules/ansi-gray": { - "version": "0.1.1", - "dev": true, - "license": "MIT", - "dependencies": { - "ansi-wrap": "0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/ansi-regex": { - "version": "2.1.1", + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "dev": true, "license": "MIT", "engines": { - "node": ">=0.10.0" + "node": ">=8" } }, "node_modules/ansi-styles": { @@ -329,23 +416,17 @@ } }, "node_modules/anymatch": { - "version": "2.0.0", + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", + "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==", "dev": true, "license": "ISC", "dependencies": { - "micromatch": "^3.1.4", - "normalize-path": "^2.1.1" - } - }, - "node_modules/anymatch/node_modules/normalize-path": { - "version": "2.1.1", - "dev": true, - "license": "MIT", - "dependencies": { - "remove-trailing-separator": "^1.0.1" + "normalize-path": "^3.0.0", + "picomatch": "^2.0.4" }, "engines": { - "node": ">=0.10.0" + "node": ">= 8" } }, "node_modules/append-buffer": { @@ -359,11 +440,6 @@ "node": ">=0.10.0" } }, - "node_modules/archy": { - "version": "1.0.0", - "dev": true, - "license": "MIT" - }, "node_modules/argparse": { "version": "2.0.1", "dev": true, @@ -377,36 +453,6 @@ "node": ">=0.10.0" } }, - "node_modules/arr-filter": { - "version": "1.1.2", - "dev": true, - "license": "MIT", - "dependencies": { - "make-iterator": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/arr-flatten": { - "version": "1.1.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/arr-map": { - "version": "2.0.2", - "dev": true, - "license": "MIT", - "dependencies": { - "make-iterator": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/arr-union": { "version": "3.1.0", "dev": true, @@ -417,173 +463,200 @@ }, "node_modules/array-each": { "version": "1.0.1", + "resolved": "https://registry.npmjs.org/array-each/-/array-each-1.0.1.tgz", + "integrity": "sha512-zHjL5SZa68hkKHBFBK6DJCTtr9sfTCPCaph/L7tMSLcTFgy+zX7E+6q5UArbtOtMBCtxdICpfTCspRse+ywyXA==", "dev": true, "license": "MIT", "engines": { "node": ">=0.10.0" } }, - "node_modules/array-from": { - "version": "2.1.1", - "dev": true, - "license": "MIT" - }, - "node_modules/array-initial": { + "node_modules/array-slice": { "version": "1.1.0", + "resolved": "https://registry.npmjs.org/array-slice/-/array-slice-1.1.0.tgz", + "integrity": "sha512-B1qMD3RBP7O8o0H2KbrXDyB0IccejMF15+87Lvlor12ONPRHP6gTjXMNkt/d3ZuOGbAe66hFmaCfECI24Ufp6w==", "dev": true, "license": "MIT", - "dependencies": { - "array-slice": "^1.0.0", - "is-number": "^4.0.0" - }, "engines": { "node": ">=0.10.0" } }, - "node_modules/array-initial/node_modules/is-number": { - "version": "4.0.0", + "node_modules/assign-symbols": { + "version": "1.0.0", "dev": true, "license": "MIT", "engines": { "node": ">=0.10.0" } }, - "node_modules/array-last": { - "version": "1.3.0", + "node_modules/async-done": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/async-done/-/async-done-2.0.0.tgz", + "integrity": "sha512-j0s3bzYq9yKIVLKGE/tWlCpa3PfFLcrDZLTSVdnnCTGagXuXBJO4SsY9Xdk/fQBirCkH4evW5xOeJXqlAQFdsw==", "dev": true, "license": "MIT", "dependencies": { - "is-number": "^4.0.0" + "end-of-stream": "^1.4.4", + "once": "^1.4.0", + "stream-exhaust": "^1.0.2" }, "engines": { - "node": ">=0.10.0" + "node": ">= 10.13.0" } }, - "node_modules/array-last/node_modules/is-number": { - "version": "4.0.0", + "node_modules/async-settle": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/async-settle/-/async-settle-2.0.0.tgz", + "integrity": "sha512-Obu/KE8FurfQRN6ODdHN9LuXqwC+JFIM9NRyZqJJ4ZfLJmIYN9Rg0/kb+wF70VV5+fJusTMQlJ1t5rF7J/ETdg==", "dev": true, "license": "MIT", + "dependencies": { + "async-done": "^2.0.0" + }, "engines": { - "node": ">=0.10.0" + "node": ">= 10.13.0" } }, - "node_modules/array-slice": { - "version": "1.1.0", + "node_modules/b4a": { + "version": "1.8.0", + "resolved": "https://registry.npmjs.org/b4a/-/b4a-1.8.0.tgz", + "integrity": "sha512-qRuSmNSkGQaHwNbM7J78Wwy+ghLEYF1zNrSeMxj4Kgw6y33O3mXcQ6Ie9fRvfU/YnxWkOchPXbaLb73TkIsfdg==", + "dev": true, + "license": "Apache-2.0", + "peerDependencies": { + "react-native-b4a": "*" + }, + "peerDependenciesMeta": { + "react-native-b4a": { + "optional": true + } + } + }, + "node_modules/bach": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/bach/-/bach-2.0.1.tgz", + "integrity": "sha512-A7bvGMGiTOxGMpNupYl9HQTf0FFDNF4VCmks4PJpFyN1AX2pdKuxuwdvUz2Hu388wcgp+OvGFNsumBfFNkR7eg==", "dev": true, "license": "MIT", + "dependencies": { + "async-done": "^2.0.0", + "async-settle": "^2.0.0", + "now-and-later": "^3.0.0" + }, "engines": { - "node": ">=0.10.0" + "node": ">=10.13.0" } }, - "node_modules/array-sort": { - "version": "1.0.0", + "node_modules/bach/node_modules/now-and-later": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/now-and-later/-/now-and-later-3.0.0.tgz", + "integrity": "sha512-pGO4pzSdaxhWTGkfSfHx3hVzJVslFPwBp2Myq9MYN/ChfJZF87ochMAXnvz6/58RJSf5ik2q9tXprBBrk2cpcg==", "dev": true, "license": "MIT", "dependencies": { - "default-compare": "^1.0.0", - "get-value": "^2.0.6", - "kind-of": "^5.0.2" + "once": "^1.4.0" }, "engines": { - "node": ">=0.10.0" + "node": ">= 10.13.0" } }, - "node_modules/assign-symbols": { - "version": "1.0.0", + "node_modules/balanced-match": { + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz", + "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==", "dev": true, "license": "MIT", "engines": { - "node": ">=0.10.0" + "node": "18 || 20 || >=22" } }, - "node_modules/async-done": { - "version": "1.3.2", + "node_modules/bare-events": { + "version": "2.8.2", + "resolved": "https://registry.npmjs.org/bare-events/-/bare-events-2.8.2.tgz", + "integrity": "sha512-riJjyv1/mHLIPX4RwiK+oW9/4c3TEUeORHKefKAKnZ5kyslbN+HXowtbaVEqt4IMUB7OXlfixcs6gsFeo/jhiQ==", "dev": true, - "license": "MIT", - "dependencies": { - "end-of-stream": "^1.1.0", - "once": "^1.3.2", - "process-nextick-args": "^2.0.0", - "stream-exhaust": "^1.0.1" + "license": "Apache-2.0", + "peerDependencies": { + "bare-abort-controller": "*" }, - "engines": { - "node": ">= 0.10" + "peerDependenciesMeta": { + "bare-abort-controller": { + "optional": true + } } }, - "node_modules/async-each": { - "version": "1.0.6", + "node_modules/base64-js": { + "version": "1.5.1", + "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz", + "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==", "dev": true, "funding": [ { - "type": "individual", - "url": "https://paulmillr.com/funding/" + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" } ], "license": "MIT" }, - "node_modules/async-settle": { - "version": "1.0.0", + "node_modules/binary-extensions": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz", + "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==", "dev": true, "license": "MIT", - "dependencies": { - "async-done": "^1.2.2" - }, "engines": { - "node": ">= 0.10" - } - }, - "node_modules/bach": { - "version": "1.2.0", - "dev": true, - "license": "MIT", - "dependencies": { - "arr-filter": "^1.1.1", - "arr-flatten": "^1.0.1", - "arr-map": "^2.0.0", - "array-each": "^1.0.0", - "array-initial": "^1.0.0", - "array-last": "^1.1.1", - "async-done": "^1.2.2", - "async-settle": "^1.0.0", - "now-and-later": "^2.0.0" + "node": ">=8" }, - "engines": { - "node": ">= 0.10" + "funding": { + "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/balanced-match": { - "version": "1.0.2", - "dev": true, - "license": "MIT" - }, - "node_modules/binary-extensions": { - "version": "1.13.1", + "node_modules/bl": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/bl/-/bl-5.1.0.tgz", + "integrity": "sha512-tv1ZJHLfTDnXE6tMHv73YgSJaWR2AFuPwMntBe7XL/GBFHnT0CLnsHMogfk5+GzCDC5ZWarSCYaIGATZt9dNsQ==", "dev": true, "license": "MIT", - "engines": { - "node": ">=0.10.0" + "dependencies": { + "buffer": "^6.0.3", + "inherits": "^2.0.4", + "readable-stream": "^3.4.0" } }, - "node_modules/bindings": { - "version": "1.5.0", - "resolved": "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz", - "integrity": "sha512-p2q/t/mhvuOj/UeLlV6566GD/guowlr0hHxClI0W9m7MWYkL1F0hLo+0Aexs9HSPCtR1SXQ0TD3MMKrXZajbiQ==", + "node_modules/bl/node_modules/readable-stream": { + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz", + "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==", "dev": true, "license": "MIT", - "optional": true, "dependencies": { - "file-uri-to-path": "1.0.0" + "inherits": "^2.0.3", + "string_decoder": "^1.1.1", + "util-deprecate": "^1.0.1" + }, + "engines": { + "node": ">= 6" } }, "node_modules/brace-expansion": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", - "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", + "version": "5.0.5", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz", + "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==", "dev": true, "license": "MIT", "dependencies": { - "balanced-match": "^1.0.0", - "concat-map": "0.0.1" + "balanced-match": "^4.0.2" + }, + "engines": { + "node": "18 || 20 || >=22" } }, "node_modules/braces": { @@ -604,22 +677,42 @@ "dev": true, "license": "ISC" }, - "node_modules/buffer-equal": { - "version": "1.0.1", + "node_modules/buffer": { + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/buffer/-/buffer-6.0.3.tgz", + "integrity": "sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA==", "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.4" + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "license": "MIT", + "dependencies": { + "base64-js": "^1.3.1", + "ieee754": "^1.2.1" + } + }, + "node_modules/buffer-equal": { + "version": "1.0.1", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.4" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, - "node_modules/buffer-from": { - "version": "1.1.2", - "dev": true, - "license": "MIT" - }, "node_modules/call-bind": { "version": "1.0.2", "dev": true, @@ -632,77 +725,58 @@ "url": "https://github.com/sponsors/ljharb" } }, - "node_modules/camelcase": { - "version": "3.0.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/chokidar": { - "version": "2.1.8", - "dev": true, - "license": "MIT", - "dependencies": { - "anymatch": "^2.0.0", - "async-each": "^1.0.1", - "braces": "^2.3.2", - "glob-parent": "^3.1.0", - "inherits": "^2.0.3", - "is-binary-path": "^1.0.0", - "is-glob": "^4.0.0", - "normalize-path": "^3.0.0", - "path-is-absolute": "^1.0.0", - "readdirp": "^2.2.1", - "upath": "^1.1.1" - }, - "optionalDependencies": { - "fsevents": "^1.2.7" - } - }, - "node_modules/chokidar/node_modules/glob-parent": { - "version": "3.1.0", - "dev": true, - "license": "ISC", - "dependencies": { - "is-glob": "^3.1.0", - "path-dirname": "^1.0.0" - } - }, - "node_modules/chokidar/node_modules/glob-parent/node_modules/is-glob": { - "version": "3.1.0", + "node_modules/chalk": { + "version": "4.1.2", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz", + "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==", "dev": true, "license": "MIT", "dependencies": { - "is-extglob": "^2.1.0" + "ansi-styles": "^4.1.0", + "supports-color": "^7.1.0" }, "engines": { - "node": ">=0.10.0" + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/chalk?sponsor=1" } }, - "node_modules/clean-stack": { - "version": "4.2.0", + "node_modules/chokidar": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz", + "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==", "dev": true, "license": "MIT", "dependencies": { - "escape-string-regexp": "5.0.0" + "anymatch": "~3.1.2", + "braces": "~3.0.2", + "glob-parent": "~5.1.2", + "is-binary-path": "~2.1.0", + "is-glob": "~4.0.1", + "normalize-path": "~3.0.0", + "readdirp": "~3.6.0" }, "engines": { - "node": ">=12" + "node": ">= 8.10.0" }, "funding": { - "url": "https://github.com/sponsors/sindresorhus" + "url": "https://paulmillr.com/funding/" + }, + "optionalDependencies": { + "fsevents": "~2.3.2" } }, "node_modules/cliui": { - "version": "3.2.0", + "version": "7.0.4", + "resolved": "https://registry.npmjs.org/cliui/-/cliui-7.0.4.tgz", + "integrity": "sha512-OcRE68cOsVMXp1Yvonl/fzkQOyjLSu/8bhPDfQt0e0/Eb283TKP20Fs2MqoPsr9SwA595rRCA+QMzYc9nBP+JQ==", "dev": true, "license": "ISC", "dependencies": { - "string-width": "^1.0.1", - "strip-ansi": "^3.0.1", - "wrap-ansi": "^2.0.0" + "string-width": "^4.2.0", + "strip-ansi": "^6.0.0", + "wrap-ansi": "^7.0.0" } }, "node_modules/clone": { @@ -736,27 +810,6 @@ "readable-stream": "^2.3.5" } }, - "node_modules/code-point-at": { - "version": "1.1.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/collection-map": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "arr-map": "^2.0.2", - "for-own": "^1.0.0", - "make-iterator": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/color-convert": { "version": "2.0.1", "dev": true, @@ -773,45 +826,23 @@ "dev": true, "license": "MIT" }, - "node_modules/color-support": { - "version": "1.1.3", - "dev": true, - "license": "ISC", - "bin": { - "color-support": "bin.js" - } - }, - "node_modules/concat-map": { - "version": "0.0.1", - "dev": true, - "license": "MIT" - }, - "node_modules/concat-stream": { - "version": "1.6.2", - "dev": true, - "engines": [ - "node >= 0.8" - ], - "license": "MIT", - "dependencies": { - "buffer-from": "^1.0.0", - "inherits": "^2.0.3", - "readable-stream": "^2.2.2", - "typedarray": "^0.0.6" - } - }, "node_modules/convert-source-map": { "version": "1.9.0", "dev": true, "license": "MIT" }, "node_modules/copy-props": { - "version": "2.0.5", + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/copy-props/-/copy-props-4.0.0.tgz", + "integrity": "sha512-bVWtw1wQLzzKiYROtvNlbJgxgBYt2bMJpkCbKmXM3xyijvcjjWXEk5nyrrT3bgJ7ODb19ZohE2T0Y3FgNPyoTw==", "dev": true, "license": "MIT", "dependencies": { - "each-props": "^1.3.2", + "each-props": "^3.0.0", "is-plain-object": "^5.0.0" + }, + "engines": { + "node": ">= 10.13.0" } }, "node_modules/core-util-is": { @@ -848,23 +879,6 @@ "node": ">= 8" } }, - "node_modules/d": { - "version": "1.0.1", - "dev": true, - "license": "ISC", - "dependencies": { - "es5-ext": "^0.10.50", - "type": "^1.0.1" - } - }, - "node_modules/decamelize": { - "version": "1.2.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/decompress-response": { "version": "8.1.0", "license": "MIT", @@ -878,25 +892,6 @@ "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/default-compare": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^5.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/default-resolution": { - "version": "2.0.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">= 0.10" - } - }, "node_modules/define-data-property": { "version": "1.1.0", "dev": true, @@ -927,21 +922,22 @@ } }, "node_modules/del": { - "version": "7.1.0", + "version": "8.0.1", + "resolved": "https://registry.npmjs.org/del/-/del-8.0.1.tgz", + "integrity": "sha512-gPqh0mKTPvaUZGAuHbrBUYKZWBNAeHG7TU3QH5EhVwPMyKvmfJaNXhcD2jTcXsJRRcffuho4vaYweu80dRrMGA==", "dev": true, "license": "MIT", "dependencies": { - "globby": "^13.1.2", - "graceful-fs": "^4.2.10", + "globby": "^14.0.2", "is-glob": "^4.0.3", "is-path-cwd": "^3.0.0", "is-path-inside": "^4.0.0", - "p-map": "^5.5.0", - "rimraf": "^3.0.2", - "slash": "^4.0.0" + "p-map": "^7.0.2", + "presentable-error": "^0.0.1", + "slash": "^5.1.0" }, "engines": { - "node": ">=14.16" + "node": ">=18" }, "funding": { "url": "https://github.com/sponsors/sindresorhus" @@ -949,6 +945,8 @@ }, "node_modules/detect-file": { "version": "1.0.0", + "resolved": "https://registry.npmjs.org/detect-file/-/detect-file-1.0.0.tgz", + "integrity": "sha512-DtCOLG98P007x7wiiOmfI0fi3eIKyWiLTGJ2MDnVi/E04lWGbf+JzrRHMm0rgIIZJGtHpKpbVgLWHrv8xXpc3Q==", "dev": true, "license": "MIT", "engines": { @@ -956,26 +954,14 @@ } }, "node_modules/diff": { - "version": "3.5.1", - "resolved": "https://registry.npmjs.org/diff/-/diff-3.5.1.tgz", - "integrity": "sha512-Z3u54A8qGyqFOSr2pk0ijYs8mOE9Qz8kTvtKeBI+upoG9j04Sq+oI7W8zAJiQybDcESET8/uIdHzs0p3k4fZlw==", + "version": "9.0.0", + "resolved": "https://registry.npmjs.org/diff/-/diff-9.0.0.tgz", + "integrity": "sha512-svtcdpS8CgJyqAjEQIXdb3OjhFVVYjzGAPO8WGCmRbrml64SPw/jJD4GoE98aR7r25A0XcgrK3F02yw9R/vhQw==", "dev": true, - "license": "BSD-3-Clause", "engines": { "node": ">=0.3.1" } }, - "node_modules/dir-glob": { - "version": "3.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "path-type": "^4.0.0" - }, - "engines": { - "node": ">=8" - } - }, "node_modules/duplexify": { "version": "3.7.1", "dev": true, @@ -988,23 +974,17 @@ } }, "node_modules/each-props": { - "version": "1.3.2", + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/each-props/-/each-props-3.0.0.tgz", + "integrity": "sha512-IYf1hpuWrdzse/s/YJOrFmU15lyhSzxelNVAHTEG3DtP4QsLTWZUzcUL3HMXmKQxXpa4EIrBPpwRgj0aehdvAw==", "dev": true, "license": "MIT", "dependencies": { - "is-plain-object": "^2.0.1", + "is-plain-object": "^5.0.0", "object.defaults": "^1.1.0" - } - }, - "node_modules/each-props/node_modules/is-plain-object": { - "version": "2.0.4", - "dev": true, - "license": "MIT", - "dependencies": { - "isobject": "^3.0.1" }, "engines": { - "node": ">=0.10.0" + "node": ">= 10.13.0" } }, "node_modules/eastasianwidth": { @@ -1027,61 +1007,6 @@ "once": "^1.4.0" } }, - "node_modules/error-ex": { - "version": "1.3.2", - "dev": true, - "license": "MIT", - "dependencies": { - "is-arrayish": "^0.2.1" - } - }, - "node_modules/es5-ext": { - "version": "0.10.64", - "resolved": "https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.64.tgz", - "integrity": "sha512-p2snDhiLaXe6dahss1LddxqEm+SkuDvV8dnIQG0MWjyHpcMNfXKPE+/Cc0y+PhxJX3A4xGNeFCj5oc0BUh6deg==", - "dev": true, - "hasInstallScript": true, - "license": "ISC", - "dependencies": { - "es6-iterator": "^2.0.3", - "es6-symbol": "^3.1.3", - "esniff": "^2.0.1", - "next-tick": "^1.1.0" - }, - "engines": { - "node": ">=0.10" - } - }, - "node_modules/es6-iterator": { - "version": "2.0.3", - "dev": true, - "license": "MIT", - "dependencies": { - "d": "1", - "es5-ext": "^0.10.35", - "es6-symbol": "^3.1.1" - } - }, - "node_modules/es6-symbol": { - "version": "3.1.3", - "dev": true, - "license": "ISC", - "dependencies": { - "d": "^1.0.1", - "ext": "^1.1.2" - } - }, - "node_modules/es6-weak-map": { - "version": "2.0.3", - "dev": true, - "license": "ISC", - "dependencies": { - "d": "1", - "es5-ext": "^0.10.46", - "es6-iterator": "^2.0.3", - "es6-symbol": "^3.1.1" - } - }, "node_modules/escalade": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz", @@ -1091,53 +1016,20 @@ "node": ">=6" } }, - "node_modules/escape-string-regexp": { - "version": "5.0.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=12" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, - "node_modules/esniff": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/esniff/-/esniff-2.0.1.tgz", - "integrity": "sha512-kTUIGKQ/mDPFoJ0oVfcmyJn4iBDRptjNVIzwIFR7tqWXdVI9xfA2RMwY/gbSpJG3lkdWNEjLap/NqVHZiJsdfg==", - "dev": true, - "license": "ISC", - "dependencies": { - "d": "^1.0.1", - "es5-ext": "^0.10.62", - "event-emitter": "^0.3.5", - "type": "^2.7.2" - }, - "engines": { - "node": ">=0.10" - } - }, - "node_modules/esniff/node_modules/type": { - "version": "2.7.3", - "resolved": "https://registry.npmjs.org/type/-/type-2.7.3.tgz", - "integrity": "sha512-8j+1QmAbPvLZow5Qpi6NCaN8FB60p/6x8/vfNqOk/hC+HuvFZhL4+WfekuhQLiqFZXOgQdrs3B+XxEmCc6b3FQ==", - "dev": true, - "license": "ISC" - }, - "node_modules/event-emitter": { - "version": "0.3.5", - "resolved": "https://registry.npmjs.org/event-emitter/-/event-emitter-0.3.5.tgz", - "integrity": "sha512-D9rRn9y7kLPnJ+hMq7S/nhvoKwwvVJahBi2BPmx3bvbsEdK3W9ii8cBSGjP+72/LnM4n6fo3+dkCX5FeTQruXA==", + "node_modules/events-universal": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/events-universal/-/events-universal-1.0.1.tgz", + "integrity": "sha512-LUd5euvbMLpwOF8m6ivPCbhQeSiYVNb8Vs0fQ8QjXo0JTkEHpz8pxdQf0gStltaPpw0Cca8b39KxvK9cfKRiAw==", "dev": true, - "license": "MIT", + "license": "Apache-2.0", "dependencies": { - "d": "1", - "es5-ext": "~0.10.14" + "bare-events": "^2.7.0" } }, "node_modules/expand-tilde": { "version": "2.0.2", + "resolved": "https://registry.npmjs.org/expand-tilde/-/expand-tilde-2.0.2.tgz", + "integrity": "sha512-A5EmesHW6rfnZ9ysHQjPdJRni0SRar0tjtG5MNtm9n5TUvsYU8oozprtRD4AqHxcZWWlVuAmQo2nWKfN9oyjTw==", "dev": true, "license": "MIT", "dependencies": { @@ -1147,40 +1039,22 @@ "node": ">=0.10.0" } }, - "node_modules/ext": { - "version": "1.7.0", - "dev": true, - "license": "ISC", - "dependencies": { - "type": "^2.7.2" - } - }, - "node_modules/ext/node_modules/type": { - "version": "2.7.2", - "dev": true, - "license": "ISC" - }, "node_modules/extend": { "version": "3.0.2", "dev": true, "license": "MIT" }, - "node_modules/fancy-log": { - "version": "1.3.3", + "node_modules/fast-fifo": { + "version": "1.3.2", + "resolved": "https://registry.npmjs.org/fast-fifo/-/fast-fifo-1.3.2.tgz", + "integrity": "sha512-/d9sfos4yxzpwkDkuN7k2SqFKtYNmCTzgfEpz82x34IM9/zc8KGxQoXg1liNC/izpRM/MBdt44Nmx41ZWqk+FQ==", "dev": true, - "license": "MIT", - "dependencies": { - "ansi-gray": "^0.1.1", - "color-support": "^1.1.3", - "parse-node-version": "^1.0.0", - "time-stamp": "^1.0.0" - }, - "engines": { - "node": ">= 0.10" - } + "license": "MIT" }, "node_modules/fast-glob": { - "version": "3.3.1", + "version": "3.3.3", + "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.3.tgz", + "integrity": "sha512-7MptL8U0cqcFdzIzwOTHoilX9x5BrNqye7Z/LuC7kCMRio1EMSyqRK3BEAUD7sXRq4iT4AzTVuZdhgQ2TCvYLg==", "dev": true, "license": "MIT", "dependencies": { @@ -1188,33 +1062,42 @@ "@nodelib/fs.walk": "^1.2.3", "glob-parent": "^5.1.2", "merge2": "^1.3.0", - "micromatch": "^4.0.4" + "micromatch": "^4.0.8" }, "engines": { "node": ">=8.6.0" } }, "node_modules/fast-levenshtein": { - "version": "1.1.4", + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/fast-levenshtein/-/fast-levenshtein-3.0.0.tgz", + "integrity": "sha512-hKKNajm46uNmTlhHSyZkmToAc56uZJwYq7yrciZjqOxnlfQwERDQJmHPUp7m1m9wx8vgOe8IaCKZ5Kv2k1DdCQ==", "dev": true, - "license": "MIT" + "license": "MIT", + "dependencies": { + "fastest-levenshtein": "^1.0.7" + } + }, + "node_modules/fastest-levenshtein": { + "version": "1.0.16", + "resolved": "https://registry.npmjs.org/fastest-levenshtein/-/fastest-levenshtein-1.0.16.tgz", + "integrity": "sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 4.9.1" + } }, "node_modules/fastq": { - "version": "1.15.0", + "version": "1.20.1", + "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.20.1.tgz", + "integrity": "sha512-GGToxJ/w1x32s/D2EKND7kTil4n8OVk/9mycTc4VDza13lOvpUZTGX3mFSCtV9ksdGBVzvsyAVLM6mHFThxXxw==", "dev": true, "license": "ISC", "dependencies": { "reusify": "^1.0.4" } }, - "node_modules/file-uri-to-path": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz", - "integrity": "sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw==", - "dev": true, - "license": "MIT", - "optional": true - }, "node_modules/fill-range": { "version": "7.1.1", "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", @@ -1228,64 +1111,47 @@ "node": ">=8" } }, - "node_modules/find-up": { - "version": "1.1.2", - "dev": true, - "license": "MIT", - "dependencies": { - "path-exists": "^2.0.0", - "pinkie-promise": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/findup-sync": { - "version": "3.0.0", + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/findup-sync/-/findup-sync-5.0.0.tgz", + "integrity": "sha512-MzwXju70AuyflbgeOhzvQWAvvQdo1XL0A9bVvlXsYcFEBM87WR4OakL4OfZq+QRmr+duJubio+UtNQCPsVESzQ==", "dev": true, "license": "MIT", "dependencies": { "detect-file": "^1.0.0", - "is-glob": "^4.0.0", - "micromatch": "^3.0.4", + "is-glob": "^4.0.3", + "micromatch": "^4.0.4", "resolve-dir": "^1.0.1" }, "engines": { - "node": ">= 0.10" + "node": ">= 10.13.0" } }, "node_modules/fined": { - "version": "1.2.0", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/fined/-/fined-2.0.0.tgz", + "integrity": "sha512-OFRzsL6ZMHz5s0JrsEr+TpdGNCtrVtnuG3x1yzGNiQHT0yaDnXAj8V/lWcpJVrnoDpcwXcASxAZYbuXda2Y82A==", "dev": true, "license": "MIT", "dependencies": { "expand-tilde": "^2.0.2", - "is-plain-object": "^2.0.3", + "is-plain-object": "^5.0.0", "object.defaults": "^1.1.0", - "object.pick": "^1.2.0", - "parse-filepath": "^1.0.1" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/fined/node_modules/is-plain-object": { - "version": "2.0.4", - "dev": true, - "license": "MIT", - "dependencies": { - "isobject": "^3.0.1" + "object.pick": "^1.3.0", + "parse-filepath": "^1.0.2" }, "engines": { - "node": ">=0.10.0" + "node": ">= 10.13.0" } }, "node_modules/flagged-respawn": { - "version": "1.0.1", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/flagged-respawn/-/flagged-respawn-2.0.0.tgz", + "integrity": "sha512-Gq/a6YCi8zexmGHMuJwahTGzXlAZAOsbCVKduWXC6TlLCjjFRlExMJc4GC2NYPYZ0r/brw9P7CpRgQmlPVeOoA==", "dev": true, "license": "MIT", "engines": { - "node": ">= 0.10" + "node": ">= 10.13.0" } }, "node_modules/flat": { @@ -1307,6 +1173,8 @@ }, "node_modules/for-in": { "version": "1.0.2", + "resolved": "https://registry.npmjs.org/for-in/-/for-in-1.0.2.tgz", + "integrity": "sha512-7EwmXrOjyL+ChxMhmG5lnW9MPt1aIeZEwKhQzoBUdTV0N3zuwWDZYVJatDvZ2OyzPUvdIAZDsCetk3coyMfcnQ==", "dev": true, "license": "MIT", "engines": { @@ -1315,6 +1183,8 @@ }, "node_modules/for-own": { "version": "1.0.0", + "resolved": "https://registry.npmjs.org/for-own/-/for-own-1.0.0.tgz", + "integrity": "sha512-0OABksIGrxKK8K4kynWkQ7y1zounQxP+CWnyclVwj81KW3vlLlGUx57DKGcP/LH216GzqnstnPocF16Nxs0Ycg==", "dev": true, "license": "MIT", "dependencies": { @@ -1367,10 +1237,9 @@ "license": "ISC" }, "node_modules/fsevents": { - "version": "1.2.13", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-1.2.13.tgz", - "integrity": "sha512-oWb1Z6mkHIskLzEJ/XWX0srkpkTQ7vaopMQkyaEIoq0fmtFVxOthb8cCxeT+p3ynTdkk/RZwbgG4brR5BeWECw==", - "deprecated": "Upgrade to fsevents v2 to mitigate potential security issues", + "version": "2.3.3", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", + "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==", "dev": true, "hasInstallScript": true, "license": "MIT", @@ -1378,23 +1247,29 @@ "os": [ "darwin" ], - "dependencies": { - "bindings": "^1.5.0", - "nan": "^2.12.1" - }, "engines": { - "node": ">= 4.0" + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" } }, "node_modules/function-bind": { - "version": "1.1.1", + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", + "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", "dev": true, - "license": "MIT" + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } }, "node_modules/get-caller-file": { - "version": "1.0.3", + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz", + "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==", "dev": true, - "license": "ISC" + "license": "ISC", + "engines": { + "node": "6.* || 8.* || >= 10.*" + } }, "node_modules/get-intrinsic": { "version": "1.2.1", @@ -1410,14 +1285,6 @@ "url": "https://github.com/sponsors/ljharb" } }, - "node_modules/get-value": { - "version": "2.0.6", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/glob": { "version": "7.2.3", "dev": true, @@ -1439,6 +1306,8 @@ }, "node_modules/glob-parent": { "version": "5.1.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", + "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", "dev": true, "license": "ISC", "dependencies": { @@ -1489,24 +1358,23 @@ } }, "node_modules/glob-watcher": { - "version": "5.0.5", + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/glob-watcher/-/glob-watcher-6.0.0.tgz", + "integrity": "sha512-wGM28Ehmcnk2NqRORXFOTOR064L4imSw3EeOqU5bIwUf62eXGwg89WivH6VMahL8zlQHeodzvHpXplrqzrz3Nw==", "dev": true, "license": "MIT", "dependencies": { - "anymatch": "^2.0.0", - "async-done": "^1.2.0", - "chokidar": "^2.0.0", - "is-negated-glob": "^1.0.0", - "just-debounce": "^1.0.0", - "normalize-path": "^3.0.0", - "object.defaults": "^1.1.0" + "async-done": "^2.0.0", + "chokidar": "^3.5.3" }, "engines": { - "node": ">= 0.10" + "node": ">= 10.13.0" } }, "node_modules/global-modules": { "version": "1.0.0", + "resolved": "https://registry.npmjs.org/global-modules/-/global-modules-1.0.0.tgz", + "integrity": "sha512-sKzpEkf11GpOFuw0Zzjzmt4B4UZwjOcG757PPvrfhxcLFbq0wpsgpOqxpxtxFiCG4DtG93M6XRVbF2oGdev7bg==", "dev": true, "license": "MIT", "dependencies": { @@ -1520,6 +1388,8 @@ }, "node_modules/global-prefix": { "version": "1.0.2", + "resolved": "https://registry.npmjs.org/global-prefix/-/global-prefix-1.0.2.tgz", + "integrity": "sha512-5lsx1NUDHtSjfg0eHlmYvZKv8/nVqX4ckFbM+FrGcQ+04KWcWFo9P5MxPZYSzUvyzmdTbI7Eix8Q4IbELDqzKg==", "dev": true, "license": "MIT", "dependencies": { @@ -1534,32 +1404,37 @@ } }, "node_modules/globby": { - "version": "13.2.2", + "version": "14.1.0", + "resolved": "https://registry.npmjs.org/globby/-/globby-14.1.0.tgz", + "integrity": "sha512-0Ia46fDOaT7k4og1PDW4YbodWWr3scS2vAr2lTbsplOt2WkKp0vQbkI9wKis/T5LV/dqPjO3bpS/z6GTJB82LA==", "dev": true, "license": "MIT", "dependencies": { - "dir-glob": "^3.0.1", - "fast-glob": "^3.3.0", - "ignore": "^5.2.4", - "merge2": "^1.4.1", - "slash": "^4.0.0" + "@sindresorhus/merge-streams": "^2.1.0", + "fast-glob": "^3.3.3", + "ignore": "^7.0.3", + "path-type": "^6.0.0", + "slash": "^5.1.0", + "unicorn-magic": "^0.3.0" }, "engines": { - "node": "^12.20.0 || ^14.13.1 || >=16.0.0" + "node": ">=18" }, "funding": { "url": "https://github.com/sponsors/sindresorhus" } }, "node_modules/glogg": { - "version": "1.0.2", + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/glogg/-/glogg-2.2.0.tgz", + "integrity": "sha512-eWv1ds/zAlz+M1ioHsyKJomfY7jbDDPpwSkv14KQj89bycx1nvK5/2Cj/T9g7kzJcX5Bc7Yv22FjfBZS/jl94A==", "dev": true, "license": "MIT", "dependencies": { - "sparkles": "^1.0.0" + "sparkles": "^2.1.0" }, "engines": { - "node": ">= 0.10" + "node": ">= 10.13.0" } }, "node_modules/gopd": { @@ -1579,91 +1454,272 @@ "license": "ISC" }, "node_modules/gulp": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/gulp/-/gulp-4.0.2.tgz", - "integrity": "sha512-dvEs27SCZt2ibF29xYgmnwwCYZxdxhQ/+LFWlbAW8y7jt68L/65402Lz3+CKy0Ov4rOs+NERmDq7YlZaDqUIfA==", + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/gulp/-/gulp-5.0.1.tgz", + "integrity": "sha512-PErok3DZSA5WGMd6XXV3IRNO0mlB+wW3OzhFJLEec1jSERg2j1bxJ6e5Fh6N6fn3FH2T9AP4UYNb/pYlADB9sA==", + "dev": true, + "license": "MIT", + "dependencies": { + "glob-watcher": "^6.0.0", + "gulp-cli": "^3.1.0", + "undertaker": "^2.0.0", + "vinyl-fs": "^4.0.2" + }, + "bin": { + "gulp": "bin/gulp.js" + }, + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/gulp-cli": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/gulp-cli/-/gulp-cli-3.1.0.tgz", + "integrity": "sha512-zZzwlmEsTfXcxRKiCHsdyjZZnFvXWM4v1NqBJSYbuApkvVKivjcmOS2qruAJ+PkEHLFavcDKH40DPc1+t12a9Q==", + "dev": true, + "license": "MIT", + "dependencies": { + "@gulpjs/messages": "^1.1.0", + "chalk": "^4.1.2", + "copy-props": "^4.0.0", + "gulplog": "^2.2.0", + "interpret": "^3.1.1", + "liftoff": "^5.0.1", + "mute-stdout": "^2.0.0", + "replace-homedir": "^2.0.0", + "semver-greatest-satisfied-range": "^2.0.0", + "string-width": "^4.2.3", + "v8flags": "^4.0.0", + "yargs": "^16.2.0" + }, + "bin": { + "gulp": "bin/gulp.js" + }, + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/gulp-typescript": { + "version": "6.0.0-alpha.1", + "dev": true, + "license": "MIT", + "dependencies": { + "ansi-colors": "^4.1.1", + "plugin-error": "^1.0.1", + "source-map": "^0.7.3", + "through2": "^3.0.1", + "vinyl": "^2.2.0", + "vinyl-fs": "^3.0.3" + }, + "engines": { + "node": ">= 8" + }, + "peerDependencies": { + "typescript": "~2.7.1 || >=2.8.0-dev || >=2.9.0-dev || ~3.0.0 || >=3.0.0-dev || >=3.1.0-dev || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.7.0-dev " + } + }, + "node_modules/gulp-typescript/node_modules/ansi-colors": { + "version": "4.1.3", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/gulp/node_modules/convert-source-map": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz", + "integrity": "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==", + "dev": true, + "license": "MIT" + }, + "node_modules/gulp/node_modules/fs-mkdirp-stream": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/fs-mkdirp-stream/-/fs-mkdirp-stream-2.0.1.tgz", + "integrity": "sha512-UTOY+59K6IA94tec8Wjqm0FSh5OVudGNB0NL/P6fB3HiE3bYOY3VYBGijsnOHNkQSwC1FKkU77pmq7xp9CskLw==", + "dev": true, + "license": "MIT", + "dependencies": { + "graceful-fs": "^4.2.8", + "streamx": "^2.12.0" + }, + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/gulp/node_modules/glob-parent": { + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-6.0.2.tgz", + "integrity": "sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==", + "dev": true, + "license": "ISC", + "dependencies": { + "is-glob": "^4.0.3" + }, + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/gulp/node_modules/glob-stream": { + "version": "8.0.3", + "resolved": "https://registry.npmjs.org/glob-stream/-/glob-stream-8.0.3.tgz", + "integrity": "sha512-fqZVj22LtFJkHODT+M4N1RJQ3TjnnQhfE9GwZI8qXscYarnhpip70poMldRnP8ipQ/w0B621kOhfc53/J9bd/A==", + "dev": true, + "license": "MIT", + "dependencies": { + "@gulpjs/to-absolute-glob": "^4.0.0", + "anymatch": "^3.1.3", + "fastq": "^1.13.0", + "glob-parent": "^6.0.2", + "is-glob": "^4.0.3", + "is-negated-glob": "^1.0.0", + "normalize-path": "^3.0.0", + "streamx": "^2.12.5" + }, + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/gulp/node_modules/lead": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/lead/-/lead-4.0.0.tgz", + "integrity": "sha512-DpMa59o5uGUWWjruMp71e6knmwKU3jRBBn1kjuLWN9EeIOxNeSAwvHf03WIl8g/ZMR2oSQC9ej3yeLBwdDc/pg==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/gulp/node_modules/now-and-later": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/now-and-later/-/now-and-later-3.0.0.tgz", + "integrity": "sha512-pGO4pzSdaxhWTGkfSfHx3hVzJVslFPwBp2Myq9MYN/ChfJZF87ochMAXnvz6/58RJSf5ik2q9tXprBBrk2cpcg==", + "dev": true, + "license": "MIT", + "dependencies": { + "once": "^1.4.0" + }, + "engines": { + "node": ">= 10.13.0" + } + }, + "node_modules/gulp/node_modules/replace-ext": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-2.0.0.tgz", + "integrity": "sha512-UszKE5KVK6JvyD92nzMn9cDapSk6w/CaFZ96CnmDMUqH9oowfxF/ZjRITD25H4DnOQClLA4/j7jLGXXLVKxAug==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 10" + } + }, + "node_modules/gulp/node_modules/resolve-options": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/resolve-options/-/resolve-options-2.0.0.tgz", + "integrity": "sha512-/FopbmmFOQCfsCx77BRFdKOniglTiHumLgwvd6IDPihy1GKkadZbgQJBcTb2lMzSR1pndzd96b1nZrreZ7+9/A==", "dev": true, "license": "MIT", "dependencies": { - "glob-watcher": "^5.0.3", - "gulp-cli": "^2.2.0", - "undertaker": "^1.2.1", - "vinyl-fs": "^3.0.0" - }, - "bin": { - "gulp": "bin/gulp.js" + "value-or-function": "^4.0.0" }, "engines": { - "node": ">= 0.10" + "node": ">= 10.13.0" } }, - "node_modules/gulp-cli": { - "version": "2.3.0", + "node_modules/gulp/node_modules/to-through": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/to-through/-/to-through-3.0.0.tgz", + "integrity": "sha512-y8MN937s/HVhEoBU1SxfHC+wxCHkV1a9gW8eAdTadYh/bGyesZIVcbjI+mSpFbSVwQici/XjBjuUyri1dnXwBw==", "dev": true, "license": "MIT", "dependencies": { - "ansi-colors": "^1.0.1", - "archy": "^1.0.0", - "array-sort": "^1.0.0", - "color-support": "^1.1.3", - "concat-stream": "^1.6.0", - "copy-props": "^2.0.1", - "fancy-log": "^1.3.2", - "gulplog": "^1.0.0", - "interpret": "^1.4.0", - "isobject": "^3.0.1", - "liftoff": "^3.1.0", - "matchdep": "^2.0.0", - "mute-stdout": "^1.0.0", - "pretty-hrtime": "^1.0.0", - "replace-homedir": "^1.0.0", - "semver-greatest-satisfied-range": "^1.1.0", - "v8flags": "^3.2.0", - "yargs": "^7.1.0" - }, - "bin": { - "gulp": "bin/gulp.js" + "streamx": "^2.12.5" }, "engines": { - "node": ">= 0.10" + "node": ">=10.13.0" } }, - "node_modules/gulp-typescript": { - "version": "6.0.0-alpha.1", + "node_modules/gulp/node_modules/value-or-function": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/value-or-function/-/value-or-function-4.0.0.tgz", + "integrity": "sha512-aeVK81SIuT6aMJfNo9Vte8Dw0/FZINGBV8BfCraGtqVxIeLAEhJyoWs8SmvRVmXfGss2PmmOwZCuBPbZR+IYWg==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 10.13.0" + } + }, + "node_modules/gulp/node_modules/vinyl": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/vinyl/-/vinyl-3.0.1.tgz", + "integrity": "sha512-0QwqXteBNXgnLCdWdvPQBX6FXRHtIH3VhJPTd5Lwn28tJXc34YqSCWUmkOvtJHBmB3gGoPtrOKk3Ts8/kEZ9aA==", "dev": true, "license": "MIT", "dependencies": { - "ansi-colors": "^4.1.1", - "plugin-error": "^1.0.1", - "source-map": "^0.7.3", - "through2": "^3.0.1", - "vinyl": "^2.2.0", - "vinyl-fs": "^3.0.3" + "clone": "^2.1.2", + "remove-trailing-separator": "^1.1.0", + "replace-ext": "^2.0.0", + "teex": "^1.0.1" }, "engines": { - "node": ">= 8" + "node": ">=10.13.0" + } + }, + "node_modules/gulp/node_modules/vinyl-fs": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/vinyl-fs/-/vinyl-fs-4.0.2.tgz", + "integrity": "sha512-XRFwBLLTl8lRAOYiBqxY279wY46tVxLaRhSwo3GzKEuLz1giffsOquWWboD/haGf5lx+JyTigCFfe7DWHoARIA==", + "dev": true, + "license": "MIT", + "dependencies": { + "fs-mkdirp-stream": "^2.0.1", + "glob-stream": "^8.0.3", + "graceful-fs": "^4.2.11", + "iconv-lite": "^0.6.3", + "is-valid-glob": "^1.0.0", + "lead": "^4.0.0", + "normalize-path": "3.0.0", + "resolve-options": "^2.0.0", + "stream-composer": "^1.0.2", + "streamx": "^2.14.0", + "to-through": "^3.0.0", + "value-or-function": "^4.0.0", + "vinyl": "^3.0.1", + "vinyl-sourcemap": "^2.0.0" }, - "peerDependencies": { - "typescript": "~2.7.1 || >=2.8.0-dev || >=2.9.0-dev || ~3.0.0 || >=3.0.0-dev || >=3.1.0-dev || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.7.0-dev " + "engines": { + "node": ">=10.13.0" } }, - "node_modules/gulp-typescript/node_modules/ansi-colors": { - "version": "4.1.3", + "node_modules/gulp/node_modules/vinyl-sourcemap": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/vinyl-sourcemap/-/vinyl-sourcemap-2.0.0.tgz", + "integrity": "sha512-BAEvWxbBUXvlNoFQVFVHpybBbjW1r03WhohJzJDSfgrrK5xVYIDTan6xN14DlyImShgDRv2gl9qhM6irVMsV0Q==", "dev": true, "license": "MIT", + "dependencies": { + "convert-source-map": "^2.0.0", + "graceful-fs": "^4.2.10", + "now-and-later": "^3.0.0", + "streamx": "^2.12.5", + "vinyl": "^3.0.0", + "vinyl-contents": "^2.0.0" + }, "engines": { - "node": ">=6" + "node": ">=10.13.0" } }, "node_modules/gulplog": { - "version": "1.0.0", + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/gulplog/-/gulplog-2.2.0.tgz", + "integrity": "sha512-V2FaKiOhpR3DRXZuYdRLn/qiY0yI5XmqbTKrYbdemJ+xOh2d2MOweI/XFgMzd/9+1twdvMwllnZbWZNJ+BOm4A==", "dev": true, "license": "MIT", "dependencies": { - "glogg": "^1.0.0" + "glogg": "^2.2.0" }, "engines": { - "node": ">= 0.10" + "node": ">= 10.13.0" } }, "node_modules/has": { @@ -1718,6 +1774,19 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/hasown": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", + "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, "node_modules/he": { "version": "1.2.0", "dev": true, @@ -1728,6 +1797,8 @@ }, "node_modules/homedir-polyfill": { "version": "1.0.3", + "resolved": "https://registry.npmjs.org/homedir-polyfill/-/homedir-polyfill-1.0.3.tgz", + "integrity": "sha512-eSmmWE5bZTK2Nou4g0AI3zZ9rswp7GRKoKXS1BLUkvPviOqs4YTN1djQIqrXy9k5gEtdLPy86JjRwsNM9tnDcA==", "dev": true, "license": "MIT", "dependencies": { @@ -1737,28 +1808,48 @@ "node": ">=0.10.0" } }, - "node_modules/hosted-git-info": { - "version": "2.8.9", - "dev": true, - "license": "ISC" - }, - "node_modules/ignore": { - "version": "5.2.4", + "node_modules/iconv-lite": { + "version": "0.6.3", + "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz", + "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==", "dev": true, "license": "MIT", + "dependencies": { + "safer-buffer": ">= 2.1.2 < 3.0.0" + }, "engines": { - "node": ">= 4" + "node": ">=0.10.0" } }, - "node_modules/indent-string": { - "version": "5.0.0", + "node_modules/ieee754": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz", + "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==", + "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "license": "BSD-3-Clause" + }, + "node_modules/ignore": { + "version": "7.0.5", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz", + "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==", "dev": true, "license": "MIT", "engines": { - "node": ">=12" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" + "node": ">= 4" } }, "node_modules/inflight": { @@ -1777,23 +1868,19 @@ }, "node_modules/ini": { "version": "1.3.8", + "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz", + "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==", "dev": true, "license": "ISC" }, "node_modules/interpret": { - "version": "1.4.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/invert-kv": { - "version": "1.0.0", + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/interpret/-/interpret-3.1.1.tgz", + "integrity": "sha512-6xwYfHbajpoF0xLW+iwLkhwgvLoZDfjYfoFNu8ftMoXINzwuymNLd9u/KmwtdT2GbR+/Cz66otEGEVVUHX9QLQ==", "dev": true, "license": "MIT", "engines": { - "node": ">=0.10.0" + "node": ">=10.13.0" } }, "node_modules/is-absolute": { @@ -1808,20 +1895,17 @@ "node": ">=0.10.0" } }, - "node_modules/is-arrayish": { - "version": "0.2.1", - "dev": true, - "license": "MIT" - }, "node_modules/is-binary-path": { - "version": "1.0.1", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz", + "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==", "dev": true, "license": "MIT", "dependencies": { - "binary-extensions": "^1.0.0" + "binary-extensions": "^2.0.0" }, "engines": { - "node": ">=0.10.0" + "node": ">=8" } }, "node_modules/is-buffer": { @@ -1830,11 +1914,16 @@ "license": "MIT" }, "node_modules/is-core-module": { - "version": "2.13.0", + "version": "2.16.1", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz", + "integrity": "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==", "dev": true, "license": "MIT", "dependencies": { - "has": "^1.0.3" + "hasown": "^2.0.2" + }, + "engines": { + "node": ">= 0.4" }, "funding": { "url": "https://github.com/sponsors/ljharb" @@ -1849,14 +1938,13 @@ } }, "node_modules/is-fullwidth-code-point": { - "version": "1.0.0", + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "dev": true, "license": "MIT", - "dependencies": { - "number-is-nan": "^1.0.0" - }, "engines": { - "node": ">=0.10.0" + "node": ">=8" } }, "node_modules/is-glob": { @@ -1878,6 +1966,16 @@ "node": ">=0.10.0" } }, + "node_modules/is-number": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", + "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.12.0" + } + }, "node_modules/is-path-cwd": { "version": "3.0.0", "dev": true, @@ -1910,6 +2008,8 @@ }, "node_modules/is-plain-object": { "version": "5.0.0", + "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz", + "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==", "dev": true, "license": "MIT", "engines": { @@ -2021,34 +2121,14 @@ "dev": true, "license": "MIT" }, - "node_modules/just-debounce": { - "version": "1.1.0", - "dev": true, - "license": "MIT" - }, - "node_modules/just-extend": { - "version": "4.2.1", - "dev": true, - "license": "MIT" - }, - "node_modules/kind-of": { - "version": "5.1.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/last-run": { - "version": "1.1.1", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/last-run/-/last-run-2.0.0.tgz", + "integrity": "sha512-j+y6WhTLN4Itnf9j5ZQos1BGPCS8DAwmgMroR3OzfxAsBxam0hMw7J8M3KqZl0pLQJ1jNnwIexg5DYpC/ctwEQ==", "dev": true, "license": "MIT", - "dependencies": { - "default-resolution": "^2.0.0", - "es6-weak-map": "^2.0.1" - }, "engines": { - "node": ">= 0.10" + "node": ">= 10.13.0" } }, "node_modules/lazystream": { @@ -2062,17 +2142,6 @@ "node": ">= 0.6.3" } }, - "node_modules/lcid": { - "version": "1.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "invert-kv": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/lead": { "version": "1.0.0", "dev": true, @@ -2085,47 +2154,22 @@ } }, "node_modules/liftoff": { - "version": "3.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "extend": "^3.0.0", - "findup-sync": "^3.0.0", - "fined": "^1.0.1", - "flagged-respawn": "^1.0.0", - "is-plain-object": "^2.0.4", - "object.map": "^1.0.0", - "rechoir": "^0.6.2", - "resolve": "^1.1.7" - }, - "engines": { - "node": ">= 0.8" - } - }, - "node_modules/liftoff/node_modules/is-plain-object": { - "version": "2.0.4", - "dev": true, - "license": "MIT", - "dependencies": { - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/load-json-file": { - "version": "1.1.0", + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/liftoff/-/liftoff-5.0.1.tgz", + "integrity": "sha512-wwLXMbuxSF8gMvubFcFRp56lkFV69twvbU5vDPbaw+Q+/rF8j0HKjGbIdlSi+LuJm9jf7k9PB+nTxnsLMPcv2Q==", "dev": true, "license": "MIT", "dependencies": { - "graceful-fs": "^4.1.2", - "parse-json": "^2.2.0", - "pify": "^2.0.0", - "pinkie-promise": "^2.0.0", - "strip-bom": "^2.0.0" + "extend": "^3.0.2", + "findup-sync": "^5.0.0", + "fined": "^2.0.0", + "flagged-respawn": "^2.0.0", + "is-plain-object": "^5.0.0", + "rechoir": "^0.8.0", + "resolve": "^1.20.0" }, "engines": { - "node": ">=0.10.0" + "node": ">=10.13.0" } }, "node_modules/locate-path": { @@ -2139,130 +2183,44 @@ "node": ">=10" }, "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, - "node_modules/lodash": { - "version": "4.17.23", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", - "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", - "dev": true, - "license": "MIT" - }, - "node_modules/lodash.get": { - "version": "4.4.2", - "dev": true, - "license": "MIT" - }, - "node_modules/log-symbols": { - "version": "4.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "chalk": "^4.1.0", - "is-unicode-supported": "^0.1.0" - }, - "engines": { - "node": ">=10" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, - "node_modules/log-symbols/node_modules/chalk": { - "version": "4.1.2", - "dev": true, - "license": "MIT", - "dependencies": { - "ansi-styles": "^4.1.0", - "supports-color": "^7.1.0" - }, - "engines": { - "node": ">=10" - }, - "funding": { - "url": "https://github.com/chalk/chalk?sponsor=1" - } - }, - "node_modules/lolex": { - "version": "2.7.5", - "dev": true, - "license": "BSD-3-Clause" - }, - "node_modules/lru-cache": { - "version": "10.4.3", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", - "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", - "dev": true - }, - "node_modules/make-iterator": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "kind-of": "^6.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/make-iterator/node_modules/kind-of": { - "version": "6.0.3", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/map-cache": { - "version": "0.2.2", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/matchdep": { - "version": "2.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "findup-sync": "^2.0.0", - "micromatch": "^3.0.4", - "resolve": "^1.4.0", - "stack-trace": "0.0.10" - }, - "engines": { - "node": ">= 0.10.0" + "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/matchdep/node_modules/findup-sync": { - "version": "2.0.0", + "node_modules/log-symbols": { + "version": "4.1.0", "dev": true, "license": "MIT", "dependencies": { - "detect-file": "^1.0.0", - "is-glob": "^3.1.0", - "micromatch": "^3.0.4", - "resolve-dir": "^1.0.1" + "chalk": "^4.1.0", + "is-unicode-supported": "^0.1.0" }, "engines": { - "node": ">= 0.10" + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/matchdep/node_modules/is-glob": { - "version": "3.1.0", + "node_modules/lru-cache": { + "version": "10.4.3", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", + "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", + "dev": true + }, + "node_modules/map-cache": { + "version": "0.2.2", + "resolved": "https://registry.npmjs.org/map-cache/-/map-cache-0.2.2.tgz", + "integrity": "sha512-8y/eV9QQZCiyn1SprXSrCmqJN0yNRATe+PO8ztwqrvrbdRLA3eYJF0yaR0YayLWkMbsQSKWS9N2gPcGEc4UsZg==", "dev": true, "license": "MIT", - "dependencies": { - "is-extglob": "^2.1.0" - }, "engines": { "node": ">=0.10.0" } }, "node_modules/merge2": { "version": "1.4.1", + "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz", + "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==", "dev": true, "license": "MIT", "engines": { @@ -2294,14 +2252,19 @@ } }, "node_modules/minimatch": { - "version": "3.1.2", + "version": "10.2.5", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.5.tgz", + "integrity": "sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==", "dev": true, - "license": "ISC", + "license": "BlueOak-1.0.0", "dependencies": { - "brace-expansion": "^1.1.7" + "brace-expansion": "^5.0.5" }, "engines": { - "node": "*" + "node": "18 || 20 || >=22" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" } }, "node_modules/minipass": { @@ -2349,24 +2312,6 @@ "node": "^18.18.0 || ^20.9.0 || >=21.1.0" } }, - "node_modules/mocha/node_modules/ansi-regex": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", - "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", - "dev": true, - "engines": { - "node": ">=8" - } - }, - "node_modules/mocha/node_modules/brace-expansion": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz", - "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==", - "dev": true, - "dependencies": { - "balanced-match": "^1.0.0" - } - }, "node_modules/mocha/node_modules/chokidar": { "version": "4.0.3", "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.3.tgz", @@ -2449,15 +2394,6 @@ "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/mocha/node_modules/get-caller-file": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz", - "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==", - "dev": true, - "engines": { - "node": "6.* || 8.* || >= 10.*" - } - }, "node_modules/mocha/node_modules/glob": { "version": "10.5.0", "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz", @@ -2479,15 +2415,6 @@ "url": "https://github.com/sponsors/isaacs" } }, - "node_modules/mocha/node_modules/is-fullwidth-code-point": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", - "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", - "dev": true, - "engines": { - "node": ">=8" - } - }, "node_modules/mocha/node_modules/is-path-inside": { "version": "3.0.3", "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-3.0.3.tgz", @@ -2497,21 +2424,6 @@ "node": ">=8" } }, - "node_modules/mocha/node_modules/minimatch": { - "version": "9.0.5", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", - "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==", - "dev": true, - "dependencies": { - "brace-expansion": "^2.0.1" - }, - "engines": { - "node": ">=16 || 14 >=14.17" - }, - "funding": { - "url": "https://github.com/sponsors/isaacs" - } - }, "node_modules/mocha/node_modules/ms": { "version": "2.1.3", "dev": true, @@ -2538,32 +2450,6 @@ "url": "https://paulmillr.com/funding/" } }, - "node_modules/mocha/node_modules/string-width": { - "version": "4.2.3", - "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", - "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", - "dev": true, - "dependencies": { - "emoji-regex": "^8.0.0", - "is-fullwidth-code-point": "^3.0.0", - "strip-ansi": "^6.0.1" - }, - "engines": { - "node": ">=8" - } - }, - "node_modules/mocha/node_modules/strip-ansi": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", - "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", - "dev": true, - "dependencies": { - "ansi-regex": "^5.0.1" - }, - "engines": { - "node": ">=8" - } - }, "node_modules/mocha/node_modules/supports-color": { "version": "8.1.1", "dev": true, @@ -2578,32 +2464,6 @@ "url": "https://github.com/chalk/supports-color?sponsor=1" } }, - "node_modules/mocha/node_modules/wrap-ansi": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", - "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", - "dev": true, - "dependencies": { - "ansi-styles": "^4.0.0", - "string-width": "^4.1.0", - "strip-ansi": "^6.0.0" - }, - "engines": { - "node": ">=10" - }, - "funding": { - "url": "https://github.com/chalk/wrap-ansi?sponsor=1" - } - }, - "node_modules/mocha/node_modules/y18n": { - "version": "5.0.8", - "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", - "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==", - "dev": true, - "engines": { - "node": ">=10" - } - }, "node_modules/mocha/node_modules/yargs": { "version": "17.7.2", "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz", @@ -2632,68 +2492,19 @@ } }, "node_modules/mute-stdout": { - "version": "1.0.1", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/mute-stdout/-/mute-stdout-2.0.0.tgz", + "integrity": "sha512-32GSKM3Wyc8dg/p39lWPKYu8zci9mJFzV1Np9Of0ZEpe6Fhssn/FbI7ywAMd40uX+p3ZKh3T5EeCFv81qS3HmQ==", "dev": true, "license": "MIT", "engines": { - "node": ">= 0.10" - } - }, - "node_modules/nan": { - "version": "2.25.0", - "resolved": "https://registry.npmjs.org/nan/-/nan-2.25.0.tgz", - "integrity": "sha512-0M90Ag7Xn5KMLLZ7zliPWP3rT90P6PN+IzVFS0VqmnPktBk3700xUVv8Ikm9EUaUE5SDWdp/BIxdENzVznpm1g==", - "dev": true, - "license": "MIT", - "optional": true - }, - "node_modules/next-tick": { - "version": "1.1.0", - "dev": true, - "license": "ISC" - }, - "node_modules/nise": { - "version": "1.5.3", - "dev": true, - "license": "BSD-3-Clause", - "dependencies": { - "@sinonjs/formatio": "^3.2.1", - "@sinonjs/text-encoding": "^0.7.1", - "just-extend": "^4.0.2", - "lolex": "^5.0.1", - "path-to-regexp": "^1.7.0" - } - }, - "node_modules/nise/node_modules/@sinonjs/formatio": { - "version": "3.2.2", - "dev": true, - "license": "BSD-3-Clause", - "dependencies": { - "@sinonjs/commons": "^1", - "@sinonjs/samsam": "^3.1.0" - } - }, - "node_modules/nise/node_modules/lolex": { - "version": "5.1.2", - "dev": true, - "license": "BSD-3-Clause", - "dependencies": { - "@sinonjs/commons": "^1.7.0" - } - }, - "node_modules/normalize-package-data": { - "version": "2.5.0", - "dev": true, - "license": "BSD-2-Clause", - "dependencies": { - "hosted-git-info": "^2.1.4", - "resolve": "^1.10.0", - "semver": "2 || 3 || 4 || 5", - "validate-npm-package-license": "^3.0.1" + "node": ">= 10.13.0" } }, "node_modules/normalize-path": { "version": "3.0.0", + "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", + "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", "dev": true, "license": "MIT", "engines": { @@ -2711,14 +2522,6 @@ "node": ">= 0.10" } }, - "node_modules/number-is-nan": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/object-keys": { "version": "1.1.1", "dev": true, @@ -2746,6 +2549,8 @@ }, "node_modules/object.defaults": { "version": "1.1.0", + "resolved": "https://registry.npmjs.org/object.defaults/-/object.defaults-1.1.0.tgz", + "integrity": "sha512-c/K0mw/F11k4dEUBMW8naXUuBuhxRCfG7W+yFy8EcijU/rSmazOUd1XAEEe6bC0OuXY4HUKjTJv7xbxIMqdxrA==", "dev": true, "license": "MIT", "dependencies": { @@ -2758,20 +2563,10 @@ "node": ">=0.10.0" } }, - "node_modules/object.map": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "for-own": "^1.0.0", - "make-iterator": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/object.pick": { "version": "1.3.0", + "resolved": "https://registry.npmjs.org/object.pick/-/object.pick-1.3.0.tgz", + "integrity": "sha512-tqa/UMy/CCoYmj+H5qc07qvSL9dqcs/WZENZ1JbtWBlATP+iVOe778gE6MSijnyCnORzDuX6hU+LA4SZ09YjFQ==", "dev": true, "license": "MIT", "dependencies": { @@ -2781,18 +2576,6 @@ "node": ">=0.10.0" } }, - "node_modules/object.reduce": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "for-own": "^1.0.0", - "make-iterator": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/once": { "version": "1.4.0", "dev": true, @@ -2809,17 +2592,6 @@ "readable-stream": "^2.0.1" } }, - "node_modules/os-locale": { - "version": "1.4.0", - "dev": true, - "license": "MIT", - "dependencies": { - "lcid": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/p-limit": { "version": "3.1.0", "dev": true, @@ -2849,14 +2621,13 @@ } }, "node_modules/p-map": { - "version": "5.5.0", + "version": "7.0.4", + "resolved": "https://registry.npmjs.org/p-map/-/p-map-7.0.4.tgz", + "integrity": "sha512-tkAQEw8ysMzmkhgw8k+1U/iPhWNhykKnSk4Rd5zLoPJCuJaGRPo6YposrZgaxHKzDHdDWWZvE/Sk7hsL2X/CpQ==", "dev": true, "license": "MIT", - "dependencies": { - "aggregate-error": "^4.0.0" - }, "engines": { - "node": ">=12" + "node": ">=18" }, "funding": { "url": "https://github.com/sponsors/sindresorhus" @@ -2870,6 +2641,8 @@ }, "node_modules/parse-filepath": { "version": "1.0.2", + "resolved": "https://registry.npmjs.org/parse-filepath/-/parse-filepath-1.0.2.tgz", + "integrity": "sha512-FwdRXKCohSVeXqwtYonZTXtbGJKrn+HNyWDYVcp5yuJlesTwNH4rsmRZ+GrKAPJ5bLpRxESMeS+Rl0VCHRvB2Q==", "dev": true, "license": "MIT", "dependencies": { @@ -2881,27 +2654,10 @@ "node": ">=0.8" } }, - "node_modules/parse-json": { - "version": "2.2.0", - "dev": true, - "license": "MIT", - "dependencies": { - "error-ex": "^1.2.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/parse-node-version": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "engines": { - "node": ">= 0.10" - } - }, "node_modules/parse-passwd": { "version": "1.0.0", + "resolved": "https://registry.npmjs.org/parse-passwd/-/parse-passwd-1.0.0.tgz", + "integrity": "sha512-1Y1A//QUXEZK7YKz+rD9WydcE1+EuPr6ZBgKecAB8tmoW6UFv0NREVJe1p+jRxtThkcbbKkfwIbWJe/IeE6m2Q==", "dev": true, "license": "MIT", "engines": { @@ -2913,17 +2669,6 @@ "dev": true, "license": "MIT" }, - "node_modules/path-exists": { - "version": "2.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "pinkie-promise": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/path-is-absolute": { "version": "1.0.1", "dev": true, @@ -2943,11 +2688,15 @@ }, "node_modules/path-parse": { "version": "1.0.7", + "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", + "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==", "dev": true, "license": "MIT" }, "node_modules/path-root": { "version": "0.1.1", + "resolved": "https://registry.npmjs.org/path-root/-/path-root-0.1.1.tgz", + "integrity": "sha512-QLcPegTHF11axjfojBIoDygmS2E3Lf+8+jI6wOVmNVenrKSo3mFdSGiIgdSHenczw3wPtlVMQaFVwGmM7BJdtg==", "dev": true, "license": "MIT", "dependencies": { @@ -2959,6 +2708,8 @@ }, "node_modules/path-root-regex": { "version": "0.1.2", + "resolved": "https://registry.npmjs.org/path-root-regex/-/path-root-regex-0.1.2.tgz", + "integrity": "sha512-4GlJ6rZDhQZFE0DPVKh0e9jmZ5egZfxTkp7bcRDuPlJXbAwhxcl2dINPUAsjLdejqaLsCeg8axcLjIbvBjN4pQ==", "dev": true, "license": "MIT", "engines": { @@ -2981,71 +2732,36 @@ "url": "https://github.com/sponsors/isaacs" } }, - "node_modules/path-to-regexp": { - "version": "1.9.0", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.9.0.tgz", - "integrity": "sha512-xIp7/apCFJuUHdDLWe8O1HIkb0kQrOMb/0u6FXQjemHn/ii5LrIzU6bdECnsiTF/GjZkMEKg1xdiZwNqDYlZ6g==", - "dev": true, - "license": "MIT", - "dependencies": { - "isarray": "0.0.1" - } - }, - "node_modules/path-to-regexp/node_modules/isarray": { - "version": "0.0.1", - "dev": true, - "license": "MIT" - }, "node_modules/path-type": { - "version": "4.0.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=8" - } - }, - "node_modules/picocolors": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz", - "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==", - "dev": true - }, - "node_modules/picomatch": { - "version": "2.3.1", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=8.6" - }, - "funding": { - "url": "https://github.com/sponsors/jonschlinkert" - } - }, - "node_modules/pify": { - "version": "2.3.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/pinkie": { - "version": "2.0.4", + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/path-type/-/path-type-6.0.0.tgz", + "integrity": "sha512-Vj7sf++t5pBD637NSfkxpHSMfWaeig5+DKWLhcqIYx6mWQz5hdJTGDVMQiJcw1ZYkhs7AazKDGpRVji1LJCZUQ==", "dev": true, "license": "MIT", "engines": { - "node": ">=0.10.0" + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/pinkie-promise": { - "version": "2.0.1", + "node_modules/picocolors": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz", + "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==", + "dev": true + }, + "node_modules/picomatch": { + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz", + "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==", "dev": true, "license": "MIT", - "dependencies": { - "pinkie": "^2.0.0" - }, "engines": { - "node": ">=0.10.0" + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/jonschlinkert" } }, "node_modules/plugin-error": { @@ -3096,12 +2812,17 @@ "node": ">=0.10.0" } }, - "node_modules/pretty-hrtime": { - "version": "1.0.3", + "node_modules/presentable-error": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/presentable-error/-/presentable-error-0.0.1.tgz", + "integrity": "sha512-E6rsNU1QNJgB3sjj7OANinGncFKuK+164sLXw1/CqBjj/EkXSoSdHCtWQGBNlREIGLnL7IEUEGa08YFVUbrhVg==", "dev": true, "license": "MIT", "engines": { - "node": ">= 0.8" + "node": ">=16" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" } }, "node_modules/process-nextick-args": { @@ -3130,6 +2851,8 @@ }, "node_modules/queue-microtask": { "version": "1.2.3", + "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz", + "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==", "dev": true, "funding": [ { @@ -3147,54 +2870,6 @@ ], "license": "MIT" }, - "node_modules/randombytes": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz", - "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==", - "dev": true, - "license": "MIT", - "dependencies": { - "safe-buffer": "^5.1.0" - } - }, - "node_modules/read-pkg": { - "version": "1.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "load-json-file": "^1.0.0", - "normalize-package-data": "^2.3.2", - "path-type": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/read-pkg-up": { - "version": "1.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "find-up": "^1.0.0", - "read-pkg": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/read-pkg/node_modules/path-type": { - "version": "1.1.0", - "dev": true, - "license": "MIT", - "dependencies": { - "graceful-fs": "^4.1.2", - "pify": "^2.0.0", - "pinkie-promise": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/readable-stream": { "version": "2.3.8", "dev": true, @@ -3210,26 +2885,29 @@ } }, "node_modules/readdirp": { - "version": "2.2.1", + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz", + "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==", "dev": true, "license": "MIT", "dependencies": { - "graceful-fs": "^4.1.11", - "micromatch": "^3.1.10", - "readable-stream": "^2.0.2" + "picomatch": "^2.2.1" }, "engines": { - "node": ">=0.10" + "node": ">=8.10.0" } }, "node_modules/rechoir": { - "version": "0.6.2", + "version": "0.8.0", + "resolved": "https://registry.npmjs.org/rechoir/-/rechoir-0.8.0.tgz", + "integrity": "sha512-/vxpCXddiX8NGfGO/mTafwjq4aFa/71pvamip0++IQk3zG8cbCj0fifNPrjjF1XMXUne91jL9OoxmdykoEtifQ==", "dev": true, + "license": "MIT", "dependencies": { - "resolve": "^1.1.6" + "resolve": "^1.20.0" }, "engines": { - "node": ">= 0.10" + "node": ">= 10.13.0" } }, "node_modules/remove-bom-buffer": { @@ -3280,16 +2958,13 @@ } }, "node_modules/replace-homedir": { - "version": "1.0.0", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/replace-homedir/-/replace-homedir-2.0.0.tgz", + "integrity": "sha512-bgEuQQ/BHW0XkkJtawzrfzHFSN70f/3cNOiHa2QsYxqrjaC30X1k74FJ6xswVBP0sr0SpGIdVFuPwfrYziVeyw==", "dev": true, "license": "MIT", - "dependencies": { - "homedir-polyfill": "^1.0.1", - "is-absolute": "^1.0.0", - "remove-trailing-separator": "^1.1.0" - }, "engines": { - "node": ">= 0.10" + "node": ">= 10.13.0" } }, "node_modules/require-directory": { @@ -3300,29 +2975,31 @@ "node": ">=0.10.0" } }, - "node_modules/require-main-filename": { - "version": "1.0.1", - "dev": true, - "license": "ISC" - }, "node_modules/resolve": { - "version": "1.22.6", + "version": "1.22.11", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.11.tgz", + "integrity": "sha512-RfqAvLnMl313r7c9oclB1HhUEAezcpLjz95wFH4LVuhk9JF/r22qmVP9AMmOU4vMX7Q8pN8jwNg/CSpdFnMjTQ==", "dev": true, "license": "MIT", "dependencies": { - "is-core-module": "^2.13.0", + "is-core-module": "^2.16.1", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" }, "bin": { "resolve": "bin/resolve" }, + "engines": { + "node": ">= 0.4" + }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/resolve-dir": { "version": "1.0.1", + "resolved": "https://registry.npmjs.org/resolve-dir/-/resolve-dir-1.0.1.tgz", + "integrity": "sha512-R7uiTjECzvOsWSfdM0QKFNBVFcK27aHOUwdvK53BcW8zqnGdYp0Fbj82cy54+2A4P2tFM22J5kRfe1R+lM/1yg==", "dev": true, "license": "MIT", "dependencies": { @@ -3345,7 +3022,9 @@ } }, "node_modules/reusify": { - "version": "1.0.4", + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.1.0.tgz", + "integrity": "sha512-g6QUff04oZpHs0eG5p83rFLhHeV00ug/Yf9nZM6fLeUrPguBTkTQOdpAWWspMh55TZfVQDPaN3NQJfbVRAxdIw==", "dev": true, "license": "MIT", "engines": { @@ -3353,22 +3032,10 @@ "node": ">=0.10.0" } }, - "node_modules/rimraf": { - "version": "3.0.2", - "dev": true, - "license": "ISC", - "dependencies": { - "glob": "^7.1.3" - }, - "bin": { - "rimraf": "bin.js" - }, - "funding": { - "url": "https://github.com/sponsors/isaacs" - } - }, "node_modules/run-parallel": { "version": "1.2.0", + "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz", + "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==", "dev": true, "funding": [ { @@ -3394,45 +3061,47 @@ "dev": true, "license": "MIT" }, - "node_modules/samsam": { - "version": "1.3.0", + "node_modules/safer-buffer": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", "dev": true, - "license": "BSD-3-Clause" + "license": "MIT" }, "node_modules/semver": { - "version": "5.7.2", + "version": "6.3.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", + "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==", "dev": true, "license": "ISC", + "optional": true, "bin": { - "semver": "bin/semver" + "semver": "bin/semver.js" } }, "node_modules/semver-greatest-satisfied-range": { - "version": "1.1.0", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/semver-greatest-satisfied-range/-/semver-greatest-satisfied-range-2.0.0.tgz", + "integrity": "sha512-lH3f6kMbwyANB7HuOWRMlLCa2itaCrZJ+SAqqkSZrZKO/cAsk2EOyaKHUtNkVLFyFW9pct22SFesFp3Z7zpA0g==", "dev": true, "license": "MIT", "dependencies": { - "sver-compat": "^1.5.0" + "sver": "^1.8.3" }, "engines": { - "node": ">= 0.10" + "node": ">= 10.13.0" } }, "node_modules/serialize-javascript": { - "version": "6.0.2", - "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz", - "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==", + "version": "7.0.5", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.5.tgz", + "integrity": "sha512-F4LcB0UqUl1zErq+1nYEEzSHJnIwb3AF2XWB94b+afhrekOUijwooAYqFyRbjYkm2PAKBabx6oYv/xDxNi8IBw==", "dev": true, "license": "BSD-3-Clause", - "dependencies": { - "randombytes": "^2.1.0" + "engines": { + "node": ">=20.0.0" } }, - "node_modules/set-blocking": { - "version": "2.0.0", - "dev": true, - "license": "ISC" - }, "node_modules/shebang-command": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", @@ -3467,45 +3136,29 @@ } }, "node_modules/sinon": { - "version": "4.5.0", - "dev": true, - "hasInstallScript": true, - "license": "BSD-3-Clause", - "dependencies": { - "@sinonjs/formatio": "^2.0.0", - "diff": "^3.1.0", - "lodash.get": "^4.4.2", - "lolex": "^2.2.0", - "nise": "^1.2.0", - "supports-color": "^5.1.0", - "type-detect": "^4.0.5" - } - }, - "node_modules/sinon/node_modules/has-flag": { - "version": "3.0.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=4" - } - }, - "node_modules/sinon/node_modules/supports-color": { - "version": "5.5.0", + "version": "22.0.0", + "resolved": "https://registry.npmjs.org/sinon/-/sinon-22.0.0.tgz", + "integrity": "sha512-sq/6DpdXOrLyfbKlXLg/Usc7xu8YXPeLkOFZRvA3bNUSA2lhbrZ06yuXbH1fkzBPCbz9O10+7hznzUsjaYNm0Q==", "dev": true, - "license": "MIT", "dependencies": { - "has-flag": "^3.0.0" + "@sinonjs/commons": "^3.0.1", + "@sinonjs/fake-timers": "^15.4.0", + "@sinonjs/samsam": "^10.0.2", + "diff": "^9.0.0" }, - "engines": { - "node": ">=4" + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/sinon" } }, "node_modules/slash": { - "version": "4.0.0", + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/slash/-/slash-5.1.0.tgz", + "integrity": "sha512-ZA6oR3T/pEyuqwMgAKT0/hAv8oAXckzbkmR0UkUosQ+Mc4RxGoJkRmwHgHufaenlyAgE1Mxgpdcrf75y6XcnDg==", "dev": true, "license": "MIT", "engines": { - "node": ">=12" + "node": ">=14.16" }, "funding": { "url": "https://github.com/sponsors/sindresorhus" @@ -3520,51 +3173,29 @@ } }, "node_modules/sparkles": { - "version": "1.0.1", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/sparkles/-/sparkles-2.1.0.tgz", + "integrity": "sha512-r7iW1bDw8R/cFifrD3JnQJX0K1jqT0kprL48BiBpLZLJPmAm34zsVBsK5lc7HirZYZqMW65dOXZgbAGt/I6frg==", "dev": true, "license": "MIT", "engines": { - "node": ">= 0.10" - } - }, - "node_modules/spdx-correct": { - "version": "3.2.0", - "dev": true, - "license": "Apache-2.0", - "dependencies": { - "spdx-expression-parse": "^3.0.0", - "spdx-license-ids": "^3.0.0" + "node": ">= 10.13.0" } }, - "node_modules/spdx-exceptions": { - "version": "2.3.0", - "dev": true, - "license": "CC-BY-3.0" - }, - "node_modules/spdx-expression-parse": { - "version": "3.0.1", + "node_modules/stream-composer": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/stream-composer/-/stream-composer-1.0.2.tgz", + "integrity": "sha512-bnBselmwfX5K10AH6L4c8+S5lgZMWI7ZYrz2rvYjCPB2DIMC4Ig8OpxGpNJSxRZ58oti7y1IcNvjBAz9vW5m4w==", "dev": true, "license": "MIT", "dependencies": { - "spdx-exceptions": "^2.1.0", - "spdx-license-ids": "^3.0.0" - } - }, - "node_modules/spdx-license-ids": { - "version": "3.0.15", - "dev": true, - "license": "CC0-1.0" - }, - "node_modules/stack-trace": { - "version": "0.0.10", - "dev": true, - "license": "MIT", - "engines": { - "node": "*" + "streamx": "^2.13.2" } }, "node_modules/stream-exhaust": { "version": "1.0.2", + "resolved": "https://registry.npmjs.org/stream-exhaust/-/stream-exhaust-1.0.2.tgz", + "integrity": "sha512-b/qaq/GlBK5xaq1yrK9/zFcyRSTNxmcZwFLGSTG0mXgZl/4Z6GgiyYOXOvY7N3eEvFRAG1bkDRz5EPGSvPYQlw==", "dev": true, "license": "MIT" }, @@ -3573,6 +3204,18 @@ "dev": true, "license": "MIT" }, + "node_modules/streamx": { + "version": "2.23.0", + "resolved": "https://registry.npmjs.org/streamx/-/streamx-2.23.0.tgz", + "integrity": "sha512-kn+e44esVfn2Fa/O0CPFcex27fjIL6MkVae0Mm6q+E6f0hWv578YCERbv+4m02cjxvDsPKLnmxral/rR6lBMAg==", + "dev": true, + "license": "MIT", + "dependencies": { + "events-universal": "^1.0.0", + "fast-fifo": "^1.3.2", + "text-decoder": "^1.1.0" + } + }, "node_modules/string_decoder": { "version": "1.1.1", "dev": true, @@ -3582,16 +3225,18 @@ } }, "node_modules/string-width": { - "version": "1.0.2", + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "dev": true, "license": "MIT", "dependencies": { - "code-point-at": "^1.0.0", - "is-fullwidth-code-point": "^1.0.0", - "strip-ansi": "^3.0.0" + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" }, "engines": { - "node": ">=0.10.0" + "node": ">=8" } }, "node_modules/string-width-cjs": { @@ -3609,29 +3254,12 @@ "node": ">=8" } }, - "node_modules/string-width-cjs/node_modules/ansi-regex": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", - "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", - "dev": true, - "engines": { - "node": ">=8" - } - }, - "node_modules/string-width-cjs/node_modules/is-fullwidth-code-point": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", - "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", - "dev": true, - "engines": { - "node": ">=8" - } - }, - "node_modules/string-width-cjs/node_modules/strip-ansi": { + "node_modules/strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, + "license": "MIT", "dependencies": { "ansi-regex": "^5.0.1" }, @@ -3639,17 +3267,6 @@ "node": ">=8" } }, - "node_modules/strip-ansi": { - "version": "3.0.1", - "dev": true, - "license": "MIT", - "dependencies": { - "ansi-regex": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/strip-ansi-cjs": { "name": "strip-ansi", "version": "6.0.1", @@ -3663,26 +3280,6 @@ "node": ">=8" } }, - "node_modules/strip-ansi-cjs/node_modules/ansi-regex": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", - "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", - "dev": true, - "engines": { - "node": ">=8" - } - }, - "node_modules/strip-bom": { - "version": "2.0.0", - "dev": true, - "license": "MIT", - "dependencies": { - "is-utf8": "^0.2.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/strip-json-comments": { "version": "3.1.1", "dev": true, @@ -3707,6 +3304,8 @@ }, "node_modules/supports-preserve-symlinks-flag": { "version": "1.0.0", + "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", + "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", "dev": true, "license": "MIT", "engines": { @@ -3716,13 +3315,34 @@ "url": "https://github.com/sponsors/ljharb" } }, - "node_modules/sver-compat": { - "version": "1.5.0", + "node_modules/sver": { + "version": "1.8.4", + "resolved": "https://registry.npmjs.org/sver/-/sver-1.8.4.tgz", + "integrity": "sha512-71o1zfzyawLfIWBOmw8brleKyvnbn73oVHNCsu51uPMz/HWiKkkXsI31JjHW5zqXEqnPYkIiHd8ZmL7FCimLEA==", + "dev": true, + "license": "MIT", + "optionalDependencies": { + "semver": "^6.3.0" + } + }, + "node_modules/teex": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/teex/-/teex-1.0.1.tgz", + "integrity": "sha512-eYE6iEI62Ni1H8oIa7KlDU6uQBtqr4Eajni3wX7rpfXD8ysFx8z0+dri+KWEPWpBsxXfxu58x/0jvTVT1ekOSg==", "dev": true, "license": "MIT", "dependencies": { - "es6-iterator": "^2.0.1", - "es6-symbol": "^3.1.1" + "streamx": "^2.12.5" + } + }, + "node_modules/text-decoder": { + "version": "1.2.7", + "resolved": "https://registry.npmjs.org/text-decoder/-/text-decoder-1.2.7.tgz", + "integrity": "sha512-vlLytXkeP4xvEq2otHeJfSQIRyWxo/oZGEbXrtEEF9Hnmrdly59sUbzZ/QgyWuLYHctCHxFF4tRQZNQ9k60ExQ==", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "b4a": "^1.6.4" } }, "node_modules/through2": { @@ -3752,14 +3372,6 @@ "xtend": "~4.0.1" } }, - "node_modules/time-stamp": { - "version": "1.1.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/to-absolute-glob": { "version": "2.0.2", "dev": true, @@ -3785,16 +3397,6 @@ "node": ">=8.0" } }, - "node_modules/to-regex-range/node_modules/is-number": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", - "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.12.0" - } - }, "node_modules/to-through": { "version": "2.0.0", "dev": true, @@ -3817,31 +3419,26 @@ }, "node_modules/tunnel": { "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", "license": "MIT", "engines": { "node": ">=0.6.11 <=0.7.0 || >=0.7.3" } }, - "node_modules/type": { - "version": "1.2.0", - "dev": true, - "license": "ISC" - }, "node_modules/type-detect": { "version": "4.0.8", + "resolved": "https://registry.npmjs.org/type-detect/-/type-detect-4.0.8.tgz", + "integrity": "sha512-0fr/mIH1dlO+x7TlcMy+bIDqKPsw/70tVyeHW787goQjhmqaZe10uwLujubK9q9Lg6Fiho1KUKDYz0Z7k7g5/g==", "dev": true, - "license": "MIT", "engines": { "node": ">=4" } }, - "node_modules/typedarray": { - "version": "0.0.6", - "dev": true, - "license": "MIT" - }, "node_modules/typescript": { - "version": "5.2.2", + "version": "5.9.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz", + "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", "dev": true, "license": "Apache-2.0", "bin": { @@ -3860,32 +3457,58 @@ "node": ">=0.10.0" } }, - "node_modules/undertaker": { - "version": "1.3.0", - "dev": true, + "node_modules/undertaker": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/undertaker/-/undertaker-2.0.0.tgz", + "integrity": "sha512-tO/bf30wBbTsJ7go80j0RzA2rcwX6o7XPBpeFcb+jzoeb4pfMM2zUeSDIkY1AWqeZabWxaQZ/h8N9t35QKDLPQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "bach": "^2.0.1", + "fast-levenshtein": "^3.0.0", + "last-run": "^2.0.0", + "undertaker-registry": "^2.0.0" + }, + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/undertaker-registry": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/undertaker-registry/-/undertaker-registry-2.0.0.tgz", + "integrity": "sha512-+hhVICbnp+rlzZMgxXenpvTxpuvA67Bfgtt+O9WOE5jo7w/dyiF1VmoZVIHvP2EkUjsyKyTwYKlLhA+j47m1Ew==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 10.13.0" + } + }, + "node_modules/undici": { + "version": "8.0.2", + "resolved": "https://registry.npmjs.org/undici/-/undici-8.0.2.tgz", + "integrity": "sha512-B9MeU5wuFhkFAuNeA19K2GDFcQXZxq33fL0nRy2Aq30wdufZbyyvxW3/ChaeipXVfy/wUweZyzovQGk39+9k2w==", "license": "MIT", - "dependencies": { - "arr-flatten": "^1.0.1", - "arr-map": "^2.0.0", - "bach": "^1.0.0", - "collection-map": "^1.0.0", - "es6-weak-map": "^2.0.1", - "fast-levenshtein": "^1.0.0", - "last-run": "^1.1.0", - "object.defaults": "^1.0.0", - "object.reduce": "^1.0.0", - "undertaker-registry": "^1.0.0" - }, "engines": { - "node": ">= 0.10" + "node": ">=22.19.0" } }, - "node_modules/undertaker-registry": { - "version": "1.0.1", + "node_modules/undici-types": { + "version": "7.19.2", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.19.2.tgz", + "integrity": "sha512-qYVnV5OEm2AW8cJMCpdV20CDyaN3g0AjDlOGf1OW4iaDEx8MwdtChUp4zu4H0VP3nDRF/8RKWH+IPp9uW0YGZg==", + "dev": true + }, + "node_modules/unicorn-magic": { + "version": "0.3.0", + "resolved": "https://registry.npmjs.org/unicorn-magic/-/unicorn-magic-0.3.0.tgz", + "integrity": "sha512-+QBBXBCvifc56fsbuxZQ6Sic3wqqc3WWaqxs58gvJrcOuN83HGTCwz3oS5phzU9LthRNE9VrJCFCLUgHeeFnfA==", "dev": true, "license": "MIT", "engines": { - "node": ">= 0.10" + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" } }, "node_modules/unique-stream": { @@ -3897,15 +3520,6 @@ "through2-filter": "^3.0.0" } }, - "node_modules/upath": { - "version": "1.2.0", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=4", - "yarn": "*" - } - }, "node_modules/util-deprecate": { "version": "1.0.2", "dev": true, @@ -3913,29 +3527,21 @@ }, "node_modules/uuid": { "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", "license": "MIT", "bin": { "uuid": "dist/bin/uuid" } }, "node_modules/v8flags": { - "version": "3.2.0", + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/v8flags/-/v8flags-4.0.1.tgz", + "integrity": "sha512-fcRLaS4H/hrZk9hYwbdRM35D0U8IYMfEClhXxCivOojl+yTRAZH3Zy2sSy6qVCiGbV9YAtPssP6jaChqC9vPCg==", "dev": true, "license": "MIT", - "dependencies": { - "homedir-polyfill": "^1.0.1" - }, "engines": { - "node": ">= 0.10" - } - }, - "node_modules/validate-npm-package-license": { - "version": "3.0.4", - "dev": true, - "license": "Apache-2.0", - "dependencies": { - "spdx-correct": "^3.0.0", - "spdx-expression-parse": "^3.0.0" + "node": ">= 10.13.0" } }, "node_modules/value-or-function": { @@ -3962,6 +3568,46 @@ "node": ">= 0.10" } }, + "node_modules/vinyl-contents": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/vinyl-contents/-/vinyl-contents-2.0.0.tgz", + "integrity": "sha512-cHq6NnGyi2pZ7xwdHSW1v4Jfnho4TEGtxZHw01cmnc8+i7jgR6bRnED/LbrKan/Q7CvVLbnvA5OepnhbpjBZ5Q==", + "dev": true, + "license": "MIT", + "dependencies": { + "bl": "^5.0.0", + "vinyl": "^3.0.0" + }, + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/vinyl-contents/node_modules/replace-ext": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-2.0.0.tgz", + "integrity": "sha512-UszKE5KVK6JvyD92nzMn9cDapSk6w/CaFZ96CnmDMUqH9oowfxF/ZjRITD25H4DnOQClLA4/j7jLGXXLVKxAug==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 10" + } + }, + "node_modules/vinyl-contents/node_modules/vinyl": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/vinyl/-/vinyl-3.0.1.tgz", + "integrity": "sha512-0QwqXteBNXgnLCdWdvPQBX6FXRHtIH3VhJPTd5Lwn28tJXc34YqSCWUmkOvtJHBmB3gGoPtrOKk3Ts8/kEZ9aA==", + "dev": true, + "license": "MIT", + "dependencies": { + "clone": "^2.1.2", + "remove-trailing-separator": "^1.1.0", + "replace-ext": "^2.0.0", + "teex": "^1.0.1" + }, + "engines": { + "node": ">=10.13.0" + } + }, "node_modules/vinyl-fs": { "version": "3.0.3", "dev": true, @@ -4028,6 +3674,8 @@ }, "node_modules/which": { "version": "1.3.1", + "resolved": "https://registry.npmjs.org/which/-/which-1.3.1.tgz", + "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==", "dev": true, "license": "ISC", "dependencies": { @@ -4037,11 +3685,6 @@ "which": "bin/which" } }, - "node_modules/which-module": { - "version": "1.0.0", - "dev": true, - "license": "ISC" - }, "node_modules/workerpool": { "version": "9.3.4", "resolved": "https://registry.npmjs.org/workerpool/-/workerpool-9.3.4.tgz", @@ -4049,15 +3692,21 @@ "dev": true }, "node_modules/wrap-ansi": { - "version": "2.1.0", + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", + "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", "dev": true, "license": "MIT", "dependencies": { - "string-width": "^1.0.1", - "strip-ansi": "^3.0.1" + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": "^6.0.0" }, "engines": { - "node": ">=0.10.0" + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" } }, "node_modules/wrap-ansi-cjs": { @@ -4078,50 +3727,6 @@ "url": "https://github.com/chalk/wrap-ansi?sponsor=1" } }, - "node_modules/wrap-ansi-cjs/node_modules/ansi-regex": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", - "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", - "dev": true, - "engines": { - "node": ">=8" - } - }, - "node_modules/wrap-ansi-cjs/node_modules/is-fullwidth-code-point": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", - "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", - "dev": true, - "engines": { - "node": ">=8" - } - }, - "node_modules/wrap-ansi-cjs/node_modules/string-width": { - "version": "4.2.3", - "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", - "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", - "dev": true, - "dependencies": { - "emoji-regex": "^8.0.0", - "is-fullwidth-code-point": "^3.0.0", - "strip-ansi": "^6.0.1" - }, - "engines": { - "node": ">=8" - } - }, - "node_modules/wrap-ansi-cjs/node_modules/strip-ansi": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", - "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", - "dev": true, - "dependencies": { - "ansi-regex": "^5.0.1" - }, - "engines": { - "node": ">=8" - } - }, "node_modules/wrappy": { "version": "1.0.2", "dev": true, @@ -4136,37 +3741,42 @@ } }, "node_modules/y18n": { - "version": "3.2.2", + "version": "5.0.8", + "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", + "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==", "dev": true, - "license": "ISC" + "license": "ISC", + "engines": { + "node": ">=10" + } }, "node_modules/yargs": { - "version": "7.1.2", + "version": "16.2.0", + "resolved": "https://registry.npmjs.org/yargs/-/yargs-16.2.0.tgz", + "integrity": "sha512-D1mvvtDG0L5ft/jGWkLpG1+m0eQxOfaBvTNELraWj22wSVUMWxZUvYgJYcKh6jGGIkJFhH4IZPQhR4TKpc8mBw==", "dev": true, "license": "MIT", "dependencies": { - "camelcase": "^3.0.0", - "cliui": "^3.2.0", - "decamelize": "^1.1.1", - "get-caller-file": "^1.0.1", - "os-locale": "^1.4.0", - "read-pkg-up": "^1.0.1", + "cliui": "^7.0.2", + "escalade": "^3.1.1", + "get-caller-file": "^2.0.5", "require-directory": "^2.1.1", - "require-main-filename": "^1.0.1", - "set-blocking": "^2.0.0", - "string-width": "^1.0.2", - "which-module": "^1.0.0", - "y18n": "^3.2.1", - "yargs-parser": "^5.0.1" + "string-width": "^4.2.0", + "y18n": "^5.0.5", + "yargs-parser": "^20.2.2" + }, + "engines": { + "node": ">=10" } }, "node_modules/yargs-parser": { - "version": "5.0.1", + "version": "20.2.9", + "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-20.2.9.tgz", + "integrity": "sha512-y11nGElTIV+CT3Zv9t7VKl+Q3hTQoT9a1Qzezhhl6Rp21gJ/IVTW7Z3y9EWXhuUBC2Shnf+DX0antecpAwSP8w==", "dev": true, "license": "ISC", - "dependencies": { - "camelcase": "^3.0.0", - "object.assign": "^4.1.0" + "engines": { + "node": ">=10" } }, "node_modules/yargs-unparser": { @@ -4219,26 +3829,50 @@ }, "dependencies": { "@actions/core": { - "version": "1.10.0", + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-2.0.3.tgz", + "integrity": "sha512-Od9Thc3T1mQJYddvVPM4QGiLUewdh+3txmDYHHxoNdkqysR1MbCT+rFOtNUxYAz+7+6RIsqipVahY2GJqGPyxA==", "requires": { - "@actions/http-client": "^2.0.1", - "uuid": "^8.3.2" + "@actions/exec": "^2.0.0", + "@actions/http-client": "^3.0.2" } }, "@actions/exec": { - "version": "1.1.1", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-2.0.0.tgz", + "integrity": "sha512-k8ngrX2voJ/RIN6r9xB82NVqKpnMRtxDoiO+g3olkIUpQNqjArXrCQceduQZCQj3P3xm32pChRLqRrtXTlqhIw==", "requires": { - "@actions/io": "^1.0.1" + "@actions/io": "^2.0.0" } }, "@actions/http-client": { - "version": "2.0.1", + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-3.0.2.tgz", + "integrity": "sha512-JP38FYYpyqvUsz+Igqlc/JG6YO9PaKuvqjM3iGvaLqFnJ7TFmcLyy2IDrY0bI0qCQug8E9K+elv5ZNfw62ZJzA==", "requires": { - "tunnel": "^0.0.6" + "tunnel": "^0.0.6", + "undici": ">=6.24.1" } }, "@actions/io": { - "version": "1.0.2" + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@actions/io/-/io-2.0.0.tgz", + "integrity": "sha512-Jv33IN09XLO+0HS79aaODsvIRyduiF7NY/F6LYeK5oeUmrsz7aFdRphQjFoESF4jS7lMauDOttKALcpapVDIAg==" + }, + "@gulpjs/messages": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@gulpjs/messages/-/messages-1.1.0.tgz", + "integrity": "sha512-Ys9sazDatyTgZVb4xPlDufLweJ/Os2uHWOv+Caxvy2O85JcnT4M3vc73bi8pdLWlv3fdWQz3pdI9tVwo8rQQSg==", + "dev": true + }, + "@gulpjs/to-absolute-glob": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/@gulpjs/to-absolute-glob/-/to-absolute-glob-4.0.0.tgz", + "integrity": "sha512-kjotm7XJrJ6v+7knhPaRgaT6q8F8K2jiafwYdNHLzmV0uGLuZY43FK6smNSHUPrhq5kX2slCUy+RGG/xGqmIKA==", + "dev": true, + "requires": { + "is-negated-glob": "^1.0.0" + } }, "@isaacs/cliui": { "version": "8.0.2", @@ -4314,10 +3948,45 @@ "@actions/exec": "1.1.1", "adm-zip": "0.5.10", "decompress-response": "^8.1.0" + }, + "dependencies": { + "@actions/core": { + "version": "1.10.0", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz", + "integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==", + "requires": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "@actions/exec": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", + "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", + "requires": { + "@actions/io": "^1.0.1" + } + }, + "@actions/http-client": { + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz", + "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==", + "requires": { + "tunnel": "^0.0.6", + "undici": ">=6.24.1" + } + }, + "@actions/io": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz", + "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==" + } } }, "@nodelib/fs.scandir": { "version": "2.1.5", + "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz", + "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==", "dev": true, "requires": { "@nodelib/fs.stat": "2.0.5", @@ -4326,10 +3995,14 @@ }, "@nodelib/fs.stat": { "version": "2.0.5", + "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz", + "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==", "dev": true }, "@nodelib/fs.walk": { "version": "1.2.8", + "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz", + "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==", "dev": true, "requires": { "@nodelib/fs.scandir": "2.1.5", @@ -4343,60 +4016,87 @@ "dev": true, "optional": true }, + "@sindresorhus/merge-streams": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/@sindresorhus/merge-streams/-/merge-streams-2.3.0.tgz", + "integrity": "sha512-LtoMMhxAlorcGhmFYI+LhPgbPZCkgP6ra1YL604EeF6U98pLlQ3iWIGMdWSC+vWmPBWBNgmDBAhnAobLROJmwg==", + "dev": true + }, "@sinonjs/commons": { - "version": "1.8.6", + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/@sinonjs/commons/-/commons-3.0.1.tgz", + "integrity": "sha512-K3mCHKQ9sVh8o1C9cxkwxaOmXoAMlDxC1mYyHrjqOWEcBjYr76t96zL2zlj5dUGZ3HSw240X1qgH3Mjf1yJWpQ==", "dev": true, "requires": { "type-detect": "4.0.8" } }, - "@sinonjs/formatio": { - "version": "2.0.0", + "@sinonjs/fake-timers": { + "version": "15.4.0", + "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-15.4.0.tgz", + "integrity": "sha512-DsG+8/LscQIQg68J6Ef3dv10u6nVyetYn923s3/sus5eaGfTo1of5WMZSLf0UJc9KDuKPilPH0UDJCjvNbDNCA==", "dev": true, "requires": { - "samsam": "1.3.0" + "@sinonjs/commons": "^3.0.1" } }, "@sinonjs/samsam": { - "version": "3.3.3", + "version": "10.0.2", + "resolved": "https://registry.npmjs.org/@sinonjs/samsam/-/samsam-10.0.2.tgz", + "integrity": "sha512-8lVwD1Df1BmzoaOLhMcGGcz/Jyr5QY2KSB75/YK1QgKzoabTeLdIVyhXNZK9ojfSKSdirbXqdbsXXqP9/Ve8+A==", "dev": true, "requires": { - "@sinonjs/commons": "^1.3.0", - "array-from": "^2.1.1", - "lodash": "^4.17.15" + "@sinonjs/commons": "^3.0.1", + "type-detect": "^4.1.0" + }, + "dependencies": { + "type-detect": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/type-detect/-/type-detect-4.1.0.tgz", + "integrity": "sha512-Acylog8/luQ8L7il+geoSxhEkazvkslg7PSNKOX59mbB9cOveP5aq9h74Y7YU8yDpJwetzQQrfIwtf4Wp4LKcw==", + "dev": true + } } }, - "@sinonjs/text-encoding": { - "version": "0.7.2", - "dev": true - }, "@types/mocha": { - "version": "2.2.48", + "version": "10.0.10", + "resolved": "https://registry.npmjs.org/@types/mocha/-/mocha-10.0.10.tgz", + "integrity": "sha512-xPyYSz1cMPnJQhl0CLMH68j3gprKZaTjG3s5Vi+fDgx+uhG9NOXwbVt52eFS8ECyXhyKcjDLCBEqBExKuiZb7Q==", "dev": true }, "@types/node": { - "version": "20.8.0", - "dev": true + "version": "25.6.0", + "resolved": "https://registry.npmjs.org/@types/node/-/node-25.6.0.tgz", + "integrity": "sha512-+qIYRKdNYJwY3vRCZMdJbPLJAtGjQBudzZzdzwQYkEPQd+PJGixUL5QfvCLDaULoLv+RhT3LDkwEfKaAkgSmNQ==", + "dev": true, + "requires": { + "undici-types": "~7.19.0" + } }, "@types/q": { - "version": "1.5.6", + "version": "1.5.8", + "resolved": "https://registry.npmjs.org/@types/q/-/q-1.5.8.tgz", + "integrity": "sha512-hroOstUScF6zhIi+5+x0dzqrHA1EJi+Irri6b1fxolMTqqHIV/Cg77EtnQcZqZCu8hR3mX2BzIxN4/GzI68Kfw==", "dev": true }, "@types/sinon": { - "version": "4.3.3", + "version": "21.0.1", + "resolved": "https://registry.npmjs.org/@types/sinon/-/sinon-21.0.1.tgz", + "integrity": "sha512-5yoJSqLbjH8T9V2bksgRayuhpZy+723/z6wBOR+Soe4ZlXC0eW8Na71TeaZPUWDQvM7LYKa9UGFc6LRqxiR5fQ==", + "dev": true, + "requires": { + "@types/sinonjs__fake-timers": "*" + } + }, + "@types/sinonjs__fake-timers": { + "version": "15.0.1", + "resolved": "https://registry.npmjs.org/@types/sinonjs__fake-timers/-/sinonjs__fake-timers-15.0.1.tgz", + "integrity": "sha512-Ko2tjWJq8oozHzHV+reuvS5KYIRAokHnGbDwGh/J64LntgpbuylF74ipEL24HCyRjf9FOlBiBHWBR1RlVKsI1w==", "dev": true }, "adm-zip": { "version": "0.5.10" }, - "aggregate-error": { - "version": "4.0.1", - "dev": true, - "requires": { - "clean-stack": "^4.0.0", - "indent-string": "^5.0.0" - } - }, "ansi-colors": { "version": "1.1.0", "dev": true, @@ -4404,15 +4104,10 @@ "ansi-wrap": "^0.1.0" } }, - "ansi-gray": { - "version": "0.1.1", - "dev": true, - "requires": { - "ansi-wrap": "0.1.0" - } - }, "ansi-regex": { - "version": "2.1.1", + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "dev": true }, "ansi-styles": { @@ -4427,20 +4122,13 @@ "dev": true }, "anymatch": { - "version": "2.0.0", + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", + "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==", "dev": true, "requires": { - "micromatch": ">=4.0.8", - "normalize-path": "^2.1.1" - }, - "dependencies": { - "normalize-path": { - "version": "2.1.1", - "dev": true, - "requires": { - "remove-trailing-separator": "^1.0.1" - } - } + "normalize-path": "^3.0.0", + "picomatch": ">=2.3.2" } }, "append-buffer": { @@ -4450,10 +4138,6 @@ "buffer-equal": "^1.0.0" } }, - "archy": { - "version": "1.0.0", - "dev": true - }, "argparse": { "version": "2.0.1", "dev": true @@ -4462,142 +4146,131 @@ "version": "4.0.0", "dev": true }, - "arr-filter": { - "version": "1.1.2", - "dev": true, - "requires": { - "make-iterator": "^1.0.0" - } - }, - "arr-flatten": { - "version": "1.1.0", - "dev": true - }, - "arr-map": { - "version": "2.0.2", - "dev": true, - "requires": { - "make-iterator": "^1.0.0" - } - }, "arr-union": { "version": "3.1.0", "dev": true }, "array-each": { "version": "1.0.1", + "resolved": "https://registry.npmjs.org/array-each/-/array-each-1.0.1.tgz", + "integrity": "sha512-zHjL5SZa68hkKHBFBK6DJCTtr9sfTCPCaph/L7tMSLcTFgy+zX7E+6q5UArbtOtMBCtxdICpfTCspRse+ywyXA==", "dev": true }, - "array-from": { - "version": "2.1.1", - "dev": true - }, - "array-initial": { - "version": "1.1.0", - "dev": true, - "requires": { - "array-slice": "^1.0.0", - "is-number": "^4.0.0" - }, - "dependencies": { - "is-number": { - "version": "4.0.0", - "dev": true - } - } - }, - "array-last": { - "version": "1.3.0", - "dev": true, - "requires": { - "is-number": "^4.0.0" - }, - "dependencies": { - "is-number": { - "version": "4.0.0", - "dev": true - } - } - }, - "array-slice": { - "version": "1.1.0", - "dev": true - }, - "array-sort": { - "version": "1.0.0", - "dev": true, - "requires": { - "default-compare": "^1.0.0", - "get-value": "^2.0.6", - "kind-of": "^5.0.2" - } + "array-slice": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/array-slice/-/array-slice-1.1.0.tgz", + "integrity": "sha512-B1qMD3RBP7O8o0H2KbrXDyB0IccejMF15+87Lvlor12ONPRHP6gTjXMNkt/d3ZuOGbAe66hFmaCfECI24Ufp6w==", + "dev": true }, "assign-symbols": { "version": "1.0.0", "dev": true }, "async-done": { - "version": "1.3.2", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/async-done/-/async-done-2.0.0.tgz", + "integrity": "sha512-j0s3bzYq9yKIVLKGE/tWlCpa3PfFLcrDZLTSVdnnCTGagXuXBJO4SsY9Xdk/fQBirCkH4evW5xOeJXqlAQFdsw==", "dev": true, "requires": { - "end-of-stream": "^1.1.0", - "once": "^1.3.2", - "process-nextick-args": "^2.0.0", - "stream-exhaust": "^1.0.1" + "end-of-stream": "^1.4.4", + "once": "^1.4.0", + "stream-exhaust": "^1.0.2" } }, - "async-each": { - "version": "1.0.6", - "dev": true - }, "async-settle": { - "version": "1.0.0", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/async-settle/-/async-settle-2.0.0.tgz", + "integrity": "sha512-Obu/KE8FurfQRN6ODdHN9LuXqwC+JFIM9NRyZqJJ4ZfLJmIYN9Rg0/kb+wF70VV5+fJusTMQlJ1t5rF7J/ETdg==", "dev": true, "requires": { - "async-done": "^1.2.2" + "async-done": "^2.0.0" } }, + "b4a": { + "version": "1.8.0", + "resolved": "https://registry.npmjs.org/b4a/-/b4a-1.8.0.tgz", + "integrity": "sha512-qRuSmNSkGQaHwNbM7J78Wwy+ghLEYF1zNrSeMxj4Kgw6y33O3mXcQ6Ie9fRvfU/YnxWkOchPXbaLb73TkIsfdg==", + "dev": true, + "requires": {} + }, "bach": { - "version": "1.2.0", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/bach/-/bach-2.0.1.tgz", + "integrity": "sha512-A7bvGMGiTOxGMpNupYl9HQTf0FFDNF4VCmks4PJpFyN1AX2pdKuxuwdvUz2Hu388wcgp+OvGFNsumBfFNkR7eg==", "dev": true, "requires": { - "arr-filter": "^1.1.1", - "arr-flatten": "^1.0.1", - "arr-map": "^2.0.0", - "array-each": "^1.0.0", - "array-initial": "^1.0.0", - "array-last": "^1.1.1", - "async-done": "^1.2.2", - "async-settle": "^1.0.0", - "now-and-later": "^2.0.0" + "async-done": "^2.0.0", + "async-settle": "^2.0.0", + "now-and-later": "^3.0.0" + }, + "dependencies": { + "now-and-later": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/now-and-later/-/now-and-later-3.0.0.tgz", + "integrity": "sha512-pGO4pzSdaxhWTGkfSfHx3hVzJVslFPwBp2Myq9MYN/ChfJZF87ochMAXnvz6/58RJSf5ik2q9tXprBBrk2cpcg==", + "dev": true, + "requires": { + "once": "^1.4.0" + } + } } }, "balanced-match": { - "version": "1.0.2", + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz", + "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==", + "dev": true + }, + "bare-events": { + "version": "2.8.2", + "resolved": "https://registry.npmjs.org/bare-events/-/bare-events-2.8.2.tgz", + "integrity": "sha512-riJjyv1/mHLIPX4RwiK+oW9/4c3TEUeORHKefKAKnZ5kyslbN+HXowtbaVEqt4IMUB7OXlfixcs6gsFeo/jhiQ==", + "dev": true, + "requires": {} + }, + "base64-js": { + "version": "1.5.1", + "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz", + "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==", "dev": true }, "binary-extensions": { - "version": "1.13.1", + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz", + "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==", "dev": true }, - "bindings": { - "version": "1.5.0", - "resolved": "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz", - "integrity": "sha512-p2q/t/mhvuOj/UeLlV6566GD/guowlr0hHxClI0W9m7MWYkL1F0hLo+0Aexs9HSPCtR1SXQ0TD3MMKrXZajbiQ==", + "bl": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/bl/-/bl-5.1.0.tgz", + "integrity": "sha512-tv1ZJHLfTDnXE6tMHv73YgSJaWR2AFuPwMntBe7XL/GBFHnT0CLnsHMogfk5+GzCDC5ZWarSCYaIGATZt9dNsQ==", "dev": true, - "optional": true, "requires": { - "file-uri-to-path": "1.0.0" + "buffer": "^6.0.3", + "inherits": "^2.0.4", + "readable-stream": "^3.4.0" + }, + "dependencies": { + "readable-stream": { + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz", + "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==", + "dev": true, + "requires": { + "inherits": "^2.0.3", + "string_decoder": "^1.1.1", + "util-deprecate": "^1.0.1" + } + } } }, "brace-expansion": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", - "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", + "version": "5.0.5", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz", + "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==", "dev": true, "requires": { - "balanced-match": "^1.0.0", - "concat-map": "0.0.1" + "balanced-match": "^4.0.2" } }, "braces": { @@ -4613,14 +4286,20 @@ "version": "1.3.1", "dev": true }, + "buffer": { + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/buffer/-/buffer-6.0.3.tgz", + "integrity": "sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA==", + "dev": true, + "requires": { + "base64-js": "^1.3.1", + "ieee754": "^1.2.1" + } + }, "buffer-equal": { "version": "1.0.1", "dev": true }, - "buffer-from": { - "version": "1.1.2", - "dev": true - }, "call-bind": { "version": "1.0.2", "dev": true, @@ -4629,61 +4308,41 @@ "get-intrinsic": "^1.0.2" } }, - "camelcase": { - "version": "3.0.0", - "dev": true - }, - "chokidar": { - "version": "2.1.8", + "chalk": { + "version": "4.1.2", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz", + "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==", "dev": true, "requires": { - "anymatch": "^2.0.0", - "async-each": "^1.0.1", - "braces": ">=3.0.3", - "fsevents": "^1.2.7", - "glob-parent": "^3.1.0", - "inherits": "^2.0.3", - "is-binary-path": "^1.0.0", - "is-glob": "^4.0.0", - "normalize-path": "^3.0.0", - "path-is-absolute": "^1.0.0", - "readdirp": "^2.2.1", - "upath": "^1.1.1" - }, - "dependencies": { - "glob-parent": { - "version": "3.1.0", - "dev": true, - "requires": { - "is-glob": "^3.1.0", - "path-dirname": "^1.0.0" - }, - "dependencies": { - "is-glob": { - "version": "3.1.0", - "dev": true, - "requires": { - "is-extglob": "^2.1.0" - } - } - } - } + "ansi-styles": "^4.1.0", + "supports-color": "^7.1.0" } }, - "clean-stack": { - "version": "4.2.0", + "chokidar": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz", + "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==", "dev": true, "requires": { - "escape-string-regexp": "5.0.0" + "anymatch": "~3.1.2", + "braces": ">=3.0.3", + "fsevents": "~2.3.2", + "glob-parent": "~5.1.2", + "is-binary-path": "~2.1.0", + "is-glob": "~4.0.1", + "normalize-path": "~3.0.0", + "readdirp": "~3.6.0" } }, "cliui": { - "version": "3.2.0", + "version": "7.0.4", + "resolved": "https://registry.npmjs.org/cliui/-/cliui-7.0.4.tgz", + "integrity": "sha512-OcRE68cOsVMXp1Yvonl/fzkQOyjLSu/8bhPDfQt0e0/Eb283TKP20Fs2MqoPsr9SwA595rRCA+QMzYc9nBP+JQ==", "dev": true, "requires": { - "string-width": "^1.0.1", - "strip-ansi": "^3.0.1", - "wrap-ansi": "^2.0.0" + "string-width": "^4.2.0", + "strip-ansi": "^6.0.0", + "wrap-ansi": "^7.0.0" } }, "clone": { @@ -4707,19 +4366,6 @@ "readable-stream": "^2.3.5" } }, - "code-point-at": { - "version": "1.1.0", - "dev": true - }, - "collection-map": { - "version": "1.0.0", - "dev": true, - "requires": { - "arr-map": "^2.0.2", - "for-own": "^1.0.0", - "make-iterator": "^1.0.0" - } - }, "color-convert": { "version": "2.0.1", "dev": true, @@ -4731,33 +4377,17 @@ "version": "1.1.4", "dev": true }, - "color-support": { - "version": "1.1.3", - "dev": true - }, - "concat-map": { - "version": "0.0.1", - "dev": true - }, - "concat-stream": { - "version": "1.6.2", - "dev": true, - "requires": { - "buffer-from": "^1.0.0", - "inherits": "^2.0.3", - "readable-stream": "^2.2.2", - "typedarray": "^0.0.6" - } - }, "convert-source-map": { "version": "1.9.0", "dev": true }, "copy-props": { - "version": "2.0.5", + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/copy-props/-/copy-props-4.0.0.tgz", + "integrity": "sha512-bVWtw1wQLzzKiYROtvNlbJgxgBYt2bMJpkCbKmXM3xyijvcjjWXEk5nyrrT3bgJ7ODb19ZohE2T0Y3FgNPyoTw==", "dev": true, "requires": { - "each-props": "^1.3.2", + "each-props": "^3.0.0", "is-plain-object": "^5.0.0" } }, @@ -4787,35 +4417,12 @@ } } }, - "d": { - "version": "1.0.1", - "dev": true, - "requires": { - "es5-ext": "^0.10.50", - "type": "^1.0.1" - } - }, - "decamelize": { - "version": "1.2.0", - "dev": true - }, "decompress-response": { "version": "8.1.0", "requires": { "mimic-response": "^4.0.0" } }, - "default-compare": { - "version": "1.0.0", - "dev": true, - "requires": { - "kind-of": "^5.0.2" - } - }, - "default-resolution": { - "version": "2.0.0", - "dev": true - }, "define-data-property": { "version": "1.1.0", "dev": true, @@ -4835,36 +4442,32 @@ } }, "del": { - "version": "7.1.0", + "version": "8.0.1", + "resolved": "https://registry.npmjs.org/del/-/del-8.0.1.tgz", + "integrity": "sha512-gPqh0mKTPvaUZGAuHbrBUYKZWBNAeHG7TU3QH5EhVwPMyKvmfJaNXhcD2jTcXsJRRcffuho4vaYweu80dRrMGA==", "dev": true, "requires": { - "globby": "^13.1.2", - "graceful-fs": "^4.2.10", + "globby": "^14.0.2", "is-glob": "^4.0.3", "is-path-cwd": "^3.0.0", "is-path-inside": "^4.0.0", - "p-map": "^5.5.0", - "rimraf": "^3.0.2", - "slash": "^4.0.0" + "p-map": "^7.0.2", + "presentable-error": "^0.0.1", + "slash": "^5.1.0" } }, "detect-file": { "version": "1.0.0", + "resolved": "https://registry.npmjs.org/detect-file/-/detect-file-1.0.0.tgz", + "integrity": "sha512-DtCOLG98P007x7wiiOmfI0fi3eIKyWiLTGJ2MDnVi/E04lWGbf+JzrRHMm0rgIIZJGtHpKpbVgLWHrv8xXpc3Q==", "dev": true }, "diff": { - "version": "3.5.1", - "resolved": "https://registry.npmjs.org/diff/-/diff-3.5.1.tgz", - "integrity": "sha512-Z3u54A8qGyqFOSr2pk0ijYs8mOE9Qz8kTvtKeBI+upoG9j04Sq+oI7W8zAJiQybDcESET8/uIdHzs0p3k4fZlw==", + "version": "9.0.0", + "resolved": "https://registry.npmjs.org/diff/-/diff-9.0.0.tgz", + "integrity": "sha512-svtcdpS8CgJyqAjEQIXdb3OjhFVVYjzGAPO8WGCmRbrml64SPw/jJD4GoE98aR7r25A0XcgrK3F02yw9R/vhQw==", "dev": true }, - "dir-glob": { - "version": "3.0.1", - "dev": true, - "requires": { - "path-type": "^4.0.0" - } - }, "duplexify": { "version": "3.7.1", "dev": true, @@ -4876,20 +4479,13 @@ } }, "each-props": { - "version": "1.3.2", + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/each-props/-/each-props-3.0.0.tgz", + "integrity": "sha512-IYf1hpuWrdzse/s/YJOrFmU15lyhSzxelNVAHTEG3DtP4QsLTWZUzcUL3HMXmKQxXpa4EIrBPpwRgj0aehdvAw==", "dev": true, "requires": { - "is-plain-object": "^2.0.1", + "is-plain-object": "^5.0.0", "object.defaults": "^1.1.0" - }, - "dependencies": { - "is-plain-object": { - "version": "2.0.4", - "dev": true, - "requires": { - "isobject": "^3.0.1" - } - } } }, "eastasianwidth": { @@ -4911,128 +4507,44 @@ "once": "^1.4.0" } }, - "error-ex": { - "version": "1.3.2", - "dev": true, - "requires": { - "is-arrayish": "^0.2.1" - } - }, - "es5-ext": { - "version": "0.10.64", - "resolved": "https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.64.tgz", - "integrity": "sha512-p2snDhiLaXe6dahss1LddxqEm+SkuDvV8dnIQG0MWjyHpcMNfXKPE+/Cc0y+PhxJX3A4xGNeFCj5oc0BUh6deg==", - "dev": true, - "requires": { - "es6-iterator": "^2.0.3", - "es6-symbol": "^3.1.3", - "esniff": "^2.0.1", - "next-tick": "^1.1.0" - } - }, - "es6-iterator": { - "version": "2.0.3", - "dev": true, - "requires": { - "d": "1", - "es5-ext": "^0.10.35", - "es6-symbol": "^3.1.1" - } - }, - "es6-symbol": { - "version": "3.1.3", - "dev": true, - "requires": { - "d": "^1.0.1", - "ext": "^1.1.2" - } - }, - "es6-weak-map": { - "version": "2.0.3", - "dev": true, - "requires": { - "d": "1", - "es5-ext": "^0.10.46", - "es6-iterator": "^2.0.3", - "es6-symbol": "^3.1.1" - } - }, "escalade": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz", "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==", "dev": true }, - "escape-string-regexp": { - "version": "5.0.0", - "dev": true - }, - "esniff": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/esniff/-/esniff-2.0.1.tgz", - "integrity": "sha512-kTUIGKQ/mDPFoJ0oVfcmyJn4iBDRptjNVIzwIFR7tqWXdVI9xfA2RMwY/gbSpJG3lkdWNEjLap/NqVHZiJsdfg==", - "dev": true, - "requires": { - "d": "^1.0.1", - "es5-ext": "^0.10.62", - "event-emitter": "^0.3.5", - "type": "^2.7.2" - }, - "dependencies": { - "type": { - "version": "2.7.3", - "resolved": "https://registry.npmjs.org/type/-/type-2.7.3.tgz", - "integrity": "sha512-8j+1QmAbPvLZow5Qpi6NCaN8FB60p/6x8/vfNqOk/hC+HuvFZhL4+WfekuhQLiqFZXOgQdrs3B+XxEmCc6b3FQ==", - "dev": true - } - } - }, - "event-emitter": { - "version": "0.3.5", - "resolved": "https://registry.npmjs.org/event-emitter/-/event-emitter-0.3.5.tgz", - "integrity": "sha512-D9rRn9y7kLPnJ+hMq7S/nhvoKwwvVJahBi2BPmx3bvbsEdK3W9ii8cBSGjP+72/LnM4n6fo3+dkCX5FeTQruXA==", + "events-universal": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/events-universal/-/events-universal-1.0.1.tgz", + "integrity": "sha512-LUd5euvbMLpwOF8m6ivPCbhQeSiYVNb8Vs0fQ8QjXo0JTkEHpz8pxdQf0gStltaPpw0Cca8b39KxvK9cfKRiAw==", "dev": true, "requires": { - "d": "1", - "es5-ext": "~0.10.14" + "bare-events": "^2.7.0" } }, "expand-tilde": { "version": "2.0.2", + "resolved": "https://registry.npmjs.org/expand-tilde/-/expand-tilde-2.0.2.tgz", + "integrity": "sha512-A5EmesHW6rfnZ9ysHQjPdJRni0SRar0tjtG5MNtm9n5TUvsYU8oozprtRD4AqHxcZWWlVuAmQo2nWKfN9oyjTw==", "dev": true, "requires": { "homedir-polyfill": "^1.0.1" } }, - "ext": { - "version": "1.7.0", - "dev": true, - "requires": { - "type": "^2.7.2" - }, - "dependencies": { - "type": { - "version": "2.7.2", - "dev": true - } - } - }, "extend": { "version": "3.0.2", "dev": true }, - "fancy-log": { - "version": "1.3.3", - "dev": true, - "requires": { - "ansi-gray": "^0.1.1", - "color-support": "^1.1.3", - "parse-node-version": "^1.0.0", - "time-stamp": "^1.0.0" - } + "fast-fifo": { + "version": "1.3.2", + "resolved": "https://registry.npmjs.org/fast-fifo/-/fast-fifo-1.3.2.tgz", + "integrity": "sha512-/d9sfos4yxzpwkDkuN7k2SqFKtYNmCTzgfEpz82x34IM9/zc8KGxQoXg1liNC/izpRM/MBdt44Nmx41ZWqk+FQ==", + "dev": true }, "fast-glob": { - "version": "3.3.1", + "version": "3.3.3", + "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.3.tgz", + "integrity": "sha512-7MptL8U0cqcFdzIzwOTHoilX9x5BrNqye7Z/LuC7kCMRio1EMSyqRK3BEAUD7sXRq4iT4AzTVuZdhgQ2TCvYLg==", "dev": true, "requires": { "@nodelib/fs.stat": "^2.0.2", @@ -5043,23 +4555,29 @@ } }, "fast-levenshtein": { - "version": "1.1.4", + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/fast-levenshtein/-/fast-levenshtein-3.0.0.tgz", + "integrity": "sha512-hKKNajm46uNmTlhHSyZkmToAc56uZJwYq7yrciZjqOxnlfQwERDQJmHPUp7m1m9wx8vgOe8IaCKZ5Kv2k1DdCQ==", + "dev": true, + "requires": { + "fastest-levenshtein": "^1.0.7" + } + }, + "fastest-levenshtein": { + "version": "1.0.16", + "resolved": "https://registry.npmjs.org/fastest-levenshtein/-/fastest-levenshtein-1.0.16.tgz", + "integrity": "sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==", "dev": true }, "fastq": { - "version": "1.15.0", + "version": "1.20.1", + "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.20.1.tgz", + "integrity": "sha512-GGToxJ/w1x32s/D2EKND7kTil4n8OVk/9mycTc4VDza13lOvpUZTGX3mFSCtV9ksdGBVzvsyAVLM6mHFThxXxw==", "dev": true, "requires": { "reusify": "^1.0.4" } }, - "file-uri-to-path": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz", - "integrity": "sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw==", - "dev": true, - "optional": true - }, "fill-range": { "version": "7.1.1", "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", @@ -5069,46 +4587,35 @@ "to-regex-range": "^5.0.1" } }, - "find-up": { - "version": "1.1.2", - "dev": true, - "requires": { - "path-exists": "^2.0.0", - "pinkie-promise": "^2.0.0" - } - }, "findup-sync": { - "version": "3.0.0", + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/findup-sync/-/findup-sync-5.0.0.tgz", + "integrity": "sha512-MzwXju70AuyflbgeOhzvQWAvvQdo1XL0A9bVvlXsYcFEBM87WR4OakL4OfZq+QRmr+duJubio+UtNQCPsVESzQ==", "dev": true, "requires": { "detect-file": "^1.0.0", - "is-glob": "^4.0.0", + "is-glob": "^4.0.3", "micromatch": ">=4.0.8", "resolve-dir": "^1.0.1" } }, "fined": { - "version": "1.2.0", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/fined/-/fined-2.0.0.tgz", + "integrity": "sha512-OFRzsL6ZMHz5s0JrsEr+TpdGNCtrVtnuG3x1yzGNiQHT0yaDnXAj8V/lWcpJVrnoDpcwXcASxAZYbuXda2Y82A==", "dev": true, "requires": { "expand-tilde": "^2.0.2", - "is-plain-object": "^2.0.3", + "is-plain-object": "^5.0.0", "object.defaults": "^1.1.0", - "object.pick": "^1.2.0", - "parse-filepath": "^1.0.1" - }, - "dependencies": { - "is-plain-object": { - "version": "2.0.4", - "dev": true, - "requires": { - "isobject": "^3.0.1" - } - } + "object.pick": "^1.3.0", + "parse-filepath": "^1.0.2" } }, "flagged-respawn": { - "version": "1.0.1", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/flagged-respawn/-/flagged-respawn-2.0.0.tgz", + "integrity": "sha512-Gq/a6YCi8zexmGHMuJwahTGzXlAZAOsbCVKduWXC6TlLCjjFRlExMJc4GC2NYPYZ0r/brw9P7CpRgQmlPVeOoA==", "dev": true }, "flat": { @@ -5125,10 +4632,14 @@ }, "for-in": { "version": "1.0.2", + "resolved": "https://registry.npmjs.org/for-in/-/for-in-1.0.2.tgz", + "integrity": "sha512-7EwmXrOjyL+ChxMhmG5lnW9MPt1aIeZEwKhQzoBUdTV0N3zuwWDZYVJatDvZ2OyzPUvdIAZDsCetk3coyMfcnQ==", "dev": true }, "for-own": { "version": "1.0.0", + "resolved": "https://registry.npmjs.org/for-own/-/for-own-1.0.0.tgz", + "integrity": "sha512-0OABksIGrxKK8K4kynWkQ7y1zounQxP+CWnyclVwj81KW3vlLlGUx57DKGcP/LH216GzqnstnPocF16Nxs0Ycg==", "dev": true, "requires": { "for-in": "^1.0.1" @@ -5167,22 +4678,22 @@ "dev": true }, "fsevents": { - "version": "1.2.13", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-1.2.13.tgz", - "integrity": "sha512-oWb1Z6mkHIskLzEJ/XWX0srkpkTQ7vaopMQkyaEIoq0fmtFVxOthb8cCxeT+p3ynTdkk/RZwbgG4brR5BeWECw==", + "version": "2.3.3", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", + "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==", "dev": true, - "optional": true, - "requires": { - "bindings": "^1.5.0", - "nan": "^2.12.1" - } + "optional": true }, "function-bind": { - "version": "1.1.1", + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", + "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", "dev": true }, "get-caller-file": { - "version": "1.0.3", + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz", + "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==", "dev": true }, "get-intrinsic": { @@ -5195,10 +4706,6 @@ "has-symbols": "^1.0.3" } }, - "get-value": { - "version": "2.0.6", - "dev": true - }, "glob": { "version": "7.2.3", "dev": true, @@ -5206,13 +4713,15 @@ "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", - "minimatch": "^3.1.1", + "minimatch": ">=3.1.3", "once": "^1.3.0", "path-is-absolute": "^1.0.0" } }, "glob-parent": { "version": "5.1.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", + "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", "dev": true, "requires": { "is-glob": "^4.0.1" @@ -5252,20 +4761,19 @@ } }, "glob-watcher": { - "version": "5.0.5", + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/glob-watcher/-/glob-watcher-6.0.0.tgz", + "integrity": "sha512-wGM28Ehmcnk2NqRORXFOTOR064L4imSw3EeOqU5bIwUf62eXGwg89WivH6VMahL8zlQHeodzvHpXplrqzrz3Nw==", "dev": true, "requires": { - "anymatch": "^2.0.0", - "async-done": "^1.2.0", - "chokidar": "^2.0.0", - "is-negated-glob": "^1.0.0", - "just-debounce": "^1.0.0", - "normalize-path": "^3.0.0", - "object.defaults": "^1.1.0" + "async-done": "^2.0.0", + "chokidar": "^3.5.3" } }, "global-modules": { "version": "1.0.0", + "resolved": "https://registry.npmjs.org/global-modules/-/global-modules-1.0.0.tgz", + "integrity": "sha512-sKzpEkf11GpOFuw0Zzjzmt4B4UZwjOcG757PPvrfhxcLFbq0wpsgpOqxpxtxFiCG4DtG93M6XRVbF2oGdev7bg==", "dev": true, "requires": { "global-prefix": "^1.0.1", @@ -5275,6 +4783,8 @@ }, "global-prefix": { "version": "1.0.2", + "resolved": "https://registry.npmjs.org/global-prefix/-/global-prefix-1.0.2.tgz", + "integrity": "sha512-5lsx1NUDHtSjfg0eHlmYvZKv8/nVqX4ckFbM+FrGcQ+04KWcWFo9P5MxPZYSzUvyzmdTbI7Eix8Q4IbELDqzKg==", "dev": true, "requires": { "expand-tilde": "^2.0.2", @@ -5285,21 +4795,26 @@ } }, "globby": { - "version": "13.2.2", + "version": "14.1.0", + "resolved": "https://registry.npmjs.org/globby/-/globby-14.1.0.tgz", + "integrity": "sha512-0Ia46fDOaT7k4og1PDW4YbodWWr3scS2vAr2lTbsplOt2WkKp0vQbkI9wKis/T5LV/dqPjO3bpS/z6GTJB82LA==", "dev": true, "requires": { - "dir-glob": "^3.0.1", - "fast-glob": "^3.3.0", - "ignore": "^5.2.4", - "merge2": "^1.4.1", - "slash": "^4.0.0" + "@sindresorhus/merge-streams": "^2.1.0", + "fast-glob": "^3.3.3", + "ignore": "^7.0.3", + "path-type": "^6.0.0", + "slash": "^5.1.0", + "unicorn-magic": "^0.3.0" } }, "glogg": { - "version": "1.0.2", + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/glogg/-/glogg-2.2.0.tgz", + "integrity": "sha512-eWv1ds/zAlz+M1ioHsyKJomfY7jbDDPpwSkv14KQj89bycx1nvK5/2Cj/T9g7kzJcX5Bc7Yv22FjfBZS/jl94A==", "dev": true, "requires": { - "sparkles": "^1.0.0" + "sparkles": "^2.1.0" } }, "gopd": { @@ -5314,39 +4829,171 @@ "dev": true }, "gulp": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/gulp/-/gulp-4.0.2.tgz", - "integrity": "sha512-dvEs27SCZt2ibF29xYgmnwwCYZxdxhQ/+LFWlbAW8y7jt68L/65402Lz3+CKy0Ov4rOs+NERmDq7YlZaDqUIfA==", + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/gulp/-/gulp-5.0.1.tgz", + "integrity": "sha512-PErok3DZSA5WGMd6XXV3IRNO0mlB+wW3OzhFJLEec1jSERg2j1bxJ6e5Fh6N6fn3FH2T9AP4UYNb/pYlADB9sA==", "dev": true, "requires": { - "glob-watcher": "^5.0.3", - "gulp-cli": "^2.2.0", - "undertaker": "^1.2.1", - "vinyl-fs": "^3.0.0" + "glob-watcher": "^6.0.0", + "gulp-cli": "^3.1.0", + "undertaker": "^2.0.0", + "vinyl-fs": "^4.0.2" + }, + "dependencies": { + "convert-source-map": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz", + "integrity": "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==", + "dev": true + }, + "fs-mkdirp-stream": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/fs-mkdirp-stream/-/fs-mkdirp-stream-2.0.1.tgz", + "integrity": "sha512-UTOY+59K6IA94tec8Wjqm0FSh5OVudGNB0NL/P6fB3HiE3bYOY3VYBGijsnOHNkQSwC1FKkU77pmq7xp9CskLw==", + "dev": true, + "requires": { + "graceful-fs": "^4.2.8", + "streamx": "^2.12.0" + } + }, + "glob-parent": { + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-6.0.2.tgz", + "integrity": "sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==", + "dev": true, + "requires": { + "is-glob": "^4.0.3" + } + }, + "glob-stream": { + "version": "8.0.3", + "resolved": "https://registry.npmjs.org/glob-stream/-/glob-stream-8.0.3.tgz", + "integrity": "sha512-fqZVj22LtFJkHODT+M4N1RJQ3TjnnQhfE9GwZI8qXscYarnhpip70poMldRnP8ipQ/w0B621kOhfc53/J9bd/A==", + "dev": true, + "requires": { + "@gulpjs/to-absolute-glob": "^4.0.0", + "anymatch": "^3.1.3", + "fastq": "^1.13.0", + "glob-parent": "^6.0.2", + "is-glob": "^4.0.3", + "is-negated-glob": "^1.0.0", + "normalize-path": "^3.0.0", + "streamx": "^2.12.5" + } + }, + "lead": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/lead/-/lead-4.0.0.tgz", + "integrity": "sha512-DpMa59o5uGUWWjruMp71e6knmwKU3jRBBn1kjuLWN9EeIOxNeSAwvHf03WIl8g/ZMR2oSQC9ej3yeLBwdDc/pg==", + "dev": true + }, + "now-and-later": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/now-and-later/-/now-and-later-3.0.0.tgz", + "integrity": "sha512-pGO4pzSdaxhWTGkfSfHx3hVzJVslFPwBp2Myq9MYN/ChfJZF87ochMAXnvz6/58RJSf5ik2q9tXprBBrk2cpcg==", + "dev": true, + "requires": { + "once": "^1.4.0" + } + }, + "replace-ext": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-2.0.0.tgz", + "integrity": "sha512-UszKE5KVK6JvyD92nzMn9cDapSk6w/CaFZ96CnmDMUqH9oowfxF/ZjRITD25H4DnOQClLA4/j7jLGXXLVKxAug==", + "dev": true + }, + "resolve-options": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/resolve-options/-/resolve-options-2.0.0.tgz", + "integrity": "sha512-/FopbmmFOQCfsCx77BRFdKOniglTiHumLgwvd6IDPihy1GKkadZbgQJBcTb2lMzSR1pndzd96b1nZrreZ7+9/A==", + "dev": true, + "requires": { + "value-or-function": "^4.0.0" + } + }, + "to-through": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/to-through/-/to-through-3.0.0.tgz", + "integrity": "sha512-y8MN937s/HVhEoBU1SxfHC+wxCHkV1a9gW8eAdTadYh/bGyesZIVcbjI+mSpFbSVwQici/XjBjuUyri1dnXwBw==", + "dev": true, + "requires": { + "streamx": "^2.12.5" + } + }, + "value-or-function": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/value-or-function/-/value-or-function-4.0.0.tgz", + "integrity": "sha512-aeVK81SIuT6aMJfNo9Vte8Dw0/FZINGBV8BfCraGtqVxIeLAEhJyoWs8SmvRVmXfGss2PmmOwZCuBPbZR+IYWg==", + "dev": true + }, + "vinyl": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/vinyl/-/vinyl-3.0.1.tgz", + "integrity": "sha512-0QwqXteBNXgnLCdWdvPQBX6FXRHtIH3VhJPTd5Lwn28tJXc34YqSCWUmkOvtJHBmB3gGoPtrOKk3Ts8/kEZ9aA==", + "dev": true, + "requires": { + "clone": "^2.1.2", + "remove-trailing-separator": "^1.1.0", + "replace-ext": "^2.0.0", + "teex": "^1.0.1" + } + }, + "vinyl-fs": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/vinyl-fs/-/vinyl-fs-4.0.2.tgz", + "integrity": "sha512-XRFwBLLTl8lRAOYiBqxY279wY46tVxLaRhSwo3GzKEuLz1giffsOquWWboD/haGf5lx+JyTigCFfe7DWHoARIA==", + "dev": true, + "requires": { + "fs-mkdirp-stream": "^2.0.1", + "glob-stream": "^8.0.3", + "graceful-fs": "^4.2.11", + "iconv-lite": "^0.6.3", + "is-valid-glob": "^1.0.0", + "lead": "^4.0.0", + "normalize-path": "3.0.0", + "resolve-options": "^2.0.0", + "stream-composer": "^1.0.2", + "streamx": "^2.14.0", + "to-through": "^3.0.0", + "value-or-function": "^4.0.0", + "vinyl": "^3.0.1", + "vinyl-sourcemap": "^2.0.0" + } + }, + "vinyl-sourcemap": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/vinyl-sourcemap/-/vinyl-sourcemap-2.0.0.tgz", + "integrity": "sha512-BAEvWxbBUXvlNoFQVFVHpybBbjW1r03WhohJzJDSfgrrK5xVYIDTan6xN14DlyImShgDRv2gl9qhM6irVMsV0Q==", + "dev": true, + "requires": { + "convert-source-map": "^2.0.0", + "graceful-fs": "^4.2.10", + "now-and-later": "^3.0.0", + "streamx": "^2.12.5", + "vinyl": "^3.0.0", + "vinyl-contents": "^2.0.0" + } + } } }, "gulp-cli": { - "version": "2.3.0", - "dev": true, - "requires": { - "ansi-colors": "^1.0.1", - "archy": "^1.0.0", - "array-sort": "^1.0.0", - "color-support": "^1.1.3", - "concat-stream": "^1.6.0", - "copy-props": "^2.0.1", - "fancy-log": "^1.3.2", - "gulplog": "^1.0.0", - "interpret": "^1.4.0", - "isobject": "^3.0.1", - "liftoff": "^3.1.0", - "matchdep": "^2.0.0", - "mute-stdout": "^1.0.0", - "pretty-hrtime": "^1.0.0", - "replace-homedir": "^1.0.0", - "semver-greatest-satisfied-range": "^1.1.0", - "v8flags": "^3.2.0", - "yargs": "^7.1.0" + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/gulp-cli/-/gulp-cli-3.1.0.tgz", + "integrity": "sha512-zZzwlmEsTfXcxRKiCHsdyjZZnFvXWM4v1NqBJSYbuApkvVKivjcmOS2qruAJ+PkEHLFavcDKH40DPc1+t12a9Q==", + "dev": true, + "requires": { + "@gulpjs/messages": "^1.1.0", + "chalk": "^4.1.2", + "copy-props": "^4.0.0", + "gulplog": "^2.2.0", + "interpret": "^3.1.1", + "liftoff": "^5.0.1", + "mute-stdout": "^2.0.0", + "replace-homedir": "^2.0.0", + "semver-greatest-satisfied-range": "^2.0.0", + "string-width": "^4.2.3", + "v8flags": "^4.0.0", + "yargs": "^16.2.0" } }, "gulp-typescript": { @@ -5368,10 +5015,12 @@ } }, "gulplog": { - "version": "1.0.0", + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/gulplog/-/gulplog-2.2.0.tgz", + "integrity": "sha512-V2FaKiOhpR3DRXZuYdRLn/qiY0yI5XmqbTKrYbdemJ+xOh2d2MOweI/XFgMzd/9+1twdvMwllnZbWZNJ+BOm4A==", "dev": true, "requires": { - "glogg": "^1.0.0" + "glogg": "^2.2.0" } }, "has": { @@ -5400,27 +5049,47 @@ "version": "1.0.3", "dev": true }, + "hasown": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", + "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "dev": true, + "requires": { + "function-bind": "^1.1.2" + } + }, "he": { "version": "1.2.0", "dev": true }, "homedir-polyfill": { "version": "1.0.3", + "resolved": "https://registry.npmjs.org/homedir-polyfill/-/homedir-polyfill-1.0.3.tgz", + "integrity": "sha512-eSmmWE5bZTK2Nou4g0AI3zZ9rswp7GRKoKXS1BLUkvPviOqs4YTN1djQIqrXy9k5gEtdLPy86JjRwsNM9tnDcA==", "dev": true, "requires": { "parse-passwd": "^1.0.0" } }, - "hosted-git-info": { - "version": "2.8.9", - "dev": true + "iconv-lite": { + "version": "0.6.3", + "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz", + "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==", + "dev": true, + "requires": { + "safer-buffer": ">= 2.1.2 < 3.0.0" + } }, - "ignore": { - "version": "5.2.4", + "ieee754": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz", + "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==", "dev": true }, - "indent-string": { - "version": "5.0.0", + "ignore": { + "version": "7.0.5", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz", + "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==", "dev": true }, "inflight": { @@ -5437,14 +5106,14 @@ }, "ini": { "version": "1.3.8", + "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz", + "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==", "dev": true }, "interpret": { - "version": "1.4.0", - "dev": true - }, - "invert-kv": { - "version": "1.0.0", + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/interpret/-/interpret-3.1.1.tgz", + "integrity": "sha512-6xwYfHbajpoF0xLW+iwLkhwgvLoZDfjYfoFNu8ftMoXINzwuymNLd9u/KmwtdT2GbR+/Cz66otEGEVVUHX9QLQ==", "dev": true }, "is-absolute": { @@ -5455,15 +5124,13 @@ "is-windows": "^1.0.1" } }, - "is-arrayish": { - "version": "0.2.1", - "dev": true - }, "is-binary-path": { - "version": "1.0.1", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz", + "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==", "dev": true, "requires": { - "binary-extensions": "^1.0.0" + "binary-extensions": "^2.0.0" } }, "is-buffer": { @@ -5471,10 +5138,12 @@ "dev": true }, "is-core-module": { - "version": "2.13.0", + "version": "2.16.1", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz", + "integrity": "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==", "dev": true, "requires": { - "has": "^1.0.3" + "hasown": "^2.0.2" } }, "is-extglob": { @@ -5482,11 +5151,10 @@ "dev": true }, "is-fullwidth-code-point": { - "version": "1.0.0", - "dev": true, - "requires": { - "number-is-nan": "^1.0.0" - } + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "dev": true }, "is-glob": { "version": "4.0.3", @@ -5499,6 +5167,12 @@ "version": "1.0.0", "dev": true }, + "is-number": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", + "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", + "dev": true + }, "is-path-cwd": { "version": "3.0.0", "dev": true @@ -5513,6 +5187,8 @@ }, "is-plain-object": { "version": "5.0.0", + "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz", + "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==", "dev": true }, "is-relative": { @@ -5580,25 +5256,11 @@ "version": "1.0.1", "dev": true }, - "just-debounce": { - "version": "1.1.0", - "dev": true - }, - "just-extend": { - "version": "4.2.1", - "dev": true - }, - "kind-of": { - "version": "5.1.0", - "dev": true - }, "last-run": { - "version": "1.1.1", - "dev": true, - "requires": { - "default-resolution": "^2.0.0", - "es6-weak-map": "^2.0.1" - } + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/last-run/-/last-run-2.0.0.tgz", + "integrity": "sha512-j+y6WhTLN4Itnf9j5ZQos1BGPCS8DAwmgMroR3OzfxAsBxam0hMw7J8M3KqZl0pLQJ1jNnwIexg5DYpC/ctwEQ==", + "dev": true }, "lazystream": { "version": "1.0.1", @@ -5607,13 +5269,6 @@ "readable-stream": "^2.0.5" } }, - "lcid": { - "version": "1.0.0", - "dev": true, - "requires": { - "invert-kv": "^1.0.0" - } - }, "lead": { "version": "1.0.0", "dev": true, @@ -5622,37 +5277,18 @@ } }, "liftoff": { - "version": "3.1.0", - "dev": true, - "requires": { - "extend": "^3.0.0", - "findup-sync": "^3.0.0", - "fined": "^1.0.1", - "flagged-respawn": "^1.0.0", - "is-plain-object": "^2.0.4", - "object.map": "^1.0.0", - "rechoir": "^0.6.2", - "resolve": "^1.1.7" - }, - "dependencies": { - "is-plain-object": { - "version": "2.0.4", - "dev": true, - "requires": { - "isobject": "^3.0.1" - } - } - } - }, - "load-json-file": { - "version": "1.1.0", + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/liftoff/-/liftoff-5.0.1.tgz", + "integrity": "sha512-wwLXMbuxSF8gMvubFcFRp56lkFV69twvbU5vDPbaw+Q+/rF8j0HKjGbIdlSi+LuJm9jf7k9PB+nTxnsLMPcv2Q==", "dev": true, "requires": { - "graceful-fs": "^4.1.2", - "parse-json": "^2.2.0", - "pify": "^2.0.0", - "pinkie-promise": "^2.0.0", - "strip-bom": "^2.0.0" + "extend": "^3.0.2", + "findup-sync": "^5.0.0", + "fined": "^2.0.0", + "flagged-respawn": "^2.0.0", + "is-plain-object": "^5.0.0", + "rechoir": "^0.8.0", + "resolve": "^1.20.0" } }, "locate-path": { @@ -5662,92 +5298,30 @@ "p-locate": "^5.0.0" } }, - "lodash": { - "version": "4.17.23", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", - "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", - "dev": true - }, - "lodash.get": { - "version": "4.4.2", - "dev": true - }, "log-symbols": { "version": "4.1.0", "dev": true, "requires": { "chalk": "^4.1.0", "is-unicode-supported": "^0.1.0" - }, - "dependencies": { - "chalk": { - "version": "4.1.2", - "dev": true, - "requires": { - "ansi-styles": "^4.1.0", - "supports-color": "^7.1.0" - } - } } }, - "lolex": { - "version": "2.7.5", - "dev": true - }, "lru-cache": { "version": "10.4.3", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", "dev": true }, - "make-iterator": { - "version": "1.0.1", - "dev": true, - "requires": { - "kind-of": "^6.0.2" - }, - "dependencies": { - "kind-of": { - "version": "6.0.3", - "dev": true - } - } - }, "map-cache": { "version": "0.2.2", + "resolved": "https://registry.npmjs.org/map-cache/-/map-cache-0.2.2.tgz", + "integrity": "sha512-8y/eV9QQZCiyn1SprXSrCmqJN0yNRATe+PO8ztwqrvrbdRLA3eYJF0yaR0YayLWkMbsQSKWS9N2gPcGEc4UsZg==", "dev": true }, - "matchdep": { - "version": "2.0.0", - "dev": true, - "requires": { - "findup-sync": "^2.0.0", - "micromatch": ">=4.0.8", - "resolve": "^1.4.0", - "stack-trace": "0.0.10" - }, - "dependencies": { - "findup-sync": { - "version": "2.0.0", - "dev": true, - "requires": { - "detect-file": "^1.0.0", - "is-glob": "^3.1.0", - "micromatch": ">=4.0.8", - "resolve-dir": "^1.0.1" - } - }, - "is-glob": { - "version": "3.1.0", - "dev": true, - "requires": { - "is-extglob": "^2.1.0" - } - } - } - }, "merge2": { "version": "1.4.1", + "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz", + "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==", "dev": true }, "micromatch": { @@ -5757,17 +5331,19 @@ "dev": true, "requires": { "braces": ">=3.0.3", - "picomatch": "^2.3.1" + "picomatch": ">=2.3.2" } }, "mimic-response": { "version": "4.0.0" }, "minimatch": { - "version": "3.1.2", + "version": "10.2.5", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.5.tgz", + "integrity": "sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==", "dev": true, "requires": { - "brace-expansion": "^1.1.7" + "brace-expansion": "^5.0.5" } }, "minipass": { @@ -5793,10 +5369,10 @@ "is-path-inside": "^3.0.3", "js-yaml": "^4.1.0", "log-symbols": "^4.1.0", - "minimatch": "^9.0.5", + "minimatch": ">=3.1.3", "ms": "^2.1.3", "picocolors": "^1.1.1", - "serialize-javascript": "^6.0.2", + "serialize-javascript": ">=7.0.5", "strip-json-comments": "^3.1.1", "supports-color": "^8.1.1", "workerpool": "^9.2.0", @@ -5805,21 +5381,6 @@ "yargs-unparser": "^2.0.0" }, "dependencies": { - "ansi-regex": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", - "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", - "dev": true - }, - "brace-expansion": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz", - "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==", - "dev": true, - "requires": { - "balanced-match": "^1.0.0" - } - }, "chokidar": { "version": "4.0.3", "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.3.tgz", @@ -5867,12 +5428,6 @@ "path-exists": "^4.0.0" } }, - "get-caller-file": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz", - "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==", - "dev": true - }, "glob": { "version": "10.5.0", "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz", @@ -5881,33 +5436,18 @@ "requires": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", - "minimatch": "^9.0.4", + "minimatch": ">=3.1.3", "minipass": "^7.1.2", "package-json-from-dist": "^1.0.0", "path-scurry": "^1.11.1" } }, - "is-fullwidth-code-point": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", - "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", - "dev": true - }, "is-path-inside": { "version": "3.0.3", "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-3.0.3.tgz", "integrity": "sha512-Fd4gABb+ycGAmKou8eMftCupSir5lRxqf4aD/vd0cD2qc4HL07OjCeuHMr8Ro4CoMaeCKDB0/ECBOVWjTwUvPQ==", "dev": true }, - "minimatch": { - "version": "9.0.5", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", - "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==", - "dev": true, - "requires": { - "brace-expansion": "^2.0.1" - } - }, "ms": { "version": "2.1.3", "dev": true @@ -5922,26 +5462,6 @@ "integrity": "sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==", "dev": true }, - "string-width": { - "version": "4.2.3", - "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", - "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", - "dev": true, - "requires": { - "emoji-regex": "^8.0.0", - "is-fullwidth-code-point": "^3.0.0", - "strip-ansi": "^6.0.1" - } - }, - "strip-ansi": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", - "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", - "dev": true, - "requires": { - "ansi-regex": "^5.0.1" - } - }, "supports-color": { "version": "8.1.1", "dev": true, @@ -5949,23 +5469,6 @@ "has-flag": "^4.0.0" } }, - "wrap-ansi": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", - "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", - "dev": true, - "requires": { - "ansi-styles": "^4.0.0", - "string-width": "^4.1.0", - "strip-ansi": "^6.0.0" - } - }, - "y18n": { - "version": "5.0.8", - "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", - "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==", - "dev": true - }, "yargs": { "version": "17.7.2", "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz", @@ -5990,60 +5493,15 @@ } }, "mute-stdout": { - "version": "1.0.1", - "dev": true - }, - "nan": { - "version": "2.25.0", - "resolved": "https://registry.npmjs.org/nan/-/nan-2.25.0.tgz", - "integrity": "sha512-0M90Ag7Xn5KMLLZ7zliPWP3rT90P6PN+IzVFS0VqmnPktBk3700xUVv8Ikm9EUaUE5SDWdp/BIxdENzVznpm1g==", - "dev": true, - "optional": true - }, - "next-tick": { - "version": "1.1.0", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/mute-stdout/-/mute-stdout-2.0.0.tgz", + "integrity": "sha512-32GSKM3Wyc8dg/p39lWPKYu8zci9mJFzV1Np9Of0ZEpe6Fhssn/FbI7ywAMd40uX+p3ZKh3T5EeCFv81qS3HmQ==", "dev": true }, - "nise": { - "version": "1.5.3", - "dev": true, - "requires": { - "@sinonjs/formatio": "^3.2.1", - "@sinonjs/text-encoding": "^0.7.1", - "just-extend": "^4.0.2", - "lolex": "^5.0.1", - "path-to-regexp": "^1.7.0" - }, - "dependencies": { - "@sinonjs/formatio": { - "version": "3.2.2", - "dev": true, - "requires": { - "@sinonjs/commons": "^1", - "@sinonjs/samsam": "^3.1.0" - } - }, - "lolex": { - "version": "5.1.2", - "dev": true, - "requires": { - "@sinonjs/commons": "^1.7.0" - } - } - } - }, - "normalize-package-data": { - "version": "2.5.0", - "dev": true, - "requires": { - "hosted-git-info": "^2.1.4", - "resolve": "^1.10.0", - "semver": "2 || 3 || 4 || 5", - "validate-npm-package-license": "^3.0.1" - } - }, "normalize-path": { "version": "3.0.0", + "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", + "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", "dev": true }, "now-and-later": { @@ -6053,10 +5511,6 @@ "once": "^1.3.2" } }, - "number-is-nan": { - "version": "1.0.1", - "dev": true - }, "object-keys": { "version": "1.1.1", "dev": true @@ -6073,6 +5527,8 @@ }, "object.defaults": { "version": "1.1.0", + "resolved": "https://registry.npmjs.org/object.defaults/-/object.defaults-1.1.0.tgz", + "integrity": "sha512-c/K0mw/F11k4dEUBMW8naXUuBuhxRCfG7W+yFy8EcijU/rSmazOUd1XAEEe6bC0OuXY4HUKjTJv7xbxIMqdxrA==", "dev": true, "requires": { "array-each": "^1.0.1", @@ -6081,29 +5537,15 @@ "isobject": "^3.0.0" } }, - "object.map": { - "version": "1.0.1", - "dev": true, - "requires": { - "for-own": "^1.0.0", - "make-iterator": "^1.0.0" - } - }, "object.pick": { "version": "1.3.0", + "resolved": "https://registry.npmjs.org/object.pick/-/object.pick-1.3.0.tgz", + "integrity": "sha512-tqa/UMy/CCoYmj+H5qc07qvSL9dqcs/WZENZ1JbtWBlATP+iVOe778gE6MSijnyCnORzDuX6hU+LA4SZ09YjFQ==", "dev": true, "requires": { "isobject": "^3.0.1" } }, - "object.reduce": { - "version": "1.0.1", - "dev": true, - "requires": { - "for-own": "^1.0.0", - "make-iterator": "^1.0.0" - } - }, "once": { "version": "1.4.0", "dev": true, @@ -6118,13 +5560,6 @@ "readable-stream": "^2.0.1" } }, - "os-locale": { - "version": "1.4.0", - "dev": true, - "requires": { - "lcid": "^1.0.0" - } - }, "p-limit": { "version": "3.1.0", "dev": true, @@ -6140,11 +5575,10 @@ } }, "p-map": { - "version": "5.5.0", - "dev": true, - "requires": { - "aggregate-error": "^4.0.0" - } + "version": "7.0.4", + "resolved": "https://registry.npmjs.org/p-map/-/p-map-7.0.4.tgz", + "integrity": "sha512-tkAQEw8ysMzmkhgw8k+1U/iPhWNhykKnSk4Rd5zLoPJCuJaGRPo6YposrZgaxHKzDHdDWWZvE/Sk7hsL2X/CpQ==", + "dev": true }, "package-json-from-dist": { "version": "1.0.1", @@ -6154,39 +5588,25 @@ }, "parse-filepath": { "version": "1.0.2", + "resolved": "https://registry.npmjs.org/parse-filepath/-/parse-filepath-1.0.2.tgz", + "integrity": "sha512-FwdRXKCohSVeXqwtYonZTXtbGJKrn+HNyWDYVcp5yuJlesTwNH4rsmRZ+GrKAPJ5bLpRxESMeS+Rl0VCHRvB2Q==", "dev": true, "requires": { "is-absolute": "^1.0.0", "map-cache": "^0.2.0", "path-root": "^0.1.1" - } - }, - "parse-json": { - "version": "2.2.0", - "dev": true, - "requires": { - "error-ex": "^1.2.0" - } - }, - "parse-node-version": { - "version": "1.0.1", - "dev": true + } }, "parse-passwd": { "version": "1.0.0", + "resolved": "https://registry.npmjs.org/parse-passwd/-/parse-passwd-1.0.0.tgz", + "integrity": "sha512-1Y1A//QUXEZK7YKz+rD9WydcE1+EuPr6ZBgKecAB8tmoW6UFv0NREVJe1p+jRxtThkcbbKkfwIbWJe/IeE6m2Q==", "dev": true }, "path-dirname": { "version": "1.0.2", "dev": true }, - "path-exists": { - "version": "2.1.0", - "dev": true, - "requires": { - "pinkie-promise": "^2.0.0" - } - }, "path-is-absolute": { "version": "1.0.1", "dev": true @@ -6199,10 +5619,14 @@ }, "path-parse": { "version": "1.0.7", + "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", + "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==", "dev": true }, "path-root": { "version": "0.1.1", + "resolved": "https://registry.npmjs.org/path-root/-/path-root-0.1.1.tgz", + "integrity": "sha512-QLcPegTHF11axjfojBIoDygmS2E3Lf+8+jI6wOVmNVenrKSo3mFdSGiIgdSHenczw3wPtlVMQaFVwGmM7BJdtg==", "dev": true, "requires": { "path-root-regex": "^0.1.0" @@ -6210,6 +5634,8 @@ }, "path-root-regex": { "version": "0.1.2", + "resolved": "https://registry.npmjs.org/path-root-regex/-/path-root-regex-0.1.2.tgz", + "integrity": "sha512-4GlJ6rZDhQZFE0DPVKh0e9jmZ5egZfxTkp7bcRDuPlJXbAwhxcl2dINPUAsjLdejqaLsCeg8axcLjIbvBjN4pQ==", "dev": true }, "path-scurry": { @@ -6222,23 +5648,10 @@ "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" } }, - "path-to-regexp": { - "version": "1.9.0", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.9.0.tgz", - "integrity": "sha512-xIp7/apCFJuUHdDLWe8O1HIkb0kQrOMb/0u6FXQjemHn/ii5LrIzU6bdECnsiTF/GjZkMEKg1xdiZwNqDYlZ6g==", - "dev": true, - "requires": { - "isarray": "0.0.1" - }, - "dependencies": { - "isarray": { - "version": "0.0.1", - "dev": true - } - } - }, "path-type": { - "version": "4.0.0", + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/path-type/-/path-type-6.0.0.tgz", + "integrity": "sha512-Vj7sf++t5pBD637NSfkxpHSMfWaeig5+DKWLhcqIYx6mWQz5hdJTGDVMQiJcw1ZYkhs7AazKDGpRVji1LJCZUQ==", "dev": true }, "picocolors": { @@ -6248,24 +5661,11 @@ "dev": true }, "picomatch": { - "version": "2.3.1", - "dev": true - }, - "pify": { - "version": "2.3.0", - "dev": true - }, - "pinkie": { - "version": "2.0.4", + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz", + "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==", "dev": true }, - "pinkie-promise": { - "version": "2.0.1", - "dev": true, - "requires": { - "pinkie": "^2.0.0" - } - }, "plugin-error": { "version": "1.0.1", "dev": true, @@ -6300,8 +5700,10 @@ } } }, - "pretty-hrtime": { - "version": "1.0.3", + "presentable-error": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/presentable-error/-/presentable-error-0.0.1.tgz", + "integrity": "sha512-E6rsNU1QNJgB3sjj7OANinGncFKuK+164sLXw1/CqBjj/EkXSoSdHCtWQGBNlREIGLnL7IEUEGa08YFVUbrhVg==", "dev": true }, "process-nextick-args": { @@ -6327,45 +5729,10 @@ }, "queue-microtask": { "version": "1.2.3", + "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz", + "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==", "dev": true }, - "randombytes": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz", - "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==", - "dev": true, - "requires": { - "safe-buffer": "^5.1.0" - } - }, - "read-pkg": { - "version": "1.1.0", - "dev": true, - "requires": { - "load-json-file": "^1.0.0", - "normalize-package-data": "^2.3.2", - "path-type": "^1.0.0" - }, - "dependencies": { - "path-type": { - "version": "1.1.0", - "dev": true, - "requires": { - "graceful-fs": "^4.1.2", - "pify": "^2.0.0", - "pinkie-promise": "^2.0.0" - } - } - } - }, - "read-pkg-up": { - "version": "1.0.1", - "dev": true, - "requires": { - "find-up": "^1.0.0", - "read-pkg": "^1.0.0" - } - }, "readable-stream": { "version": "2.3.8", "dev": true, @@ -6380,19 +5747,21 @@ } }, "readdirp": { - "version": "2.2.1", + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz", + "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==", "dev": true, "requires": { - "graceful-fs": "^4.1.11", - "micromatch": ">=4.0.8", - "readable-stream": "^2.0.2" + "picomatch": ">=2.3.2" } }, "rechoir": { - "version": "0.6.2", + "version": "0.8.0", + "resolved": "https://registry.npmjs.org/rechoir/-/rechoir-0.8.0.tgz", + "integrity": "sha512-/vxpCXddiX8NGfGO/mTafwjq4aFa/71pvamip0++IQk3zG8cbCj0fifNPrjjF1XMXUne91jL9OoxmdykoEtifQ==", "dev": true, "requires": { - "resolve": "^1.1.6" + "resolve": "^1.20.0" } }, "remove-bom-buffer": { @@ -6431,33 +5800,30 @@ "dev": true }, "replace-homedir": { - "version": "1.0.0", - "dev": true, - "requires": { - "homedir-polyfill": "^1.0.1", - "is-absolute": "^1.0.0", - "remove-trailing-separator": "^1.1.0" - } + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/replace-homedir/-/replace-homedir-2.0.0.tgz", + "integrity": "sha512-bgEuQQ/BHW0XkkJtawzrfzHFSN70f/3cNOiHa2QsYxqrjaC30X1k74FJ6xswVBP0sr0SpGIdVFuPwfrYziVeyw==", + "dev": true }, "require-directory": { "version": "2.1.1", "dev": true }, - "require-main-filename": { - "version": "1.0.1", - "dev": true - }, "resolve": { - "version": "1.22.6", + "version": "1.22.11", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.11.tgz", + "integrity": "sha512-RfqAvLnMl313r7c9oclB1HhUEAezcpLjz95wFH4LVuhk9JF/r22qmVP9AMmOU4vMX7Q8pN8jwNg/CSpdFnMjTQ==", "dev": true, "requires": { - "is-core-module": "^2.13.0", + "is-core-module": "^2.16.1", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" } }, "resolve-dir": { "version": "1.0.1", + "resolved": "https://registry.npmjs.org/resolve-dir/-/resolve-dir-1.0.1.tgz", + "integrity": "sha512-R7uiTjECzvOsWSfdM0QKFNBVFcK27aHOUwdvK53BcW8zqnGdYp0Fbj82cy54+2A4P2tFM22J5kRfe1R+lM/1yg==", "dev": true, "requires": { "expand-tilde": "^2.0.0", @@ -6472,18 +5838,15 @@ } }, "reusify": { - "version": "1.0.4", + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.1.0.tgz", + "integrity": "sha512-g6QUff04oZpHs0eG5p83rFLhHeV00ug/Yf9nZM6fLeUrPguBTkTQOdpAWWspMh55TZfVQDPaN3NQJfbVRAxdIw==", "dev": true }, - "rimraf": { - "version": "3.0.2", - "dev": true, - "requires": { - "glob": "^7.1.3" - } - }, "run-parallel": { "version": "1.2.0", + "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz", + "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==", "dev": true, "requires": { "queue-microtask": "^1.2.2" @@ -6493,32 +5856,32 @@ "version": "5.1.2", "dev": true }, - "samsam": { - "version": "1.3.0", + "safer-buffer": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", "dev": true }, "semver": { - "version": "5.7.2", - "dev": true + "version": "6.3.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", + "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==", + "dev": true, + "optional": true }, "semver-greatest-satisfied-range": { - "version": "1.1.0", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/semver-greatest-satisfied-range/-/semver-greatest-satisfied-range-2.0.0.tgz", + "integrity": "sha512-lH3f6kMbwyANB7HuOWRMlLCa2itaCrZJ+SAqqkSZrZKO/cAsk2EOyaKHUtNkVLFyFW9pct22SFesFp3Z7zpA0g==", "dev": true, "requires": { - "sver-compat": "^1.5.0" + "sver": "^1.8.3" } }, "serialize-javascript": { - "version": "6.0.2", - "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz", - "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==", - "dev": true, - "requires": { - "randombytes": "^2.1.0" - } - }, - "set-blocking": { - "version": "2.0.0", + "version": "7.0.5", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.5.tgz", + "integrity": "sha512-F4LcB0UqUl1zErq+1nYEEzSHJnIwb3AF2XWB94b+afhrekOUijwooAYqFyRbjYkm2PAKBabx6oYv/xDxNi8IBw==", "dev": true }, "shebang-command": { @@ -6543,33 +5906,21 @@ "dev": true }, "sinon": { - "version": "4.5.0", + "version": "22.0.0", + "resolved": "https://registry.npmjs.org/sinon/-/sinon-22.0.0.tgz", + "integrity": "sha512-sq/6DpdXOrLyfbKlXLg/Usc7xu8YXPeLkOFZRvA3bNUSA2lhbrZ06yuXbH1fkzBPCbz9O10+7hznzUsjaYNm0Q==", "dev": true, "requires": { - "@sinonjs/formatio": "^2.0.0", - "diff": "^3.1.0", - "lodash.get": "^4.4.2", - "lolex": "^2.2.0", - "nise": "^1.2.0", - "supports-color": "^5.1.0", - "type-detect": "^4.0.5" - }, - "dependencies": { - "has-flag": { - "version": "3.0.0", - "dev": true - }, - "supports-color": { - "version": "5.5.0", - "dev": true, - "requires": { - "has-flag": "^3.0.0" - } - } + "@sinonjs/commons": "^3.0.1", + "@sinonjs/fake-timers": "^15.4.0", + "@sinonjs/samsam": "^10.0.2", + "diff": "^9.0.0" } }, "slash": { - "version": "4.0.0", + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/slash/-/slash-5.1.0.tgz", + "integrity": "sha512-ZA6oR3T/pEyuqwMgAKT0/hAv8oAXckzbkmR0UkUosQ+Mc4RxGoJkRmwHgHufaenlyAgE1Mxgpdcrf75y6XcnDg==", "dev": true }, "source-map": { @@ -6577,45 +5928,41 @@ "dev": true }, "sparkles": { - "version": "1.0.1", - "dev": true - }, - "spdx-correct": { - "version": "3.2.0", - "dev": true, - "requires": { - "spdx-expression-parse": "^3.0.0", - "spdx-license-ids": "^3.0.0" - } - }, - "spdx-exceptions": { - "version": "2.3.0", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/sparkles/-/sparkles-2.1.0.tgz", + "integrity": "sha512-r7iW1bDw8R/cFifrD3JnQJX0K1jqT0kprL48BiBpLZLJPmAm34zsVBsK5lc7HirZYZqMW65dOXZgbAGt/I6frg==", "dev": true }, - "spdx-expression-parse": { - "version": "3.0.1", + "stream-composer": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/stream-composer/-/stream-composer-1.0.2.tgz", + "integrity": "sha512-bnBselmwfX5K10AH6L4c8+S5lgZMWI7ZYrz2rvYjCPB2DIMC4Ig8OpxGpNJSxRZ58oti7y1IcNvjBAz9vW5m4w==", "dev": true, "requires": { - "spdx-exceptions": "^2.1.0", - "spdx-license-ids": "^3.0.0" + "streamx": "^2.13.2" } }, - "spdx-license-ids": { - "version": "3.0.15", - "dev": true - }, - "stack-trace": { - "version": "0.0.10", - "dev": true - }, "stream-exhaust": { "version": "1.0.2", + "resolved": "https://registry.npmjs.org/stream-exhaust/-/stream-exhaust-1.0.2.tgz", + "integrity": "sha512-b/qaq/GlBK5xaq1yrK9/zFcyRSTNxmcZwFLGSTG0mXgZl/4Z6GgiyYOXOvY7N3eEvFRAG1bkDRz5EPGSvPYQlw==", "dev": true }, "stream-shift": { "version": "1.0.1", "dev": true }, + "streamx": { + "version": "2.23.0", + "resolved": "https://registry.npmjs.org/streamx/-/streamx-2.23.0.tgz", + "integrity": "sha512-kn+e44esVfn2Fa/O0CPFcex27fjIL6MkVae0Mm6q+E6f0hWv578YCERbv+4m02cjxvDsPKLnmxral/rR6lBMAg==", + "dev": true, + "requires": { + "events-universal": "^1.0.0", + "fast-fifo": "^1.3.2", + "text-decoder": "^1.1.0" + } + }, "string_decoder": { "version": "1.1.1", "dev": true, @@ -6624,12 +5971,14 @@ } }, "string-width": { - "version": "1.0.2", + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "dev": true, "requires": { - "code-point-at": "^1.0.0", - "is-fullwidth-code-point": "^1.0.0", - "strip-ansi": "^3.0.0" + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" } }, "string-width-cjs": { @@ -6641,36 +5990,15 @@ "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" - }, - "dependencies": { - "ansi-regex": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", - "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", - "dev": true - }, - "is-fullwidth-code-point": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", - "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", - "dev": true - }, - "strip-ansi": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", - "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", - "dev": true, - "requires": { - "ansi-regex": "^5.0.1" - } - } } }, "strip-ansi": { - "version": "3.0.1", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "requires": { - "ansi-regex": "^2.0.0" + "ansi-regex": "^5.0.1" } }, "strip-ansi-cjs": { @@ -6680,21 +6008,6 @@ "dev": true, "requires": { "ansi-regex": "^5.0.1" - }, - "dependencies": { - "ansi-regex": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", - "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", - "dev": true - } - } - }, - "strip-bom": { - "version": "2.0.0", - "dev": true, - "requires": { - "is-utf8": "^0.2.0" } }, "strip-json-comments": { @@ -6710,14 +6023,35 @@ }, "supports-preserve-symlinks-flag": { "version": "1.0.0", + "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", + "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", "dev": true }, - "sver-compat": { - "version": "1.5.0", + "sver": { + "version": "1.8.4", + "resolved": "https://registry.npmjs.org/sver/-/sver-1.8.4.tgz", + "integrity": "sha512-71o1zfzyawLfIWBOmw8brleKyvnbn73oVHNCsu51uPMz/HWiKkkXsI31JjHW5zqXEqnPYkIiHd8ZmL7FCimLEA==", + "dev": true, + "requires": { + "semver": "^6.3.0" + } + }, + "teex": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/teex/-/teex-1.0.1.tgz", + "integrity": "sha512-eYE6iEI62Ni1H8oIa7KlDU6uQBtqr4Eajni3wX7rpfXD8ysFx8z0+dri+KWEPWpBsxXfxu58x/0jvTVT1ekOSg==", + "dev": true, + "requires": { + "streamx": "^2.12.5" + } + }, + "text-decoder": { + "version": "1.2.7", + "resolved": "https://registry.npmjs.org/text-decoder/-/text-decoder-1.2.7.tgz", + "integrity": "sha512-vlLytXkeP4xvEq2otHeJfSQIRyWxo/oZGEbXrtEEF9Hnmrdly59sUbzZ/QgyWuLYHctCHxFF4tRQZNQ9k60ExQ==", "dev": true, "requires": { - "es6-iterator": "^2.0.1", - "es6-symbol": "^3.1.1" + "b4a": "^1.6.4" } }, "through2": { @@ -6746,10 +6080,6 @@ } } }, - "time-stamp": { - "version": "1.1.0", - "dev": true - }, "to-absolute-glob": { "version": "2.0.2", "dev": true, @@ -6765,14 +6095,6 @@ "dev": true, "requires": { "is-number": "^7.0.0" - }, - "dependencies": { - "is-number": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", - "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", - "dev": true - } } }, "to-through": { @@ -6793,22 +6115,20 @@ } }, "tunnel": { - "version": "0.0.6" - }, - "type": { - "version": "1.2.0", - "dev": true + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" }, "type-detect": { "version": "4.0.8", - "dev": true - }, - "typedarray": { - "version": "0.0.6", + "resolved": "https://registry.npmjs.org/type-detect/-/type-detect-4.0.8.tgz", + "integrity": "sha512-0fr/mIH1dlO+x7TlcMy+bIDqKPsw/70tVyeHW787goQjhmqaZe10uwLujubK9q9Lg6Fiho1KUKDYz0Z7k7g5/g==", "dev": true }, "typescript": { - "version": "5.2.2", + "version": "5.9.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz", + "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", "dev": true }, "unc-path-regex": { @@ -6816,23 +6136,38 @@ "dev": true }, "undertaker": { - "version": "1.3.0", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/undertaker/-/undertaker-2.0.0.tgz", + "integrity": "sha512-tO/bf30wBbTsJ7go80j0RzA2rcwX6o7XPBpeFcb+jzoeb4pfMM2zUeSDIkY1AWqeZabWxaQZ/h8N9t35QKDLPQ==", "dev": true, "requires": { - "arr-flatten": "^1.0.1", - "arr-map": "^2.0.0", - "bach": "^1.0.0", - "collection-map": "^1.0.0", - "es6-weak-map": "^2.0.1", - "fast-levenshtein": "^1.0.0", - "last-run": "^1.1.0", - "object.defaults": "^1.0.0", - "object.reduce": "^1.0.0", - "undertaker-registry": "^1.0.0" + "bach": "^2.0.1", + "fast-levenshtein": "^3.0.0", + "last-run": "^2.0.0", + "undertaker-registry": "^2.0.0" } }, "undertaker-registry": { - "version": "1.0.1", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/undertaker-registry/-/undertaker-registry-2.0.0.tgz", + "integrity": "sha512-+hhVICbnp+rlzZMgxXenpvTxpuvA67Bfgtt+O9WOE5jo7w/dyiF1VmoZVIHvP2EkUjsyKyTwYKlLhA+j47m1Ew==", + "dev": true + }, + "undici": { + "version": "8.0.2", + "resolved": "https://registry.npmjs.org/undici/-/undici-8.0.2.tgz", + "integrity": "sha512-B9MeU5wuFhkFAuNeA19K2GDFcQXZxq33fL0nRy2Aq30wdufZbyyvxW3/ChaeipXVfy/wUweZyzovQGk39+9k2w==" + }, + "undici-types": { + "version": "7.19.2", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.19.2.tgz", + "integrity": "sha512-qYVnV5OEm2AW8cJMCpdV20CDyaN3g0AjDlOGf1OW4iaDEx8MwdtChUp4zu4H0VP3nDRF/8RKWH+IPp9uW0YGZg==", + "dev": true + }, + "unicorn-magic": { + "version": "0.3.0", + "resolved": "https://registry.npmjs.org/unicorn-magic/-/unicorn-magic-0.3.0.tgz", + "integrity": "sha512-+QBBXBCvifc56fsbuxZQ6Sic3wqqc3WWaqxs58gvJrcOuN83HGTCwz3oS5phzU9LthRNE9VrJCFCLUgHeeFnfA==", "dev": true }, "unique-stream": { @@ -6843,31 +6178,20 @@ "through2-filter": "^3.0.0" } }, - "upath": { - "version": "1.2.0", - "dev": true - }, "util-deprecate": { "version": "1.0.2", "dev": true }, "uuid": { - "version": "8.3.2" + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==" }, "v8flags": { - "version": "3.2.0", - "dev": true, - "requires": { - "homedir-polyfill": "^1.0.1" - } - }, - "validate-npm-package-license": { - "version": "3.0.4", - "dev": true, - "requires": { - "spdx-correct": "^3.0.0", - "spdx-expression-parse": "^3.0.0" - } + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/v8flags/-/v8flags-4.0.1.tgz", + "integrity": "sha512-fcRLaS4H/hrZk9hYwbdRM35D0U8IYMfEClhXxCivOojl+yTRAZH3Zy2sSy6qVCiGbV9YAtPssP6jaChqC9vPCg==", + "dev": true }, "value-or-function": { "version": "3.0.0", @@ -6885,6 +6209,36 @@ "replace-ext": "^1.0.0" } }, + "vinyl-contents": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/vinyl-contents/-/vinyl-contents-2.0.0.tgz", + "integrity": "sha512-cHq6NnGyi2pZ7xwdHSW1v4Jfnho4TEGtxZHw01cmnc8+i7jgR6bRnED/LbrKan/Q7CvVLbnvA5OepnhbpjBZ5Q==", + "dev": true, + "requires": { + "bl": "^5.0.0", + "vinyl": "^3.0.0" + }, + "dependencies": { + "replace-ext": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-2.0.0.tgz", + "integrity": "sha512-UszKE5KVK6JvyD92nzMn9cDapSk6w/CaFZ96CnmDMUqH9oowfxF/ZjRITD25H4DnOQClLA4/j7jLGXXLVKxAug==", + "dev": true + }, + "vinyl": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/vinyl/-/vinyl-3.0.1.tgz", + "integrity": "sha512-0QwqXteBNXgnLCdWdvPQBX6FXRHtIH3VhJPTd5Lwn28tJXc34YqSCWUmkOvtJHBmB3gGoPtrOKk3Ts8/kEZ9aA==", + "dev": true, + "requires": { + "clone": "^2.1.2", + "remove-trailing-separator": "^1.1.0", + "replace-ext": "^2.0.0", + "teex": "^1.0.1" + } + } + } + }, "vinyl-fs": { "version": "3.0.3", "dev": true, @@ -6942,15 +6296,13 @@ }, "which": { "version": "1.3.1", + "resolved": "https://registry.npmjs.org/which/-/which-1.3.1.tgz", + "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==", "dev": true, "requires": { "isexe": "^2.0.0" } }, - "which-module": { - "version": "1.0.0", - "dev": true - }, "workerpool": { "version": "9.3.4", "resolved": "https://registry.npmjs.org/workerpool/-/workerpool-9.3.4.tgz", @@ -6958,11 +6310,14 @@ "dev": true }, "wrap-ansi": { - "version": "2.1.0", + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", + "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", "dev": true, "requires": { - "string-width": "^1.0.1", - "strip-ansi": "^3.0.1" + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": "^6.0.0" } }, "wrap-ansi-cjs": { @@ -6974,40 +6329,6 @@ "ansi-styles": "^4.0.0", "string-width": "^4.1.0", "strip-ansi": "^6.0.0" - }, - "dependencies": { - "ansi-regex": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", - "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", - "dev": true - }, - "is-fullwidth-code-point": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", - "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", - "dev": true - }, - "string-width": { - "version": "4.2.3", - "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", - "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", - "dev": true, - "requires": { - "emoji-regex": "^8.0.0", - "is-fullwidth-code-point": "^3.0.0", - "strip-ansi": "^6.0.1" - } - }, - "strip-ansi": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", - "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", - "dev": true, - "requires": { - "ansi-regex": "^5.0.1" - } - } } }, "wrappy": { @@ -7019,35 +6340,31 @@ "dev": true }, "y18n": { - "version": "3.2.2", + "version": "5.0.8", + "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", + "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==", "dev": true }, "yargs": { - "version": "7.1.2", + "version": "16.2.0", + "resolved": "https://registry.npmjs.org/yargs/-/yargs-16.2.0.tgz", + "integrity": "sha512-D1mvvtDG0L5ft/jGWkLpG1+m0eQxOfaBvTNELraWj22wSVUMWxZUvYgJYcKh6jGGIkJFhH4IZPQhR4TKpc8mBw==", "dev": true, "requires": { - "camelcase": "^3.0.0", - "cliui": "^3.2.0", - "decamelize": "^1.1.1", - "get-caller-file": "^1.0.1", - "os-locale": "^1.4.0", - "read-pkg-up": "^1.0.1", + "cliui": "^7.0.2", + "escalade": "^3.1.1", + "get-caller-file": "^2.0.5", "require-directory": "^2.1.1", - "require-main-filename": "^1.0.1", - "set-blocking": "^2.0.0", - "string-width": "^1.0.2", - "which-module": "^1.0.0", - "y18n": "^3.2.1", - "yargs-parser": "^5.0.1" + "string-width": "^4.2.0", + "y18n": "^5.0.5", + "yargs-parser": "^20.2.2" } }, "yargs-parser": { - "version": "5.0.1", - "dev": true, - "requires": { - "camelcase": "^3.0.0", - "object.assign": "^4.1.0" - } + "version": "20.2.9", + "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-20.2.9.tgz", + "integrity": "sha512-y11nGElTIV+CT3Zv9t7VKl+Q3hTQoT9a1Qzezhhl6Rp21gJ/IVTW7Z3y9EWXhuUBC2Shnf+DX0antecpAwSP8w==", + "dev": true }, "yargs-unparser": { "version": "2.0.0", diff --git a/package.json b/package.json index 7f43ea2e..c77e3973 100644 --- a/package.json +++ b/package.json @@ -4,7 +4,11 @@ "description": "Node dependencies for the microsoft/security-devops-action.", "overrides": { "braces": ">=3.0.3", - "micromatch": ">=4.0.8" + "micromatch": ">=4.0.8", + "picomatch": ">=2.3.2", + "minimatch": ">=3.1.3", + "serialize-javascript": ">=7.0.5", + "undici": ">=6.24.1" }, "scripts": { "build": "npx gulp", @@ -15,21 +19,21 @@ "author": "Microsoft Corporation", "license": "MIT", "dependencies": { - "@actions/core": "1.10.0", - "@actions/exec": "1.1.1", + "@actions/core": "2.0.3", + "@actions/exec": "2.0.0", "@microsoft/security-devops-actions-toolkit": "1.11.0" }, "devDependencies": { - "@types/mocha": "^2.2.44", - "@types/node": "^20.3.1", - "@types/q": "^1.0.6", - "@types/sinon": "^4.1.2", - "del": "^7.0.0", - "gulp": "^4.0.2", - "gulp-cli": "^2.3.0", + "@types/mocha": "^10.0.10", + "@types/node": "^25.6.0", + "@types/q": "^1.5.8", + "@types/sinon": "^21.0.1", + "del": "^8.0.1", + "gulp": "^5.0.1", + "gulp-cli": "^3.1.0", "gulp-typescript": "^6.0.0-alpha.1", "mocha": "^11.7.5", - "sinon": "^4.1.3", - "typescript": "^5.1.3" + "sinon": "^22.0.0", + "typescript": "^5.9.3" } } diff --git a/sda.sarif b/sda.sarif deleted file mode 100644 index 46a3e920..00000000 --- a/sda.sarif +++ /dev/null @@ -1,9259 +0,0 @@ -{ - "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json", - "version": "2.1.0", - "runs": [ - { - "tool": { - "driver": { - "name": "antimalware", - "rules": [ - { - "id": "NoThreatsFound", - "name": "No threats were found by AntiMalware." - } - ], - "properties": { - "RawName": "antimalware" - } - } - }, - "invocations": [ - { - "commandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24090.11-0\\MpCmdRun.exe\" -Scan -ScanType 3 -DisableRemediation -File D:\\source\\security-devops-action", - "executionSuccessful": true - } - ], - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "results": [], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "toolInfoId": "antimalware>>0>>202411062057" - } - }, - { - "tool": { - "driver": { - "name": "bandit", - "properties": { - "RawName": "bandit" - } - } - }, - "invocations": [ - { - "endTimeUtc": "2024-11-07T04:56:49.000Z", - "executionSuccessful": true - } - ], - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "results": [], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "metrics": {"_totals":{"loc":0,"nosec":0,"SEVERITY.UNDEFINED":0.0,"CONFIDENCE.UNDEFINED":0.0,"SEVERITY.LOW":0.0,"CONFIDENCE.LOW":0.0,"SEVERITY.MEDIUM":0.0,"CONFIDENCE.MEDIUM":0.0,"SEVERITY.HIGH":0.0,"CONFIDENCE.HIGH":0.0},"D:\\source\\security-devops-action\\samples\\insecure.py":{"loc":0,"nosec":0,"SEVERITY.UNDEFINED":0.0,"SEVERITY.LOW":0.0,"SEVERITY.MEDIUM":0.0,"SEVERITY.HIGH":0.0,"CONFIDENCE.UNDEFINED":0.0,"CONFIDENCE.LOW":0.0,"CONFIDENCE.MEDIUM":0.0,"CONFIDENCE.HIGH":0.0}}, - "toolInfoId": "bandit>>1>>202411062057" - } - }, - { - "tool": { - "driver": { - "name": "credscan", - "organization": "Microsoft Corporation", - "product": "Microsoft Security Credential Scanner Client", - "fullName": "CredentialScanner 2.5.1.13", - "version": "2.5.1.13", - "semanticVersion": "2.5.1", - "rules": [ - { - "id": "CSCAN-GENERAL0020", - "name": "X.509 Certificate Private Key", - "fullDescription": { - "text": "used as a private component in SSL certificates." - }, - "shortDescription": { - "text": "X.509 Certificate Private Key." - }, - "messageStrings": { - "Default": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - } - }, - "helpUri": "https://aka.ms/CredScanDocs" - } - ], - "properties": { - "Comments": "CredentialScanner is an Azure security tool to scan for credentials & other sensitive data in source code and/or system files.", - "RawName": "credscan" - } - }, - "properties": { - "IsPreview": true - } - }, - "invocations": [ - { - "startTimeUtc": "2024-11-07T04:57:07.500Z", - "endTimeUtc": "2024-11-07T04:57:15.725Z", - "executionSuccessful": true - } - ], - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "originalUriBaseIds": { - "file:///D:/source/security-devops-action/": { - "uri": "file:///D:/source/security-devops-action/" - } - }, - "results": [ - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/allsans.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/allsans.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "ad80df55e021c410c64bbdc3c768739c9b7fd32cfe9d37e5049efe305a7cabbe", - "gdnAlternativeSignature0": "471e593e20b5c75c62e499b8249c85f1835dc7f99dc9553a8a66b1be2550515d" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/badcert.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/badcert.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 19, - "startColumn": 1, - "endLine": 19, - "endColumn": 31 - } - } - } - ], - "fingerprints": { - "HashCode": "fdZwTjfxyQHIYf+BmyPXyLEOqdG4U2NLBuFNLckqc/s=", - "gdnPrimarySignature": "8c4f1c7c24033f5c2d1af110b7167b907f6c213c8da0388cc94da267b3b26053", - "gdnAlternativeSignature0": "370b8fdda16cd6662fa9f668df5eb3d0a34e6a7df7f9a47aa8e76ca6db6d7ceb" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/idnsans.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/idnsans.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "e0143173968f10743c164db98a97f2f2ad51665ef207fc2e5ed568dadf16daa4", - "gdnAlternativeSignature0": "6a0059872bc6e5a9f1910e1c20b82a8c9770991596470214159c8d720884cf3c" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.passwd.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.passwd.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 37 - } - } - } - ], - "fingerprints": { - "HashCode": "vIPMvs25zTEA4CvYd/yXI5Q3s9TvruLN5sjPEqmD9Qo=", - "gdnPrimarySignature": "81cfc42c1d0b6a44b58032508492c13a1da8709259d9b955b7818b54375d7454", - "gdnAlternativeSignature0": "a3834b8e54bd96dedf30634b2195d9c1b45ffc9ac2d0cf9e7d72fb01ab2be4b6" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "a5673d23e7575ac45ddbdc1d2e29a20164ef7e82f569408bffe292ceb779806a", - "gdnAlternativeSignature0": "13b90a64372a219e131bd44c942fb99d2e0499c28a050af144f432498b71b0b7" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert2.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert2.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "0e05cea19167aed8b8ae01c841a7334ccb9c7fd7b993406580ff2832d15f7ce5", - "gdnAlternativeSignature0": "17f42847401af81a1d829e8aeac516090ae6c41935d0265f19c20dc5208ce44b" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert3.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert3.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "cc2c869c6af3917c188f3405a5cab29825b895ad248b5e8d5657be11a3575e97", - "gdnAlternativeSignature0": "77b87003353fbbbdd842e915e87ceb94a00295aaa14b394e046cfc2e3d4c70a3" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert4.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert4.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "c778616f1b5c561f1c66d5843f0e4759cbccf82ba1868f8af267ba96077086df", - "gdnAlternativeSignature0": "c387065dadee4e1320aee04842ec83e45758e802066fcc8deba5055695bfe565" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycertecc.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycertecc.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "07fc5532f6969723a59a30bbf4679124b3408c52ad141644aefd5a5ee5ce3187", - "gdnAlternativeSignature0": "c3edc90bf722fd1545c98c99e988dc5405b162ce917767cb0aa7f53ac4954506" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/pycakey.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/pycakey.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "4d5d643001bdc9ca750ddc12572d03f20c6ea6b00ccec260daad81b2cbaad937", - "gdnAlternativeSignature0": "5940924f309382ed130dc9019b7ddc750982599de02152e9f2badb1a4def1c77" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.passwd.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.passwd.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 37 - } - } - } - ], - "fingerprints": { - "HashCode": "vIPMvs25zTEA4CvYd/yXI5Q3s9TvruLN5sjPEqmD9Qo=", - "gdnPrimarySignature": "78f7c576f77b65667382d3cd1f98088d2a5e607d39cc22af6729d55e1f62f28c", - "gdnAlternativeSignature0": "45c71b1ac1f0538e9be6aba276dcb1484749f62e1ed6c955b8d06b3a034f4295" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "1f4b7943f9d0c70caa2b1022c17ac1978128ebd3cf36afb1375dbd8dade2cd89", - "gdnAlternativeSignature0": "47585da2145382121fadbbbe66ef8b7f20a193b4b38372d031552b996edb0fea" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - } - ], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "toolInfoId": "credscan>>2>>202411062057" - } - }, - { - "tool": { - "driver": { - "name": "eslint", - "version": "8.56.0", - "informationUri": "https://eslint.org", - "properties": { - "RawName": "eslint" - } - } - }, - "invocations": [ - { - "toolConfigurationNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/gulpfile.js", - "index": 0 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/lib/container-mapping.js", - "index": 1 - }, - "region": { - "startLine": 36, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/lib/main.js", - "index": 2 - }, - "region": { - "startLine": 35, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/lib/msdo-helpers.js", - "index": 3 - }, - "region": { - "startLine": 7, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/lib/msdo.js", - "index": 5 - }, - "region": { - "startLine": 36, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/lib/post.js", - "index": 6 - }, - "region": { - "startLine": 35, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/lib/pre.js", - "index": 7 - }, - "region": { - "startLine": 35, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/samples/insecure.js", - "index": 8 - }, - "region": { - "startLine": 1, - "startColumn": 5 - } - } - } - ], - "message": { - "text": "Parsing error: Unexpected token injection" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/container-mapping.ts", - "index": 9 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/main.ts", - "index": 10 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/msdo-helpers.ts", - "index": 11 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/msdo-interface.ts", - "index": 12 - }, - "region": { - "startLine": 4, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'export' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/msdo.ts", - "index": 13 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/post.ts", - "index": 14 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/pre.ts", - "index": 15 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/test/post.tests.ts", - "index": 16 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/test/pre.tests.ts", - "index": 17 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/test/testCommon.ts", - "index": 18 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - } - ], - "executionSuccessful": false - } - ], - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "artifacts": [ - { - "location": { - "uri": "file:///D:/source/security-devops-action/gulpfile.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/container-mapping.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/main.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/msdo-helpers.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/msdo-interface.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/msdo.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/post.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/pre.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/samples/insecure.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/container-mapping.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/main.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/msdo-helpers.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/msdo-interface.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/msdo.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/post.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/pre.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/test/post.tests.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/test/pre.tests.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/test/testCommon.ts" - } - } - ], - "results": [], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "toolInfoId": "eslint>>3>>202411062057" - } - }, - { - "tool": { - "driver": { - "name": "iacfilescanner", - "organization": "Microsoft", - "fullName": "IaC File Scanner", - "version": "0.1.3", - "rules": [ - { - "id": "IFS-1", - "name": "TagForResource", - "help": { - "text": "An IaC tag(s) was found on this resource. If there is a supported mapping tag, it will be used for code-to-cloud mapping." - }, - "shortDescription": { - "text": "An IaC tag(s) was found on this resource." - }, - "messageStrings": { - "default": { - "text": "An IaC tag(s) was found on this resource." - } - } - } - ], - "properties": { - "RawName": "iacfilescanner" - } - } - }, - "invocations": [ - { - "startTimeUtc": "2024-11-07T04:57:38.817Z", - "endTimeUtc": "2024-11-07T04:57:38.863Z", - "executionSuccessful": true - } - ], - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "originalUriBaseIds": { - "ROOTPATH": { - "uri": "file:///D:/source/security-devops-action" - } - }, - "artifacts": [ - { - "location": { - "uri": "samples/IaCMapping/main.tf", - "uriBaseId": "ROOTPATH" - } - } - ], - "results": [ - { - "ruleId": "IFS-1", - "ruleIndex": 0, - "level": "note", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - }, - "logicalLocations": [ - { - "fullyQualifiedName": "iacmapping1212", - "kind": "azurerm_storage_account" - } - ], - "properties": { - "mappingTagDictionary": {"mapping_tag":"6189b638-15a5-42ec-b934-0d2b8e035ce1"} - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6a2b2a71245a88c5e349c7097ea77bb21272924e2d7d7fb032670e63664912bd", - "gdnAlternativeSignature0": "21dbf0708629d98ff73f008fe2a43b6e0848c2e9ab665049176189097f037ace" - } - } - ], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "toolInfoId": "iacfilescanner>>4>>202411062057" - } - }, - { - "tool": { - "driver": { - "name": "templateanalyzer", - "organization": "Microsoft", - "fullName": "Template Analyzer", - "version": "0.8.0+1ba73133c28786a16b2c19e5d5eef09eb2324538", - "informationUri": "https://github.com/Azure/template-analyzer", - "rules": [ - { - "id": "TA-000001", - "name": "AppService.EnableDiagnosticLogs", - "fullDescription": { - "text": "Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised." - }, - "help": { - "text": "Enable diagnostic logs in App Service." - }, - "shortDescription": { - "text": "Diagnostic logs in App Service should be enabled." - }, - "messageStrings": { - "default": { - "text": "Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000001-diagnostic-logs-in-app-service-should-be-enabled" - }, - { - "id": "TA-000003", - "name": "AppServiceAPIApp.OnlyFTPS", - "fullDescription": { - "text": "Enable FTPS enforcement for enhanced security." - }, - "help": { - "text": "Enable FTPS enforcement for enhanced security." - }, - "shortDescription": { - "text": "FTPS only should be required in your API app." - }, - "messageStrings": { - "default": { - "text": "Enable FTPS enforcement for enhanced security." - } - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000003-ftps-only-should-be-required-in-your-api-app" - }, - { - "id": "TA-000004", - "name": "AppServiceAPIApp.OnlyHTTPS", - "fullDescription": { - "text": "API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." - }, - "help": { - "text": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks." - }, - "shortDescription": { - "text": "API app should only be accessible over HTTPS." - }, - "messageStrings": { - "default": { - "text": "API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md#ta-000004-api-app-should-only-be-accessible-over-https" - }, - { - "id": "TA-000005", - "name": "AppServiceAPIApp.UseLatestTLS", - "fullDescription": { - "text": "API apps should require the latest TLS version." - }, - "help": { - "text": "Upgrade to the latest TLS version." - }, - "shortDescription": { - "text": "Latest TLS version should be used in your API app." - }, - "messageStrings": { - "default": { - "text": "API apps should require the latest TLS version." - } - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000005-latest-tls-version-should-be-used-in-your-api-app" - }, - { - "id": "TA-000006", - "name": "AppServiceAPIApp.RestrictCORSAccess", - "fullDescription": { - "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app." - }, - "help": { - "text": "Allow only required domains to interact with your API app." - }, - "shortDescription": { - "text": "CORS should not allow every resource to access your API app." - }, - "messageStrings": { - "default": { - "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app." - } - }, - "defaultConfiguration": { - "level": "note" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000006-cors-should-not-allow-every-resource-to-access-your-api-app" - }, - { - "id": "TA-000007", - "name": "AppServiceAPIApp.UseManagedIdentity", - "fullDescription": { - "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." - }, - "help": { - "text": "Use a managed identity for enhanced authentication security." - }, - "shortDescription": { - "text": "Managed identity should be used in your API app." - }, - "messageStrings": { - "default": { - "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000007-managed-identity-should-be-used-in-your-api-app" - }, - { - "id": "TA-000009", - "name": "AppServiceFunctionApp.OnlyFTPS", - "fullDescription": { - "text": "Enable FTPS enforcement for enhanced security." - }, - "help": { - "text": "Enable FTPS enforcement for enhanced security." - }, - "shortDescription": { - "text": "FTPS only should be required in your function app." - }, - "messageStrings": { - "default": { - "text": "Enable FTPS enforcement for enhanced security." - } - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000009-ftps-only-should-be-required-in-your-function-app" - }, - { - "id": "TA-000010", - "name": "AppServiceFunctionApp.OnlyHTTPS", - "fullDescription": { - "text": "Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." - }, - "help": { - "text": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks." - }, - "shortDescription": { - "text": "Function app should only be accessible over HTTPS." - }, - "messageStrings": { - "default": { - "text": "Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000010-function-app-should-only-be-accessible-over-https" - }, - { - "id": "TA-000011", - "name": "AppServiceFunctionApp.UseLatestTLS", - "fullDescription": { - "text": "Function apps should require the latest TLS version." - }, - "help": { - "text": "Upgrade to the latest TLS version." - }, - "shortDescription": { - "text": "Latest TLS version should be used in your function app." - }, - "messageStrings": { - "default": { - "text": "Function apps should require the latest TLS version." - } - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000011-latest-tls-version-should-be-used-in-your-function-app" - }, - { - "id": "TA-000012", - "name": "AppServiceFunctionApp.RestrictCORSAccess", - "fullDescription": { - "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your function app. Allow only required domains to interact with your function app." - }, - "help": { - "text": "Allow only required domains to interact with your function app." - }, - "shortDescription": { - "text": "CORS should not allow every resource to access your function app." - }, - "messageStrings": { - "default": { - "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your function app. Allow only required domains to interact with your function app." - } - }, - "defaultConfiguration": { - "level": "note" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000012-cors-should-not-allow-every-resource-to-access-your-function-app" - }, - { - "id": "TA-000013", - "name": "AppServiceFunctionApp.UseManagedIdentity", - "fullDescription": { - "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." - }, - "help": { - "text": "Use a managed identity for enhanced authentication security." - }, - "shortDescription": { - "text": "Managed identity should be used in your function app." - }, - "messageStrings": { - "default": { - "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000013-managed-identity-should-be-used-in-your-function-app" - }, - { - "id": "TA-000015", - "name": "AppServiceWebApp.OnlyFTPS", - "fullDescription": { - "text": "Enable FTPS enforcement for enhanced security." - }, - "help": { - "text": "Enable FTPS enforcement for enhanced security." - }, - "shortDescription": { - "text": "FTPS only should be required in your web app." - }, - "messageStrings": { - "default": { - "text": "Enable FTPS enforcement for enhanced security." - } - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000015-ftps-only-should-be-required-in-your-web-app" - }, - { - "id": "TA-000016", - "name": "AppServiceWebApp.OnlyHTTPS", - "fullDescription": { - "text": "Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." - }, - "help": { - "text": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks." - }, - "shortDescription": { - "text": "Web apps should only be accessible over HTTPS." - }, - "messageStrings": { - "default": { - "text": "Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000016-web-apps-should-only-be-accessible-over-https" - }, - { - "id": "TA-000017", - "name": "AppServiceWebApp.UseLatestTLS", - "fullDescription": { - "text": "Web apps should require the latest TLS version." - }, - "help": { - "text": "Upgrade to the latest TLS version." - }, - "shortDescription": { - "text": "Latest TLS version should be used in your web app." - }, - "messageStrings": { - "default": { - "text": "Web apps should require the latest TLS version." - } - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000017-latest-tls-version-should-be-used-in-your-web-app" - }, - { - "id": "TA-000018", - "name": "AppServiceWebApp.RestrictCORSAccess", - "fullDescription": { - "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app." - }, - "help": { - "text": "Allow only required domains to interact with your web app." - }, - "shortDescription": { - "text": "CORS should not allow every resource to access your web apps." - }, - "messageStrings": { - "default": { - "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app." - } - }, - "defaultConfiguration": { - "level": "note" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000018-cors-should-not-allow-every-resource-to-access-your-web-apps" - }, - { - "id": "TA-000019", - "name": "AppServiceWebApp.UseManagedIdentity", - "fullDescription": { - "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." - }, - "help": { - "text": "Use a managed identity for enhanced authentication security." - }, - "shortDescription": { - "text": "Managed identity should be used in your web app." - }, - "messageStrings": { - "default": { - "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000019-managed-identity-should-be-used-in-your-web-app" - } - ], - "properties": { - "RawName": "templateanalyzer" - } - } - }, - "invocations": [ - { - "startTimeUtc": "2024-11-07T04:57:57.369Z", - "endTimeUtc": "2024-11-07T04:58:02.943Z", - "toolExecutionNotifications": [ - { - "message": { - "text": "Discovered 1 template-parameter pairs to analyze" - }, - "level": "note" - } - ], - "executionSuccessful": true - } - ], - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "originalUriBaseIds": { - "ROOTPATH": { - "uri": "file:///D:/source/security-devops-action" - } - }, - "artifacts": [ - { - "location": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - } - } - ], - "results": [ - { - "ruleId": "TA-000001", - "ruleIndex": 0, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 264 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "be38ef4a5beacf017f220b3d98472e58b2a22f36fd9be444d705a6da0156fd74", - "gdnAlternativeSignature0": "ed2c5f6d187878540408f5bbb17875166e824df9cd545c2071e66b80f6c4bb01" - } - }, - { - "ruleId": "TA-000001", - "ruleIndex": 0, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 280 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d37d8282e31133b27146eb024c2736f1d7b65bdd6a42c08607bdb2bead9b5423", - "gdnAlternativeSignature0": "4c40d2cc63ce679ba6157fdc72d12b40481a893ab13296c36239c7ed8622cb86" - } - }, - { - "ruleId": "TA-000003", - "ruleIndex": 1, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 165 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3549d0b318441c8b49bd89ca36ea85f70bf45f022ab8c0609706ff5f5a88d2d8", - "gdnAlternativeSignature0": "0edb0e1b59eb8e8d3fc182d647d80d92147876a0454f610aa836842fb52181e5" - } - }, - { - "ruleId": "TA-000003", - "ruleIndex": 1, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 195 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8dbbe99de40dee0eb3c9eb6568f8e48c5effeec820c694f77be3999efaad513b", - "gdnAlternativeSignature0": "f244a0d31df3eeaba0ca511703721d84fe79f8beb849b3cc4453a7f7e9ffc9c1" - } - }, - { - "ruleId": "TA-000004", - "ruleIndex": 2, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 29 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d1a766811373af8220668a1819fa53325b88ba36dffbf2706701e95dfa1e0aed", - "gdnAlternativeSignature0": "f0153f08d6d8174a8d76708b6935ba0ef2b38e06ff62758758e948d72ef1be52" - } - }, - { - "ruleId": "TA-000004", - "ruleIndex": 2, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 44 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6e9b1515330559d9ab46e4c5b6afdd2ee9a07fc5122b6c3748c3688cfeca2789", - "gdnAlternativeSignature0": "c0dd2c03abc529e58717d3191f4fd5e673d3316a39093ba7bd9b964920239290" - } - }, - { - "ruleId": "TA-000005", - "ruleIndex": 3, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 165 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b7e1a7ec5ef845a37f73c0407622bd567cdd07b2dfedc75a099d29862f374762", - "gdnAlternativeSignature0": "1cdb3b2f11971c7558e88df98da50f7e9a361b97dd3668a26543df13716d7597" - } - }, - { - "ruleId": "TA-000005", - "ruleIndex": 3, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 195 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4643d07151b417ee81f093352a1a712e3536febd4f9c68cb9774bc20578541ec", - "gdnAlternativeSignature0": "c90df3b94d648eb7354b444cbe823e580310b5eda0a5391f3f4c80b4c05317f9" - } - }, - { - "ruleId": "TA-000006", - "ruleIndex": 4, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 218 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "65526fef72a3bd5686e08978f894f58ee0c94d6b14333616137c1197168771c2", - "gdnAlternativeSignature0": "6738218eca8210aa235b6a000d75d9cd8ec306669ef6783344d819eea5ad16a3" - } - }, - { - "ruleId": "TA-000006", - "ruleIndex": 4, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 199 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "74875f7d2bcd35300850f78ef8d77d9ccba6f1f3e01f8aa8126148d78a157a60", - "gdnAlternativeSignature0": "02e4138fc76c7af81aa05894a92ac4d606d31021aa410b0aa62abbdd6eba5eed" - } - }, - { - "ruleId": "TA-000007", - "ruleIndex": 5, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 187 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "be7e0b3fdbf227e31c46e9fd7b3a36bd67a5577fe93fabe7de457fb26f58dc34", - "gdnAlternativeSignature0": "b76e97cfdd95980416531f989be2fa221fd4f3689c9ca167b515e573bc729d04" - } - }, - { - "ruleId": "TA-000009", - "ruleIndex": 6, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 309 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "265486bd8e28eea8810483d45dcc81f731cd9776eed60a7893943e33d9b07b6f", - "gdnAlternativeSignature0": "ed44340ff877ba9d68523648797c4f0f7b56c7c028d93312e55d5c4dc2cdf0a8" - } - }, - { - "ruleId": "TA-000009", - "ruleIndex": 6, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 325 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d70937da25c2f4c4bf54334ccc495634c22918258a3b46e45fcd389fd482855f", - "gdnAlternativeSignature0": "34c1f242e862c9a4b1ccceb99a33b1aac0df47aadcc5e6b4cc6a9957bfa60ddb" - } - }, - { - "ruleId": "TA-000010", - "ruleIndex": 7, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 70 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f09e415fda3660cc86a250ca8b35c87db6d6f5d15c69693c1cee3d5a1bd841c4", - "gdnAlternativeSignature0": "c11ab3206f07476269883239e183c0a38d77630a64dc0a0fac178d45f7f0cb8b" - } - }, - { - "ruleId": "TA-000010", - "ruleIndex": 7, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 85 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b3eb7244e83ec91b3b2fdcadbdd498b8f8095140b6c23b74883b5ca61878a994", - "gdnAlternativeSignature0": "3a37f05c16ebd9b493c603024eeb1c5f9c35a5a44d2378a11b6c33003fba815f" - } - }, - { - "ruleId": "TA-000011", - "ruleIndex": 8, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 309 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "03a4354b8e006461fb34be109fe4601b633f817d7b237a02dbf2f1346d91e0b4", - "gdnAlternativeSignature0": "c490246cd2a3ee33ab981814e002c687938d33fba3eefb891fd8db2c7a92d64c" - } - }, - { - "ruleId": "TA-000011", - "ruleIndex": 8, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 325 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "24126068b178d605ced2a12989a4fa2ebd4d15eb30c7c2c37b9d3c6cab349686", - "gdnAlternativeSignature0": "c5923a6a520bd145ef3957d75a6c9d8cbf1025fcd4915449e60bbb02bd10a9e8" - } - }, - { - "ruleId": "TA-000012", - "ruleIndex": 9, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 313 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "36e23dcaac28961df21b197c601391bc76f0c90d72380a56f1fa29327bd0017c", - "gdnAlternativeSignature0": "3fa84bc1cc49b60bb7204fb88c7fada8faa63e5f8c9984e10e1b83d3b95bb9e7" - } - }, - { - "ruleId": "TA-000012", - "ruleIndex": 9, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 218 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b20e23b6ed47125967e4d087e615c9d4a9aba6d7dd9e2176ed151efcebb82d02", - "gdnAlternativeSignature0": "2ee68544e8b6b6a54363c95df7bd3d1422cf1c193ed005dddba038439e9650d7" - } - }, - { - "ruleId": "TA-000013", - "ruleIndex": 10, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 319 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ed0363b6f87f1d4e7c0807f68e051e1b3787bafbd2455d4528a10bf4d94b9edf", - "gdnAlternativeSignature0": "72d1e7c2a57d35fa08e178c56264746e48ed563a4da2d7f5dc8570438ed5d90c" - } - }, - { - "ruleId": "TA-000015", - "ruleIndex": 11, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 264 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ec6f5ed98134d472df3077d9c883d07c25923b8e2f9f0ee4ad62438d0a72b4f4", - "gdnAlternativeSignature0": "5e86cd98e6560ffb14e4eb72c99c8a11042feb183a1713a37c682f8417eca214" - } - }, - { - "ruleId": "TA-000015", - "ruleIndex": 11, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 280 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "38abf206aa092efe2a8fa6d3546f1a342e08c86f4b25be558b8afd5bcb532651", - "gdnAlternativeSignature0": "f53e1db90f911dfc29b77e08c01fc16a609b9720473da74edae88428a4e2bc1c" - } - }, - { - "ruleId": "TA-000016", - "ruleIndex": 12, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 111 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "408e1546a1bb4ad4b304b67d08fe6d99943c94a173d95edb8ddaa25a03798989", - "gdnAlternativeSignature0": "84d16425f679ebd232bade7a449c0cdbfef3776b9b928279599f00b71fbcfb22" - } - }, - { - "ruleId": "TA-000016", - "ruleIndex": 12, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 125 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "bce4367d8d17dfed8e0504a56bdbde591cfc253f3632a2f21142dffcac9e33a5", - "gdnAlternativeSignature0": "e76df0666939f84d4c4ef2f13e863a131ecb5f7e36060126730de3bd7aee8734" - } - }, - { - "ruleId": "TA-000017", - "ruleIndex": 13, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 264 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "84b7be1aa526d0d05c2de90d3e202c9ac537835e7b3140c871e452ee53505cf7", - "gdnAlternativeSignature0": "059a393d058cffaa8cdbe2fad159ee89d4f04ea63fcbee3981408888a39432e8" - } - }, - { - "ruleId": "TA-000017", - "ruleIndex": 13, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 280 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c8faed1d99ea5b1ced01439da3370660d482769c59a7665dda694f69f336bc76", - "gdnAlternativeSignature0": "216e7a3be42bfa5aae23ed3abf7bccf0d48aa5ad6ae0f617088f0de77723da89" - } - }, - { - "ruleId": "TA-000018", - "ruleIndex": 14, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 268 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b17d79fb40da84e43645bcdc62e3f720f8039e9be3454fd847cbef27623eea6f", - "gdnAlternativeSignature0": "4050ebca29a424898a464da3b851e5ae90c32384f653b4478a38a331c2639fa8" - } - }, - { - "ruleId": "TA-000018", - "ruleIndex": 14, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 218 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "478c565e6f29f52f64c42e08aca4fe0c94a9ed37a629ab4529d58c764580df69", - "gdnAlternativeSignature0": "0a4753c9c18e6f31fb4d238774fa74f694731b7aff4566b256d7a4f2c93536cd" - } - }, - { - "ruleId": "TA-000019", - "ruleIndex": 15, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 274 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b7f8fadd8a0cbc8600952d828f4f4f59c163cd99350430230e976a126d8c9a89", - "gdnAlternativeSignature0": "1dad07739d9b4f2d7845f7a709da12b240d41c1a3536217dc80b23b104ea5362" - } - } - ], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "toolInfoId": "templateanalyzer>>5>>202411062057" - } - }, - { - "tool": { - "driver": { - "name": "checkov", - "organization": "bridgecrew", - "version": "3.2.199", - "informationUri": "https://checkov.io", - "rules": [ - { - "id": "CKV_AZURE_59", - "name": "Ensure that Storage accounts disallow public access", - "fullDescription": { - "text": "Ensure that Storage accounts disallow public access" - }, - "help": { - "text": "Ensure that Storage accounts disallow public access\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access" - }, - { - "id": "CKV_AZURE_33", - "name": "Ensure Storage logging is enabled for Queue service for read, write and delete requests", - "fullDescription": { - "text": "Ensure Storage logging is enabled for Queue service for read, write and delete requests" - }, - "help": { - "text": "Ensure Storage logging is enabled for Queue service for read, write and delete requests\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service" - }, - { - "id": "CKV_AZURE_44", - "name": "Ensure Storage Account is using the latest version of TLS encryption", - "fullDescription": { - "text": "Ensure Storage Account is using the latest version of TLS encryption" - }, - "help": { - "text": "Ensure Storage Account is using the latest version of TLS encryption\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2" - }, - { - "id": "CKV_AZURE_190", - "name": "Ensure that Storage blobs restrict public access", - "fullDescription": { - "text": "Ensure that Storage blobs restrict public access" - }, - "help": { - "text": "Ensure that Storage blobs restrict public access\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azr-networking-190" - }, - { - "id": "CKV2_AZURE_40", - "name": "Ensure storage account is not configured with Shared Key authorization", - "fullDescription": { - "text": "Ensure storage account is not configured with Shared Key authorization" - }, - "help": { - "text": "Ensure storage account is not configured with Shared Key authorization\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-40" - }, - { - "id": "CKV2_AZURE_47", - "name": "Ensure storage account is configured without blob anonymous access", - "fullDescription": { - "text": "Ensure storage account is configured without blob anonymous access" - }, - "help": { - "text": "Ensure storage account is configured without blob anonymous access\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-47" - }, - { - "id": "CKV2_AZURE_33", - "name": "Ensure storage account is configured with private endpoint", - "fullDescription": { - "text": "Ensure storage account is configured with private endpoint" - }, - "help": { - "text": "Ensure storage account is configured with private endpoint\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azure-2-33" - }, - { - "id": "CKV2_AZURE_41", - "name": "Ensure storage account is configured with SAS expiration policy", - "fullDescription": { - "text": "Ensure storage account is configured with SAS expiration policy" - }, - "help": { - "text": "Ensure storage account is configured with SAS expiration policy\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41" - }, - { - "id": "CKV2_AZURE_38", - "name": "Ensure soft-delete is enabled on Azure storage account", - "fullDescription": { - "text": "Ensure soft-delete is enabled on Azure storage account" - }, - "help": { - "text": "Ensure soft-delete is enabled on Azure storage account\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azure-2-38" - }, - { - "id": "CKV2_AZURE_1", - "name": "Ensure storage for critical data are encrypted with Customer Managed Key", - "fullDescription": { - "text": "Ensure storage for critical data are encrypted with Customer Managed Key" - }, - "help": { - "text": "Ensure storage for critical data are encrypted with Customer Managed Key\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key" - }, - { - "id": "CKV_K8S_25", - "name": "Minimize the admission of containers with added capability", - "fullDescription": { - "text": "Minimize the admission of containers with added capability" - }, - "help": { - "text": "Minimize the admission of containers with added capability\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24" - }, - { - "id": "CKV_K8S_20", - "name": "Containers should not run with allowPrivilegeEscalation", - "fullDescription": { - "text": "Containers should not run with allowPrivilegeEscalation" - }, - "help": { - "text": "Containers should not run with allowPrivilegeEscalation\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19" - }, - { - "id": "CKV_K8S_21", - "name": "The default namespace should not be used", - "fullDescription": { - "text": "The default namespace should not be used" - }, - "help": { - "text": "The default namespace should not be used\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20" - }, - { - "id": "CKV_K8S_28", - "name": "Minimize the admission of containers with the NET_RAW capability", - "fullDescription": { - "text": "Minimize the admission of containers with the NET_RAW capability" - }, - "help": { - "text": "Minimize the admission of containers with the NET_RAW capability\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27" - }, - { - "id": "CKV_K8S_43", - "name": "Image should use digest", - "fullDescription": { - "text": "Image should use digest" - }, - "help": { - "text": "Image should use digest\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39" - }, - { - "id": "CKV_K8S_8", - "name": "Liveness Probe Should be Configured", - "fullDescription": { - "text": "Liveness Probe Should be Configured" - }, - "help": { - "text": "Liveness Probe Should be Configured\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7" - }, - { - "id": "CKV_K8S_37", - "name": "Minimize the admission of containers with capabilities assigned", - "fullDescription": { - "text": "Minimize the admission of containers with capabilities assigned" - }, - "help": { - "text": "Minimize the admission of containers with capabilities assigned\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34" - }, - { - "id": "CKV_K8S_29", - "name": "Apply security context to your pods and containers", - "fullDescription": { - "text": "Apply security context to your pods and containers" - }, - "help": { - "text": "Apply security context to your pods and containers\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers" - }, - { - "id": "CKV_K8S_22", - "name": "Use read-only filesystem for containers where possible", - "fullDescription": { - "text": "Use read-only filesystem for containers where possible" - }, - "help": { - "text": "Use read-only filesystem for containers where possible\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21" - }, - { - "id": "CKV_K8S_23", - "name": "Minimize the admission of root containers", - "fullDescription": { - "text": "Minimize the admission of root containers" - }, - "help": { - "text": "Minimize the admission of root containers\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22" - }, - { - "id": "CKV_K8S_40", - "name": "Containers should run as a high UID to avoid host conflict", - "fullDescription": { - "text": "Containers should run as a high UID to avoid host conflict" - }, - "help": { - "text": "Containers should run as a high UID to avoid host conflict\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37" - }, - { - "id": "CKV_K8S_31", - "name": "Ensure that the seccomp profile is set to docker/default or runtime/default", - "fullDescription": { - "text": "Ensure that the seccomp profile is set to docker/default or runtime/default" - }, - "help": { - "text": "Ensure that the seccomp profile is set to docker/default or runtime/default\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29" - }, - { - "id": "CKV_K8S_38", - "name": "Ensure that Service Account Tokens are only mounted where necessary", - "fullDescription": { - "text": "Ensure that Service Account Tokens are only mounted where necessary" - }, - "help": { - "text": "Ensure that Service Account Tokens are only mounted where necessary\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35" - }, - { - "id": "CKV2_K8S_6", - "name": "Minimize the admission of pods which lack an associated NetworkPolicy", - "fullDescription": { - "text": "Minimize the admission of pods which lack an associated NetworkPolicy" - }, - "help": { - "text": "Minimize the admission of pods which lack an associated NetworkPolicy\nResource: Pod.default.cassandra.app-cassandra" - }, - "defaultConfiguration": { - "level": "error" - } - }, - { - "id": "CKV_AZURE_225", - "name": "Ensure the App Service Plan is zone redundant", - "fullDescription": { - "text": "Ensure the App Service Plan is zone redundant" - }, - "help": { - "text": "Ensure the App Service Plan is zone redundant\nResource: Microsoft.Web/serverfarms.serverFarm" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-storage-policies/bc-azure-225" - }, - { - "id": "CKV_AZURE_17", - "name": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set", - "fullDescription": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "help": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7" - }, - { - "id": "CKV_AZURE_78", - "name": "Ensure FTP deployments are disabled", - "fullDescription": { - "text": "Ensure FTP deployments are disabled" - }, - "help": { - "text": "Ensure FTP deployments are disabled\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-ftp-deployments-are-disabled" - }, - { - "id": "CKV_AZURE_18", - "name": "Ensure that 'HTTP Version' is the latest if used to run the web app", - "fullDescription": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "help": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8" - }, - { - "id": "CKV_AZURE_14", - "name": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service", - "fullDescription": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "help": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-5" - }, - { - "id": "CKV_AZURE_16", - "name": "Ensure that Register with Azure Active Directory is enabled on App Service", - "fullDescription": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "help": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1" - }, - { - "id": "CKV_AZURE_71", - "name": "Ensure that Managed identity provider is enabled for web apps", - "fullDescription": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "help": { - "text": "Ensure that Managed identity provider is enabled for web apps\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services" - }, - { - "id": "CKV_AZURE_15", - "name": "Ensure web app is using the latest version of TLS encryption", - "fullDescription": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "help": { - "text": "Ensure web app is using the latest version of TLS encryption\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-6" - }, - { - "id": "CKV_AZURE_222", - "name": "Ensure that Azure Web App public network access is disabled", - "fullDescription": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "help": { - "text": "Ensure that Azure Web App public network access is disabled\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azr-networking-63" - }, - { - "id": "CKV_AZURE_153", - "name": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot", - "fullDescription": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "help": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-azure-web-app-redirects-all-http-traffic-to-https-in-azure-app-service-slot" - }, - { - "id": "CKV_AZURE_67", - "name": "Ensure that 'HTTP Version' is the latest, if used to run the Function app", - "fullDescription": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "help": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-http-version-is-the-latest-if-used-to-run-the-function-app" - }, - { - "id": "CKV_AZURE_70", - "name": "Ensure that Function apps is only accessible over HTTPS", - "fullDescription": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "help": { - "text": "Ensure that Function apps is only accessible over HTTPS\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-that-function-apps-is-only-accessible-over-https" - }, - { - "id": "CKV_AZURE_13", - "name": "Ensure App Service Authentication is set on Azure App Service", - "fullDescription": { - "text": "Ensure App Service Authentication is set on Azure App Service" - }, - "help": { - "text": "Ensure App Service Authentication is set on Azure App Service\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azr-general-2" - }, - { - "id": "CKV_AZURE_65", - "name": "Ensure that App service enables detailed error messages", - "fullDescription": { - "text": "Ensure that App service enables detailed error messages" - }, - "help": { - "text": "Ensure that App service enables detailed error messages\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages" - }, - { - "id": "CKV_AZURE_80", - "name": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app", - "fullDescription": { - "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app" - }, - "help": { - "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app" - }, - { - "id": "CKV_AZURE_66", - "name": "Ensure that App service enables failed request tracing", - "fullDescription": { - "text": "Ensure that App service enables failed request tracing" - }, - "help": { - "text": "Ensure that App service enables failed request tracing\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing" - }, - { - "id": "CKV_AZURE_63", - "name": "Ensure that App service enables HTTP logging", - "fullDescription": { - "text": "Ensure that App service enables HTTP logging" - }, - "help": { - "text": "Ensure that App service enables HTTP logging\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging" - }, - { - "id": "CKV_AZURE_88", - "name": "Ensure that app services use Azure Files", - "fullDescription": { - "text": "Ensure that app services use Azure Files" - }, - "help": { - "text": "Ensure that app services use Azure Files\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files" - }, - { - "id": "CKV_DOCKER_2", - "name": "Ensure that HEALTHCHECK instructions have been added to container images", - "fullDescription": { - "text": "Ensure that HEALTHCHECK instructions have been added to container images" - }, - "help": { - "text": "Ensure that HEALTHCHECK instructions have been added to container images\nResource: /samples\\Dockerfile." - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images" - }, - { - "id": "CKV_DOCKER_3", - "name": "Ensure that a user for the container has been created", - "fullDescription": { - "text": "Ensure that a user for the container has been created" - }, - "help": { - "text": "Ensure that a user for the container has been created\nResource: /samples\\Dockerfile." - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created" - } - ], - "properties": { - "RawName": "checkov" - } - } - }, - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "results": [ - { - "ruleId": "CKV_DOCKER_2", - "ruleIndex": 42, - "level": "note", - "message": { - "text": "Ensure that HEALTHCHECK instructions have been added to container images" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/Dockerfile" - }, - "region": { - "startLine": 1, - "endLine": 2, - "snippet": { - "text": "FROM alpine:3.14.0\nRUN echo \"testuser:x:10999:10999:,,,:/home/testuser:/bin/bash\" >> /etc/passwd && echo \"testuser::18761:0:99999:7:::\" >> /etc/shadow\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d575ad4cda6d50d0a5b22693f2455c3705f7c36bb4b15adc9192690133bf9374", - "gdnAlternativeSignature0": "b638b75acb82e58442ebe3ecff85569f7009ac136ba3db701680ba599b613c84" - }, - "attachments": [] - }, - { - "ruleId": "CKV_DOCKER_3", - "ruleIndex": 43, - "level": "note", - "message": { - "text": "Ensure that a user for the container has been created" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/Dockerfile" - }, - "region": { - "startLine": 1, - "endLine": 2, - "snippet": { - "text": "FROM alpine:3.14.0\nRUN echo \"testuser:x:10999:10999:,,,:/home/testuser:/bin/bash\" >> /etc/passwd && echo \"testuser::18761:0:99999:7:::\" >> /etc/shadow\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "1242a262a0e0dc6e681ad67a81a121ae66f0b2562d1d669a066233daaa7a615a", - "gdnAlternativeSignature0": "81662655dc607bf53d1554c1d9b11df48d1d564eac1529173b8d0a2e61969e63" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_225", - "ruleIndex": 24, - "message": { - "text": "Ensure the App Service Plan is zone redundant" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 14, - "endLine": 19, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/serverfarms\",\n \"name\": \"serverFarm\",\n \"location\": \"[parameters('location')]\"\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5221a67299814f524df6a6522077373a0fd22c2d3f1748e6025a8552333f7141", - "gdnAlternativeSignature0": "e6aab96518196be0b417589447f9a67fea4ac7f6f0a89667d1394f61195916f6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2052f152b6d5766a7b59a9c7b4f1d29a0f7bb9060b894b7a65b9e58207a28318", - "gdnAlternativeSignature0": "e18fdea947ebaa5eeda8e3c09e3f041d81794a440563fc2ff6526653c22c9300" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5f73cccef9e3e5de304868ce267f1b16ddbbad0c9c52f4c39866f9e347b7d5d2", - "gdnAlternativeSignature0": "7806091df62a7f1ac9e2fd4c6a8f834a76f61fa22e8e6b577272499b3e942104" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b9354cf1c73339ba30adcd102787a08181f25aaff9f6782332e185ca65fb9a6b", - "gdnAlternativeSignature0": "c95f4a7cc4fb4eab5c51d2885069bf453fc79e65aac23ff2d04b015fe36717d0" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_14", - "ruleIndex": 28, - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "be5f727a2ce11c634799422c02b8a4786d9b57ab5402571c6025b43e6b077b3d", - "gdnAlternativeSignature0": "30eef084050fc6c74f476b1ce8aa4c766974299647bbfbf548e37ddd1fc1ceb1" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8ec0cf28cfe77f1886c419e78389f8a6102878cb7612535c76516fd29c664889", - "gdnAlternativeSignature0": "b35de61bb549b7a7050bd10b59810d2d6c10f19155d87b4bd9b1f6a92ac87ae8" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ee7a8721be19f071f11af14aaa7aca9576415f4d4d1e62346a853f58100c82e4", - "gdnAlternativeSignature0": "ec622e49b27f8e22a9e6f643cf8cf907eb559102eae22be4e991b94720701355" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ef9b889940362ecd85475a4717800814cf44656011817a1d3370a3bcab0f9006", - "gdnAlternativeSignature0": "e8b887b9e4630d128d846a53822b5d4d36f7078245f4e138644f951d5da1c04b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e1dc47b6e2369dd39565addd153d327dd0d76de16d44d15949739b4ece89857b", - "gdnAlternativeSignature0": "d43a14c244c9f2b15c1ba3cec391a15f1baf94ac985c7db47cad796ef60a075e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_153", - "ruleIndex": 33, - "level": "note", - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "97d7ca490bf520d069c13ebdb0d71a09b89fcd7769dde3ce13a56b628553002e", - "gdnAlternativeSignature0": "4900509f0378a44b7fbeba8ec8bf1dbc277cdf17e6f3726e7111c71d23884b5a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c56f175caf69b08d44542457468251bc934009d1db105d9b7bbebcbcb3beb452", - "gdnAlternativeSignature0": "913aa909429d17a84df0c1e8748ff6aea024d4ef99d8904de01b8ebfebb6ef2c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_70", - "ruleIndex": 35, - "message": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2f45d4e06de44a01421e37f361501aad833ff822c1204548527c417f387a4bfd", - "gdnAlternativeSignature0": "c1176515ad6f738679a0735507229cb7137334a387d241a6f6f16e99fe2c2751" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "77217b91fc3a35c94077b14d569129379554bc6c475fef0ed13e21ee3f64e356", - "gdnAlternativeSignature0": "a92fd4c7fd1c82fb5c7c4e2b973b97bd202817cb9be0631ec7ec94540eca12a0" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "96272a03ccdc56a5a8b96c5109daa200cb64585bf6cb129647e817d4f08a4bfd", - "gdnAlternativeSignature0": "3e23e70479065b8d7df9e45448b64661427e6438fbe37d04a36266ce32bee78a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "67cba71b0950ef66e3a3a355b9a91d2d202c0813fe7f8b95e741f7812d7033fc", - "gdnAlternativeSignature0": "fbff0c06779ae5a02c627c32a5286e16208ac4855c442d93ca1238f9c34e1d11" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_14", - "ruleIndex": 28, - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2f0e38a86c95c2a52024f64d67bcd131909536c1a0e5b97ad5e093d03574efea", - "gdnAlternativeSignature0": "5ecca9431ae6ccf7833666998b89928bef027106342ff5293dbcea4fbfd8985f" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "047e97aec3e3db452cd6494fac807837f79de6dbf49057a6af9fa720f29866cd", - "gdnAlternativeSignature0": "4d3bb1bfb723ab4e801290b50a7f708428b9978d60d75e9d4b421ce3261e987e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "60a28f98c4f08919941b75af5cb9983b3d6d0d4fdbdfd72f0090398ec41d78b8", - "gdnAlternativeSignature0": "81e9acc15fdef5820327f3e7ba5bb7d63c7bc0ff05365b47c155fc8b5bf089f7" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "661df7e8e64bd5bdd34a1d439102b29529c13c746e5feb730fac1b89383a4443", - "gdnAlternativeSignature0": "20930ab9036a0597b410e4bbb9a3ae46121270bb3384764cabfe9af8664ee4c2" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "eef8e08eefe99efe6383c19a6c2f6896c9ef94af166789c535a44e439faff96b", - "gdnAlternativeSignature0": "d9cfc31c8fd621cb84b4ac6e4aebe8fbdc58ac745ec38f3cad71e0d6516cac75" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_153", - "ruleIndex": 33, - "level": "note", - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b6eaac00912ec69927074d73bba19050e90b93d7c2863034c5f57ac14b6c3f56", - "gdnAlternativeSignature0": "63b91b45615d3139f0c8994573f3c9045d8602acb32fa9a2b56ff7b1e8c030d3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "1a28305cc04bfcb6e7d6cd127478774b1bee41fc46643d7798536ede530ea751", - "gdnAlternativeSignature0": "0f393c4096130800e7805e4a66f1950cf2d771868201e4632b04ce44be71df65" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_70", - "ruleIndex": 35, - "message": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b7e0569871e364eb4f1ad13804f6bbac0225d2b791ccc53683c54d880a8d56ad", - "gdnAlternativeSignature0": "558d0b90f8a67d09495fad85b33c5877cb89b0319b670c21c57f4959cca1eaf1" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "aaddab01eb68ff517e9444b2e9d93377d31950dea3e82ddb8ab944c5dfee7c1f", - "gdnAlternativeSignature0": "57cebe241ad3cf45ef799f306169e2b2264d43b4510f8e0752726be7131ab490" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "590ff9987116abb8a3400496eddeb58c1f024d384c76051a44dc2c39e4e49283", - "gdnAlternativeSignature0": "61d1b562f5d44f6ddbc3c5c2814e820572971c9d99d41830d74ee6dab9e8b1b8" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "db280dfff3e2790244c8b505a80423b5448fc8e75d59a62250b7a79536cf7ff1", - "gdnAlternativeSignature0": "ac8dbe3cffb76f8661fc62b1f0f4da58be581b4d0ef2caa7f3cd204caca2463e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "aea92e244aca978f643e2e1ac665f53ebba318185bd336a66cd47a0b665060ec", - "gdnAlternativeSignature0": "b48782f8c3aa23c586d734684f31424229a47093f158458dc6b2d60685e3d769" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "798c50dcd9acde7329ed5009c3d07a2217acf11fec1f31004c527083961c540d", - "gdnAlternativeSignature0": "165dd9555e9c9161445bf7503e05d3cbed8dcbb6302f42637d6b45ccaca0ff58" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4c5dfc4574f7685bcd89ddc5a65c7d0c511987abf75c9de4430457d1727af8af", - "gdnAlternativeSignature0": "d2ce914431dc4d3c206c55b66c4b6dca1bb2031972528496dbf84c655535f145" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "44c94e00b2108329c9f76c78147b2604cc20cabbf31e7f8e4299bf4d2fd94f14", - "gdnAlternativeSignature0": "61c01b83b4d60836ee555f3f704f36d40cb7a30c25a0d5dcd09b5f172423448a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "235d3319b06d373c3b2babd6236b29e3ee46066a92409d48434ecf54474c4f3d", - "gdnAlternativeSignature0": "781e42feb7fc10ca262f5cce84e3a566206e0d9abfe2465ba0a1fb45a98eef9e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3645ea9051ae5673c813896b86a7ba9dd2b3b5e32c23cafc80908b2f2524f944", - "gdnAlternativeSignature0": "3f5299a9cafa29f11de4de69e3fd6545bbed0d8ef6dfdc23e989ccbd39b25cdd" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ca7a9cc04d61e4c2746e08d814a13bfce97322ab3330c23ac6a3a046e1da28cb", - "gdnAlternativeSignature0": "7223771f7f45cc448238ef3189a578bb9838dc9dcd6954b1769a77b8828299a3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "71dc14fcd10f9c9553a4da8ac502b6435b2ed0db62277cd987cca6d551c6d181", - "gdnAlternativeSignature0": "d43fc88acb8d338e40410db7c591108b80e3d46c28060e62437919f14f722dfe" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_14", - "ruleIndex": 28, - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3c0093298905723cba273ae4a7665878ab158eed129e338a933ea628f12cea27", - "gdnAlternativeSignature0": "3e6753aa3addf5ba0305dc624bf944236f65feb3fb342a87052ac03331c29086" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d1a5aac95999bad7e7b5c9e0e255d9d2ca11a7cea6fa5dc385222d4feaf488c3", - "gdnAlternativeSignature0": "33369208b079f75cbe0cab69fc1bf20ac7c43ea8f2b7536e1b4f13a771190cb6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d73af49617110ba351d090184b05165dc8855332c51a8857ed25280cf9afad44", - "gdnAlternativeSignature0": "09a999b4a9287158b3cca86c7e300c895a1350f7ef5816c5b55efc9f3ea7ce55" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "03753151129aae06d95a6bf05714f3962691cc58c210d7d9e1834d8fd0ccfbf9", - "gdnAlternativeSignature0": "ee019a6f911abaec8264daa5ce7e95edb613bb130a37c20e98d07b6ce408aa71" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b8b0b37b159d4ac33da5cc0f6c8e629f574c8e2989630facb7ed998b4fbd3e2b", - "gdnAlternativeSignature0": "c33ac75db46382ebd17cb142c0ac1e4ad6899e74b3a7aba6452e31cff4a58b91" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_153", - "ruleIndex": 33, - "level": "note", - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e964440f1574351b358e9ad24c3716799d68e1fff901003018bb171fe1731425", - "gdnAlternativeSignature0": "d665f8f5eb905b17e8a1114333ea0f968495576f17e39f7aa042a5e10d58f6dd" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "46bcafa5ef7682f49218b2cdae86203af9bd2d6676b1305517ff82ed2534c8a4", - "gdnAlternativeSignature0": "3aa93e2f42f94795cf57ca2abb96bbaf98d85c457a25083f5dc76fd25f6c828d" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_70", - "ruleIndex": 35, - "message": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8897f68b7d0cfd331d551cfe62263a1a37c12f1b2fa6cc72ced0fb70f1d07bea", - "gdnAlternativeSignature0": "1e32293b35ee682f0207bfc6b97b03f98947a3c42b123d602986180ab02349dd" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e19ab0fdf6b41c60416ec1789e435d14b225c9059e0cb0e72b85621eaa9a6a86", - "gdnAlternativeSignature0": "9c76d0ac3067ddae324af883867178b01d2394b6293865422cfd1c2a0d8f2322" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "9ccd2eec805423da588e0e4fb39a20af8824e7b43e64c3e4b69ef404665c32cc", - "gdnAlternativeSignature0": "f564ab2518131f06da69f86eb0b8f61753018f7a7779cfb057eddd15551977ee" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "9359461703908a57a96cb32c9d317be3fe28b28f0bf8392611a279a831e3c47d", - "gdnAlternativeSignature0": "4e87df39b2999630b9a10e9ecb92008f17baf6e351e0b208887f85e9931397af" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_14", - "ruleIndex": 28, - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "52979741c27ad8788e0a869cb9c45f1dd101ad482c8c5157b8812f78991baf31", - "gdnAlternativeSignature0": "5058e736e60a56f62767c611d9a6aa94a5845c6ee0c4aa10fb6626a2aa2a70bf" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "31f0c7f30ad4509ee75d1a179af6e021694beb27d3a38ff0b5bcf0fd5d9bfec0", - "gdnAlternativeSignature0": "1129123e54ead9a5143b8feca94087caf7d35b5ae8251eafbe5b7cc169c2321e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0768d45c77ded4c1385d2feae675b811f3c643696bda9156a8bfccd599aff704", - "gdnAlternativeSignature0": "a60f942f7a1141f3ee5bceb13b7991b3a42f1f9d9b467e82a0d3f2b9ba339d7c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6401e6c3c7b71999c46c38b67aac9488aa986bc7b294124d85576bda8a4c0a9a", - "gdnAlternativeSignature0": "4dfd2fb00d7468e4b5ec7f9be6f463d7ce9654014d94abd3d367315c073cb7bb" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e32c0ff998fcef5e2c8dc7044fad00fee70e804ea115377e31bb12a7f59a2c10", - "gdnAlternativeSignature0": "439c05a50fad4d75ec8d278a58719987c9009948631a2f11782251d73c8f4200" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_153", - "ruleIndex": 33, - "level": "note", - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a5c04b13d6677bc41f4b3715f1e01ce95036675d6de4df8dc0439de074a03d73", - "gdnAlternativeSignature0": "49b98e30d0dd7ce696a9b0b481e3281fd671f0fd70de26dd6fb7510b705e0f87" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e6301a23f58d4b667b0f9399522c3093c2289a6533a91c5cdcf22d245d526fa9", - "gdnAlternativeSignature0": "6091c16fd0d417e61913fb8a205a0381ceb3beab6ee091ecdef880751180c796" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_70", - "ruleIndex": 35, - "message": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0f2797770c6de1cf13dc915a59ed4540e23f915d86778fdb7e6b17a631c027fa", - "gdnAlternativeSignature0": "7f942a785576efce2530b9d5e5138b37b95f67caaaf4f068e03450ac35bc9b27" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8a917df4e8c678506a78db5559479538775f940b8c14aa146822e79c821a287e", - "gdnAlternativeSignature0": "536e095efb39b0a59bf24cda2950cc9d7a939e228a53bf159bf8cd0fb1b8da6e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "012a7cc9d1337a51d3b90f52d7866f9183fa75c796a6b444a5792554db38986e", - "gdnAlternativeSignature0": "a0b181e8b990ea5f29718c2f802c61d0e3d160d0fea9394c335ce70582b89c12" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "07162ca3946165f6599af87465895d93e3a4672e03b47519894ce51b2c5cc9bd", - "gdnAlternativeSignature0": "74128bc18a6b19a6678aa9cbd0384858bae0f0270c9c36bed84570fd26bfbaca" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a69519b3c5b094db4ab476ddeb127f3a19304d1a0dceaaa0990a3438551fa084", - "gdnAlternativeSignature0": "be3bd3018a1fbfa842ccab409f12e02b083c1afa3058a47b84c9fff1d4da82b3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "736147b83648552df9d3f8b2b392ab48a9bf9ab58620fb7a3818f40f07bbfc61", - "gdnAlternativeSignature0": "f27f79c0de60ef21728d0f1fc1410e6a2cea4efb033b119007e4e6ab0626384a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a4b11836c10056ef0cdbbdb6afefc25c31906aaa79ca3bdbc1bdb18ed2d011b7", - "gdnAlternativeSignature0": "07b6c44a303c8c16e35003d2412596b49a13368ed484ff649ffa144d2b5771f8" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ac27e5bae66e1875d76fc175bccaf11c9f0a10e45ac8385025f5dde90c69e4fb", - "gdnAlternativeSignature0": "9a5fdc81a5d1e596583d75f0a2da7b28dd82d0c9155a0baf2b57fd32cf33e21d" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d06586685b31f55d3be4de5084e13b421c700e4c87a7437bffe41291bf65d35b", - "gdnAlternativeSignature0": "dcb4c97d8e1a7a14524f2c6534312187b0272594e87ed98fe98e172b43b7dff9" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0207769333b739f934c6c2472c0f269001ca3b1e973fe1cce2d2472d8bc56399", - "gdnAlternativeSignature0": "c00d75f61dc4dfb1d452c9fa66da4eea57d1fd4fada176b36c66d53d5b9b1cb0" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5d7890ffeb37cacd07b107299144f625fa773f8e8fb28a62a7c0dea16025a0ee", - "gdnAlternativeSignature0": "089e7957dda409a966a18b7e294c4573d4ec68ad4e24b23938e321a8e82b030d" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c29ee62ee70b4965bc0d67ef69030f6b70e617d9fcd3ac8200b68198192b7dc1", - "gdnAlternativeSignature0": "b4ba90b3e3e84e928c796f1c7ebb2e6797dea862b0e44cef5199dbe9bfe5e6aa" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_14", - "ruleIndex": 28, - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ee8d746b0689b235f3208999ce7df1653fa45d2711d41a5d6e7ba90fd50c388c", - "gdnAlternativeSignature0": "ea3506129a69e11e59a2393a8e401e15c35473f82a143746cf124f0aceb0f013" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7b591f479f9723771411f3c953ee4ab3beda88856ae3ab53a88a64d61214e01d", - "gdnAlternativeSignature0": "0ac09190fd50243610f0dc1cefc1f8f5bf5340c6554465ca85333d39814c3094" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f3eef46d00d6fe15f0b4da40bda2f0ab16e3c91fcec06df3545e1c7fe7d8ff6d", - "gdnAlternativeSignature0": "6d2fd3507d1f39e715802fc90b4f9779fa4a250936446362dfb3a3c8675b600b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "52578dfe3657d9104db6fe82cafe200490942428064ed7a2ba755d780c8365a3", - "gdnAlternativeSignature0": "c54bc8f04da699379969061f974819212592deb962782dc7070937bd22ff33c6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a5c0013a8fd9f0097d45e444d88054036ed8f442fe330587d0eae9d3714ec87c", - "gdnAlternativeSignature0": "10e9ab48939200696e4f91afa907175cea23e4c9aea63613a7ca13160da48477" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_153", - "ruleIndex": 33, - "level": "note", - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c8b8eb4f5fd69ed893f62f660e2df19dc69d3bb4a56c750d27505476f1cfd972", - "gdnAlternativeSignature0": "3bc11347887444d838588cd7d6dfcda7b36d4137a8406b9064dff980db330958" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7a9df9fe206d31f6b88c7461cbbedd1791b9500136c048ba6c5a1a70390f97ac", - "gdnAlternativeSignature0": "69eb37c4e01e77eaee89dd5c5159883cb79b66d176282e18fcb6e2926e00a887" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_70", - "ruleIndex": 35, - "message": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "67339bfd8472664e8e86c3dc86cc304bf7b9e1d32dfd00de0e6fbaeb2beea398", - "gdnAlternativeSignature0": "3e179c62893671bd328f85697d3c649cb45309fb6525b65b76a9aa5a649adc58" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4f72f1e4d99a8378d05b185cebfa8825d333a71cd5ef5b0bf186468bdbefea17", - "gdnAlternativeSignature0": "c78d4a844035a2ce61548f8d60784616fb2403fb930f340915bc4bfcc468716f" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "cd8cdaf3f142d7a4565c43f60507169bdc01b2286039cf1255d61c596ba3101f", - "gdnAlternativeSignature0": "bd5c17ecc6b46d6513f8eca0a60db649dd30c9a1eb735d04fbc624a1b4b79f51" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f7e0232cacef22c54066a9584d66a2197c9c74c0e03f83d8eb7c4e0134444dd0", - "gdnAlternativeSignature0": "7d8d600175945563c3b4bfe9e2c144473bb0a6ad19b8148501a70cdc8061004d" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_14", - "ruleIndex": 28, - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ae3081631a2091bd9163df6f1ee42da0cb7854cc3bd2d6b398ceb8157d47c295", - "gdnAlternativeSignature0": "89901158631e4d71235d05997a134e895b4ccc2e4ef71ec40ae5b8fe13439adb" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "255f7613ce31bf6755bb2ecceee14742ed8cff561d5a310b501ef17b7a9297d3", - "gdnAlternativeSignature0": "b96b4d533c88a6a70fd777af318af980187826608f3a569474d34858e2dfe22c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0b1fb05ccebfce0be5690acbadf661f9c2c441ad9d90eadd8db28efb2a5c574a", - "gdnAlternativeSignature0": "8835bcf442c7e87a2f87b12a5afeea783d9963935c9e670d58841eeee02b0fe0" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2b2824300dc3a47d41fe35895bcc7cad5518ad6adbeecd51da01c157e6c984c0", - "gdnAlternativeSignature0": "7649a4df3f008f0807c7e8a88a1a2dc1343615f1b82341ecdf1c0191b0c59f89" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "91cfeca6c81755244c63c7c01d9c91da11cbcf416444876ee05b92c981358129", - "gdnAlternativeSignature0": "c4fc2fbf31a7a52d60660e3c94d040c2abb912507c60f5b084cb0d8eae09c334" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_153", - "ruleIndex": 33, - "level": "note", - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "12fdacf2d5aa3a1ee71cd5c41c350cfba3e252cd7cbe4d579fed9cb23ab77388", - "gdnAlternativeSignature0": "26f89be242e3ae985b8f53b8ee3c67bead4ae71123378bf3dee7dc2d8263e6d5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "54ced1e9e7299882c21663f45e6f27de7eb21223e77344e814efcd89b8eed40a", - "gdnAlternativeSignature0": "33f9e2f7e0ddc2d74628ef9e4d55b535c2ddb446f42351f4ba30926022834e1a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_70", - "ruleIndex": 35, - "message": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "288291d4755ccee48c5333b7d63f37c8e0706cf06714117660c84507a289ebc0", - "gdnAlternativeSignature0": "f5a45e007c2154338b28247a0731d64cd6c700e52b86171ebfab23be42290c88" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "08008df0f45ad8f64f4f9486ca9d1d20053d77608610e41a01834c68b1cc3a09", - "gdnAlternativeSignature0": "7f7317b8b44e4c8b52c5da46edf6e775d451d85bc442fbf7d98ac9b0ecdf9b1a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a2fcaa633cbc5e8689c4c980a1b76805afde139435d0d92003f29dbc1adb25d2", - "gdnAlternativeSignature0": "02fc484de3908421bf498b943a3501de05c15edb775e37cb7257ad89b4e1ea9b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "bf112ad4ff0c1f3dbda36d12b6d980c83e9448f3cea1fab2124874b363e2ac33", - "gdnAlternativeSignature0": "ddde80d77251f9ab96e8180febb6470c41bad8598a1751ecf3205201e04032d6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "adf211c29e22998dc5e478d0f175052925f2426ac7b3c077d75a3d438bf01a71", - "gdnAlternativeSignature0": "4b079ac338cf1fa4d757290e73fb9b247e37983f28925e314c9d61debdca8a29" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "12cdce98f0d5aa4daf69793f9157ef1dd1dfd49ee3ef333f6d57ae4bad06477b", - "gdnAlternativeSignature0": "9ddb0eff72c95cda99852373789fe69e358faf69c9dd5a9fb90d415e957f67f3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a01b7d7f752ca024104d998b10919091141c26bbd9d73412d05e9b7df9363f16", - "gdnAlternativeSignature0": "7df932c190b3ca666346a7f0465861d381530f106e254076b900a704cda36707" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "92ce11dc062621efb46ffb9f89dfd1b9c12dded0b94b04f3b0595f9420c0511a", - "gdnAlternativeSignature0": "7305d34c7a68da6a3a1c357d001602242c92f53fa425b0b2b7cac8681b8720c0" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "66c95de9831d167d19805f23da1ed5e5e7187f6b898fd2c379923be413ebaed2", - "gdnAlternativeSignature0": "493078216959af69095559e71e4e85917a9850e8ea90fd13cae9e6e6378b602b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "dae96b9aa7c9155ac642e29b28b9fd890e6e1c9fa6412927d964aa22c026cce4", - "gdnAlternativeSignature0": "9b8c72895461d25ee31a8c5b1b5bdda37dc3c8b032c14663c43538cf838a7484" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0e15991fa47fbdff46caf4d88b4a2be08fb7309de35a5105df283f2cd3ef226f", - "gdnAlternativeSignature0": "b0664718fd5e7c63444d10f083239952773ba1744dbab54ba4179b90213c162b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f413c46ab964537bc7ae7dfcb7b2ffcef2f4859e417da785d2d693af373bbc72", - "gdnAlternativeSignature0": "90284155b27b35d9aa40959078e6e324d16c9ad43994fb20812c5b87ab3da8fe" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7720ed6c8b5f7baf81abe1e027fc660ee7213935e400dae0edcfd3446026ac34", - "gdnAlternativeSignature0": "19a91cb4fc78c2570287be6094778b7b3129af76dc046331d5a63c1adc857126" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "31eeaa41cb930b4da2b791b254b14fe3f8abf8fb09a3f4592f23195d8b3d32ac", - "gdnAlternativeSignature0": "852e81a1be9daed64c584b0a57f48572b61750d22f9558ca1b3cc6dabca55ddf" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d41a5fe9e3ea723beaa68eaf7d4285ce450d5356436fcf3239c57109fab2e3f3", - "gdnAlternativeSignature0": "2a0982291cb4f11f796e6292520001696fa061f3549a3b4b6874c119b0dc8939" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0ae6105850f99ccaf95cf627c1995f3d7919bd31dc28f2945bcbf79f503fe118", - "gdnAlternativeSignature0": "72596372d73524682d0e517eb7a46d563f86d56830f27c9461e4d32ba4a781f2" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7681cb3edcfb2659c2d32f2e7974f467446481d6b8f2b69ebae4df96958593db", - "gdnAlternativeSignature0": "a0af6fe2a04fe4a682850851dd4abb0ce07f4da5c8164df732c5042397d0f297" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4df01be86e5e4147c31aff5bef0d87d3e3a0fea9898be19a88df8f6060c6e582", - "gdnAlternativeSignature0": "a3bda844d97fdd08c544d09a457ab85e6f4f33118537eec7ee0be628841a0253" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7622258391e9aeb5136bfc53200e4631c118a10864775710c6e20c3a1c237687", - "gdnAlternativeSignature0": "481a7ad24af6150821e083f9d4f23bb233fc2533beddacef31c29768569b84d6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ed1a58b3b54cc84e53c7bf600f8fab74e9c11af3031a3f091ec16ba9718b6009", - "gdnAlternativeSignature0": "15c3e8d74638416369e18b9d5385946a799c5d6e07556598bad7ffab2362586e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3182a4a340f4f50c65cd416eee5fbc9ded7a6ef32624b4c7474bc837466e224b", - "gdnAlternativeSignature0": "d8a84c842901bc6695e4d2872e84deb0a7baa06a702117331a93c6feadf5a546" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2c00ee00a620c96918dc4b9545112008c52cc88c30ac68e0b8478f877a16c74f", - "gdnAlternativeSignature0": "0fe0595ae36ffe8d3f8292c1f39136832913fff70668f658520a5a08513d411e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6cdcbc4da68c2815a6d3f0bd78504303b0825e880d14097332cb170407c80128", - "gdnAlternativeSignature0": "1fe507dd25e0339cdc76945f0b74a799aa63dcc0b23cad0285faf8848457d916" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f3ac1d65124943989cd407b1862791529fab3c4e0eedc65511c90e43edf3404b", - "gdnAlternativeSignature0": "298513397a838c0f2a237b8c715b3e500bcd2a54a0f1f6163bd77768da9dbcca" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "bd6450c773eed311a8e88ceb126978f5c3988a64c332b8ec936cd28ea7aa295b", - "gdnAlternativeSignature0": "f234d72c8e49b23ce2aa32bda1a3f909baa6ad9b4fbbf65d4211d56cbf976848" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_13", - "ruleIndex": 36, - "message": { - "text": "Ensure App Service Authentication is set on Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4764b062aa2d198673df7c5f6d2c0e9c01286e83909a609e2372747b782c1ab7", - "gdnAlternativeSignature0": "528e2e7673c1c9c45f2e03b442261956045574d01f03c9004d1d2bef6c09bea0" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_65", - "ruleIndex": 37, - "level": "note", - "message": { - "text": "Ensure that App service enables detailed error messages" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b7a5a598012ddeb8be2fd66b67a61ffcdc2b743ee4bdec4d88ff3ec3b35747b5", - "gdnAlternativeSignature0": "1cef927286d0a4b4ea6cf8c1b9c129beffa0889f29a77ce4d2b443c9d83d3669" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_80", - "ruleIndex": 38, - "level": "note", - "message": { - "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3f0e499426cfa4fe5bdb96a9894cb77d781ce58b0d391af6741cbbb23829d7c9", - "gdnAlternativeSignature0": "e237636bdd6a09fe032da4732bf99d542b96c319747ff963d56185e4298297e4" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_66", - "ruleIndex": 39, - "level": "note", - "message": { - "text": "Ensure that App service enables failed request tracing" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ecda7f10c676f4fb72429cae500da0aa6d3a253664f489dd99c37140cc4adbdd", - "gdnAlternativeSignature0": "456c9b0bbba231ac9f76aeb80c65a8f2e4f2395fb0cbc94b7aa38df4ba418c4f" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_63", - "ruleIndex": 40, - "level": "note", - "message": { - "text": "Ensure that App service enables HTTP logging" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0debc8b4bed8e61fddb6166094e0f30c9823a2a4bc6e21990d839ce42bbe7faf", - "gdnAlternativeSignature0": "119c560594404bbb1f85c2a4a64be3ba7f355cd183dcc2efa31fd0bc552f5ad5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5c6cabb001d3b83d407085e00b359528524e83c168685191c6a9258098a9d366", - "gdnAlternativeSignature0": "3664e4a542b0f7100774ae71190236958f7e845d9a1d5079ba8b85ebf4ecfd1d" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_88", - "ruleIndex": 41, - "level": "note", - "message": { - "text": "Ensure that app services use Azure Files" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6f0de3fde830219d08c3c4083fce6ccd9966859a6cd4143ec03fe04798472dee", - "gdnAlternativeSignature0": "6d432a9079e10e7a68453f21043b67398f44a7095b3b4337ad2a97b879c6adc4" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "dcd550d66ea4f3ffc89adf365fe7cd5bf8d63462acecd1cccb341a7335e9fbc6", - "gdnAlternativeSignature0": "5831a40aa6b645473d2ba22c02586e6993565e63f22aec548d3af0fa06b9fd22" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6b0c6b35c56eaa234e454e964d8305e90681f1bb57225e8b47b7d84d4bd9c52f", - "gdnAlternativeSignature0": "25b4881300990c178e3af646a347540425e737d05e462e73ac054f3c73691340" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "9fb5162913194706fc251e38d156beebe0887f9bb6ee8c03671cd6755a952833", - "gdnAlternativeSignature0": "99d41b0689e4d871f9d62281e26dfbfd83c98541d8a02fcc05cae59e1c6e1e61" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e11b584dd233a10ac72c56c29b0abb0a46b40eec0fd60d073902939bb2fa1a7c", - "gdnAlternativeSignature0": "0094ff86f766a290f1f59fd99f98729982d98a5c48687076a1fef7cf652dc8c1" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4750d98ad7c586d98825c46bea9511b196f12dc4264fb696186efd16ab3d94a2", - "gdnAlternativeSignature0": "b8e824ce01520cea292f1a7f62c7bcb8a5f77c5151b5bc056b1412295ff3497a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6618f89bf0f657561f12e6f711f090337aa8f3864239d9b428ecc00ca4e734d8", - "gdnAlternativeSignature0": "020034ec5f28ee65e82f5e48c62ebc00c918318b37fb5530d365b705686fd720" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "257663068ac706eb48e30972d5ef65ae59a81b05935937b81969fbce76b54284", - "gdnAlternativeSignature0": "7162b78e9cff93e85080d9d077dbd2f6d9c5a765d0da6485890b044204b68786" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2dae51e3df9996d76d22a1ae6f75f332e4bf5bad3f4272e79c26b2b7c999ac94", - "gdnAlternativeSignature0": "8259e76b9c016c2688d043c19e0143fe202feb2d893e108efc9e81c9d35ce4f5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_13", - "ruleIndex": 36, - "message": { - "text": "Ensure App Service Authentication is set on Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0e8af6cde44520ef4bcab2e8711c2dda5a7fd48878091674e03dc681118a266f", - "gdnAlternativeSignature0": "146cabdfaf6092c02eb82036132680f7b6808bdd5432312d46330c9bd3585e72" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_65", - "ruleIndex": 37, - "level": "note", - "message": { - "text": "Ensure that App service enables detailed error messages" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ef81362c707d65d3863cae808daf52e6f7ef001be334504a099e1b9ff50e232b", - "gdnAlternativeSignature0": "6b075093c48fdb089dd2354278746e6a51fe721cabb128f140a431cf005127d3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_80", - "ruleIndex": 38, - "level": "note", - "message": { - "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0b92428b5f8d657f24f7b113a8e844c8b9f0eb0582cb7ceea6933aa04dafd8ff", - "gdnAlternativeSignature0": "817496a6ee1a0d6d64bb24701e78f9cba8b3fc06268f0bade0689ce46999e311" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_66", - "ruleIndex": 39, - "level": "note", - "message": { - "text": "Ensure that App service enables failed request tracing" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3e9ad501881045e5d7309b74094c547164a1dab831701c7dfea6dac72f78ad39", - "gdnAlternativeSignature0": "8d2d4e5f2e7fb6ffe5a3d690ad5075c7a4194060994f0f063c517791e6bd4150" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_63", - "ruleIndex": 40, - "level": "note", - "message": { - "text": "Ensure that App service enables HTTP logging" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4f45838aff932f565433ff3fd599bc9de4d7bd434bf4511cee319935dfb28950", - "gdnAlternativeSignature0": "d7afaaf97a739bde64c18fb27889fb4d931b2ba29561244209ab5f03659f4b71" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b7d1e0a2597990637571695421255bca16f0c42cb2ec39b943ec7ec98dbf64e8", - "gdnAlternativeSignature0": "1d2b4a62840a1bb054f7389ba3c9215d640240d28ecac6c4dd75531648052b7c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_88", - "ruleIndex": 41, - "level": "note", - "message": { - "text": "Ensure that app services use Azure Files" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7ac28937c766ad8aca6f80f4c1b203c09f14c9b030a09850ddf94906052d3cff", - "gdnAlternativeSignature0": "86dfaece04781f7765ed78900613f50af845e94a4498b5bfe133a0567832350b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b0458996e102d04b1269a39e6ad2f6d6fa741a778b7821a91a590d13708de75c", - "gdnAlternativeSignature0": "ba1b6ae6482744c512163ee84d83124346fdff55efcc553c93a117827b277dae" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8e375b5a9dc4728fd4ba4a21882993369de923f2eac2ed78cf8491552d8facaa", - "gdnAlternativeSignature0": "853de3499062ba5a2cb953cc5283596ec4b8e90b4b1b51d5d7ed7fd9ef487dd5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a127ae6cec02825e2f917c367e3db26bf8017f68b1998857a4ebb175353f6a51", - "gdnAlternativeSignature0": "e1bb268111081a04f49ac60c72a63ed0738145f62892adb59d43e0cdb4181ffc" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d351baa7f806ab65257e43138c406148e9c81bb988521fe221f56f7e72e21818", - "gdnAlternativeSignature0": "5c32a35a8c57bffbbce0105bb252897bba594b8d564d6be228aa0d086db40eb6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "34cf1285b6c9b01e2163c4235369bba2bd1740e57a71fa21d4945fee87438740", - "gdnAlternativeSignature0": "e681471f7211744f1008218a8212ef79deecebeb44aaf693cb5c6a2ff0c30fbc" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e25dee6e2c2afa0f90032dee4f66872f8022716e6e1870e697e282669a0e6bea", - "gdnAlternativeSignature0": "44100aca6dd76613f2e92578a73695780785c3777bbba30651b6e632ad118318" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "da1a3fa73f790c28a05f8d7c42c7961059009ddc9e050d309066a52dc28f2964", - "gdnAlternativeSignature0": "b97d0c99d154acece432cd4b25ed97cebdc3307aff68dff7034a8814c9407ae1" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c469692cea7b7ca010669e9d28957de550b80aca420639dab41c3b50acb673fd", - "gdnAlternativeSignature0": "0280a30c60f721964ef8f0e1f057cc3823c08e2c877a2f35ecc0bf0cba67aa73" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4fd9a062f86a13872b9dad7a38cfe0d953f929b117ea32a74b12949f94482d1e", - "gdnAlternativeSignature0": "4313f93aeba30524fe4b597801c38b1eff909f6cbc2cb6ac96c9fc11b4acd52a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6ee562e5d732261eee58f4880f619fded377b21bb88bcc90f9b5abad30ed6398", - "gdnAlternativeSignature0": "e931b536ca4eb49838ef185e4d0af6477b51badbaa93242a6c4ff1b2e1298bf8" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "143778d4f31ab73a5bb75054896253c16373f69b3e0441b850b0369d1bddf1c4", - "gdnAlternativeSignature0": "03129ed6590e6f4bf2f43e9281e29c697a95962f5878ba90589b6fe88fe04380" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8e4a04fbf2e32b4f92897087315fb87884e9f2888146d04906779b927323f6c4", - "gdnAlternativeSignature0": "f321e049084aef0145e1b33f9c49fbfd5cdeb2ab03c824e93f910fbd3adbbd44" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3c4d99dfa4a6499c4718cdbe5c7c7b5fb1667ca31c16bddbc1f0d50f201b0eec", - "gdnAlternativeSignature0": "fe55bb9000959302368aa07dd560c68c98caed221602cf2a2f997e85d4bdd6f6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "eb4bed8fbe96c4a4bda2d5714d30a37fe5af249e7983c2e529ed2555b2302577", - "gdnAlternativeSignature0": "e5ada8bedea49618df2290b727da8e0b3564bbc4cad4ad22aee82b8a6afd2581" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c7c28aa1f6eb6c981b8dab94041a68bab23a9b72de245b2058c9280c612cac81", - "gdnAlternativeSignature0": "53b134cf1cec93348d12102916d6e3bd4072019df2f026de26b3ef6db3543505" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "23dc3709b4a9455bce85771532889a8fb832f85ad458d4f285fe9fb2eb7807ae", - "gdnAlternativeSignature0": "7fa5336cda8b5f2d8c41c95ffc7b95cd3ace43f023bd72dfbf479b585045984b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4e8cc7e2a4b582670ab605572ebf449e0b91a874db1ab9ef2e8e1202651fb74b", - "gdnAlternativeSignature0": "7fca34e471d5ec9837849486a2e299f93b5ee49824bfbaf0059ddade380c33c5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "32f70b90c9398c6ab47faf4896ca724cc667414fbdd61f9d37ab64180039afa9", - "gdnAlternativeSignature0": "74ac563e5ceaa5a0e09e489b9fa579c8be0ec02947aed0617c6faddf0243f60c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f565d488d0ee136a77ca481e53820893ff8ba50cacc9abe76f757c1a84865639", - "gdnAlternativeSignature0": "3fe95bf85179982d04d6323aeb899d481688025a708d5e171859bd82cc1cdd76" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "88848a38797205708edddcc47234828b56efc3e522b2f791a287bd2e1362ca36", - "gdnAlternativeSignature0": "0c58696e023f4bb523561bf26c5c02916c2411086a669f73ace694130370fd8b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "df545930bb8458e5f4d491540b41367072287dd41d4cc413670e820d053b3c59", - "gdnAlternativeSignature0": "b156e3e128bdada88119590b89491ba5637d828eb52a1fd7cb66709f886f4015" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a4a0f2a5361ad3d1b9eae1eee98796fd4b9cb48e588e5ff7e991e03b1fd406f6", - "gdnAlternativeSignature0": "273d89c35b3928f35b2b753a0285d00ac263f3183a4a1488c2f7a79177415611" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "9719571b68e5b3a885fa6fd8f779399b128f621f8c56f6fab08675f5bab6bad4", - "gdnAlternativeSignature0": "e0db6d935221b8f1a1c87a50acb333285eeab2b10c099cfc8c0e1842c3a55397" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c99607a3189b9bc5ab42ae5c2d7df75995a965340270a602883d37aeed0923d9", - "gdnAlternativeSignature0": "95c9c99f71bb81429ee8ccb9608f889801fd91e170be93bd519d0c4aa56ab001" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ab35f47a9966e5318d1be863b2ec0f17d58d977c71e868ebff0db5b49b68af09", - "gdnAlternativeSignature0": "9c833adad252c499f44a089a84712b55a0a006a47a9aba6c530d01a1bc94f558" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "602fdea611aaa3d22235f4e83203311f5ffe8e9e22833d6184d440e68f024bf5", - "gdnAlternativeSignature0": "5c17ba6738b8da7c912c45aebf73499fbce4dc65cf6407b66f5a4c274679619c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "20d3cf16494d80ca62033400936f0feb57be0a8ab23b9cc9b162b2247897388e", - "gdnAlternativeSignature0": "cd1e03ef8f9614165ea4d7a0973270f4bbab817cb3cc52ad0cf36cb647c3b6d9" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "78cc949070f476ebc74b2dda7f5c41ae43b805ea3b7daf49d3078c058f79e5a1", - "gdnAlternativeSignature0": "a55b806fb31cb3bf0e6b5c3d01f6ffd490c3b886bb80a722866cc000586f0f8a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "15dc91ac7c730ca245aabad00f156494d8a29ee9b357748967d76f05344eda7f", - "gdnAlternativeSignature0": "5847938307c50605c0610b36925ab50eefcc6634ed7e565f480bda53984af466" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ea83d615bfff6cce7ff0679906857f978db31bcc20aaf8362758e87312e2d941", - "gdnAlternativeSignature0": "c039abcf9cf88918b4dd9167119722b1a5108ce5e38d75043c0b750fd2981ec3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b051219a1626ff89706e92b04e25fb0932c1d985ea27f8aecbf7f743c04dc659", - "gdnAlternativeSignature0": "cabf626aade2ee1d730330c88d2aa7d8895dd4c93938eeb77c63f03a052c7679" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6b115656ed41348ad449cf25c954970b70b571ade5d19e1105620b4e7717e2fe", - "gdnAlternativeSignature0": "aa6295e81aa6a4ae09a54ac0c497bf6291b50dd88a72b6e830bd210a1a68aceb" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "14fcb885307e08a2c5ada1206158c9a84bbe32823e0d5c615704e0bafa8aee79", - "gdnAlternativeSignature0": "fb7374d63bc8d8ab31652d206739a312b4868d345ca64543f8d31991d5b46cfa" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5ed1b342d8a0f06c5b0bb3d15388f5670cf2b409bf65da4b74e438912627892a", - "gdnAlternativeSignature0": "9f5a5eef4cfdb3f4462b7862dcba4b5bef7ef10e97449da469e0495432b1aa9c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f769bd7202fd3a2674861afca95fa1cfc0664bd0b76619913a2f39f87fd2fe8a", - "gdnAlternativeSignature0": "5992da2c97b93015cd5ff7d85e7dca064eea8c61012c16fd094729db911f95a8" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5bcdda995b38f39e6e644a8b926bad1dda898d677c7095948d0787f601427d9b", - "gdnAlternativeSignature0": "13ea3d62cdfd23a6f501449536936b1c6db8485e0dff7c99196f039ded5323e3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "01e261f9a2c80b85eac147e32d3398613aacdcc9aba1ad95bed4948b25697177", - "gdnAlternativeSignature0": "06726daca90067656a51c927384b29c2fa63923f996cd8820a67beaac37a348a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "72e5f5c502813f23c86f6954f698b653e4357d2982e8bb56333ee89c838fcfad", - "gdnAlternativeSignature0": "faae5ac2227e01f41f73eda05f5b00d5de49e9d7c812dc34cbea14b50d6e9f77" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "64bf46cc4a2b1a39786b447ec202c2052f0686c787af51cc562ff3cb2baeadac", - "gdnAlternativeSignature0": "370f91c60e0d1be39570b5bc47e69e0826dd5835293145c9f61e8fcecac252b6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4040613d3dfb88a05ae97881bd42b488d51f9ab73eb119fc0554a783ca548f34", - "gdnAlternativeSignature0": "aa1ce087240db3e7202e98fb6d5d42a12644148791a444e2923686fe70b74fc5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7aa4dc87ad0a059efeb183e063efb6d08c9643371ef92a08431c2d59dbe6d7d8", - "gdnAlternativeSignature0": "efa930281f9711759aae2cbd30e4f5f6dfa8935213ef9d897b14266716dc3a50" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e921d31bfff9b531e071fb26ffdf65b6ad8bbe22352067af06b35cb28e82fb8c", - "gdnAlternativeSignature0": "17ce881dab034d29e0a5df168f9e1c52bdd2c5c975e4fdda06fa613e032d79bf" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a1c9a388790b96bca8c54d7e1af1d480c30c7478de1cdf397833aefa8611697a", - "gdnAlternativeSignature0": "6550ec87cae9d511c54e0c344a4cdd2c0de2f8cd89c915cdadf98545ba96361f" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5f201d5437de55fd80955e36fa892fc93cfb30c65f554f53a86a4df19d91f7a6", - "gdnAlternativeSignature0": "24eb4b238d28c37f127ee733bc68e96c101b7c274ec58a964bb4ef8f105a07ad" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "eb2f9b348b74a7a30a2ccf85154a95c66cbbd999d7f0db1a5515dc50033cd858", - "gdnAlternativeSignature0": "ee26900668b5c483ff485bc262a9dda64ddedd4b96a4e5f956797fc4e31c4d1e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "752975926aaa31a34fc4bb75edb0955f8b1b2b7cdd24081443961bd594ef684e", - "gdnAlternativeSignature0": "55cf1c6618e5e7a3be0f2feae175940eb5ec736d17afe66f0895df6997ab216e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "26f0a1a83d914e1d5687c693993f2e09d71b52f756d23a5682778f4a2085ff5e", - "gdnAlternativeSignature0": "5a8642e916010fccd880c8c0e73e83f149b9d44c76710d50d541dbd4d3c7d72a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5add9273a9903c496a94184e7c5ae16aa8c53067ea2f4eecb7f6cc9876a3145b", - "gdnAlternativeSignature0": "a1cb801109625b1081f5c08bf8d85057df4fa338901c035a3c779845e8d973ca" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3f3a80ee3024489c35085570b02f970bafaaf551396274635a00a4b79ac0eae2", - "gdnAlternativeSignature0": "917035e9a96adddabea41ba383c24edf46e1ec39e5e02fc8be4ddbeb01bc5b4e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8493bbcbf96e7e1068c6296f576527e894ef7245800bcd2116bc07e72079b43d", - "gdnAlternativeSignature0": "755512e4b82449a08f44e7eaebdb946e29314098160f8e1f39b9870f19dc43f7" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d15577475858e078e31e0a5a4560d3e46f04f5c0af458457d9c46525545d0add", - "gdnAlternativeSignature0": "34f10bce44f8b65d8306df6efd6b8a73666704ebe97281cf5bb20c27415a99c5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "21939dfe4c3d1e60adaaab7f75ef7a0b94b4377b2a2950f7670c9afd424de80f", - "gdnAlternativeSignature0": "0054487d755a01b77de504fc5157faecd817a0ecae44d1e4aa91fd1a46e0be8b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "47829e0ae136b8b26a4176f73de53c99044bba251a284cf106812e2600802361", - "gdnAlternativeSignature0": "0a441e95438cb23ebbfb5ba5d34958a96417b8b4a440e329223843a090eab255" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0563668dc60ab562ba7553e4059ccb2600d2aee6505b99813a4d2edad7d7cab8", - "gdnAlternativeSignature0": "71db655b881a2f569a03dc4a80cf4f01371a09611c4f9780e1ac3eba24b4e2f8" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4f0638c743b2d1843ef77d55d462748d273aee152bbb618ceaa5a51f793330fc", - "gdnAlternativeSignature0": "e4025758f0b783be95138fa9820d245cb4c1db229e4353bd0a20f699ee9e616a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ca846feb1e4469b819a99002b3cec670caeab114d5f1c85c81ed5830745e8c77", - "gdnAlternativeSignature0": "962bde0a801111d2d1cefcb5d5bb60e8c031e3c31f4e4527dc4ab9fb05b23991" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_25", - "ruleIndex": 10, - "level": "note", - "message": { - "text": "Minimize the admission of containers with added capability" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a73a10ebaed1bcca5045392cd0e24ff11412eeae435f8a66bd90d64a40f09958", - "gdnAlternativeSignature0": "681910e9bced9366623d2dd9e93781a0f1a15f148fa6523a13e9a0058492d662" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_20", - "ruleIndex": 11, - "message": { - "text": "Containers should not run with allowPrivilegeEscalation" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "692c38842f145cb9c1ee25b48643b65a41b423830a016a149dc12712814602af", - "gdnAlternativeSignature0": "970e4c551a08367b382ed411f7ccca59e201e8e34e32717929767a568630af1e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_21", - "ruleIndex": 12, - "level": "note", - "message": { - "text": "The default namespace should not be used" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0378eb8b121cbc93bfe8a78bc75aeb8987f5e31d530ec0adf577e7cf03ee717d", - "gdnAlternativeSignature0": "fffebb6a7b3891cdd01cc402002cc3f81150a080fef1ea60dfe1e2f6f69eb601" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_28", - "ruleIndex": 13, - "level": "note", - "message": { - "text": "Minimize the admission of containers with the NET_RAW capability" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "70f66e4afeb0264ac95ebee5085b90a23e7a9a54107832fb271bd1f1aa298522", - "gdnAlternativeSignature0": "0f11dc2ccb44a7216c78769edb10df097f8a1fc681f56dfdfa93d7c2b802f9b7" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_43", - "ruleIndex": 14, - "level": "note", - "message": { - "text": "Image should use digest" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d54de20ef46f5565573d6411cce2a3baaf5b309cdc9e73bd2e0948dd98363d46", - "gdnAlternativeSignature0": "4e3e18739d7eee6105acea4f65c463484b66649a68e864755fc68c7030743359" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_8", - "ruleIndex": 15, - "level": "note", - "message": { - "text": "Liveness Probe Should be Configured" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2e737794eca54186f3ad53c5fe3a9a7e34d4e9617064e5f844c785e4082877e3", - "gdnAlternativeSignature0": "1efa25c9281d5272c63c1bd7aa7a55673eeb2696c3df5d258c0291cb3d22eff6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_37", - "ruleIndex": 16, - "level": "note", - "message": { - "text": "Minimize the admission of containers with capabilities assigned" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "09e2a7056dc2cd2bb024c4a44a0111d6f1e72d32b6b4a76c8f02e14817384044", - "gdnAlternativeSignature0": "d3bc404f8a377bc479f16b07ba7be8098c6d7a10735ee0bc15be7f48c5f089f4" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_29", - "ruleIndex": 17, - "level": "note", - "message": { - "text": "Apply security context to your pods and containers" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2fb25b212960e5a8760b6523d4a4c2b47c5a0482186059c1d23c41446faf72b7", - "gdnAlternativeSignature0": "85a6f0ad55f847141b45ccf6ef907b5a180d07d0d29cac32bcc1829e8eb8b2ea" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_22", - "ruleIndex": 18, - "level": "note", - "message": { - "text": "Use read-only filesystem for containers where possible" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "da115818e9e2ffadf20a6b9d1cb1c02e963eb192dae03af8c39e6fce8bcc097e", - "gdnAlternativeSignature0": "d8c06cf85b8fbddd0ad8ba2f86285da2ad52245291c6cab6fd69f3fce31127d7" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_23", - "ruleIndex": 19, - "message": { - "text": "Minimize the admission of root containers" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c1be36e7556627562c7357f53bacdfea88d2fd6839ffad11f41bff594ddd0f83", - "gdnAlternativeSignature0": "e149f6402cc34c6663973655fb12e532f6c670a7e0374081fae82fd6575dab65" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_40", - "ruleIndex": 20, - "level": "note", - "message": { - "text": "Containers should run as a high UID to avoid host conflict" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "25c05ca1359bd4c2edaee66ac2d7fdc6c213eebfa5d139a0555ed06ea2c573c7", - "gdnAlternativeSignature0": "a73c63b0f812757918d4198fe20e0100bcf3d60c9a9a37f67cd321a74a14f72b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_31", - "ruleIndex": 21, - "level": "note", - "message": { - "text": "Ensure that the seccomp profile is set to docker/default or runtime/default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "70378cd13d8568d09ced49362abbf35160b842273ca5ec57bf69c71c378a6321", - "gdnAlternativeSignature0": "3bfe46e3cda430aa1ce3f452e781cdc43697d087821cc36fd104604f940ae43a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_38", - "ruleIndex": 22, - "level": "note", - "message": { - "text": "Ensure that Service Account Tokens are only mounted where necessary" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "97d3e19a31f43aac84ccd148a5c258209c1727f5900e0b2b1435e8ab08b647b3", - "gdnAlternativeSignature0": "218768ca543d9e02181e0769e8f9a3c7e5e2318fb0742bed2736ea116b7b8f4e" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_K8S_6", - "ruleIndex": 23, - "message": { - "text": "Minimize the admission of pods which lack an associated NetworkPolicy" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2c09fe5d58637920ffb2f45d2e9e47b6d24f94f9a5a6318e86d5b119d90dc136", - "gdnAlternativeSignature0": "52664a33e0000747d7d55032ea8ff784c99f191108fd7b0a4405b4b4b1787c90" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_59", - "ruleIndex": 0, - "level": "note", - "message": { - "text": "Ensure that Storage accounts disallow public access" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d7f32900926833945cac2ead4c1ed6c351aabf9fee418b413e3bfe46c8fc54f3", - "gdnAlternativeSignature0": "a3fc19e10564a2494f31f34241b921013aeb4aef2a9ef7ef9731f2fe7fd95ce9" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_33", - "ruleIndex": 1, - "message": { - "text": "Ensure Storage logging is enabled for Queue service for read, write and delete requests" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "641b61a3a4b3c0d759acd57a321d6db4044b47347cd764c152f071e8341faea0", - "gdnAlternativeSignature0": "83a8dfca2a610d8e67e683b30391980c336f3c1722ce80fb2afacb2a01b0a799" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_44", - "ruleIndex": 2, - "message": { - "text": "Ensure Storage Account is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "9805631179c91f5535eda5e1f2a9d29d2295ca1bec013d3174a1285a9be83d60", - "gdnAlternativeSignature0": "05b8f7f1708c13235397e5a11b0fd243e02f41d8c5085efc269c1d4e73d2b39a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_190", - "ruleIndex": 3, - "level": "error", - "message": { - "text": "Ensure that Storage blobs restrict public access" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a34ff2ab3988f90969a68250eef2b1c1e687c5b58396f198c2615a955b8db206", - "gdnAlternativeSignature0": "9c23a512d4110d27fefdb36bb130958e046b17463df5a7ef245d584c9f943363" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_AZURE_40", - "ruleIndex": 4, - "message": { - "text": "Ensure storage account is not configured with Shared Key authorization" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e9deaf9a38127ba6222b800492a1b840017f9907c25f9fba842d8c85ae861f33", - "gdnAlternativeSignature0": "bf8101fb23c886bf671ac5c24d8b62f3028e2d9b5e8fc2e106d6789aa8070b76" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_AZURE_47", - "ruleIndex": 5, - "message": { - "text": "Ensure storage account is configured without blob anonymous access" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "1d3bb7599e6f934ddc2badeee51d506051093f4e718c3199d4efd83c6e74ec12", - "gdnAlternativeSignature0": "edfaa2046c397a63e4856e499fc9a7166c96e5bb51978d37f2426cefa1af8457" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_AZURE_33", - "ruleIndex": 6, - "message": { - "text": "Ensure storage account is configured with private endpoint" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "43638c4e55b51ed9f346ab462c059ca30a19b570565c7de7ea7b5daee1d6d9ef", - "gdnAlternativeSignature0": "4b4ba219a803a0d61f213eab7cfdf2792eda5bd536ccf4992d1b5d9342e26ac3" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_AZURE_41", - "ruleIndex": 7, - "message": { - "text": "Ensure storage account is configured with SAS expiration policy" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "761254b9af4e347b1a2a05bc08bd77da3c0a640e44671e27f0fa7cbbc88d2b93", - "gdnAlternativeSignature0": "3358ef85a8762cda2cea0b4f31eebe014dc97571753cefc4394067b9f23cf0f2" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_AZURE_38", - "ruleIndex": 8, - "message": { - "text": "Ensure soft-delete is enabled on Azure storage account" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8fdd2b7bd19cdd5ce21a89b95330d3a80ecd9efbe30f89c35f0b146a42a65d0f", - "gdnAlternativeSignature0": "e05ba2b227cc43fd36ea7fe66359bf553cdf88de6ff3aa184fc24ed97fa3c3c4" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_AZURE_1", - "ruleIndex": 9, - "level": "error", - "message": { - "text": "Ensure storage for critical data are encrypted with Customer Managed Key" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b6600702be50525edb979f621ecf387776351f02b51dc4d37b822d660e575787", - "gdnAlternativeSignature0": "d1feda229fb89c3ecbaaaf3edec8f23599c5bccd3a725020863ea9b593ae4375" - }, - "attachments": [] - } - ], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "toolInfoId": "checkov>>6>>202411062057" - } - } - ], - "properties": { - "producer": "MicrosoftSecurityDevOps", - "pipelineRunUrl": "Unknown", - "sourcePipelineId": "Unknown" - } -} \ No newline at end of file diff --git a/src/container-mapping.ts b/src/v1/container-mapping.ts similarity index 97% rename from src/container-mapping.ts rename to src/v1/container-mapping.ts index 67dc1f82..05ba0240 100644 --- a/src/container-mapping.ts +++ b/src/v1/container-mapping.ts @@ -1,292 +1,292 @@ -import { IMicrosoftSecurityDevOps } from "./msdo-interface"; -import * as https from "https"; -import * as core from '@actions/core'; -import * as exec from '@actions/exec'; -import * as os from 'os'; - -const sendReportRetryCount: number = 1; -const GetScanContextURL: string = "https://dfdinfra-afdendpoint-prod-d5fqbucbg7fue0cf.z01.azurefd.net/github/v1/auth-push/GetScanContext?context=authOnly"; -const ContainerMappingURL: string = "https://dfdinfra-afdendpoint-prod-d5fqbucbg7fue0cf.z01.azurefd.net/github/v1/container-mappings"; - -/** - * Represents the tasks for container mapping that are used to fetch Docker images pushed in a job run. - */ -export class ContainerMapping implements IMicrosoftSecurityDevOps { - readonly succeedOnError: boolean; - - constructor() { - this.succeedOnError = true; - } - - /** - * Container mapping pre-job commands wrapped in exception handling. - */ - public runPreJob() { - try { - core.info("::group::Microsoft Defender for DevOps container mapping pre-job - https://go.microsoft.com/fwlink/?linkid=2231419"); - this._runPreJob(); - } - catch (error) { - // Log the error - core.info("Error in Container Mapping pre-job: " + error); - } - finally { - // End the collapsible section - core.info("::endgroup::"); - } - } - - - /* - * Set the start time of the job run. - */ - private _runPreJob() { - const startTime = new Date().toISOString(); - core.saveState('PreJobStartTime', startTime); - core.info(`PreJobStartTime: ${startTime}`); - } - - /** - * Placeholder / interface satisfier for main operations - */ - public async runMain() { - // No commands - } - - /** - * Container mapping post-job commands wrapped in exception handling. - */ - public async runPostJob() { - try { - core.info("::group::Microsoft Defender for DevOps container mapping post-job - https://go.microsoft.com/fwlink/?linkid=2231419"); - await this._runPostJob(); - } catch (error) { - // Log the error - core.info("Error in Container Mapping post-job: " + error); - } finally { - // End the collapsible section - core.info("::endgroup::"); - } - } - - /* - * Using the start time, fetch the docker events and docker images in this job run and log the encoded output - * Send the report to Defender for DevOps - */ - private async _runPostJob() { - let startTime = core.getState('PreJobStartTime'); - if (startTime.length <= 0) { - startTime = new Date(new Date().getTime() - 10000).toISOString(); - core.debug(`PreJobStartTime not defined, using now-10secs`); - } - core.info(`PreJobStartTime: ${startTime}`); - - let reportData = { - dockerVersion: "", - dockerEvents: [], - dockerImages: [] - }; - - let bearerToken: string | void = await core.getIDToken() - .then((token) => { return token; }) - .catch((error) => { - throw new Error("Unable to get token: " + error); - }); - - if (!bearerToken) { - throw new Error("Empty OIDC token received"); - } - - // Don't run the container mapping workload if this caller isn't an active customer. - var callerIsOnboarded: boolean = await this.checkCallerIsCustomer(bearerToken, sendReportRetryCount); - if (!callerIsOnboarded) { - core.info("Client is not onboarded to Defender for DevOps. Skipping container mapping workload.") - return; - } - core.info("Client is onboarded for container mapping."); - - // Initialize the commands - let dockerVersionOutput = await exec.getExecOutput('docker --version'); - if (dockerVersionOutput.exitCode != 0) { - core.info(`Unable to get docker version: ${dockerVersionOutput}`); - core.info(`Skipping container mapping since docker not found/available.`); - return; - } - reportData.dockerVersion = dockerVersionOutput.stdout.trim(); - - await this.execCommand(`docker events --since ${startTime} --until ${new Date().toISOString()} --filter event=push --filter type=image --format ID={{.ID}}`, reportData.dockerEvents) - .catch((error) => { - throw new Error("Unable to get docker events: " + error); - }); - - await this.execCommand(`docker images --format CreatedAt={{.CreatedAt}}::Repo={{.Repository}}::Tag={{.Tag}}::Digest={{.Digest}}`, reportData.dockerImages) - .catch((error) => { - throw new Error("Unable to get docker images: " + error); - }); - - core.debug("Finished data collection, starting API calls."); - - var reportSent: boolean = await this.sendReport(JSON.stringify(reportData), bearerToken, sendReportRetryCount); - if (!reportSent) { - throw new Error("Unable to send report to backend service"); - }; - core.info("Container mapping data sent successfully."); - } - - /** - * Execute command and setup the listener to capture the output - * @param command Command to execute - * @param listener Listener to capture the output - * @returns a Promise - */ - private async execCommand(command: string, listener: string[]): Promise { - return exec.getExecOutput(command) - .then((result) => { - if(result.exitCode != 0) { - return Promise.reject(`Command execution failed: ${result}`); - } - result.stdout.trim().split(os.EOL).forEach(element => { - if(element.length > 0) { - listener.push(element); - } - }); - }); - } - - /** - * Sends a report to Defender for DevOps and retries on the specified count - * @param data the data to send - * @param retryCount the number of time to retry - * @param bearerToken the GitHub-generated OIDC token - * @returns a boolean Promise to indicate if the report was sent successfully or not - */ - private async sendReport(data: string, bearerToken: string, retryCount: number = 0): Promise { - core.debug(`attempting to send report: ${data}`); - return await this._sendReport(data, bearerToken) - .then(() => { - return true; - }) - .catch(async (error) => { - if (retryCount == 0) { - return false; - } else { - core.info(`Retrying API call due to error: ${error}.\nRetry count: ${retryCount}`); - retryCount--; - return await this.sendReport(data, bearerToken, retryCount); - } - }); - } - - /** - * Sends a report to Defender for DevOps - * @param data the data to send - * @returns a Promise - */ - private async _sendReport(data: string, bearerToken: string): Promise { - return new Promise(async (resolve, reject) => { - let apiTime = new Date().getMilliseconds(); - let options = { - method: 'POST', - timeout: 2500, - headers: { - 'Content-Type': 'application/json', - 'Authorization': 'Bearer ' + bearerToken, - 'Content-Length': data.length - } - }; - core.debug(`${options['method'].toUpperCase()} ${ContainerMappingURL}`); - - const req = https.request(ContainerMappingURL, options, (res) => { - let resData = ''; - res.on('data', (chunk) => { - resData += chunk.toString(); - }); - - res.on('end', () => { - core.debug('API calls finished. Time taken: ' + (new Date().getMilliseconds() - apiTime) + "ms"); - core.debug(`Status code: ${res.statusCode} ${res.statusMessage}`); - core.debug('Response headers: ' + JSON.stringify(res.headers)); - if (resData.length > 0) { - core.debug('Response: ' + resData); - } - if (res.statusCode < 200 || res.statusCode >= 300) { - return reject(`Received Failed Status code when calling url: ${res.statusCode} ${resData}`); - } - resolve(); - }); - }); - - req.on('error', (error) => { - reject(new Error(`Error calling url: ${error}`)); - }); - - req.write(data); - req.end(); - }); - } - - /** - * Queries Defender for DevOps to determine if the caller is onboarded for container mapping. - * @param retryCount the number of time to retry - * @param bearerToken the GitHub-generated OIDC token - * @returns a boolean Promise to indicate if the report was sent successfully or not - */ - private async checkCallerIsCustomer(bearerToken: string, retryCount: number = 0): Promise { - return await this._checkCallerIsCustomer(bearerToken) - .then(async (statusCode) => { - if (statusCode == 200) { // Status 'OK' means the caller is an onboarded customer. - return true; - } else if (statusCode == 403) { // Status 'Forbidden' means caller is not a customer. - return false; - } else { - core.debug(`Unexpected status code: ${statusCode}`); - return await this.retryCall(bearerToken, retryCount); - } - }) - .catch(async (error) => { - core.info(`Unexpected error: ${error}.`); - return await this.retryCall(bearerToken, retryCount); - }); - } - - private async retryCall(bearerToken: string, retryCount: number): Promise { - if (retryCount == 0) { - core.info(`All retries failed.`); - return false; - } else { - core.info(`Retrying checkCallerIsCustomer.\nRetry count: ${retryCount}`); - retryCount--; - return await this.checkCallerIsCustomer(bearerToken, retryCount); - } - } - - private async _checkCallerIsCustomer(bearerToken: string): Promise { - return new Promise(async (resolve, reject) => { - let options = { - method: 'GET', - timeout: 2500, - headers: { - 'Content-Type': 'application/json', - 'Authorization': 'Bearer ' + bearerToken, - } - }; - core.debug(`${options['method'].toUpperCase()} ${GetScanContextURL}`); - - const req = https.request(GetScanContextURL, options, (res) => { - - res.on('end', () => { - resolve(res.statusCode); - }); - res.on('data', function(d) { - }); - }); - - req.on('error', (error) => { - reject(new Error(`Error calling url: ${error}`)); - }); - - req.end(); - }); - } - +import { IMicrosoftSecurityDevOps } from "./msdo-interface"; +import * as https from "https"; +import * as core from '@actions/core'; +import * as exec from '@actions/exec'; +import * as os from 'os'; + +const sendReportRetryCount: number = 1; +const GetScanContextURL: string = "https://dfdinfra-afdendpoint-prod-d5fqbucbg7fue0cf.z01.azurefd.net/github/v1/auth-push/GetScanContext?context=authOnly"; +const ContainerMappingURL: string = "https://dfdinfra-afdendpoint-prod-d5fqbucbg7fue0cf.z01.azurefd.net/github/v1/container-mappings"; + +/** + * Represents the tasks for container mapping that are used to fetch Docker images pushed in a job run. + */ +export class ContainerMapping implements IMicrosoftSecurityDevOps { + readonly succeedOnError: boolean; + + constructor() { + this.succeedOnError = true; + } + + /** + * Container mapping pre-job commands wrapped in exception handling. + */ + public runPreJob() { + try { + core.info("::group::Microsoft Defender for DevOps container mapping pre-job - https://go.microsoft.com/fwlink/?linkid=2231419"); + this._runPreJob(); + } + catch (error) { + // Log the error + core.info("Error in Container Mapping pre-job: " + error); + } + finally { + // End the collapsible section + core.info("::endgroup::"); + } + } + + + /* + * Set the start time of the job run. + */ + private _runPreJob() { + const startTime = new Date().toISOString(); + core.saveState('PreJobStartTime', startTime); + core.info(`PreJobStartTime: ${startTime}`); + } + + /** + * Placeholder / interface satisfier for main operations + */ + public async runMain() { + // No commands + } + + /** + * Container mapping post-job commands wrapped in exception handling. + */ + public async runPostJob() { + try { + core.info("::group::Microsoft Defender for DevOps container mapping post-job - https://go.microsoft.com/fwlink/?linkid=2231419"); + await this._runPostJob(); + } catch (error) { + // Log the error + core.info("Error in Container Mapping post-job: " + error); + } finally { + // End the collapsible section + core.info("::endgroup::"); + } + } + + /* + * Using the start time, fetch the docker events and docker images in this job run and log the encoded output + * Send the report to Defender for DevOps + */ + private async _runPostJob() { + let startTime = core.getState('PreJobStartTime'); + if (startTime.length <= 0) { + startTime = new Date(new Date().getTime() - 10000).toISOString(); + core.debug(`PreJobStartTime not defined, using now-10secs`); + } + core.info(`PreJobStartTime: ${startTime}`); + + let reportData = { + dockerVersion: "", + dockerEvents: [], + dockerImages: [] + }; + + let bearerToken: string | void = await core.getIDToken() + .then((token) => { return token; }) + .catch((error) => { + throw new Error("Unable to get token: " + error); + }); + + if (!bearerToken) { + throw new Error("Empty OIDC token received"); + } + + // Don't run the container mapping workload if this caller isn't an active customer. + var callerIsOnboarded: boolean = await this.checkCallerIsCustomer(bearerToken, sendReportRetryCount); + if (!callerIsOnboarded) { + core.info("Client is not onboarded to Defender for DevOps. Skipping container mapping workload.") + return; + } + core.info("Client is onboarded for container mapping."); + + // Initialize the commands + let dockerVersionOutput = await exec.getExecOutput('docker --version'); + if (dockerVersionOutput.exitCode != 0) { + core.info(`Unable to get docker version: ${dockerVersionOutput}`); + core.info(`Skipping container mapping since docker not found/available.`); + return; + } + reportData.dockerVersion = dockerVersionOutput.stdout.trim(); + + await this.execCommand(`docker events --since ${startTime} --until ${new Date().toISOString()} --filter event=push --filter type=image --format ID={{.ID}}`, reportData.dockerEvents) + .catch((error) => { + throw new Error("Unable to get docker events: " + error); + }); + + await this.execCommand(`docker images --format CreatedAt={{.CreatedAt}}::Repo={{.Repository}}::Tag={{.Tag}}::Digest={{.Digest}}`, reportData.dockerImages) + .catch((error) => { + throw new Error("Unable to get docker images: " + error); + }); + + core.debug("Finished data collection, starting API calls."); + + var reportSent: boolean = await this.sendReport(JSON.stringify(reportData), bearerToken, sendReportRetryCount); + if (!reportSent) { + throw new Error("Unable to send report to backend service"); + }; + core.info("Container mapping data sent successfully."); + } + + /** + * Execute command and setup the listener to capture the output + * @param command Command to execute + * @param listener Listener to capture the output + * @returns a Promise + */ + private async execCommand(command: string, listener: string[]): Promise { + return exec.getExecOutput(command) + .then((result) => { + if(result.exitCode != 0) { + return Promise.reject(`Command execution failed: ${result}`); + } + result.stdout.trim().split(os.EOL).forEach(element => { + if(element.length > 0) { + listener.push(element); + } + }); + }); + } + + /** + * Sends a report to Defender for DevOps and retries on the specified count + * @param data the data to send + * @param retryCount the number of time to retry + * @param bearerToken the GitHub-generated OIDC token + * @returns a boolean Promise to indicate if the report was sent successfully or not + */ + private async sendReport(data: string, bearerToken: string, retryCount: number = 0): Promise { + core.debug(`attempting to send report: ${data}`); + return await this._sendReport(data, bearerToken) + .then(() => { + return true; + }) + .catch(async (error) => { + if (retryCount == 0) { + return false; + } else { + core.info(`Retrying API call due to error: ${error}.\nRetry count: ${retryCount}`); + retryCount--; + return await this.sendReport(data, bearerToken, retryCount); + } + }); + } + + /** + * Sends a report to Defender for DevOps + * @param data the data to send + * @returns a Promise + */ + private async _sendReport(data: string, bearerToken: string): Promise { + return new Promise(async (resolve, reject) => { + let apiTime = new Date().getMilliseconds(); + let options = { + method: 'POST', + timeout: 2500, + headers: { + 'Content-Type': 'application/json', + 'Authorization': 'Bearer ' + bearerToken, + 'Content-Length': data.length + } + }; + core.debug(`${options['method'].toUpperCase()} ${ContainerMappingURL}`); + + const req = https.request(ContainerMappingURL, options, (res) => { + let resData = ''; + res.on('data', (chunk) => { + resData += chunk.toString(); + }); + + res.on('end', () => { + core.debug('API calls finished. Time taken: ' + (new Date().getMilliseconds() - apiTime) + "ms"); + core.debug(`Status code: ${res.statusCode} ${res.statusMessage}`); + core.debug('Response headers: ' + JSON.stringify(res.headers)); + if (resData.length > 0) { + core.debug('Response: ' + resData); + } + if (res.statusCode < 200 || res.statusCode >= 300) { + return reject(`Received Failed Status code when calling url: ${res.statusCode} ${resData}`); + } + resolve(); + }); + }); + + req.on('error', (error) => { + reject(new Error(`Error calling url: ${error}`)); + }); + + req.write(data); + req.end(); + }); + } + + /** + * Queries Defender for DevOps to determine if the caller is onboarded for container mapping. + * @param retryCount the number of time to retry + * @param bearerToken the GitHub-generated OIDC token + * @returns a boolean Promise to indicate if the report was sent successfully or not + */ + private async checkCallerIsCustomer(bearerToken: string, retryCount: number = 0): Promise { + return await this._checkCallerIsCustomer(bearerToken) + .then(async (statusCode) => { + if (statusCode == 200) { // Status 'OK' means the caller is an onboarded customer. + return true; + } else if (statusCode == 403) { // Status 'Forbidden' means caller is not a customer. + return false; + } else { + core.debug(`Unexpected status code: ${statusCode}`); + return await this.retryCall(bearerToken, retryCount); + } + }) + .catch(async (error) => { + core.info(`Unexpected error: ${error}.`); + return await this.retryCall(bearerToken, retryCount); + }); + } + + private async retryCall(bearerToken: string, retryCount: number): Promise { + if (retryCount == 0) { + core.info(`All retries failed.`); + return false; + } else { + core.info(`Retrying checkCallerIsCustomer.\nRetry count: ${retryCount}`); + retryCount--; + return await this.checkCallerIsCustomer(bearerToken, retryCount); + } + } + + private async _checkCallerIsCustomer(bearerToken: string): Promise { + return new Promise(async (resolve, reject) => { + let options = { + method: 'GET', + timeout: 2500, + headers: { + 'Content-Type': 'application/json', + 'Authorization': 'Bearer ' + bearerToken, + } + }; + core.debug(`${options['method'].toUpperCase()} ${GetScanContextURL}`); + + const req = https.request(GetScanContextURL, options, (res) => { + + res.on('end', () => { + resolve(res.statusCode); + }); + res.on('data', function(d) { + }); + }); + + req.on('error', (error) => { + reject(new Error(`Error calling url: ${error}`)); + }); + + req.end(); + }); + } + } \ No newline at end of file diff --git a/src/main.ts b/src/v1/main.ts similarity index 96% rename from src/main.ts rename to src/v1/main.ts index 1f45f9d1..d843109d 100644 --- a/src/main.ts +++ b/src/v1/main.ts @@ -1,34 +1,34 @@ -import * as core from '@actions/core'; -import { MicrosoftSecurityDevOps } from './msdo'; -import { getExecutor } from './msdo-interface'; -import * as common from '@microsoft/security-devops-actions-toolkit/msdo-common'; -import { Tools } from './msdo-helpers'; - -async function runMain() { - if (shouldRunMain()) - { - await getExecutor(MicrosoftSecurityDevOps).runMain(); - } - else { - console.log("Scanning is not enabled. Skipping..."); - } -} - -runMain().catch(error => { - core.setFailed(error); -}); - -/** - * Returns false if the 'tools' input is specified and the only tool on the list is 'container-mapping'. - * This is because the MicrosoftSecurityDevOps executer does not have a workload for the container-mapping tool. -*/ -function shouldRunMain() { - let toolsString: string = core.getInput('tools'); - if (!common.isNullOrWhiteSpace(toolsString)) { - let tools = toolsString.split(','); - if (tools.length == 1 && tools[0].trim() == Tools.ContainerMapping) { - return false; - } - } - return true; +import * as core from '@actions/core'; +import { MicrosoftSecurityDevOps } from './msdo'; +import { getExecutor } from './msdo-interface'; +import * as common from '@microsoft/security-devops-actions-toolkit/msdo-common'; +import { Tools } from './msdo-helpers'; + +async function runMain() { + if (shouldRunMain()) + { + await getExecutor(MicrosoftSecurityDevOps).runMain(); + } + else { + console.log("Scanning is not enabled. Skipping..."); + } +} + +runMain().catch(error => { + core.setFailed(error); +}); + +/** + * Returns false if the 'tools' input is specified and the only tool on the list is 'container-mapping'. + * This is because the MicrosoftSecurityDevOps executer does not have a workload for the container-mapping tool. +*/ +function shouldRunMain() { + let toolsString: string = core.getInput('tools'); + if (!common.isNullOrWhiteSpace(toolsString)) { + let tools = toolsString.split(','); + if (tools.length == 1 && tools[0].trim() == Tools.ContainerMapping) { + return false; + } + } + return true; } \ No newline at end of file diff --git a/src/msdo-helpers.ts b/src/v1/msdo-helpers.ts similarity index 96% rename from src/msdo-helpers.ts rename to src/v1/msdo-helpers.ts index 72b13f14..39959174 100644 --- a/src/msdo-helpers.ts +++ b/src/v1/msdo-helpers.ts @@ -1,96 +1,96 @@ -import os from 'os'; -import { Writable } from "stream"; - -/** - * Enum for the possible inputs for the task (specified in action.yml) - */ -export enum Inputs { - Command = 'command', - Config = 'config', - Policy = 'policy', - Categories = 'categories', - Languages = 'languages', - Tools = 'tools', - IncludeTools = 'includeTools', - ExistingFilename = 'existingFilename' -} - -/** - * Enum for the runner of the action. - */ -export enum RunnerType { - Main = 'main', - Pre = 'pre', - Post = 'post' -} - -/* -* Enum for the possible values for the Inputs.Tools (specified in action.yml) -*/ -export enum Tools { - Bandit = 'bandit', - Binskim = 'binskim', - Checkov = 'checkov', - ContainerMapping = 'container-mapping', - ESLint = 'eslint', - TemplateAnalyzer = 'templateanalyzer', - Terrascan = 'terrascan', - Trivy = 'trivy' -} - -/** - * Enum for defining constants used in the task. - */ -export enum Constants { - Unknown = "unknown", - PreJobStartTime = "PREJOBSTARTTIME" -} - -/** - * Encodes a string to base64. - * - * @param str - The string to encode. - * @returns The base64 encoded string. - */ -export const encode = (str: string):string => Buffer.from(str, 'binary').toString('base64'); - -/** - * Returns the encoded content of the Docker version, Docker events, and Docker images in the pre-defined format - - * DockerVersion - * Version: TaskVersion - * Events: - * DockerEvents - * Images: - * DockerImages - * - * @param dockerVersion - The version of Docker. - * @param dockerEvents - The Docker events. - * @param dockerImages - The Docker images. - * @param taskVersion - Optional version of the task. Defaults to the version in the action.yml file. - * @param sectionDelim - Optional delimiter to separate sections in the encoded content. Defaults to ":::". - * @returns The encoded content of the Docker version, Docker events, and Docker images. - */ -export function getEncodedContent( - dockerVersion: string, - dockerEvents: string, - dockerImages: string -): string { - let data : string[] = []; - data.push("DockerVersion: " + dockerVersion); - data.push("DockerEvents:"); - data.push(dockerEvents); - data.push("DockerImages:"); - data.push(dockerImages); - return encode(data.join(os.EOL)); -} - -/** - * Writes the specified data to the specified output stream, followed by the platform-specific end-of-line character. - * If no output stream is specified, the data is written to the standard output stream. - * - * @param data - The data to write to the output stream. - * @param outStream - Optional. The output stream to write the data to. Defaults to the standard output stream. - */ -export function writeToOutStream(data: string, outStream: Writable = process.stdout): void { - outStream.write(data.trim() + os.EOL); +import os from 'os'; +import { Writable } from "stream"; + +/** + * Enum for the possible inputs for the task (specified in action.yml) + */ +export enum Inputs { + Command = 'command', + Config = 'config', + Policy = 'policy', + Categories = 'categories', + Languages = 'languages', + Tools = 'tools', + IncludeTools = 'includeTools', + ExistingFilename = 'existingFilename' +} + +/** + * Enum for the runner of the action. + */ +export enum RunnerType { + Main = 'main', + Pre = 'pre', + Post = 'post' +} + +/* +* Enum for the possible values for the Inputs.Tools (specified in action.yml) +*/ +export enum Tools { + Bandit = 'bandit', + Binskim = 'binskim', + Checkov = 'checkov', + ContainerMapping = 'container-mapping', + ESLint = 'eslint', + TemplateAnalyzer = 'templateanalyzer', + Terrascan = 'terrascan', + Trivy = 'trivy' +} + +/** + * Enum for defining constants used in the task. + */ +export enum Constants { + Unknown = "unknown", + PreJobStartTime = "PREJOBSTARTTIME" +} + +/** + * Encodes a string to base64. + * + * @param str - The string to encode. + * @returns The base64 encoded string. + */ +export const encode = (str: string):string => Buffer.from(str, 'binary').toString('base64'); + +/** + * Returns the encoded content of the Docker version, Docker events, and Docker images in the pre-defined format - + * DockerVersion + * Version: TaskVersion + * Events: + * DockerEvents + * Images: + * DockerImages + * + * @param dockerVersion - The version of Docker. + * @param dockerEvents - The Docker events. + * @param dockerImages - The Docker images. + * @param taskVersion - Optional version of the task. Defaults to the version in the action.yml file. + * @param sectionDelim - Optional delimiter to separate sections in the encoded content. Defaults to ":::". + * @returns The encoded content of the Docker version, Docker events, and Docker images. + */ +export function getEncodedContent( + dockerVersion: string, + dockerEvents: string, + dockerImages: string +): string { + let data : string[] = []; + data.push("DockerVersion: " + dockerVersion); + data.push("DockerEvents:"); + data.push(dockerEvents); + data.push("DockerImages:"); + data.push(dockerImages); + return encode(data.join(os.EOL)); +} + +/** + * Writes the specified data to the specified output stream, followed by the platform-specific end-of-line character. + * If no output stream is specified, the data is written to the standard output stream. + * + * @param data - The data to write to the output stream. + * @param outStream - Optional. The output stream to write the data to. Defaults to the standard output stream. + */ +export function writeToOutStream(data: string, outStream: Writable = process.stdout): void { + outStream.write(data.trim() + os.EOL); } \ No newline at end of file diff --git a/src/msdo-interface.ts b/src/v1/msdo-interface.ts similarity index 97% rename from src/msdo-interface.ts rename to src/v1/msdo-interface.ts index af50977e..9a02bad5 100644 --- a/src/msdo-interface.ts +++ b/src/v1/msdo-interface.ts @@ -1,29 +1,29 @@ -/* -* Interface for the MicrosoftSecurityDevOps task -*/ -export interface IMicrosoftSecurityDevOps { - readonly succeedOnError: boolean; - /* param source - The source of the task: main, pre, or post. */ - runPreJob(): any; - runMain(): any; - runPostJob(): any; -} - -/** - * Factory interface for creating instances of the `IMicrosoftSecurityDevOps` interface. - * This factory enforces the inputs that can be used for creation of the `IMicrosoftSecurityDevOps` instances. - */ -export interface IMicrosoftSecurityDevOpsFactory { - new (): IMicrosoftSecurityDevOps; -} - -/** - * Returns an instance of IMicrosoftSecurityDevOps based on the input runner and command type. - * (This is used to enforce strong typing for the inputs for the runner). - * @param runner - The runner to use to create the instance of IMicrosoftSecurityDevOps. - * @param commandType - The input command type. - * @returns An instance of IMicrosoftSecurityDevOps. - */ -export function getExecutor(runner: IMicrosoftSecurityDevOpsFactory): IMicrosoftSecurityDevOps { - return new runner(); +/* +* Interface for the MicrosoftSecurityDevOps task +*/ +export interface IMicrosoftSecurityDevOps { + readonly succeedOnError: boolean; + /* param source - The source of the task: main, pre, or post. */ + runPreJob(): any; + runMain(): any; + runPostJob(): any; +} + +/** + * Factory interface for creating instances of the `IMicrosoftSecurityDevOps` interface. + * This factory enforces the inputs that can be used for creation of the `IMicrosoftSecurityDevOps` instances. + */ +export interface IMicrosoftSecurityDevOpsFactory { + new (): IMicrosoftSecurityDevOps; +} + +/** + * Returns an instance of IMicrosoftSecurityDevOps based on the input runner and command type. + * (This is used to enforce strong typing for the inputs for the runner). + * @param runner - The runner to use to create the instance of IMicrosoftSecurityDevOps. + * @param commandType - The input command type. + * @returns An instance of IMicrosoftSecurityDevOps. + */ +export function getExecutor(runner: IMicrosoftSecurityDevOpsFactory): IMicrosoftSecurityDevOps { + return new runner(); } \ No newline at end of file diff --git a/src/msdo.ts b/src/v1/msdo.ts similarity index 97% rename from src/msdo.ts rename to src/v1/msdo.ts index de7afadb..8d9680f1 100644 --- a/src/msdo.ts +++ b/src/v1/msdo.ts @@ -1,108 +1,108 @@ -import * as core from '@actions/core'; -import { IMicrosoftSecurityDevOps } from './msdo-interface'; -import { Tools } from './msdo-helpers'; -import * as client from '@microsoft/security-devops-actions-toolkit/msdo-client'; -import * as common from '@microsoft/security-devops-actions-toolkit/msdo-common'; - -/* -* Microsoft Security DevOps analyzers runner. -*/ -export class MicrosoftSecurityDevOps implements IMicrosoftSecurityDevOps { - readonly succeedOnError: boolean; - - constructor() { - this.succeedOnError = false; - } - - public async runPreJob() { - // No pre-job commands yet - } - - public async runPostJob() { - // No post-job commands yet - } - - public async runMain() { - core.debug('MicrosoftSecurityDevOps.runMain - Running MSDO...'); - - let args: string[] = undefined; - - // Check job type - might be existing file - let existingFilename = core.getInput('existingFilename'); - if (!common.isNullOrWhiteSpace(existingFilename)) { - args = ['upload', '--file', existingFilename]; - } - - // Nope, run the tool as intended - else { - args = ['run']; - - let config: string = core.getInput('config'); - if (!common.isNullOrWhiteSpace(config)) { - args.push('-c'); - args.push(config); - } - - let policy: string = core.getInput('policy'); - if (common.isNullOrWhiteSpace(policy)) { - policy = "GitHub"; - } - - args.push('-p'); - args.push(policy); - - let categoriesString: string = core.getInput('categories'); - if (!common.isNullOrWhiteSpace(categoriesString)) { - args.push('--categories'); - let categories = categoriesString.split(','); - for (let i = 0; i < categories.length; i++) { - let category = categories[i]; - if (!common.isNullOrWhiteSpace(category)) { - args.push(category.trim()); - } - } - } - - let languagesString: string = core.getInput('languages'); - if (!common.isNullOrWhiteSpace(languagesString)) { - args.push('--languages'); - let languages = languagesString.split(','); - for (let i = 0; i < languages.length; i++) { - let language = languages[i]; - if (!common.isNullOrWhiteSpace(language)) { - args.push(language.trim()); - } - } - } - - let toolsString: string = core.getInput('tools'); - let includedTools = []; - if (!common.isNullOrWhiteSpace(toolsString)) { - let tools = toolsString.split(','); - for (let i = 0; i < tools.length; i++) { - let tool = tools[i]; - let toolTrimmed = tool.trim(); - if (!common.isNullOrWhiteSpace(tool) - && tool != Tools.ContainerMapping // This tool is not handled by this executor - && includedTools.indexOf(toolTrimmed) == -1) { - if (includedTools.length == 0) { - args.push('--tool'); - } - args.push(toolTrimmed); - includedTools.push(toolTrimmed); - } - } - } - - args.push('--github'); - } - - let breakOnDetections: string = core.getInput('break-on-detections'); - if (breakOnDetections && breakOnDetections.trim().toUpperCase() === 'TRUE') { - process.env.MSDO_BREAK = 'true'; - core.debug('break-on-detections is enabled, set MSDO_BREAK=true'); - } - - await client.run(args, 'microsoft/security-devops-action'); - } +import * as core from '@actions/core'; +import { IMicrosoftSecurityDevOps } from './msdo-interface'; +import { Tools } from './msdo-helpers'; +import * as client from '@microsoft/security-devops-actions-toolkit/msdo-client'; +import * as common from '@microsoft/security-devops-actions-toolkit/msdo-common'; + +/* +* Microsoft Security DevOps analyzers runner. +*/ +export class MicrosoftSecurityDevOps implements IMicrosoftSecurityDevOps { + readonly succeedOnError: boolean; + + constructor() { + this.succeedOnError = false; + } + + public async runPreJob() { + // No pre-job commands yet + } + + public async runPostJob() { + // No post-job commands yet + } + + public async runMain() { + core.debug('MicrosoftSecurityDevOps.runMain - Running MSDO...'); + + let args: string[] = undefined; + + // Check job type - might be existing file + let existingFilename = core.getInput('existingFilename'); + if (!common.isNullOrWhiteSpace(existingFilename)) { + args = ['upload', '--file', existingFilename]; + } + + // Nope, run the tool as intended + else { + args = ['run']; + + let config: string = core.getInput('config'); + if (!common.isNullOrWhiteSpace(config)) { + args.push('-c'); + args.push(config); + } + + let policy: string = core.getInput('policy'); + if (common.isNullOrWhiteSpace(policy)) { + policy = "GitHub"; + } + + args.push('-p'); + args.push(policy); + + let categoriesString: string = core.getInput('categories'); + if (!common.isNullOrWhiteSpace(categoriesString)) { + args.push('--categories'); + let categories = categoriesString.split(','); + for (let i = 0; i < categories.length; i++) { + let category = categories[i]; + if (!common.isNullOrWhiteSpace(category)) { + args.push(category.trim()); + } + } + } + + let languagesString: string = core.getInput('languages'); + if (!common.isNullOrWhiteSpace(languagesString)) { + args.push('--languages'); + let languages = languagesString.split(','); + for (let i = 0; i < languages.length; i++) { + let language = languages[i]; + if (!common.isNullOrWhiteSpace(language)) { + args.push(language.trim()); + } + } + } + + let toolsString: string = core.getInput('tools'); + let includedTools = []; + if (!common.isNullOrWhiteSpace(toolsString)) { + let tools = toolsString.split(','); + for (let i = 0; i < tools.length; i++) { + let tool = tools[i]; + let toolTrimmed = tool.trim(); + if (!common.isNullOrWhiteSpace(tool) + && tool != Tools.ContainerMapping // This tool is not handled by this executor + && includedTools.indexOf(toolTrimmed) == -1) { + if (includedTools.length == 0) { + args.push('--tool'); + } + args.push(toolTrimmed); + includedTools.push(toolTrimmed); + } + } + } + + args.push('--github'); + } + + let breakOnDetections: string = core.getInput('break-on-detections'); + if (breakOnDetections && breakOnDetections.trim().toUpperCase() === 'TRUE') { + process.env.MSDO_BREAK = 'true'; + core.debug('break-on-detections is enabled, set MSDO_BREAK=true'); + } + + await client.run(args, 'microsoft/security-devops-action'); + } } \ No newline at end of file diff --git a/src/post.ts b/src/v1/post.ts similarity index 96% rename from src/post.ts rename to src/v1/post.ts index ab75224f..36946894 100644 --- a/src/post.ts +++ b/src/v1/post.ts @@ -1,11 +1,11 @@ -import * as core from '@actions/core'; -import { ContainerMapping } from './container-mapping'; -import { getExecutor } from './msdo-interface'; - -async function runPost() { - await getExecutor(ContainerMapping).runPostJob(); -} - -runPost().catch((error) => { - core.debug(error); +import * as core from '@actions/core'; +import { ContainerMapping } from './container-mapping'; +import { getExecutor } from './msdo-interface'; + +async function runPost() { + await getExecutor(ContainerMapping).runPostJob(); +} + +runPost().catch((error) => { + core.debug(error); }); \ No newline at end of file diff --git a/src/pre.ts b/src/v1/pre.ts similarity index 96% rename from src/pre.ts rename to src/v1/pre.ts index f717e43a..602af8a8 100644 --- a/src/pre.ts +++ b/src/v1/pre.ts @@ -1,11 +1,11 @@ -import * as core from '@actions/core'; -import { ContainerMapping } from './container-mapping'; -import { getExecutor } from './msdo-interface'; - -async function runPre() { - await getExecutor(ContainerMapping).runPreJob(); -} - -runPre().catch((error) => { - core.debug(error); +import * as core from '@actions/core'; +import { ContainerMapping } from './container-mapping'; +import { getExecutor } from './msdo-interface'; + +async function runPre() { + await getExecutor(ContainerMapping).runPreJob(); +} + +runPre().catch((error) => { + core.debug(error); }); \ No newline at end of file diff --git a/test/post.tests.ts b/test/post.tests.ts index 8464a9f6..6341c693 100644 --- a/test/post.tests.ts +++ b/test/post.tests.ts @@ -1,129 +1,76 @@ -import assert from 'assert'; -import https from 'https'; import sinon from 'sinon'; import * as core from '@actions/core'; -import * as exec from '@actions/exec'; -import { run, sendReport, _sendReport } from '../lib/post'; +import { ContainerMapping } from '../lib/v1/container-mapping'; -describe('postjob run', function() { - let execStub: sinon.SinonStub; - let sendReportStub: sinon.SinonStub; +describe('postjob runPostJob', function() { + let getIDTokenStub: sinon.SinonStub; + let getStateStub: sinon.SinonStub; + let debugStub: sinon.SinonStub; + let infoStub: sinon.SinonStub; beforeEach(() => { - execStub = sinon.stub(exec, 'exec'); - sendReportStub = sinon.stub(sendReport); + infoStub = sinon.stub(core, 'info'); + debugStub = sinon.stub(core, 'debug'); + getStateStub = sinon.stub(core, 'getState').returns('2023-01-23T12:34:56.789Z'); + getIDTokenStub = sinon.stub(core, 'getIDToken'); }); afterEach(() => { - execStub.restore(); - sendReport.restore(); + infoStub.restore(); + debugStub.restore(); + getStateStub.restore(); + getIDTokenStub.restore(); }); - it('should run three docker commands and send the report', async () => { - await run(); + it('should handle missing OIDC token gracefully', async () => { + getIDTokenStub.rejects(new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable')); - sinon.assert.callCount(execStub, 3); - sinon.assert.calledWith(execStub, 'docker --version'); - sinon.assert.calledWith(execStub, 'docker images --format CreatedAt={{.CreatedAt}}::Repo={{.Repository}}::Tag={{.Tag}}::Digest={{.Digest}}'); + const cm = new ContainerMapping(); + // runPostJob catches all errors internally + await cm.runPostJob(); - sinon.assert.calledOnce(sendReport); - }); -}); - -describe('postjob sendReport', function() { - let _sendReportStub: sinon.SinonStub; - let data: Object; - - beforeEach(() => { - _sendReportStub = sinon.stub(_sendReport); - data = { - "key.fake": "value.fake" - }; - }); - - afterEach(() => { - _sendReportStub.restore(); - }); - - it('should still call _sendReport once if retryCount < 1', async () => { - await sendReport(data, -1); - sinon.assert.calledOnce(_sendReport); + sinon.assert.calledOnce(getIDTokenStub); }); - it('should succeed if _sendReport succeeds', async () => { - _sendReportStub.throws(new Error('_sendReport().Error')); - - await sendReport(data, 0); - sinon.assert.calledOnce(_sendReport); + it('should skip container mapping if caller is not onboarded', async () => { + getIDTokenStub.resolves('mock-token'); + + // Stub the https request for checkCallerIsCustomer to return 403 (not onboarded) + const https = require('https'); + const requestStub = sinon.stub(https, 'request'); + requestStub.callsFake((_url: string, _options: any, callback: any) => { + const res = { + statusCode: 403, + on: (event: string, handler: any) => { + if (event === 'end') handler(); + if (event === 'data') { /* no data */ } + } + }; + callback(res); + return { on: sinon.stub(), end: sinon.stub(), write: sinon.stub() }; + }); + + const cm = new ContainerMapping(); + await cm.runPostJob(); + + sinon.assert.calledOnce(getIDTokenStub); + requestStub.restore(); }); - it('should succeed if _sendReport succeeds', async () => { + it('should use fallback start time when PreJobStartTime is not set', async () => { + getStateStub.returns(''); + getIDTokenStub.rejects(new Error('no token')); + const cm = new ContainerMapping(); + await cm.runPostJob(); - await sendReport(data, 0); - sinon.assert.calledOnce(_sendReport); + sinon.assert.calledWith(debugStub, sinon.match('PreJobStartTime not defined')); }); - - // should still call _sendReport once if retryCount < 1 - // should succeed if _sendReport succeeds - // should fail if _sendReport fails and retryCount == 0 - // should succeed if _sendReport fails the first time and succeeds the second if retryCount > 0 - // should fail if _sendReport fails for all retries - }); - -describe('postjob _sendReport', function() { - let core_getIDTokenStub: sinon.SinonStub; - let https_requestStub: sinon.SinonStub; - let clientRequestStub; - let data: Object; - const expectedUrl = 'https://dfdinfra-afdendpoint2-dogfood-edb5h5g7gyg7h3hq.z01.azurefd.net/github/v1/container-mappings'; - - beforeEach(() => { - core_getIDTokenStub = sinon.stub(core, 'getIDToken'); - https_requestStub = sinon.stub(https, 'request'); - clientRequestStub = sinon.stub(); - clientRequestStub.end = sinon.stub(); - - core_getIDTokenStub.resolves('bearerToken.mock'); - https_requestStub - .callsArgWith(2, { - on: (event, callback) => { - if (event === 'data') { - callback(); - } else if (event === 'end') { - callback(); - } - }, - end: () => {} - }) - .returns(clientRequestStub); - - data = { - "key.fake": "value.fake" - }; +describe('postjob ContainerMapping properties', function() { + it('should have succeedOnError set to true', () => { + const cm = new ContainerMapping(); + sinon.assert.match(cm.succeedOnError, true); }); - - afterEach(() => { - core_getIDTokenStub.restore(); - https_requestStub.restore(); - clientRequestStub.restore(); - }); - - it('should still call _sendReport once if retryCount < 1', async () => { - await _sendReport(data, -1); - sinon.assert.calledOnce(core_getIDTokenStub); - sinon.assert.calledOnce(https_requestStub); - - // { - // method: 'POST', - // timeout: 2500, - // headers: { - // 'Content-Type': 'application/json', - // 'Authorization': 'Bearer bearerToken.mock' - // }, - // data: data - // }; - }); -}); \ No newline at end of file +}); diff --git a/test/pre.tests.ts b/test/pre.tests.ts index 5bd2d553..02968d0e 100644 --- a/test/pre.tests.ts +++ b/test/pre.tests.ts @@ -1,27 +1,38 @@ import sinon from 'sinon'; import * as core from '@actions/core'; -import { run } from '../lib/pre'; +import { ContainerMapping } from '../lib/v1/container-mapping'; describe('prejob run', () => { let saveStateStub: sinon.SinonStub; - let dateSub: sinon.SinonStub; + let infoStub: sinon.SinonStub; beforeEach(() => { saveStateStub = sinon.stub(core, 'saveState'); - dateSub = sinon.stub(global, 'Date'); + infoStub = sinon.stub(core, 'info'); }); afterEach(() => { saveStateStub.restore(); + infoStub.restore(); }); - it('should save the current time as PreJobStartTime', async () => { - dateSub.returns({ - toISOString: () => '2023-01-23T45:12:34.567Z' - }); + it('should save the current time as PreJobStartTime', () => { + const fakeDate = new Date('2023-01-23T12:34:56.789Z'); + const dateStub = sinon.useFakeTimers(fakeDate.getTime()); - await run(); + const cm = new ContainerMapping(); + cm.runPreJob(); - sinon.assert.calledWithExactly(saveStateStub, 'PreJobStartTime', '2023-01-23T45:12:34.567Z'); + sinon.assert.calledWithExactly(saveStateStub, 'PreJobStartTime', '2023-01-23T12:34:56.789Z'); + + dateStub.restore(); + }); + + it('should not throw on error', () => { + saveStateStub.throws(new Error('test error')); + + const cm = new ContainerMapping(); + // runPreJob catches errors internally, should not throw + cm.runPreJob(); }); -}); \ No newline at end of file +});