update secure workflow response

Author: Balijepalli Vamshi Krishna

main.go

@@ -128,7 +128,7 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {
 				inputYaml = httpRequest.Body
 			}
 
-			fixResponse, err := workflow.SecureWorkflow(httpRequest.QueryStringParameters, inputYaml, dynamoDbSvc, nil)
+			fixResponse, err := workflow.SecureWorkflow(httpRequest.QueryStringParameters, inputYaml, dynamoDbSvc)
 
 			if err != nil {
 				response = events.APIGatewayProxyResponse{

remediation/workflow/hardenrunner/addaction.go

@@ -51,7 +51,7 @@ func AddAction(inputYaml, action string, pinActions, pinToImmutable bool, skipCo
 	}
 
 	if updated && pinActions {
-		out, _, err = pin.PinAction(action, out, nil, pinToImmutable, nil, nil)
+		out, _, err = pin.PinAction(action, out, nil, pinToImmutable, nil)
 		if err != nil {
 			return out, updated, err
 		}

remediation/workflow/permissions/permissions.go

@@ -25,6 +25,7 @@ type SecureWorkflowReponse struct {
 	WorkflowFetchError     bool
 	JobErrors              []JobError
 	MissingActions         []string
+	UsingSecureRepoPAT     bool
 }
 
 type JobError struct {

remediation/workflow/pin/pinactions.go

@@ -3,24 +3,19 @@ package pin
 import (
 	"context"
 	"fmt"
+	"log"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 
 	"github.com/google/go-github/v40/github"
-	"github.com/sirupsen/logrus"
 	metadata "github.com/step-security/secure-repo/remediation/workflow/metadata"
 	"golang.org/x/oauth2"
 	"gopkg.in/yaml.v3"
 )
 
-type StepSecurityAppLogger struct {
-	RequestID string `json:"request_id,omitempty"`
-	*logrus.Logger
-}
-
-func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string, logger *StepSecurityAppLogger) (string, bool, error) {
+func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
 	workflow := metadata.Workflow{}
 	updated := false
 	err := yaml.Unmarshal([]byte(inputYaml), &workflow)
@@ -35,7 +30,7 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool,
 		for _, step := range job.Steps {
 			if len(step.Uses) > 0 {
 				localUpdated := false
-				out, localUpdated, err = PinAction(step.Uses, out, exemptedActions, pinToImmutable, actionCommitMap, logger)
+				out, localUpdated, err = PinAction(step.Uses, out, exemptedActions, pinToImmutable, actionCommitMap)
 				if err != nil {
 					return out, updated, err
 				}
@@ -47,9 +42,9 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool,
 	return out, updated, nil
 }
 
-func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string, logger *StepSecurityAppLogger) (string, bool, error) {
-
+func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
 	updated := false
+
 	if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {
 		return inputYaml, updated, nil // Cannot pin local actions and docker actions
 	}
@@ -73,17 +68,9 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 	PAT := os.Getenv("SECURE_REPO_PAT")
 	if PAT == "" {
 		PAT = os.Getenv("PAT")
-		if logger != nil {
-			logger.Logf(logrus.InfoLevel, "SECURE_REPO_PAT is not set, using PAT")
-		} else {
-			logrus.Info("SECURE_REPO_PAT is not set, using PAT")
-		}
+		log.Println("SECURE_REPO_PAT is not set, using PAT")
 	} else {
-		if logger != nil {
-			logger.Logf(logrus.InfoLevel, "SECURE_REPO_PAT is set")
-		} else {
-			logrus.Info("SECURE_REPO_PAT is set")
-		}
+		log.Println("SECURE_REPO_PAT is set")
 	}
 
 	ctx := context.Background()
@@ -287,3 +274,7 @@ func ActionExists(actionName string, patterns []string) bool {
 	}
 	return false
 }
+
+func UsingSecureRepoPAT() bool {
+	return os.Getenv("SECURE_REPO_PAT") != ""
+}

remediation/workflow/pin/pinactions_test.go

@@ -333,7 +333,7 @@ func TestPinActions(t *testing.T) {
 			}
 		}
 
-		output, gotUpdated, err = PinActions(string(input), tt.exemptedActions, tt.pinToImmutable, actionCommitMap, nil)
+		output, gotUpdated, err = PinActions(string(input), tt.exemptedActions, tt.pinToImmutable, actionCommitMap)
 		if tt.wantUpdated != gotUpdated {
 			t.Errorf("test failed wantUpdated %v did not match gotUpdated %v", tt.wantUpdated, gotUpdated)
 		}

remediation/workflow/secureworkflow.go

@@ -17,7 +17,7 @@ const (
 	HardenRunnerActionName        = "Harden Runner"
 )
 
-func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc dynamodbiface.DynamoDBAPI, logger *pin.StepSecurityAppLogger, params ...interface{}) (*permissions.SecureWorkflowReponse, error) {
+func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc dynamodbiface.DynamoDBAPI, params ...interface{}) (*permissions.SecureWorkflowReponse, error) {
 	pinActions, addHardenRunner, addPermissions, addProjectComment, replaceMaintainedActions := true, true, true, true, false
 	pinnedActions, addedHardenRunner, addedPermissions, replacedMaintainedActions := false, false, false, false
 	ignoreMissingKBs := false
@@ -148,7 +148,7 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 			log.Printf("Pinning GitHub Actions")
 		}
 		pinnedAction, pinnedDocker := false, false
-		secureWorkflowReponse.FinalOutput, pinnedAction, err = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable, actionCommitMap, logger)
+		secureWorkflowReponse.FinalOutput, pinnedAction, err = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable, actionCommitMap)
 		if err != nil {
 			if enableLogging {
 				log.Printf("Error pinning actions: %v", err)
@@ -185,14 +185,16 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	secureWorkflowReponse.AddedHardenRunner = addedHardenRunner
 	secureWorkflowReponse.AddedPermissions = addedPermissions
 	secureWorkflowReponse.AddedMaintainedActions = replacedMaintainedActions
+	secureWorkflowReponse.UsingSecureRepoPAT = pin.UsingSecureRepoPAT()
 
 	if enableLogging {
-		log.Printf("SecureWorkflow complete - PinnedActions: %v, AddedHardenRunner: %v, AddedPermissions: %v, AddedMaintainedActions: %v, HasErrors: %v",
+		log.Printf("SecureWorkflow complete - PinnedActions: %v, AddedHardenRunner: %v, AddedPermissions: %v, AddedMaintainedActions: %v, HasErrors: %v, UsingSecureRepoPAT: %v",
 			secureWorkflowReponse.PinnedActions,
 			secureWorkflowReponse.AddedHardenRunner,
 			secureWorkflowReponse.AddedPermissions,
 			secureWorkflowReponse.AddedMaintainedActions,
-			secureWorkflowReponse.HasErrors)
+			secureWorkflowReponse.HasErrors,
+			secureWorkflowReponse.UsingSecureRepoPAT)
 	}
 
 	return secureWorkflowReponse, nil

remediation/workflow/secureworkflow_test.go

@@ -266,9 +266,9 @@ func TestSecureWorkflow(t *testing.T) {
 			if err != nil {
 				t.Errorf("unable to load the file %s", err)
 			}
-			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, nil, []string{"actions/*"}, false, actionMap)
+			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, []string{"actions/*"}, false, actionMap)
 		} else {
-			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, nil)
+			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{})
 		}
 
 		if test.wantError {
@@ -369,7 +369,7 @@ func TestSecureWorkflowContainerJob(t *testing.T) {
 	queryParams["skipHardenRunnerForContainers"] = "true"
 	queryParams["addProjectComment"] = "false"
 
-	output, err := SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, nil)
+	output, err := SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{})
 
 	if err != nil {
 		t.Errorf("Error not expected")
@@ -474,7 +474,7 @@ func TestSecureWorkflowEmptyPermissions(t *testing.T) {
 	queryParams["addEmptyTopLevelPermissions"] = "true"
 	queryParams["addProjectComment"] = "false"
 
-	output, err := SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, nil)
+	output, err := SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{})
 
 	if err != nil {
 		t.Errorf("Error not expected")