Merge pull request #8 from Contrast-Security-OSS/PRODSEC-483-actions-folder

PRODSEC-483 - scan .github/actions and subfolders

Author: DavidMContrast

CHANGELOG.md

@@ -4,9 +4,22 @@ All notable changes to this project will be documented in this file. Dates are d
 
 Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 
+#### [v1.0.6](https://github.com/Contrast-Security-OSS/actionbot/compare/v1.0.4...v1.0.6)
+
+- Prodsec 475 - Logs [`#7`](https://github.com/Contrast-Security-OSS/actionbot/pull/7)
+- Prodsec 462 - fix policyUrl context [`#6`](https://github.com/Contrast-Security-OSS/actionbot/pull/6)
+- Prodsec 462 - fix policy url [`#5`](https://github.com/Contrast-Security-OSS/actionbot/pull/5)
+- PRODDSEC-462 - Add support to policies hosted in private Github repositories [`#4`](https://github.com/Contrast-Security-OSS/actionbot/pull/4)
+- chore: Logs more readable [`1909c15`](https://github.com/Contrast-Security-OSS/actionbot/commit/1909c15fcc7b4ee0d5684406dc4083fe7468347d)
+- chore: build [`0cdbb1e`](https://github.com/Contrast-Security-OSS/actionbot/commit/0cdbb1e07d25532a1f06842dee4cc7242d181e61)
+- fix: scan subdirectories in workflows and actions folder [`f11daf4`](https://github.com/Contrast-Security-OSS/actionbot/commit/f11daf4baf8cea627e2ba44a795ed774ecd3a71a)
+
 #### [v1.0.4](https://github.com/Contrast-Security-OSS/actionbot/compare/v1.0.3...v1.0.4)
 
+> 1 May 2025
+
 - fix: policyUrl getContents was using context owner and repo [`71e65a3`](https://github.com/Contrast-Security-OSS/actionbot/commit/71e65a36efa30aff6fc8c7e53abdb462131bf2f3)
+- chore: update changelog [`12fd334`](https://github.com/Contrast-Security-OSS/actionbot/commit/12fd334cbdc30bfd78602236adc3680e0ea28bc2)
 
 #### [v1.0.3](https://github.com/Contrast-Security-OSS/actionbot/compare/v1.0.0...v1.0.3)
 

lib/index.js

@@ -38997,9 +38997,11 @@ function run(context) {
             allFiles.forEach((file) => {
                 let filePath = path_1.default.parse(file);
                 console.log("filePath : " + filePath);
+                const dirLower = filePath.dir.toLowerCase();
                 if ((filePath.ext.toLowerCase() == ".yaml" ||
                     filePath.ext.toLowerCase() == ".yml") &&
-                    filePath.dir.toLowerCase() == ".github/workflows") {
+                    dirLower.startsWith(".github/workflows") ||
+                    dirLower.startsWith(".github/actions")) {
                     workflowFilePaths.push(file);
                 }
             });

package.json

@@ -1,6 +1,6 @@
 {
   "name": "actionbot",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "private": true,
   "description": "Github Action Policy Checker as a Github Action",
   "main": "lib/index.js",

src/main.ts

@@ -141,10 +141,12 @@ async function run(context: typeof github.context): Promise<void> {
       let filePath = path.parse(file);
 
       console.log("filePath : " + filePath);
+      const dirLower = filePath.dir.toLowerCase();
       if (
-        (filePath.ext.toLowerCase() == ".yaml" ||
+        ((filePath.ext.toLowerCase() == ".yaml" ||
           filePath.ext.toLowerCase() == ".yml") &&
-        filePath.dir.toLowerCase() == ".github/workflows"
+          dirLower.startsWith(".github/workflows")) ||
+        dirLower.startsWith(".github/actions")
       ) {
         workflowFilePaths.push(file);
       }