Update dependencies, add lint and unit-tests

.github/workflows/test-secrets-action-sarif.yaml

@@ -24,4 +24,4 @@ jobs:
         uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # ratchet:github/codeql-action/upload-sarif@v3
         if: ${{ always() && steps.orcasecurity_secrets_scan.outputs.exit_code != 1 }}
         with:
-          sarif_file: results/secrets.sarif
+          sarif_file: results/secrets.sarif

.github/workflows/test-secrets-action.yaml

@@ -17,4 +17,4 @@ jobs:
         with:
           api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
           project_key: "default"
-          console_output: "table"
+          console_output: "table"

.github/workflows/unit-tests.yml

@@ -0,0 +1,23 @@
+name: Unit Tests
+on:
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Run lint
+        run: npm run lint
+
+      - name: Run tests
+        run: npm test

.gitignore

@@ -1,3 +1,5 @@
 # IDE
 .idea
-node_modules
+node_modules
+
+dist/

README.md

@@ -5,25 +5,24 @@ for [Orca Shift Left Security](https://orca.security/solutions/shift-left-securi
 
 #### More info can be found in the official Orca Shift Left Security<a href="https://docs.orcasecurity.io/v1/docs/shift-left-security"> documentation</a>
 
-
-
 ### Table of Contents
-  - [Table of Contents](#table-of-contents)
-  - [Usage](#usage)
-    - [Workflow](#workflow)
-    - [Inputs](#inputs)
-  - [Checks](#checks)
-  - [Annotations](#annotations)
-  - [Scan Summary](#scan-summary)
-  - [Upload SARIF report](#upload-sarif-report)
 
+- [Table of Contents](#table-of-contents)
+- [Usage](#usage)
+  - [Workflow](#workflow)
+  - [Inputs](#inputs)
+- [Checks](#checks)
+- [Annotations](#annotations)
+- [Scan Summary](#scan-summary)
+- [Upload SARIF report](#upload-sarif-report)
 
 ## Usage
 
 ### Workflow
 
 ```yaml
-name: Sample Orca Secrets Scan Workflow
+name:
+  Sample Orca Secrets Scan Workflow
   # Trigger the workflow on push and pull requests
 on: [push, pull_request]
 jobs:
@@ -37,7 +36,7 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0       
+          fetch-depth: 0
 
       - name: Run Orca Secrets Scan
         uses: orcasecurity/shiftleft-secrets-action@v1
@@ -46,16 +45,13 @@ jobs:
           project_key: ${{ env.PROJECT_KEY }}
 ```
 
-
 > [!NOTE]
 > Utilizing **fetch-depth=0** is essential for a valid git history scan.
 
-
-
 ### Inputs
 
 | Variable                    | Example Value &nbsp; | Description &nbsp;                                                                | Type    | Required | Default     |
-|-----------------------------|----------------------|-----------------------------------------------------------------------------------|---------|----------|-------------|
+| --------------------------- | -------------------- | --------------------------------------------------------------------------------- | ------- | -------- | ----------- |
 | api_token                   |                      | Orca API Token used for Authentication                                            | String  | Yes      | N/A         |
 | project_key                 | my-project-key       | Project Key name                                                                  | String  | Yes      | N/A         |
 | path                        | sub-dir              | Path to scan                                                                      | String  | No       | .           |
@@ -71,38 +67,42 @@ jobs:
 | exceptions_filepath         | n/a                  | exceptions YAML filepath. (File should be mounted)                                | String  | No       | false       |
 | num_cpu                     | 10                   | Number of logical CPUs to be used for secret scanning (default 10)                | Integer | No       | 10          |
 | show_failed_issues_only     | n/a                  | show only failed issues                                                           | Boolean | No       | false       |
-| from-commit                 | n/a                  | the commit to search *from*                                                       | String  | No       | N/A         |
-| to-commit                   | n/a                  | the commit to search *to*                                                         | String  | No       | N/A         |
+| from-commit                 | n/a                  | the commit to search _from_                                                       | String  | No       | N/A         |
+| to-commit                   | n/a                  | the commit to search _to_                                                         | String  | No       | N/A         |
 | disable-git-scan            | true                 | flag that indicates that the CLI will not scan git history for secrets            | Boolean | No       | false       |
 | ignore-git-history-baseline | true                 | forces a full history scan                                                        | Boolean | No       | false       |
 | debug                       | true                 | Debug mode                                                                        | Boolean | No       | false       |
 | log_path                    | results/             | The directory path to specify where the logs should be written to on debug mode.  | String  | No       | working dir |
 | disable-active-verification | true                 | Disable active verification of secrets                                            | Boolean | No       | false       |
 
 ## Checks
+
 Upon adding the action, two new checks will become visible on pull requests:
 
 ![](/assets/checks_preview.png)
 
-* For the push event, the scanning process will target and analyze only the most recent push.
-* Conversely, for the pull_request event, the scanning will encompass every commit that forms part of the pull request, diligently searching for any potential secrets.
-
+- For the push event, the scanning process will target and analyze only the most recent push.
+- Conversely, for the pull_request event, the scanning will encompass every commit that forms part of the pull request, diligently searching for any potential secrets.
 
 ## Annotations
+
 After scanning, the action will add the results as annotations in a pull request:
 
 ![](/assets/secret_annotation_preview.png)
->  **NOTE:**  Annotations can be disabled by setting the "show_annotation" input to "false"
 
+> **NOTE:** Annotations can be disabled by setting the "show_annotation" input to "false"
 
 ## Scan Summary
+
 Every action will provide a clear scan summary output, and by clicking the 'View in code' link, you will be directed to the precise location of the secret.
 
 ![](/assets/secrets_summary_preview.png)
 
 ## Upload SARIF report
+
 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Orca Shift Left Security as a scanning tool
-> **NOTE:**  Code scanning is available for all public repositories. Code scanning is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.
+
+> **NOTE:** Code scanning is available for all public repositories. Code scanning is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.
 
 Configuration:
 
@@ -124,14 +124,10 @@ jobs:
         id: orcasecurity_secrets_scan
         uses: orcasecurity/shiftleft-secrets-action@v1
         with:
-          api_token:
-            ${{ secrets.ORCA_SECURITY_API_TOKEN }}
-          project_key:
-            "default"
-          format:
-            "sarif"
-          output:
-            "results/"
+          api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
+          project_key: "default"
+          format: "sarif"
+          output: "results/"
           console_output: "table"
       - name: Upload SARIF file
         uses: github/codeql-action/upload-sarif@v3
@@ -143,7 +139,5 @@ jobs:
 The results list can be found on the security tab of your GitHub project and should look like the following image
 ![](/assets/code_scanning_list.png)
 
-
-An entry should describe the error and in which line it occurred 
+An entry should describe the error and in which line it occurred
 ![](/assets/code_scanning_entry.png)
-

action.yaml

@@ -31,6 +31,9 @@ inputs:
     description: "Suppress error reporting to the monitoring platform"
     required: false
     default: "false"
+  max_secret:
+    description: "Maximum secrets that can be found, when reaching this number secret scan will stop"
+    required: false
   num_cpu:
     description: "Number of logical CPUs to be used for secret scanning (default 10)"
     required: false
@@ -41,6 +44,7 @@ inputs:
   disable_git_scan:
     description: "Disable Git scan"
     required: false
+    default: "false"
   ignore_git_history_baseline:
     description: "Run full history scan"
     required: false

entrypoint.sh

@@ -31,22 +31,13 @@ function set_global_flags() {
   if [ "${INPUT_SILENT}" == "true" ]; then
     GLOBAL_FLAGS+=(--silent)
   fi
-  if [ "${INPUT_CONFIG}" ]; then
-    GLOBAL_FLAGS+=(--config "${INPUT_CONFIG}")
-  fi
-  if [ "${INPUT_BASELINE_CONTEXT_KEY}" ]; then
-    GLOBAL_FLAGS+=(--baseline-context-key "${INPUT_BASELINE_CONTEXT_KEY}")
-  fi
-  if [ "${INPUT_DISABLE_BASELINE}" == "true" ]; then
-    GLOBAL_FLAGS+=(--disable-baseline)
-  fi
   if [ "${INPUT_DISABLE_ERR_REPORT}" == "true" ]; then
     GLOBAL_FLAGS+=(--disable-err-report)
   fi
-  if [ "${INPUT_SYNC_BASELINE}" ]; then
-    GLOBAL_FLAGS+=(--sync-baseline "${INPUT_SYNC_BASELINE}")
+  if [ "${INPUT_CONFIG}" ]; then
+    GLOBAL_FLAGS+=(--config "${INPUT_CONFIG}")
   fi
-  if [ "${INPUT_DEBUG}" == "true" ]; then
+  if [ "${INPUT_DEBUG}" = "true" ]; then
     GLOBAL_FLAGS+=(--debug)
   fi
   if [ "${INPUT_DISABLE_ACTIVE_VERIFICATION}" == "true" ]; then
@@ -89,15 +80,33 @@ function set_secrets_scan_flags() {
   if [ "${INPUT_PATH}" ]; then
     SCAN_FLAGS+=(--path "${INPUT_PATH}")
   fi
+  if [ "${INPUT_MAX_SECRET}" ]; then
+    SCAN_FLAGS+=(--max-secret "${INPUT_MAX_SECRET}")
+  fi
+  if [ "${INPUT_NUM_CPU}" ]; then
+    SCAN_FLAGS+=(--num-cpu "${INPUT_NUM_CPU}")
+  fi
+  if [ "${INPUT_DISABLE_GIT_SCAN}" = "true" ]; then
+    SCAN_FLAGS+=(--disable-git-scan)
+  fi
+  if [ "${INPUT_IGNORE_GIT_HISTORY_BASELINE}" = "true" ]; then
+    SCAN_FLAGS+=(--ignore-git-history-baseline)
+  fi
+  if [ "${INPUT_FROM_COMMIT}" ]; then
+    SCAN_FLAGS+=(--from-commit "${INPUT_FROM_COMMIT}")
+  fi
+  if [ "${INPUT_TO_COMMIT}" ]; then
+    SCAN_FLAGS+=(--to-commit "${INPUT_TO_COMMIT}")
+  fi
   if [ "${INPUT_EXCEPTIONS_FILEPATH}" ]; then
     SCAN_FLAGS+=(--exceptions-filepath "${INPUT_EXCEPTIONS_FILEPATH}")
   fi
+  if [ "${INPUT_TIMEOUT}" ]; then
+    SCAN_FLAGS+=(--timeout "${INPUT_TIMEOUT}")
+  fi
   if [ "${INPUT_SHOW_FAILED_ISSUES_ONLY}" = "true" ]; then
     SCAN_FLAGS+=(--show-failed-issues-only)
   fi
-  if [ "${INPUT_NUM_CPU}" ]; then
-    SCAN_FLAGS+=(--num-cpu "${INPUT_NUM_CPU}")
-  fi
   if [ "${FORMATS_FOR_JSON}" ]; then
     SCAN_FLAGS+=(--format "${FORMATS_FOR_JSON}")
   fi
@@ -107,22 +116,6 @@ function set_secrets_scan_flags() {
   if [ "${CONSOLE_OUTPUT_FOR_JSON}" ]; then
     SCAN_FLAGS+=(--console-output="${CONSOLE_OUTPUT_FOR_JSON}")
   fi
-  if [ "${INPUT_FROM_COMMIT}" ]; then
-    SCAN_FLAGS+=(--from-commit="${INPUT_FROM_COMMIT}")
-  fi
-  if [ "${INPUT_TO_COMMIT}" ]; then
-    SCAN_FLAGS+=(--to-commit="${INPUT_TO_COMMIT}")
-  fi
-  if [ "${INPUT_IGNORE_GIT_HISTORY_BASELINE}" ]; then
-    SCAN_FLAGS+=(--ignore-git-history-baseline="${INPUT_IGNORE_GIT_HISTORY_BASELINE}")
-  fi
-  if [ "${INPUT_DISABLE_GIT_SCAN}" ]; then
-    SCAN_FLAGS+=(--disable-git-scan="${INPUT_DISABLE_GIT_SCAN}")
-  fi
-  if [ "${MAX_SECRETS}" ]; then
-    SCAN_FLAGS+=(--max-secret="${MAX_SECRETS}")
-  fi
-  SCAN_FLAGS+=(--debug)
 }
 
 function set_env_vars() {
@@ -140,7 +133,7 @@ function validate_flags() {
 }
 
 annotate() {
-  if [ "${INPUT_SHOW_ANNOTATIONS}" == "false" ]; then
+  if [ "${INPUT_SHOW_ANNOTATIONS}" = "false" ]; then
     exit "${ORCA_EXIT_CODE}"
   fi
   mkdir -p "/app/${OUTPUT_FOR_JSON}"

eslint.config.js

@@ -0,0 +1,50 @@
+const js = require("@eslint/js");
+
+module.exports = [
+  {
+    // Global ignores
+    ignores: ["dist/**"],
+  },
+  {
+    // Base configuration
+    files: ["**/*.{js}"],
+    settings: {
+      "import/resolver": {
+        typescript: {},
+      },
+    },
+    rules: {
+      ...js.configs.recommended.rules,
+
+      // Spacing and formatting rules
+      "space-before-blocks": "error",
+      "keyword-spacing": "error",
+      "no-trailing-spaces": "error",
+      curly: "error",
+      quotes: ["error", "single"],
+      "object-curly-spacing": ["error", "always"],
+      "no-multi-spaces": "error",
+      "semi-spacing": "error",
+
+      // Code style rules
+      "prefer-const": ["error", { destructuring: "all" }],
+      "max-classes-per-file": ["error", 10],
+      "max-len": ["error", 200],
+
+      // Import rules
+      "import/no-unresolved": [
+        "error",
+        { commonjs: true, caseSensitive: true },
+      ],
+      "import/extensions": ["error", "ignorePackages", { js: "never" }],
+    },
+  },
+  {
+    // Test files override
+    files: ["**/test/**"],
+    rules: {
+      "import/no-unresolved": "off",
+      "import/extensions": "off",
+    },
+  },
+];