boostsecurityio
diff --git a/‎analyze/analyze.go‎
Lines changed: 114 additions & 0 deletions b/‎analyze/analyze.go‎
Lines changed: 114 additions & 0 deletions
diff --git a/‎analyze/analyze_test.go‎
Lines changed: 190 additions & 0 deletions b/‎analyze/analyze_test.go‎
Lines changed: 190 additions & 0 deletions
@@ -3,7 +3,9 @@ package analyze
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -478,6 +480,118 @@ func (a *Analyzer) AnalyzeLocalRepo(ctx context.Context, repoPath string) (*mode
 	return scannedPackage, nil
 }
 
+func (a *Analyzer) AnalyzeManifest(ctx context.Context, manifestReader io.Reader, manifestType string) (*models.PackageInsights, error) {
+	provider := "manifest"
+	providerVersion := "unknown"
+
+	pkgSupplyClient := pkgsupply.NewStaticClient()
+	inventory := scanner.NewInventory(a.Opa, pkgSupplyClient, provider, providerVersion)
+
+	log.Debug().Msg("Starting manifest analysis")
+
+	manifestData, err := io.ReadAll(manifestReader)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read manifest: %w", err)
+	}
+
+	if manifestType == "" {
+		return nil, errors.New("invalid manifest type")
+	}
+
+	filename := a.getManifestFilename(manifestType)
+
+	pkg := a.createManifestPackageInsights(manifestType)
+
+	inventoryScanner := scanner.InventoryScannerMem{
+		Files: map[string][]byte{
+			filename: manifestData,
+		},
+		Parsers: []scanner.MemParser{
+			scanner.NewGithubActionWorkflowParser(),
+			scanner.NewGithubActionsMetadataParser(),
+			scanner.NewGitlabCiParser(),
+			scanner.NewAzurePipelinesParser(),
+			scanner.NewPipelineAsCodeTektonParser(),
+		},
+	}
+
+	scannedPackage, err := inventory.ScanPackageScanner(ctx, *pkg, &inventoryScanner)
+	if err != nil {
+		return nil, fmt.Errorf("failed to scan manifest: %w", err)
+	}
+
+	err = a.finalizeAnalysis(ctx, []*models.PackageInsights{scannedPackage})
+	if err != nil {
+		return nil, err
+	}
+
+	return scannedPackage, nil
+}
+
+func (a *Analyzer) getManifestFilename(manifestType string) string {
+	switch manifestType {
+	case "github-actions":
+		return ".github/workflows/manifest.yml"
+	case "gitlab-ci":
+		return ".gitlab-ci.yml"
+	case "azure-pipelines":
+		return "azure-pipelines.yml"
+	case "tekton":
+		return ".tekton/manifest.yml"
+	default:
+		return ".github/workflows/manifest.yml"
+	}
+}
+
+func (a *Analyzer) createManifestPackageInsights(manifestType string) *models.PackageInsights {
+	var purlString string
+	switch manifestType {
+	case "github-actions":
+		purlString = "pkg:generic/github-actions-workflow"
+	case "gitlab-ci":
+		purlString = "pkg:generic/gitlab-ci-config"
+	case "azure-pipelines":
+		purlString = "pkg:generic/azure-pipelines-config"
+	case "tekton":
+		purlString = "pkg:generic/tekton-pipeline"
+	default:
+		purlString = "pkg:generic/ci-workflow"
+	}
+
+	purl, _ := models.NewPurl(purlString)
+
+	pkg := &models.PackageInsights{
+		LastCommitedAt:     time.Now().Format(time.RFC3339),
+		Purl:               purl.String(),
+		SourceScmType:      "manifest",
+		SourceGitRepo:      "workflow/" + manifestType,
+		SourceGitRef:       "HEAD",
+		SourceGitCommitSha: "unknown",
+		OrgID:              0,
+		RepoID:             0,
+		RepoSize:           0,
+		DefaultBranch:      "main",
+		IsFork:             false,
+		IsEmpty:            false,
+		ForksCount:         0,
+		StarsCount:         0,
+		IsTemplate:         false,
+		HasIssues:          false,
+		OpenIssuesCount:    0,
+		HasWiki:            false,
+		HasDiscussions:     false,
+		PrimaryLanguage:    "YAML",
+		License:            "",
+	}
+
+	err := pkg.NormalizePurl()
+	if err != nil {
+		log.Warn().Err(err).Msg("failed to normalize purl for manifest")
+	}
+
+	return pkg
+}
+
 type Formatter interface {
 	Format(ctx context.Context, packages []*models.PackageInsights) error
 	FormatWithPath(ctx context.Context, packages []*models.PackageInsights, pathAssociation map[string][]*models.RepoInfo) error
 
@@ -0,0 +1,190 @@
+package analyze
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/boostsecurityio/poutine/formatters/noop"
+	"github.com/boostsecurityio/poutine/models"
+	"github.com/boostsecurityio/poutine/opa"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// newTestOpa creates an OPA client for testing
+func newTestOpa(ctx context.Context) (*opa.Opa, error) {
+	config := models.DefaultConfig()
+	opaClient, err := opa.NewOpa(ctx, config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create opa client: %w", err)
+	}
+	return opaClient, nil
+}
+
+func TestAnalyzeManifestDirectly(t *testing.T) {
+	ctx := context.Background()
+
+	tests := []struct {
+		name           string
+		content        string
+		manifestType   string
+		expectedType   string
+		validateResult func(t *testing.T, insights *models.PackageInsights)
+	}{
+		{
+			name: "valid github actions workflow",
+			content: `name: Test Workflow
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run tests
+        run: echo "Running tests"`,
+			manifestType: "github-actions",
+			expectedType: "github-actions",
+			validateResult: func(t *testing.T, insights *models.PackageInsights) {
+				assert.Equal(t, "manifest", insights.SourceScmType)
+				assert.Contains(t, insights.Purl, "pkg:generic/github-actions-workflow")
+				assert.Equal(t, "YAML", insights.PrimaryLanguage)
+				assert.Len(t, insights.GithubActionsWorkflows, 1, "Should detect GitHub Actions workflow")
+			},
+		},
+		{
+			name: "valid gitlab ci config",
+			content: `stages:
+  - build
+  - test
+
+variables:
+  DOCKER_DRIVER: overlay2
+
+build_job:
+  stage: build
+  script:
+    - echo "Building application"
+
+test_job:
+  stage: test
+  script:
+    - echo "Running tests"`,
+			manifestType: "gitlab-ci",
+			expectedType: "gitlab-ci",
+			validateResult: func(t *testing.T, insights *models.PackageInsights) {
+				assert.Equal(t, "manifest", insights.SourceScmType)
+				assert.Contains(t, insights.Purl, "pkg:generic/gitlab-ci-config")
+				assert.Len(t, insights.GitlabciConfigs, 1, "Should detect GitLab CI config")
+			},
+		},
+		{
+			name: "vulnerable github actions workflow",
+			content: `name: Vulnerable Workflow
+on: pull_request_target
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@main
+      - name: Vulnerable command
+        run: |
+          curl -fsSL https://example.com/script.sh | bash
+          echo "${{ github.event.pull_request.title }}" | bash`,
+			manifestType: "github-actions",
+			expectedType: "github-actions",
+			validateResult: func(t *testing.T, insights *models.PackageInsights) {
+				assert.Contains(t, insights.Purl, "pkg:generic/github-actions-workflow")
+				assert.Len(t, insights.GithubActionsWorkflows, 1, "Should detect workflow")
+
+				workflow := insights.GithubActionsWorkflows[0]
+				assert.Equal(t, "Vulnerable Workflow", workflow.Name)
+
+				assert.Len(t, insights.FindingsResults.Findings, 3, "May have security findings for vulnerable workflow")
+			},
+		},
+		{
+			name: "azure pipelines config",
+			content: `trigger:
+  - main
+
+pool:
+  vmImage: ubuntu-latest
+
+steps:
+  - task: UseDotNet@2
+    displayName: 'Install .NET'
+    inputs:
+      version: '6.0.x'
+
+  - script: dotnet build
+    displayName: 'Build application'`,
+			manifestType: "azure-pipelines",
+			expectedType: "azure-pipelines",
+			validateResult: func(t *testing.T, insights *models.PackageInsights) {
+				assert.Contains(t, insights.Purl, "pkg:generic/azure-pipelines-config")
+				assert.Len(t, insights.AzurePipelines, 1, "Should detect Azure Pipeline")
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			opaClient, err := newTestOpa(ctx)
+			require.NoError(t, err, "Failed to create OPA client")
+
+			formatter := &noop.Format{}
+			analyzer := NewAnalyzer(nil, nil, formatter, models.DefaultConfig(), opaClient)
+
+			manifestReader := strings.NewReader(tt.content)
+			result, err := analyzer.AnalyzeManifest(ctx, manifestReader, tt.manifestType)
+
+			require.NoError(t, err, "AnalyzeManifest should not return an error")
+			require.NotNil(t, result, "Result should not be nil")
+
+			if tt.validateResult != nil {
+				tt.validateResult(t, result)
+			}
+		})
+	}
+}
+
+func TestAnalyzeManifestErrorHandling(t *testing.T) {
+	ctx := context.Background()
+
+	opaClient, err := newTestOpa(ctx)
+	require.NoError(t, err)
+
+	formatter := &noop.Format{}
+	analyzer := NewAnalyzer(nil, nil, formatter, models.DefaultConfig(), opaClient)
+
+	t.Run("empty content", func(t *testing.T) {
+		manifestReader := strings.NewReader("")
+		result, err := analyzer.AnalyzeManifest(ctx, manifestReader, "github-actions")
+
+		require.NoError(t, err)
+		require.NotNil(t, result)
+		assert.Equal(t, "manifest", result.SourceScmType)
+	})
+
+	t.Run("invalid yaml", func(t *testing.T) {
+		invalidYaml := `name: Test
+on: push
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: "Unclosed quote
+        run: echo "test"`
+
+		manifestReader := strings.NewReader(invalidYaml)
+		result, err := analyzer.AnalyzeManifest(ctx, manifestReader, "github-actions")
+
+		require.NoError(t, err)
+		require.NotNil(t, result)
+	})
+}