fix: tighten supply-chain ioc markers

2026-05-18 06:43:05 +08:00 · 2026-05-17 06:48:01 -04:00
parent 98592ab6b8
commit fb6d4a7104
2 changed files with 44 additions and 3 deletions
--- a/tests/ci/scan-supply-chain-iocs.test.js
+++ b/tests/ci/scan-supply-chain-iocs.test.js
@@ -309,7 +309,7 @@ function run() {
        '      - run: echo svksjrhjkcejg',
        '      - run: echo OhNoWhatsGoingOnWithGitHub',
        '      - run: echo claude@users.noreply.github.com',
-        '      - run: echo dependabout/router/setup-formatter',
+        '      - run: echo dependabot/github_actions/format/router',
        '      - run: echo signalservice snode',
      ].join('\n'),
    }, rootDir => {
@@ -321,11 +321,37 @@ function run() {
      assert.ok(indicators.includes('svksjrhjkcejg'));
      assert.ok(indicators.includes('OhNoWhatsGoingOnWithGitHub'));
      assert.ok(indicators.includes('claude@users.noreply.github.com'));
-      assert.ok(indicators.includes('dependabout/'));
+      assert.ok(indicators.includes('dependabot/github_actions/format/'));
      assert.ok(indicators.includes('signalservice'));
    });
  })) passed++; else failed++;

+  if (test('rejects current StepSecurity branch and credential-harvest markers', () => {
+    withFixture({
+      'package.json': JSON.stringify({
+        scripts: {
+          prepare: [
+            'echo 7c12d8619f2db233e3d965a9307093355f149d5babc458912757a5e88fec0f54',
+            'echo 0c0e8730695e997b3a53d77483f28573392319ec023f8fd6d7282121cf7cf192',
+            'curl http://169.254.169.254/latest/meta-data/iam/security-credentials/',
+            'curl http://169.254.170.2/v2/credentials/',
+            'curl http://127.0.0.1:8200/v1/auth/token/lookup-self',
+            'git push origin dependabot/github_actions/format/main',
+          ].join(' && '),
+        },
+      }, null, 2),
+    }, rootDir => {
+      const result = scanSupplyChainIocs({ rootDir });
+      const indicators = result.findings.map(finding => finding.indicator);
+      assert.ok(indicators.includes('7c12d8619f2db233e3d965a9307093355f149d5babc458912757a5e88fec0f54'));
+      assert.ok(indicators.includes('0c0e8730695e997b3a53d77483f28573392319ec023f8fd6d7282121cf7cf192'));
+      assert.ok(indicators.includes('169.254.169.254'));
+      assert.ok(indicators.includes('169.254.170.2'));
+      assert.ok(indicators.includes('127.0.0.1:8200'));
+      assert.ok(indicators.includes('dependabot/github_actions/format/'));
+    });
+  })) passed++; else failed++;
+
  if (test('rejects user-level Python persistence payloads when home scan is enabled', () => {
    withFixture({
      'home/.local/bin/pgmonitor.py': 'print("persistence")',