feat(configaudit): add support for pnpm, yarn and bun #134
Open
swarit-stepsecurity wants to merge 6 commits into
Move ownerInfo, defaultInGitRepo, sha256Hex, and the git-tracked exec glue into a single meta.go shared by both npmrc and pip detectors. Drops the pipOwnerInfo / pipStatOwner / pipDefaultInGitRepo duplicates and the two pip-only stat shims. No behavior change.
Adds PnpmDetector that walks the same .npmrc scopes as npm (global/user/project — pnpm has no builtin) plus captures the pnpm-specific effective view via `pnpm config list --json` and a pnpm-specific env-var snapshot. Wired through scan, telemetry, --pnpmrc focused CLI, and pretty/verbose output. Feature-gated behind FeaturePnpmConfigAudit, default OFF.
Adds BunDetector that walks user (~/.bunfig.toml), user-xdg (~/.config/.bunfig.toml), and project bunfig.toml files; parses TOML into ordered sections via go-toml/v2 with credentials in [install.scopes.*] redacted. Also surfaces any .npmrc bun would read as an auth side-channel. No effective view — bun has no `config list`. Wired through scan, telemetry, --bunfig CLI, and pretty/verbose output. Feature-gated behind FeatureBunConfigAudit, default OFF.
Adds YarnDetector that covers both v1 (.yarnrc, quasi-INI) and v2+ (.yarnrc.yml, YAML) via gopkg.in/yaml.v3. Berry nested maps under npmScopes / npmRegistries flatten to dotted keys so a single YarnEntry slice carries both flavors. Flavor mismatches (v1 binary with berry file or vice versa) are surfaced in the verbose view. Auth keys redacted across both flavors; .npmrc files yarn reads for auth surface in a side-channel slot. Wired through scan, telemetry, --yarnrc CLI, and pretty/verbose output. Feature-gated behind FeatureYarnConfigAudit, default OFF.
Tightens doc comments across the new pnpm/bun/yarn detectors and the shared meta helpers per repo convention. Fixes a misleading comment on BunDetector.discoverAuthSideChannel that claimed to disable the npm subprocess probe (it only filters the returned scopes; the npm calls still happen — now documented as overlapping work). Adds parsers_extra_test.go covering yarn classic edge cases (bare keys, unclosed quotes, tab separator), berry YAML scalars / empty input, bun TOML scalar types + array values, and full auth-key suffix matrices for all three flavors. configaudit coverage 78.9% → 79.5%.
Signed-off-by: Swarit Pandey <swarit@stepsecurity.io>
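A worked illustration of the two yarn flavors the description above merges into one entry slice, written here as an added example (not the project's code): it parses a constructed classic `.yarnrc` (quoted or bare keys, space or tab separator, an unclosed quote tolerated) and flattens an already-decoded berry document into dotted keys, redacting auth-bearing values in both. The berry input is a `map[string]any` of the shape gopkg.in/yaml.v3 would decode into; the YAML decode step itself is left out so the example runs with the standard library only. `YarnEntry`, the suffix lists and the sample inputs are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// YarnEntry is one flattened key/value pair from either yarn flavor.
// Hypothetical type for this example, named after the PR description.
type YarnEntry struct {
	Key      string
	Value    string
	Redacted bool
}

// Key suffixes treated as credential-bearing (assumed lists for this example).
var classicAuthSuffixes = []string{"_authToken", "_auth", "_password"}
var berryAuthSuffixes = []string{"npmAuthToken", "npmAuthIdent"}

// redact masks the value when the key ends in a credential suffix, so the
// audit output records that a token is configured without carrying it.
func redact(key, value string, suffixes []string) YarnEntry {
	for _, s := range suffixes {
		if strings.HasSuffix(key, s) && value != "" {
			return YarnEntry{Key: key, Value: "<redacted>", Redacted: true}
		}
	}
	return YarnEntry{Key: key, Value: value}
}

// unquote strips one layer of double quotes; an unclosed opening quote is
// tolerated by returning the remainder unchanged.
func unquote(s string) string {
	if strings.HasPrefix(s, `"`) {
		s = strings.TrimSuffix(s[1:], `"`)
	}
	return s
}

// splitClassicLine splits a quasi-INI .yarnrc line into key and value. The key
// may be quoted (scoped registry keys usually are); the separator is a run of
// spaces or tabs; a missing value yields "".
func splitClassicLine(line string) (string, string) {
	if strings.HasPrefix(line, `"`) {
		end := strings.Index(line[1:], `"`)
		if end < 0 { // unclosed quoted key: keep the text, no value
			return line[1:], ""
		}
		return line[1 : end+1], unquote(strings.TrimLeft(line[end+2:], " \t"))
	}
	i := strings.IndexAny(line, " \t")
	if i < 0 {
		return line, ""
	}
	return line[:i], unquote(strings.TrimLeft(line[i:], " \t"))
}

// ParseYarnClassic parses yarn v1 .yarnrc text, skipping blanks and comments.
func ParseYarnClassic(src string) []YarnEntry {
	var out []YarnEntry
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if key, val := splitClassicLine(line); key != "" {
			out = append(out, redact(key, val, classicAuthSuffixes))
		}
	}
	return out
}

// FlattenBerry flattens a decoded .yarnrc.yml document into dotted keys
// (npmScopes.myco.npmAuthToken), sorted for stable output. Lists collapse to a
// comma-joined scalar so a single entry type serves both flavors.
func FlattenBerry(doc map[string]any) []YarnEntry {
	var out []YarnEntry
	var walk func(prefix string, v any)
	walk = func(prefix string, v any) {
		switch t := v.(type) {
		case map[string]any:
			keys := make([]string, 0, len(t))
			for k := range t {
				keys = append(keys, k)
			}
			sort.Strings(keys)
			for _, k := range keys {
				if prefix == "" {
					walk(k, t[k])
				} else {
					walk(prefix+"."+k, t[k])
				}
			}
		case []any:
			parts := make([]string, len(t))
			for i, e := range t {
				parts[i] = fmt.Sprint(e)
			}
			out = append(out, redact(prefix, strings.Join(parts, ","), berryAuthSuffixes))
		default:
			out = append(out, redact(prefix, fmt.Sprint(t), berryAuthSuffixes))
		}
	}
	walk("", doc)
	return out
}

func main() {
	// Constructed sample inputs for this example; not real files or tokens.
	classic := "# yarn v1\nregistry \"https://registry.yarnpkg.com\"\n" +
		"\"//registry.yarnpkg.com/:_authToken\" \"tok-constructed-123\"\n" +
		"yarn-path\t.yarn/releases/yarn-1.22.19.cjs\n"
	berry := map[string]any{
		"nodeLinker": "node-modules",
		"npmScopes": map[string]any{"myco": map[string]any{
			"npmRegistryServer": "https://npm.example.test",
			"npmAuthToken":      "tok-constructed-456",
		}},
	}
	for _, e := range append(ParseYarnClassic(classic), FlattenBerry(berry)...) {
		fmt.Printf("%-40s %s\n", e.Key, e.Value)
	}
}
```

Flattening berry maps to dotted keys keeps one renderer for both flavors, but `npmRegistries` keys are URLs containing dots, so a consumer should not split flattened keys on `.` to recover structure; treat the dotted key as opaque.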
Pull request overview
Adds new Node ecosystem configuration audits for pnpm, bun, and yarn across community scan output, enterprise telemetry payloads, and dedicated --*-only verbose CLI modes.
Changes:
- Extend scan + telemetry payload schemas to include pnpm/bun/yarn audit results.
- Add detectors/parsers + verbose renderers for pnpm (.npmrc + effective view), bun (bunfig.toml + npmrc auth side-channel), and yarn (classic + berry configs + npmrc auth side-channel).
- Add CLI flags (--pnpmrc, --bunfig, --yarnrc) and feature gates for the new audits.
Reviewed changes
Copilot reviewed 28 out of 29 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| internal/telemetry/telemetry.go | Adds pnpm/bun/yarn audit fields to the telemetry payload and runs the new detectors in telemetry mode. |
| internal/scan/scanner.go | Runs pnpm/bun/yarn audits behind feature gates and attaches them to the community scan result. |
| internal/output/yarn_verbose.go | New verbose renderer for yarn config audits (classic + berry) including mismatch signaling and auth side-channel display. |
| internal/output/pretty.go | Adds compact summary sections for pnpm/bun/yarn audits in pretty output. |
| internal/output/pnpm_verbose.go | New verbose renderer for pnpm config audit including effective config view. |
| internal/output/bun_verbose.go | New verbose renderer for bun config audit including bunfig sections and npmrc auth side-channel. |
| internal/model/model.go | Adds new model types for pnpm/bun/yarn audits and related file/entry structures. |
| internal/featuregate/featuregate.go | Introduces feature gates for pnpm/bun/yarn audits (disabled by default). |
| internal/featuregate/featuregate_test.go | Updates feature gate tests to include the new feature constants. |
| internal/detector/configaudit/yarn.go | New yarn detector: discovers classic/berry files, captures yarn version/flavor, and surfaces npmrc auth side-channel. |
| internal/detector/configaudit/yarn_test.go | Unit tests for yarn detector behavior (both flavors, mismatch, malformed YAML, flavor parsing). |
| internal/detector/configaudit/yarn_classic.go | Yarn v1 .yarnrc parser with auth detection + redaction behavior. |
| internal/detector/configaudit/yarn_berry.go | Yarn berry .yarnrc.yml YAML parser with flattening + auth detection + redaction behavior. |
| internal/detector/configaudit/pnpm.go | New pnpm detector: npmrc discovery + pnpm config list --json effective view + env snapshot. |
| internal/detector/configaudit/pnpm_test.go | Unit tests for pnpm detector discovery, redaction/env-ref behavior, and env snapshot behavior. |
| internal/detector/configaudit/pipconfig.go | Refactors pip config detector to reuse shared owner/git helpers. |
| internal/detector/configaudit/pipconfig_test.go | Updates pip config tests for the shared ownerInfo hook. |
| internal/detector/configaudit/pipconfig_stat_windows.go | Removes pip-specific Windows owner stat shim (replaced by shared statOwner). |
| internal/detector/configaudit/pipconfig_stat_unix.go | Removes pip-specific Unix owner stat shim (replaced by shared statOwner). |
| internal/detector/configaudit/parsers_extra_test.go | Adds edge-case coverage for yarn parsers and bunfig parser + auth-key helpers. |
| internal/detector/configaudit/npmrc.go | Refactors npmrc detector to reuse shared owner/git/sha helpers. |
| internal/detector/configaudit/meta.go | New shared helpers (ownerInfo, gitTrackedViaExec, defaultInGitRepo, sha256Hex). |
| internal/detector/configaudit/bunfig.go | New bun detector: bunfig discovery, parsing, env snapshot, and npmrc auth side-channel capture. |
| internal/detector/configaudit/bunfig_test.go | Unit tests for bun detector discovery, TOML parsing tolerance, and side-channel npmrc behavior. |
| internal/detector/configaudit/bunfig_parse.go | Bunfig TOML parser producing ordered sections + redaction classification. |
| internal/cli/cli.go | Adds new CLI flags and mutual-exclusion handling; updates help text. |
| go.sum | Adds checksums for new YAML dependency chain. |
| go.mod | Adds YAML dependency (currently marked indirect). |
| cmd/stepsecurity-dev-machine-guard/main.go | Adds --pnpmrc/--bunfig/--yarnrc “only” execution paths and verbose/JSON output wiring. |
Comment on lines +16 to +19
| require ( | ||
| github.com/tidwall/match v1.1.1 // indirect | ||
| gopkg.in/yaml.v3 v3.0.1 // indirect | ||
| ) |
Comment on lines +450 to +452
| --pnpmrc Run ONLY the pnpm config audit (verbose pretty view; --json supported) | ||
| --bunfig Run ONLY the bun config audit (verbose pretty view; --json supported) | ||
| --yarnrc Run ONLY the yarn config audit covering both v1 (.yarnrc) and v2+ (.yarnrc.yml) |
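Review bot: the `--yarnrc` help line lacks the `(verbose pretty view; --json supported)` suffix that the `--pnpmrc` and `--bunfig` lines carry, so a reader cannot tell whether `--json` applies to it. If the yarn-only path has the same JSON wiring as the other two, align the three lines; if it does not, state that explicitly.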
Comment on lines 348 to +352
| NPMRCAudit: &npmrcAudit, | ||
| PipAudit: &pipAudit, | ||
| PnpmAudit: &pnpmAudit, | ||
| BunAudit: &bunAudit, | ||
| YarnAudit: &yarnAudit, |
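Review bot: `PnpmAudit: &pnpmAudit`, `BunAudit: &bunAudit` and `YarnAudit: &yarnAudit` take the address unconditionally, while these three audits are feature-gated and default OFF. With a gate disabled the field still points at a zero-value audit, which a JSON consumer can misread as "audit ran, nothing found". Suggest leaving the pointer nil when the gate is off (with `omitempty` on the field) so a skipped audit and a clean audit stay distinguishable.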
Comment on lines +488 to +495
| func runPnpmRCOnly(exec executor.Executor, cfg *cli.Config) error { | ||
| ctx := context.Background() | ||
| dev := device.Gather(ctx, exec) | ||
| loggedInUser, _ := exec.LoggedInUser() | ||
|
|
||
| searchDirs := resolveScanSearchDirs(exec, cfg.SearchDirs) | ||
| audit := configaudit.NewPnpmDetector(exec).Detect(ctx, searchDirs, loggedInUser) | ||
|
|
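Review bot: `loggedInUser, _ := exec.LoggedInUser()` discards the error, so a failed lookup silently runs the pnpm detector with an empty user and any ownership comparison in the audit is made against "". Since `runPnpmRCOnly` already returns `error`, suggest propagating it (or at least reporting it in the verbose view) instead of swallowing it.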
Testing
./stepsecurity-dev-machine-guard --verbose
./stepsecurity-dev-machine-guard --json | python3 -m json.tool
make lint
make test
Related Issues