From 618e1259c15b30e79f628f6c8c04b8b249db0e86 Mon Sep 17 00:00:00 2001
From: Martin Roy
Date: Fri, 5 Dec 2025 13:35:50 -0500
Subject: [PATCH 1/4] BST-18082 Add tests for composition and npm-audit scanners
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Migrated test targets from boost-sandbox module-tests repositories to the new test harness.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 scanners/boostsecurityio/composition/tests.yaml | 12 ++++++++++++
 scanners/boostsecurityio/npm-audit/tests.yaml | 7 +++++++
 2 files changed, 19 insertions(+)
 create mode 100644 scanners/boostsecurityio/composition/tests.yaml
 create mode 100644 scanners/boostsecurityio/npm-audit/tests.yaml

diff --git a/scanners/boostsecurityio/composition/tests.yaml b/scanners/boostsecurityio/composition/tests.yaml
new file mode 100644
index 00000000..21073279
--- /dev/null
+++ b/scanners/boostsecurityio/composition/tests.yaml
@@ -0,0 +1,12 @@
+version: "1.0"
+tests:
+ - name: "hounddog-test-healthcare"
+ type: "source-code"
+ source:
+ url: "https://github.com/hounddogai/hounddog-test-healthcare-app.git"
+ ref: "main"
+ - name: "sones"
+ type: "source-code"
+ source:
+ url: "https://github.com/sones/sones.git"
+ ref: "master"
diff --git a/scanners/boostsecurityio/npm-audit/tests.yaml b/scanners/boostsecurityio/npm-audit/tests.yaml
new file mode 100644
index 00000000..ba1408e4
--- /dev/null
+++ b/scanners/boostsecurityio/npm-audit/tests.yaml
@@ -0,0 +1,7 @@
+version: "1.0"
+tests:
+ - name: "pnpm"
+ type: "source-code"
+ source:
+ url: "https://github.com/pnpm/pnpm.git"
+ ref: "main"
From f85b074f6285c49a109ebe36d43a26487043eeb2 Mon Sep 17 00:00:00 2001
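Review bot: Both new composition test targets pin `ref` to a moving branch head (`ref: "main"` for hounddog-test-healthcare-app, `ref: "master"` for sones), so the harness presumably clones whatever those third-party repositories contain at run time and the scanner output can change or break with no change in this registry. Pinning each entry to a commit SHA, or at least an immutable tag as PATCH 2/4 later does for npm-audit with `ref: "v3.2.1"`, keeps results reproducible and bounds what foreign content the test pipeline pulls in. The same applies to the npm-audit hunk in this patch (`ref: "main"` for pnpm), which PATCH 2/4 replaces, and to the sones entry, which PATCH 3/4 deletes. A one-line comment above `tests:`, `# Pin refs to a commit SHA so results are reproducible`, would record the expectation for future entries.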
From: Martin Roy
Date: Thu, 11 Dec 2025 14:20:38 -0500
Subject: [PATCH 2/4] FIXUP use a proper repo using NPM, use a fixed branch of scan runner to fix main scan only scanners

---
 .github/workflows/scan-test.yml | 3 ++-
 scanners/boostsecurityio/npm-audit/tests.yaml | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/scan-test.yml b/.github/workflows/scan-test.yml
index 7dbeb245..99d1a5ba 100644
--- a/.github/workflows/scan-test.yml
+++ b/.github/workflows/scan-test.yml
@@ -124,7 +124,8 @@ jobs:
 "token": "${{ steps.github-token.outputs.token }}",
 "owner": "boostsecurityio",
 "repo": "scan-test-runner-gitbub-actions",
- "workflow_id": "test-scanner.yml"
+ "workflow_id": "test-scanner.yml",
+ "ref": "BST-17994-fix-main-branch-detection"
 }
 registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}"
 base-ref: "${{ github.base_ref }}"
diff --git a/scanners/boostsecurityio/npm-audit/tests.yaml b/scanners/boostsecurityio/npm-audit/tests.yaml
index ba1408e4..9dfbff04 100644
--- a/scanners/boostsecurityio/npm-audit/tests.yaml
+++ b/scanners/boostsecurityio/npm-audit/tests.yaml
@@ -1,7 +1,7 @@
 version: "1.0"
 tests:
- - name: "pnpm"
+ - name: "docusaurus"
 type: "source-code"
 source:
- url: "https://github.com/pnpm/pnpm.git"
- ref: "main"
+ url: "https://github.com/facebook/docusaurus.git"
+ ref: "v3.2.1"
From 9825c5f01cf2a7f65ef3f3125965e0514b27dbe0 Mon Sep 17 00:00:00 2001
From: Martin Roy
Date: Thu, 11 Dec 2025 14:24:32 -0500
Subject: [PATCH 3/4] FIXUP trigger only github actions for debug

---
 scanners/boostsecurityio/composition/tests.yaml | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/scanners/boostsecurityio/composition/tests.yaml b/scanners/boostsecurityio/composition/tests.yaml
index 21073279..fca4a333 100644
--- a/scanners/boostsecurityio/composition/tests.yaml
+++ b/scanners/boostsecurityio/composition/tests.yaml
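Review bot: The added `"ref": "BST-17994-fix-main-branch-detection"` in the github-action provider-config dispatches the external test-scanner workflow from a mutable feature branch of scan-test-runner-gitbub-actions, and nothing in the hunk marks it as temporary even though the commit subject calls it a FIXUP; once merged, this job would keep executing whatever that branch holds, which can be rewritten or deleted out-of-band, whereas the action itself is pinned by full SHA on the `uses:` line elsewhere in this file. Either pin `ref` to the branch's commit SHA or annotate the line so it is reverted, e.g. `# TODO(BST-17994): drop this ref once the fix lands on the runner's default branch`. The enclosing `provider-config: |` block scalar and the `with:` mapping begin before the hunk.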
@@ -5,8 +5,3 @@ tests:
 source:
 url: "https://github.com/hounddogai/hounddog-test-healthcare-app.git"
 ref: "main"
- - name: "sones"
- type: "source-code"
- source:
- url: "https://github.com/sones/sones.git"
- ref: "master"
From 2d0035a479195b41637d774f9722ecb633632cf2 Mon Sep 17 00:00:00 2001
From: Martin Roy
Date: Thu, 11 Dec 2025 14:25:51 -0500
Subject: [PATCH 4/4] FIXUP rebase touchup

---
 .github/workflows/scan-test.yml | 106 --------------------------------
 1 file changed, 106 deletions(-)

diff --git a/.github/workflows/scan-test.yml b/.github/workflows/scan-test.yml
index 99d1a5ba..79f0b7ba 100644
--- a/.github/workflows/scan-test.yml
+++ b/.github/workflows/scan-test.yml
@@ -15,85 +15,6 @@ permissions: id-token: write # Required for OIDC jobs: - azure-devops-pipelines: - name: Azure DevOps Pipelines - runs-on: ubuntu-latest - # Run on pull_request for same-repo PRs, pull_request_target for fork PRs - if: | - (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) || - (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository) - steps: - - name: Azure Login (OIDC) - uses: azure/login@v2 - with: - client-id: ${{ secrets.BOOST_SCAN_RUNNER_ADO_CLIENT_ID }} - tenant-id: ${{ secrets.BOOST_SCAN_RUNNER_ADO_TENANT_ID }} - allow-no-subscriptions: true - - name: Get Azure DevOps Token - id: azure-token - run: | - token=$(az account get-access-token \ - --resource 499b84ac-1321-427f-aa17-267ca6975798 \ - --query accessToken -o tsv) - echo "token=$token" >> $GITHUB_OUTPUT - echo "::add-mask::$token" - - name: Checkout scanner registry - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Need full history to detect changes - ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} - - name: Run Tests - uses: boostsecurityio/scan-test-action@b61411c3651a93be06e3f31490ff6a94e901ae00 - with: - provider: azure-devops - provider-config: | - { - "token": "${{ steps.azure-token.outputs.token }}", - "organization": "BoostSecurity", - "project": "cicd-tools", - "pipeline_id": 1 - } - registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}" - base-ref: "${{ github.base_ref }}" - fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image" - bitbucket-action: - name: Bitbucket Pipelines - runs-on: ubuntu-latest - # Run on pull_request for same-repo PRs, pull_request_target for fork PRs - if: | - (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) || - (github.event_name == 'pull_request_target' && 
github.event.pull_request.head.repo.full_name != github.repository) - steps: - - name: Generate Bitbucket OAuth Token - id: bitbucket-token - run: | - response=$(curl -s -X POST \ - "https://bitbucket.org/site/oauth2/access_token" \ - -u "${{ secrets.BOOST_SCAN_RUNNER_BITBUCKET_CLIENT_ID }}:${{ secrets.BOOST_SCAN_RUNNER_BITBUCKET_CLIENT_SECRET }}" \ - -d "grant_type=client_credentials") - - token=$(echo "$response" | jq -r '.access_token') - echo "token=$token" >> $GITHUB_OUTPUT - echo "::add-mask::$token" - - name: Checkout scanner registry - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Need full history to detect changes - ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} - - name: Run Tests - uses: boostsecurityio/scan-test-action@b61411c3651a93be06e3f31490ff6a94e901ae00 - with: - provider: bitbucket - provider-config: | - { - "token": "${{ steps.bitbucket-token.outputs.token }}", - "workspace": "boostsecurityio", - "repo_slug": "scan-test-runner-bitbucket-pipelines" - } - registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}" - base-ref: "${{ github.base_ref }}" - fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image" - github-action: name: Github Actions runs-on: ubuntu-latest 
@@ -130,30 +51,3 @@ jobs: registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}" base-ref: "${{ github.base_ref }}" fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image" - - gitlab-ci: - name: Gitlab-CI - runs-on: ubuntu-latest - # Run on pull_request for same-repo PRs, pull_request_target for fork PRs - if: | - (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) || - (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository) - steps: - - name: Checkout scanner registry - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Need full history to detect changes - ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} - - name: Run Tests - uses: boostsecurityio/scan-test-action@b61411c3651a93be06e3f31490ff6a94e901ae00 - with: - provider: gitlab-ci - provider-config: | - { - "trigger_token": "${{ secrets.BOOST_SCAN_RUNNER_GITLAB_TRIGGER_TOKEN }}", - "api_token": "${{ secrets.BOOST_SCAN_RUNNER_GITLAB_READ_TOKEN }}", - "project_id": "boostsecurityio/scan-test-runner-gitlab-ci" - } - registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}" - base-ref: "${{ github.base_ref }}" - fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image"