BST-18082 Add tests for composition and npm-audit scanners

.github/workflows/scan-test.yml

@@ -15,85 +15,6 @@ permissions:
   id-token: write  # Required for OIDC
 
 jobs:
-  azure-devops-pipelines:
-    name: Azure DevOps Pipelines
-    runs-on: ubuntu-latest
-    # Run on pull_request for same-repo PRs, pull_request_target for fork PRs
-    if: |
-      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
-      (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
-    steps:
-      - name: Azure Login (OIDC)
-        uses: azure/login@v2
-        with:
-          client-id: ${{ secrets.BOOST_SCAN_RUNNER_ADO_CLIENT_ID }}
-          tenant-id: ${{ secrets.BOOST_SCAN_RUNNER_ADO_TENANT_ID }}
-          allow-no-subscriptions: true
-      - name: Get Azure DevOps Token
-        id: azure-token
-        run: |
-          token=$(az account get-access-token \
-            --resource 499b84ac-1321-427f-aa17-267ca6975798 \
-            --query accessToken -o tsv)
-          echo "token=$token" >> $GITHUB_OUTPUT
-          echo "::add-mask::$token"
-      - name: Checkout scanner registry
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # Need full history to detect changes
-          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
-      - name: Run Tests
-        uses: boostsecurityio/scan-test-action@b61411c3651a93be06e3f31490ff6a94e901ae00
-        with:
-          provider: azure-devops
-          provider-config: |
-            {
-              "token": "${{ steps.azure-token.outputs.token }}",
-              "organization": "BoostSecurity",
-              "project": "cicd-tools",
-              "pipeline_id": 1
-            }
-          registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}"
-          base-ref: "${{ github.base_ref }}"
-          fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image"
-  bitbucket-action:
-    name: Bitbucket Pipelines
-    runs-on: ubuntu-latest
-    # Run on pull_request for same-repo PRs, pull_request_target for fork PRs
-    if: |
-      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
-      (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
-    steps:
-      - name: Generate Bitbucket OAuth Token
-        id: bitbucket-token
-        run: |
-          response=$(curl -s -X POST \
-            "https://bitbucket.org/site/oauth2/access_token" \
-            -u "${{ secrets.BOOST_SCAN_RUNNER_BITBUCKET_CLIENT_ID }}:${{ secrets.BOOST_SCAN_RUNNER_BITBUCKET_CLIENT_SECRET }}" \
-            -d "grant_type=client_credentials")
-
-          token=$(echo "$response" | jq -r '.access_token')
-          echo "token=$token" >> $GITHUB_OUTPUT
-          echo "::add-mask::$token"
-      - name: Checkout scanner registry
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # Need full history to detect changes
-          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
-      - name: Run Tests
-        uses: boostsecurityio/scan-test-action@b61411c3651a93be06e3f31490ff6a94e901ae00
-        with:
-          provider: bitbucket
-          provider-config: |
-            {
-              "token": "${{ steps.bitbucket-token.outputs.token }}",
-              "workspace": "boostsecurityio",
-              "repo_slug": "scan-test-runner-bitbucket-pipelines"
-            }
-          registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}"
-          base-ref: "${{ github.base_ref }}"
-          fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image"
-
   github-action:
     name: Github Actions
     runs-on: ubuntu-latest
@@ -124,34 +45,8 @@ jobs:
               "token": "${{ steps.github-token.outputs.token }}",
               "owner": "boostsecurityio",
               "repo": "scan-test-runner-gitbub-actions",
-              "workflow_id": "test-scanner.yml"
-            }
-          registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}"
-          base-ref: "${{ github.base_ref }}"
-          fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image"
-
-  gitlab-ci:
-    name: Gitlab-CI
-    runs-on: ubuntu-latest
-    # Run on pull_request for same-repo PRs, pull_request_target for fork PRs
-    if: |
-      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
-      (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
-    steps:
-      - name: Checkout scanner registry
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # Need full history to detect changes
-          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
-      - name: Run Tests
-        uses: boostsecurityio/scan-test-action@b61411c3651a93be06e3f31490ff6a94e901ae00
-        with:
-          provider: gitlab-ci
-          provider-config: |
-            {
-              "trigger_token": "${{ secrets.BOOST_SCAN_RUNNER_GITLAB_TRIGGER_TOKEN }}",
-              "api_token": "${{ secrets.BOOST_SCAN_RUNNER_GITLAB_READ_TOKEN }}",
-              "project_id": "boostsecurityio/scan-test-runner-gitlab-ci"
+              "workflow_id": "test-scanner.yml",
+              "ref": "BST-17994-fix-main-branch-detection"
             }
           registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}"
           base-ref: "${{ github.base_ref }}"

scanners/boostsecurityio/composition/tests.yaml

@@ -0,0 +1,7 @@
+version: "1.0"
+tests:
+  - name: "hounddog-test-healthcare"
+    type: "source-code"
+    source:
+      url: "https://github.com/hounddogai/hounddog-test-healthcare-app.git"
+      ref: "main"

scanners/boostsecurityio/npm-audit/tests.yaml

@@ -0,0 +1,7 @@
+version: "1.0"
+tests:
+  - name: "docusaurus"
+    type: "source-code"
+    source:
+      url: "https://github.com/facebook/docusaurus.git"
+      ref: "v3.2.1"