Separates auxiliary checks into separate methods

README.md

@@ -1,8 +1,6 @@
 # ghast
 
-GHAST (GitHub Actions Static Analysis Tool) is a tool to analyze the security posture of your GitHub Actions.
-
-![ghast-stdout](/images/ghast-stdout.png)
+GHAST (GitHub Actions Static Analysis Tool) is a tool to analyze the security posture of your GitHub Actions and its surronding environment for common security vulnerabilities or missing security configuration.
 
 ### Installation
 

action.yml

@@ -1,5 +1,5 @@
 name: "ghast-scanner"
-description: "Scan your GitHub actions folder for common security vulnerabilities"
+description: "Scan your GitHub actions and environment for common security vulnerabilities"
 author: "bin3xish477"
 branding:
   icon: "shield"

analyzer/analyzer.py

@@ -35,8 +35,12 @@ def __init__(
             "_check_for_create_or_approve_pull_request": {"level": "FAIL"},
             "_check_for_remote_script": {"level": "WARN"},
         }
+        self.auxiliary_checks = [
+            "_check_for_codeowners_file",
+        ]
         self.action = {}
         self.jobs = {}
+
         self._run_aux_checks()
 
     def _print_failed_check_msg(self, check: str, level: str):
@@ -311,24 +315,35 @@ def __print_msg(job: str, step: dict):
                                 passed = False
         return passed
 
-    def get_checks(self) -> list:
-        """Returns list containing available checks.
+    # ==================================================================
+    # ======================== Auxiliary Checks ========================
+    # ==================================================================
 
-        Returns:
-            list: list() of available checks.
-        """
-        return [*self.checks.keys()]
+    def _check_for_codeowners_file(self) -> bool:
+        if not Path(".github/workflows/CODEOWNERS").exists():
+            print(
+                f"{Colors.LIGHT_BLUE}AUXI{Colors.END} missing CODEOWNERS file"
+                "which can provide additional protections for your workflow files"
+            )
+        else:
+            if self.verbose:
+                print(f"{Colors.LIGHT_BLUE}AUXI{Colors.END} found CODEOWNERS file")
 
     def _run_aux_checks(self) -> None:
         """Runs auxiliary checks which are checks for security-related
         configurations/properties/mechanisms that contribute to more secure
         GitHub Actions workflows.
         """
-        if not Path(".github/workflows/CODEOWNERS").exists():
-            print(
-                f"{Colors.LIGHT_BLUE}AUXI{Colors.END} missing CODEOWNERS file"
-                "which can provide additional protections for your workflow files"
-            )
+        for check in self.auxiliary_checks:
+            Analyzer.__dict__[check](self)
+
+    def get_checks(self) -> list:
+        """Returns list containing available checks.
+
+        Returns:
+            list: list() of available checks.
+        """
+        return [*self.checks.keys()]
 
     def run_checks(self, action: dict) -> bool:
         """Run checks against a parsed Action YAML file as dict.
@@ -357,5 +372,4 @@ def run_checks(self, action: dict) -> bool:
                         passed_all_checks = False
             for check in fail_checks:
                 self._print_failed_check_msg(check, self.checks[check]["level"])
-
         return passed_all_checks

main.py

@@ -96,7 +96,9 @@ def _main():
                         f"Scanning {Colors.UNDERLINE}{dir_}{Colors.END} directory..."
                     )
                 for action in dir_.iterdir():
-                    print(f"File: {Colors.BOLD}{str(action).rsplit(sep, maxsplit=1)[-1]}{Colors.END}")
+                    print(
+                        f"FILE => {Colors.BOLD}{Colors.UNDERLINE}{str(action).rsplit(sep, maxsplit=1)[-1]}{Colors.END}"
+                    )
                     if action.is_file and action.suffix in (".yml", ".yaml"):
                         with action.open("r") as action_file:
                             action_dict = safe_load(action_file)