feat(scripts): add dependency pinning compliance scanning #169
Merged
WilliamBerryiii merged 2 commits into main on Feb 13, 2026
Conversation
- add scanner, security modules, and tool-checksums database
- add Pester test infrastructure with fixtures and mock module
- add dependency-pinning-scan and pester-tests reusable workflows
- wire new workflows into pr-validation and main orchestrators

🔒 Generated by Copilot
nguyena2 approved these changes on Feb 12, 2026
Pull request overview
This PR adds comprehensive dependency pinning compliance scanning infrastructure to detect unpinned GitHub Actions, npm packages, pip requirements, and shell download commands. The implementation includes a PowerShell-based scanner with SHA pinning validation, multi-format reporting (JSON, SARIF, CSV, Markdown), GitHub Actions CI/CD workflow integration, and 121 Pester unit tests achieving broad code coverage.
Changes:
- Security scanning script Test-DependencyPinning.ps1 with support for GitHub Actions, npm, pip, and shell download validation
- Shared security modules (SecurityClasses.psm1, SecurityHelpers.psm1) providing typed classes, logging, GitHub API integration with retry/backoff, and report generation
- Three GitHub Actions workflows for automated scanning, Pester testing, and integration with existing CI pipelines
- Comprehensive test suite with 121 unit tests, mock infrastructure, and 16 fixture files
Reviewed changes
Copilot reviewed 28 out of 28 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| scripts/security/Test-DependencyPinning.ps1 | Main dependency scanner with SHA validation, npm/pip/shell analysis, and compliance reporting |
| scripts/security/Modules/SecurityClasses.psm1 | Typed PowerShell classes for violations and compliance reports |
| scripts/security/Modules/SecurityHelpers.psm1 | Shared utilities for logging, GitHub API calls, and report generation |
| scripts/security/tool-checksums.json | Checksum registry for actionlint and gitleaks binaries |
| scripts/tests/security/Test-DependencyPinning.Tests.ps1 | 712-line test suite with 80+ unit tests for scanner functions |
| scripts/tests/security/SecurityHelpers.Tests.ps1 | 708-line test suite for helper module functions |
| scripts/tests/pester.config.ps1 | Pester 5.x configuration with code coverage support |
| scripts/tests/Mocks/GitMocks.psm1 | Reusable Git CLI mocking infrastructure for tests |
| scripts/tests/Fixtures/ | 16 fixture files for workflow, npm, and security test scenarios |
| .github/workflows/dependency-pinning-scan.yml | Reusable workflow for SHA pinning validation with SARIF upload |
| .github/workflows/pester-tests.yml | PowerShell test execution workflow with coverage collection |
| .github/workflows/main.yml | Integration of new scanning and testing jobs |
| .github/workflows/pr-validation.yml | PR validation integration for dependency scanning and tests |
Pull Request
Description
Add dependency pinning compliance scanning infrastructure migrated from microsoft/hve-core. This introduces a PowerShell-based scanner that detects unpinned GitHub Actions, npm packages, pip requirements, and shell download commands across the repository. The scanner produces compliance reports in JSON, SARIF, CSV, Markdown, and table formats, integrates with GitHub Actions CI/CD pipelines, and includes comprehensive Pester test coverage.
Key additions:
- Test-DependencyPinning.ps1: main scanner with SHA pinning validation, npm dependency analysis, shell download security checks, and multi-format compliance reporting
- SecurityClasses.psm1 and SecurityHelpers.psm1: shared modules providing typed classes, structured logging, GitHub API integration with retry/backoff, and security report generation
- tool-checksums.json: checksum registry for actionlint and gitleaks binaries
- dependency-pinning-scan.yml (scheduled + manual), pester-tests.yml (CI test runner), plus updates to main.yml and pr-validation.yml
- Test-DependencyPinning.Tests.ps1 and SecurityHelpers.Tests.ps1 with GitMocks.psm1 test infrastructure and 16 fixture files

Closes #58
Type of Change
Component(s) Affected
- scripts/security/ - Dependency pinning scanner and shared modules
- scripts/tests/ - Pester test suite, fixtures, and mocks
- .github/workflows/ - CI/CD pipeline workflows
Testing Performed
Checklist
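As an added illustration of the core GitHub Actions check the description refers to (this is not the project's Test-DependencyPinning.ps1, whose internals are not shown on this page), the function below treats a uses: reference as pinned only when its @ref is a full 40-hex commit SHA; tags, branches, missing refs and short SHAs are all reported as unpinned. The workflow text, the action names other than actions/checkout, and the SHA value are constructed for the example.

```powershell
# Added example, not the project's own scanner. Flags GitHub Actions 'uses:'
# references that are not pinned to a full commit SHA and explains why.
function Test-WorkflowPinning {
    param(
        [Parameter(Mandatory)] [string] $WorkflowText,
        [string] $FileName = 'constructed.yml'
    )
    $results = @()
    $lines = $WorkflowText -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        # Capture "owner/repo[/path]@ref"; an optional "# vX" comment is ignored.
        if (-not ($lines[$i] -match '^\s*-?\s*uses:\s*(?<ref>[^\s#]+)')) { continue }
        $ref = $Matches['ref'].Trim('"', "'")
        # Local composite actions and docker:// images are out of scope here.
        if ($ref.StartsWith('./') -or $ref.StartsWith('docker://')) { continue }

        $parts   = $ref -split '@', 2
        $version = if ($parts.Count -eq 2) { $parts[1] } else { '' }
        $pinned  = $version -match '^[0-9a-f]{40}$'   # -match is case-insensitive
        $reason  = if ($pinned)            { 'pinned to full commit SHA' }
                   elseif (-not $version)  { 'no ref given; resolves to the default branch' }
                   elseif ($version -match '^[0-9a-f]{7,39}$') { 'short SHA; not an unambiguous pin' }
                   else                    { "mutable ref '$version' (tag or branch)" }

        $results += [pscustomobject]@{
            File = $FileName; Line = $i + 1; Action = $parts[0]
            Ref  = $version;  Pinned = $pinned; Reason = $reason
        }
    }
    return $results
}

# Constructed sample workflow: one compliant reference (SHA is a made-up value),
# one skipped local action, and three non-compliant references.
$sample = @'
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: example-org/setup-tool@v2
      - uses: ./.github/actions/local-step
      - uses: example-org/deploy@main
      - uses: example-org/lint@0123456
'@

Test-WorkflowPinning -WorkflowText $sample |
    Where-Object { -not $_.Pinned } |
    Format-Table Line, Action, Ref, Reason -AutoSize
```

In a CI gate the unpinned rows would be turned into violations (the PR's scanner emits JSON, SARIF, CSV and Markdown); this example stops at the table so the classification logic stays visible.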