test(scripts): add Pester tests for security validation scripts #218

Merged
WilliamBerryiii merged 6 commits into main from test/issue-199-pester-security-tests
Jan 21, 2026
@WilliamBerryiii (Member)

Description

This PR adds comprehensive Pester test coverage for the three security validation scripts in scripts/security/, completing the test suite for security tooling.

Coverage summary:

| Script | Tests | Functions Covered |
| --- | --- | --- |
| Test-DependencyPinning.ps1 | 66 | Test-SHAPinning, Test-ShellDownloadSecurity, Get-DependencyViolation, Export-ComplianceReport |
| Test-SHAStaleness.ps1 | 54 | Test-GitHubToken, Invoke-GitHubAPIWithRetry, Write-SecurityLog, Compare-ToolVersion |
| Update-ActionSHAPinning.ps1 | 46 | Get-ActionReference, Get-SHAForAction, Update-WorkflowFile |

Total: 166 tests covering parameter validation, boundary conditions, error handling, and mock-based scenarios.

Supporting fixtures added:

  • Fixtures/Security/ - JSON fixtures for checksum validation testing
  • Fixtures/Workflows/ - YAML workflow files for pinning validation testing

Related Issue(s)

Closes #199

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that causes existing functionality to change)
  • Documentation update
  • Script/automation
  • Configuration change

Testing

Test execution results:

Pester v5.7.1
Tests completed in 2.76s
Tests Passed: 166, Failed: 0, Skipped: 0

Validation commands:

```powershell
# Run all Pester tests
npm run test:pester

# Run security tests only
Invoke-Pester -Path scripts/tests/security/*.Tests.ps1 -Output Detailed

# Lint validation
npm run lint:ps
```

All 21 PowerShell files pass PSScriptAnalyzer with no warnings or errors.

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own changes
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

Security Considerations

  • This change does not expose sensitive information
  • This change does not introduce new dependencies with known vulnerabilities
  • Security-related changes have been reviewed by appropriate team members

No production code is modified. All changes are test infrastructure only.

Additional Notes

Minor documentation updates included:

  • Normalized "Copilot" → "GitHub Copilot" across 11 documentation files for consistency
  • Fixed applyTo quoting in uv-projects.instructions.md
  • Cleaned up .cspell.json (removed unused words, adjusted ignore patterns)
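To illustrate the kind of check the Test-DependencyPinning suite above exercises, here is an added Pester v5 spec that is not code from this PR or the repository: `Test-ActionIsPinned`, `Get-UsesReferences` and the inline workflow fixture are constructed for this example, and the project's own Test-SHAPinning / Get-ActionReference signatures may differ.

```powershell
# Added example, not code from this repository: a Pester v5 spec for a
# hypothetical SHA-pinning check. Both functions and the fixture are constructed here.
BeforeAll {
    # A `uses:` reference is pinned only when its ref is a full 40-hex commit SHA;
    # a tag (v4) or branch (main) is mutable and fails the check.
    function Test-ActionIsPinned {
        param([Parameter(Mandatory)][string]$UsesReference)
        if ($UsesReference -notmatch '^[^@\s]+@(?<ref>[^\s#]+)$') { return $false }
        return [bool]($Matches.ref -match '^[0-9a-f]{40}$')
    }

    # Collect every `uses:` value from workflow text (regex scan, not a YAML parser).
    function Get-UsesReferences {
        param([Parameter(Mandatory)][string]$WorkflowText)
        [regex]::Matches($WorkflowText, '(?m)^\s*-?\s*uses:\s*([^\s#]+)') |
            ForEach-Object { $_.Groups[1].Value.Trim('"', "'") }
    }
}

Describe 'SHA pinning validation' {
    BeforeAll {
        # Constructed fixture on Pester's TestDrive; the SHA is a placeholder, not a real commit.
        $script:WorkflowPath = Join-Path $TestDrive 'mixed.yml'
        @'
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: actions/cache@main
'@ | Set-Content -Path $script:WorkflowPath
    }

    It 'accepts a full 40-hex commit SHA' {
        Test-ActionIsPinned 'actions/checkout@0123456789abcdef0123456789abcdef01234567' | Should -BeTrue
    }

    It 'rejects mutable tag and branch refs' {
        Test-ActionIsPinned 'actions/setup-node@v4' | Should -BeFalse
        Test-ActionIsPinned 'actions/cache@main' | Should -BeFalse
    }

    It 'reports exactly the unpinned references in a mixed workflow' {
        $refs = Get-UsesReferences (Get-Content -Path $script:WorkflowPath -Raw)
        $unpinned = @($refs | Where-Object { -not (Test-ActionIsPinned $_) })
        $unpinned | Should -Be @('actions/setup-node@v4', 'actions/cache@main')
    }
}
```

Save as a `*.Tests.ps1` file and run it with `Invoke-Pester -Output Detailed`, as in the validation commands above.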

- add Test-DependencyPinning.Tests.ps1 for SHA and download security

- add Test-SHAStaleness.Tests.ps1 for token and staleness detection

- add Update-ActionSHAPinning.Tests.ps1 for workflow updates

- add workflow and security fixtures for test isolation

🧪 - Generated by Copilot
@WilliamBerryiii WilliamBerryiii requested a review from a team as a code owner January 20, 2026 17:41
Copilot AI review requested due to automatic review settings January 20, 2026 17:41
@github-actions (Contributor)

github-actions bot commented Jan 20, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI (Contributor) left a comment

Pull request overview

This PR adds comprehensive Pester test coverage for three security validation scripts in the scripts/security/ directory. The tests validate SHA pinning enforcement, staleness checking, and GitHub Actions SHA update functionality.

Changes:

  • Added 166 Pester tests across three test files covering security validation scripts
  • Created YAML and JSON test fixtures to support workflow and checksum validation testing
  • Added shell script fixture for testing insecure download detection

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| scripts/tests/security/Update-ActionSHAPinning.Tests.ps1 | 46 tests for Get-ActionReference, Get-SHAForAction, and Update-WorkflowFile functions |
| scripts/tests/security/Test-SHAStaleness.Tests.ps1 | 54 tests for GitHub token validation, API retry logic, and version comparison |
| scripts/tests/security/Test-DependencyPinning.Tests.ps1 | 66 tests for SHA pinning validation, shell download security, and compliance reporting |
| scripts/tests/Fixtures/Workflows/unpinned-workflow.yml | Test fixture with unpinned GitHub Actions for validation testing |
| scripts/tests/Fixtures/Workflows/shell-downloads.yml | Test fixture demonstrating secure and insecure download patterns |
| scripts/tests/Fixtures/Workflows/pinned-workflow.yml | Test fixture with properly SHA-pinned GitHub Actions |
| scripts/tests/Fixtures/Workflows/mixed-pinning-workflow.yml | Test fixture with both pinned and unpinned actions |
| scripts/tests/Fixtures/Security/valid-checksums.json | Test fixture with current tool version and checksums |
| scripts/tests/Fixtures/Security/outdated-checksums.json | Test fixture with outdated tool version for staleness testing |
| scripts/tests/Fixtures/Security/insecure-download.sh | Bash script fixture demonstrating downloads without checksum verification |

- add shebang to insecure-download.sh fixture for proper shell script detection
- use TestDrive:/ paths for cross-platform temp file handling in tests
- extract script-level variables via AST to avoid main block execution
- filter class methods/constructors from function extraction to prevent duplicates
- refactor tautological test to validate actual function behavior

🔧 - Generated by Copilot
Copilot AI review requested due to automatic review settings January 20, 2026 18:37
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.

@WilliamBerryiii WilliamBerryiii merged commit 3a11b26 into main Jan 21, 2026
15 checks passed
@WilliamBerryiii WilliamBerryiii deleted the test/issue-199-pester-security-tests branch January 21, 2026 02:08
Development

Successfully merging this pull request may close these issues.

[Issue]: Add Pester tests for security scripts (3 scripts)

3 participants