Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions .editorconfig
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,5 @@ indent_style = space
insert_final_newline = true
trim_trailing_whitespace = true

[*.yml]
indent_style = space
[*.{yml,yaml}]
indent_size = 2
18 changes: 13 additions & 5 deletions .github/actions/safe-chain/action.yml
Original file line number Diff line number Diff line change
@@ -1,18 +1,26 @@
name: Install and verify safe-chain
description: Installs safe-chain and verifies it is working correctly
description: Installs safe-chain (checksum-verified) and verifies it is working correctly

runs:
using: composite
steps:
- name: Install safe-chain
shell: bash
run: curl --fail --silent --show-error --retry 3 --location "https://github.com/AikidoSec/safe-chain/releases/download/${SAFECHAIN_VERSION}/install-safe-chain.sh" | sh -s -- --ci
run: |
SCRIPT="$(mktemp -d)/install-safe-chain.sh"
curl --fail --silent --show-error --retry 3 --location --output "$SCRIPT" \
"https://github.com/AikidoSec/safe-chain/releases/download/${SAFECHAIN_VERSION}/install-safe-chain.sh"
echo "${SAFECHAIN_SHA256} ${SCRIPT}" | sha256sum --check --quiet
sh "$SCRIPT" --ci
rm -f "$SCRIPT"
env:
SAFECHAIN_VERSION: 1.5.11
SAFECHAIN_VERSION: 1.5.12
SAFECHAIN_SHA256: e40995d546160bf18788dbfc6e9a4a765152abeca92014adf85102cf6b13d890
# https://github.com/AikidoSec/safe-chain/releases

- name: Test safe-chain
shell: bash
# this must fail if safe-chain is working
run: |
run: | # zizmor: ignore[adhoc-packages]
npm safe-chain-verify
! npm install safe-chain-test
! npm install --no-save safe-chain-test
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
53 changes: 44 additions & 9 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@ name: CI

on:
push:
branches:
- main
pull_request:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
Expand All @@ -23,14 +26,43 @@ jobs:
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
# https://github.com/step-security/harden-runner/releases
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
codeload.github.com:443
ghcr.io:443
pkg-containers.githubusercontent.com:443
objects.githubusercontent.com:443
raw.githubusercontent.com:443
release-assets.githubusercontent.com:443
*.actions.githubusercontent.com:443
*.blob.core.windows.net:443
nodejs.org:443
registry.npmjs.org:443
malware-list.aikido.dev:443
api.snyk.io:443
downloads.snyk.io:443
api.osv.dev:443
services.nvd.nist.gov:443
cli.codecov.io:443
api.codecov.io:443
ingest.codecov.io:443
storage.googleapis.com:443
keybase.io:443

- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
# https://github.com/actions/checkout/releases
with:
persist-credentials: false

- name: Dependency review
if: github.event_name == 'pull_request'
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
# https://github.com/actions/dependency-review-action/releases

- name: Run zizmor
uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7
# https://github.com/zizmorcore/zizmor-action/releases
Expand All @@ -39,6 +71,13 @@ jobs:
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Set up editorconfig-checker
uses: editorconfig-checker/action-editorconfig-checker@840e866d93b8e032123c23bac69dece044d4d84c # v2.2.0
# https://github.com/editorconfig-checker/action-editorconfig-checker/releases

- name: Run editorconfig-checker
run: editorconfig-checker

- name: Run actionlint
uses: docker://rhysd/actionlint@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667 # v1.7.12
# https://hub.docker.com/r/rhysd/actionlint/tags
Expand All @@ -65,19 +104,13 @@ jobs:
run: npm ci --ignore-scripts

- name: Run Snyk to check for vulnerabilities
# fork PRs have no access to secrets, so skip the steps that need them
if: github.event_name == 'push' || !github.event.pull_request.head.repo.fork
uses: snyk/actions/node@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0
# https://github.com/snyk/actions/releases
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

- name: Check line endings
uses: fernandrone/linelint@7907a5dca0c28ea7dd05c6d8d8cacded713aca11 # 0.0.6
# https://github.com/fernandrone/linelint/releases

- name: Check EOL
uses: AODocs/check-eol@88fd9052e8ea211254a4de371011026603a329dc # v1.1
# https://github.com/AODocs/check-eol/releases

- name: Lint
run: npm run eslint

Expand All @@ -91,6 +124,7 @@ jobs:
run: ./node_modules/.bin/c8 report --reporter=lcov

- name: Upload coverage to Codecov
if: github.event_name == 'push' || !github.event.pull_request.head.repo.fork
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
# https://github.com/codecov/codecov-action/releases
with:
Expand All @@ -100,6 +134,7 @@ jobs:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

- name: Upload Test results to Codecov
if: github.event_name == 'push' || !github.event.pull_request.head.repo.fork
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
# https://github.com/codecov/codecov-action/releases
with:
Expand Down
53 changes: 43 additions & 10 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,26 +25,39 @@ jobs:
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
# https://github.com/step-security/harden-runner/releases
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
codeload.github.com:443
objects.githubusercontent.com:443
raw.githubusercontent.com:443
release-assets.githubusercontent.com:443
malware-list.aikido.dev:443
nodejs.org:443
registry.npmjs.org:443

- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
# https://github.com/actions/checkout/releases
with:
persist-credentials: false

- name: Install and verify safe-chain
uses: ./.github/actions/safe-chain

- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
# https://github.com/actions/setup-node/releases
with:
node-version: "lts/*"
cache: npm

# safe-chain must be installed after setup-node so its shims wrap
# the npm that the following steps actually use
- name: Install and verify safe-chain
uses: ./.github/actions/safe-chain

- name: Install dependencies
run: npm ci
run: npm ci --ignore-scripts

- name: Lint
run: npm run eslint
Expand All @@ -68,7 +81,22 @@ jobs:
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
# https://github.com/step-security/harden-runner/releases
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
codeload.github.com:443
objects.githubusercontent.com:443
raw.githubusercontent.com:443
release-assets.githubusercontent.com:443
uploads.github.com:443
malware-list.aikido.dev:443
nodejs.org:443
registry.npmjs.org:443
fulcio.sigstore.dev:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443

- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
Expand All @@ -86,8 +114,13 @@ jobs:
cache: npm
registry-url: "https://registry.npmjs.org"

# safe-chain must be installed after setup-node so its shims wrap
# the npm that the following steps actually use
- name: Install and verify safe-chain
uses: ./.github/actions/safe-chain

- name: Install dependencies
run: npm ci
run: npm ci --ignore-scripts

- name: Configure git
run: |
Expand All @@ -101,12 +134,12 @@ jobs:
VERSION=$(node -p "require('./package.json').version")
echo "version=v${VERSION}" >> "$GITHUB_OUTPUT"

- name: Push version bump
run: git push --follow-tags

- name: Publish to npm
run: npm publish --provenance --access public

- name: Push version bump
run: git push --follow-tags

- name: Create GitHub release
# zizmor: ignore[template-injection] VERSION is passed as env var, not interpolated into shell
run: |
Expand Down
8 changes: 7 additions & 1 deletion .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,13 @@ jobs:
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
# https://github.com/step-security/harden-runner/releases
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
codeload.github.com:443
cli.codecov.io:443

- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
Expand Down
10 changes: 0 additions & 10 deletions .linelint.yml

This file was deleted.

10 changes: 0 additions & 10 deletions .npmignore

This file was deleted.

11 changes: 11 additions & 0 deletions .npmrc
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# npm security best practices
# Source: https://github.com/lirantal/npm-security-best-practices

# SECURITY: do not run any lifecycle scripts (postinstall) etc
ignore-scripts=true

# SECURITY: reject git-source dependencies (git+ssh:// etc)
allow-git=none

# SECURITY: block packages newer than X days
min-release-age=3
13 changes: 13 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,23 @@ Node command line interface to check if an image file has EXIF data. It can be u

`npm install -g has-exif-cli`

Requires Node.js 22.12.0 or newer.

## Execute

`has-exif-cli /path/to/FILE.JPG`

### Options

- `--xmp` also fail if XMP metadata is found
- `--iptc` also fail if IPTC metadata is found

### Exit codes

- `0` no metadata found
- `1` EXIF (or, with the flags above, XMP/IPTC) metadata found
- `2` a file could not be checked (unreadable, missing or unsupported format)

## How to use in continuous integration automation like Scrutinizer, travis etc
To make sure your checked in jpg, webp and other image files dont have EXIF data included in them:

Expand Down
18 changes: 18 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Security Policy

## Supported Versions

Only the latest published version is supported with security updates.

## Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, use one of these channels:

- **GitHub private vulnerability reporting** (preferred):
[Report a vulnerability](https://github.com/gemal/node-has-exif-cli/security/advisories/new)
- **Email**: henrik@gemal.dk

Please include a description of the issue, steps to reproduce, and the
affected version. You can expect an initial response within a week.
10 changes: 6 additions & 4 deletions eslint.config.mjs → eslint.config.js
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
import js from '@eslint/js'
import globals from 'globals'
'use strict';

export default [
const js = require('@eslint/js');
const globals = require('globals');

module.exports = [
js.configs.recommended,
{
languageOptions: {
Expand Down Expand Up @@ -36,4 +38,4 @@
'indent': ['error', 4],
},
},
]
];

Check warning on line 41 in eslint.config.js

View check run for this annotation

codefactor.io / CodeFactor

eslint.config.js#L41

Newline required at end of file but not found. (eol-last)
Loading