SkyMoney/api/tests/software-supply-chain-failures.test.ts
Ricearoni1245 fe96bf85da
added db guard changes to prevent deletion
2026-03-10 21:19:24 -05:00


import { describe, expect, it } from "vitest";
import { readFileSync } from "node:fs";
import { resolve } from "node:path";
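describe("A03 Software Supply Chain Failures", () => {
  // api/tests/ -> api/ -> repository root; every workflow path below is relative to it.
  const repoRoot = resolve(__dirname, "..", "..");

  /**
   * Reads one Gitea workflow file under `.gitea/workflows/` as UTF-8 text.
   * The checks below assert on the raw YAML text rather than parsing it, so each
   * test spells out the exact step name or command it requires.
   *
   * @param fileName - workflow file name, e.g. `deploy.yml`
   * @returns the workflow file contents
   * @throws if the file is missing or unreadable (readFileSync propagates the error)
   */
  const readWorkflow = (fileName: string): string =>
    readFileSync(resolve(repoRoot, ".gitea/workflows", fileName), "utf8");

  it("enforces deploy workflow dependency-audit gate for api and web", () => {
    const deployWorkflow = readWorkflow("deploy.yml");

    expect(deployWorkflow).toContain("name: Supply chain checks (production dependencies)");
    expect(deployWorkflow).toContain("cd api");
    expect(deployWorkflow).toContain("cd ../web");

    // Expect one lockfile-exact install and one production-only, high-severity audit
    // per package (api and web), hence a lower bound of two for each command.
    const npmCiMatches = deployWorkflow.match(/\bnpm ci\b/g) ?? [];
    expect(npmCiMatches.length).toBeGreaterThanOrEqual(2);
    const auditMatches =
      deployWorkflow.match(/npm audit --omit=dev --audit-level=high/g) ?? [];
    expect(auditMatches.length).toBeGreaterThanOrEqual(2);
  });

  it("pins checkout action to an explicit version tag", () => {
    const deployWorkflow = readWorkflow("deploy.yml");

    // Check every `uses: actions/checkout@...` reference, not just the first match:
    // a single floating-major reference elsewhere in the file would otherwise pass.
    // NOTE(review): a version tag can be moved by the upstream owner; pinning to a
    // full commit SHA is the stronger supply-chain control if the workflow adopts it.
    const checkoutRefs = Array.from(
      deployWorkflow.matchAll(/uses:\s*actions\/checkout@(\S+)/g),
      (m) => m[1] ?? ""
    );
    expect(checkoutRefs.length).toBeGreaterThanOrEqual(1);
    for (const ref of checkoutRefs) {
      expect(ref).toMatch(/^v\d+\.\d+\.\d+$/);
    }
  });

  it("guards DB-backed security tests from targeting production database", () => {
    const securityWorkflow = readWorkflow("security.yml");

    // The guard step must run and must read the same secret the DB tests use, so the
    // target validated is the target actually exercised.
    expect(securityWorkflow).toContain("name: Guard TEST_DATABASE_URL target");
    expect(securityWorkflow).toContain("bash ./scripts/validate-test-db-target.sh");
    expect(securityWorkflow).toContain("TEST_DATABASE_URL: ${{ secrets.TEST_DATABASE_URL }}");
  });
});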