Pronto runs analysis quickly by checking only the relevant changes. It was created to be used on GitHub pull requests, but also works locally and integrates with GitLab and Bitbucket. It is perfect if you want to find out quickly whether a branch introduces changes that conform to your style guide, are DRY, don't introduce security holes, and more.
This README might be ahead of the latest release. Find the README for v0.9.2 here.
Pronto's installation is standard for a Ruby gem:

```sh
$ gem install pronto
```

You'll also want to install some runners to go along with the main gem:

```sh
$ gem install pronto-rubocop
$ gem install pronto-flay
```
If you'd rather install Pronto using Bundler, you don't need to require it, unless you're going to run it from Ruby (via a Rake task, for example):

```ruby
gem 'pronto'
gem 'pronto-rubocop', require: false
gem 'pronto-flay', require: false
```
Pronto runs the checks on a diff between the current HEAD and the provided commit-ish (the default is master). Navigate to the repository you want to run Pronto on, and:

```sh
git checkout feature/branch

# Analyze diff of committed changes on current branch and master:
pronto run

# Analyze changes in git staging area
pronto run --staged

# Analyze diff of uncommitted changes and master:
pronto run --unstaged

# Analyze *all* changes since the *initial* commit (may take some time):
pronto run --commit=$(git log --pretty=format:%H | tail -1)
```

Just run `pronto` without any arguments to see what Pronto is capable of.
Available Options
Command flag | Description |
---|---|
--exit-code | Exits with non-zero code if there were any warnings/errors. |
-c/--commit | Commit for the diff. |
--staged | Analyze changes in git staging area |
--unstaged | Analyze changes made, but not in git staging area |
-r/--runner | Run only the passed runners. |
-f/--formatters | Pick output formatters. |
You can run Pronto as a step of your CI builds and get the results as comments on GitHub commits using GithubFormatter or GithubPullRequestFormatter.
Add Pronto runners you want to use to your Gemfile:
Set the PRONTO_GITHUB_ACCESS_TOKEN environment variable or the value in .pronto.yml to an OAuth token that has access to the repository. Grant the token no more scope than it needs, and prefer the environment variable over committing the token to .pronto.yml.
Then just run it:

```sh
$ PRONTO_GITHUB_ACCESS_TOKEN=token pronto run -f github -c origin/master
```

If you want comments to appear on the pull request diff, instead of the commit:

```sh
$ PRONTO_GITHUB_ACCESS_TOKEN=token pronto run -f github_pr -c origin/master
```

If you want a review to appear on the pull request diff, instead of separate comments:

```sh
$ PRONTO_GITHUB_ACCESS_TOKEN=token pronto run -f github_pr_review -c origin/master
```
All N pending comments will now be split into X pull request reviews. The number of reviews is controlled by an additional environment variable or by a config setting. This way a single pronto run publishes all the comments to the PR, divided into small reviews in order to stay under the provider's rate limit:

X = N / (PRONTO_WARNINGS_PER_REVIEW || warnings_per_review || 30), rounded up

Note: if neither the environment variable nor the config setting in .pronto.yml is specified, a default value of 30 will be used.

```sh
$ PRONTO_WARNINGS_PER_REVIEW=30 PRONTO_GITHUB_ACCESS_TOKEN=token pronto run -f github_pr_review -c origin/master
```
Use GithubStatusFormatter to submit commit status:

```sh
$ PRONTO_GITHUB_ACCESS_TOKEN=token pronto run -f github_status -c origin/master
```

If you want to show one single status for all runners, instead of a status per runner:

```sh
$ PRONTO_GITHUB_ACCESS_TOKEN=token pronto run -f github_combined_status -c origin/master
```

It's possible to combine multiple formatters. To get both pull request comments and a commit status summary use:

```sh
$ PRONTO_GITHUB_ACCESS_TOKEN=token PRONTO_PULL_REQUEST_ID=id pronto run -f github_status github_pr -c origin/master
```

As an alternative, you can also set up a Rake task:

```ruby
require 'pronto'
Pronto::GemNames.new.to_a.each { |gem_name| require "pronto/#{gem_name}" }

task :pronto do
  formatter = Pronto::Formatter::GithubFormatter.new # also possible: GithubPullRequestFormatter, GithubPullRequestReviewFormatter
  status_formatter = Pronto::Formatter::GithubStatusFormatter.new
  formatters = [formatter, status_formatter]
  Pronto.run('origin/master', '.', formatters)
end
```
You can also run Pronto as a GitHub Action. Here's an example .github/workflows/pronto.yml workflow file using the github_status and github_pr formatters and running on each GitHub PR, with pronto-rubocop as the runner. It authenticates with the workflow's built-in github.token rather than a personal access token, so no long-lived secret has to be stored in the repository:

```yaml
name: Pronto
on: [pull_request]

jobs:
  pronto:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - run: |
          git fetch --no-tags --prune --depth=10 origin +refs/heads/*:refs/remotes/origin/*
      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
      - name: Setup pronto
        run: gem install pronto pronto-rubocop
      - name: Run Pronto
        run: pronto run -f github_status github_pr -c origin/${{ github.base_ref }}
        env:
          PRONTO_PULL_REQUEST_ID: ${{ github.event.pull_request.number }}
          PRONTO_GITHUB_ACCESS_TOKEN: "${{ github.token }}"
```

Check the wiki on GitHub Actions integration for more info.
You can run Pronto as a step of your CI builds and get the results as comments on GitLab commits using GitlabFormatter.

Note: this requires at least GitLab v7.5.0.

Set the PRONTO_GITLAB_API_ENDPOINT environment variable or the value in .pronto.yml to your API endpoint URL. If you are using GitLab.com's hosted service, your endpoint will be set by default.

Set the PRONTO_GITLAB_API_PRIVATE_TOKEN environment variable or the value in .pronto.yml to your GitLab private token, which you can find in your account settings.

Then just run it:

```sh
$ PRONTO_GITLAB_API_PRIVATE_TOKEN=token pronto run -f gitlab -c origin/master
```

Merge request integration (note: this requires GitLab 11.6 or later):

```sh
$ PRONTO_GITLAB_API_PRIVATE_TOKEN=token PRONTO_PULL_REQUEST_ID=id pronto run -f gitlab_mr -c origin/master
```
On GitLab CI, make sure to run Pronto in a merge request pipeline:

```yaml
lint:
  image: ruby
  variables:
    PRONTO_GITLAB_API_ENDPOINT: "https://gitlab.com/api/v4"
    PRONTO_GITLAB_API_PRIVATE_TOKEN: token
  only:
    - merge_requests
  script:
    - bundle install
    - bundle exec pronto run -f gitlab_mr -c origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME
```

Do not replace the `token` placeholder with a real token in .gitlab-ci.yml: the file is readable by everyone with repository access and stays in git history. Define PRONTO_GITLAB_API_PRIVATE_TOKEN as a masked CI/CD variable in the project settings instead, and the job inherits it.
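The job above writes PRONTO_GITLAB_API_PRIVATE_TOKEN as a literal into .gitlab-ci.yml, which is readable by anyone with access to the repository and remains in git history. The variant below is an added example, not from the Pronto project: it assumes PRONTO_GITLAB_API_PRIVATE_TOKEN has been defined as a masked (and, if the pipeline only runs for protected refs, protected) CI/CD variable in the GitLab project settings, so the job inherits it without the value ever appearing in the file. It also adds `--exit-code`, documented in the options table above, so the pipeline fails when Pronto reports anything.

```yaml
lint:
  image: ruby
  variables:
    PRONTO_GITLAB_API_ENDPOINT: "https://gitlab.com/api/v4"
    # PRONTO_GITLAB_API_PRIVATE_TOKEN is deliberately not set here.
    # Assumption: it is defined as a masked CI/CD variable under
    # Settings > CI/CD > Variables; GitLab injects it into the job environment.
  only:
    - merge_requests
  script:
    - bundle install
    # --exit-code makes the job (and therefore the MR pipeline) fail on warnings.
    - bundle exec pronto run --exit-code -f gitlab_mr -c origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME
```

Masked variables are also redacted from job logs, so a runner that prints its environment will not leak the token.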
You can run Pronto as a step of your CI builds and get the results as comments on Bitbucket commits using BitbucketFormatter or BitbucketPullRequestFormatter.
Add Pronto runners you want to use to your Gemfile:
Set the PRONTO_BITBUCKET_USERNAME and PRONTO_BITBUCKET_PASSWORD environment variables or the values in .pronto.yml.
Then just run it:

```sh
$ PRONTO_BITBUCKET_USERNAME=user PRONTO_BITBUCKET_PASSWORD=pass pronto run -f bitbucket -c origin/master
```

Or, if you want comments to appear on the pull request diff, instead of the commit:

```sh
$ PRONTO_BITBUCKET_USERNAME=user PRONTO_BITBUCKET_PASSWORD=pass pronto run -f bitbucket_pr -c origin/master
```
The behavior of Pronto can be controlled via the .pronto.yml configuration file. It can either be placed in the working directory (*) or specified using the environment variable PRONTO_CONFIG_FILE.

(*) The working directory is where you run the command from, which is typically your project directory.

If this file cannot be found, then the default configuration in Pronto::ConfigFile::EMPTY applies.

The file has the following format:

```yaml
all:
  exclude:
    - 'spec/**/*'

# exclude files for single runner
eslint:
  exclude:
    - 'app/assets/**/*'

github:
  slug: prontolabs/pronto
  access_token: B26354
  api_endpoint: https://api.github.com/
  web_endpoint: https://github.com/

gitlab:
  slug: 1234567 # gitlab's project ID
  api_private_token: 46751
  api_endpoint: https://api.vinted.com/gitlab

bitbucket:
  slug: prontolabs/pronto
  username: user
  password: pass
  web_endpoint: https://bitbucket.org/

max_warnings: 150
warnings_per_review: 30
verbose: false
runners: [rubocop, eslint] # only listed runners will be executed
skip_runners: [reek] # all, except listed runners will be executed
```
All properties that can be specified via .pronto.yml can also be specified via environment variables. Their names are the upcased path to the property, prefixed with PRONTO_: for example, PRONTO_GITHUB_SLUG or PRONTO_GITLAB_API_PRIVATE_TOKEN. Environment variables always take precedence over values in the configuration file, which makes them the right place for access tokens and passwords; keep those out of a .pronto.yml that is committed to the repository.
Property | Description |
---|---|
max_warnings | Limits the amount of warnings. Returns all warnings if option is skipped. |
runners | Runs only listed runners. Runs everything if option is skipped. |
skip_runners | All, except listed runners will be executed. Runs everything if option is skipped. |
verbose | Outputs more information when set to true . |
warnings_per_review | Limits the amount of warnings per review. Returns all warnings if option is skipped. |
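As an added example (not Pronto's own implementation), the following Ruby shows the lookup rule described above: the environment variable name is PRONTO_ plus the upcased, underscore-joined property path, and an environment value always wins over the .pronto.yml value. The sample configuration is constructed for the example, and env_name_for, yaml_value, resolve and load_pronto_config are hypothetical helper names. It parses the file with YAML.safe_load, which is what you want for a file that lives in a repository, since the unrestricted YAML.load can instantiate arbitrary Ruby objects on older Psych versions.

```ruby
require 'yaml'

# Constructed sample of a .pronto.yml for this example.
SAMPLE_PRONTO_YML = <<~YAML
  github:
    slug: prontolabs/pronto
    access_token: B26354
  max_warnings: 150
  verbose: false
  runners: [rubocop, eslint]
YAML

# Environment variable name for a property path, e.g.
# %w[gitlab api_private_token] -> "PRONTO_GITLAB_API_PRIVATE_TOKEN".
def env_name_for(path)
  "PRONTO_#{path.join('_').upcase}"
end

# Walk the parsed YAML hash along the path; nil if any step is missing.
def yaml_value(config, path)
  path.reduce(config) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Resolve one property: an environment variable, when set, takes
# precedence over the file. Environment values are always strings; any
# type coercion (e.g. max_warnings to Integer) is left to the caller.
# `env` defaults to the real ENV but accepts any Hash-like for testing.
def resolve(config, path, env = ENV)
  env_value = env[env_name_for(path)]
  env_value.nil? ? yaml_value(config, path) : env_value
end

# Parse with safe_load: only plain scalars, arrays and hashes are built,
# so a hostile config file cannot instantiate arbitrary Ruby objects.
# An empty file yields an empty configuration.
def load_pronto_config(text)
  YAML.safe_load(text) || {}
end

if __FILE__ == $PROGRAM_NAME
  config = load_pronto_config(SAMPLE_PRONTO_YML)
  # Constructed stand-in for ENV: the token is supplied by CI, not the file.
  env = { 'PRONTO_GITHUB_ACCESS_TOKEN' => 'token-from-ci' }
  [%w[github slug], %w[github access_token], %w[max_warnings]].each do |path|
    puts "#{env_name_for(path)} => #{resolve(config, path, env).inspect}"
  end
end
```

Because `resolve` consults the environment first, a token exported by the CI system overrides whatever placeholder sits in the committed file, and an absent property simply resolves to nil rather than raising.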
Pronto allows you to configure the format of the messages that are produced. You can set a default format that will be used by all formatters, or you can configure a separate format per formatter, if you are using several.

To change the default format:

```yaml
format: "%{runner} %{level} %{msg}"
```

To add the title of the runner to the GitHub Pull Request formatter only:

```yaml
github_pr:
  format: "%{runner} - %{msg}"
```
The available values to be interpolated into the message are:
Key | Description |
---|---|
path | File path. |
line | Line number. |
level | Message level. |
msg | Message. |
commit_sha | SHA. |
runner | Runner name. |
The following values are available only to the text formatter:
Key | Description |
---|---|
color_level | Colorized message level. |
color_location | Colorized location. |
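An added example, not code from the gem, showing how the two levels of format configuration and the interpolation keys in the tables above fit together in Ruby. It assumes a config hash parsed from .pronto.yml with the same layout as the snippets above, uses Kernel#format with `%{name}` references (the same syntax the format strings use), and the sample message and the fallback DEFAULT_FORMAT are constructed for the example. The last part demonstrates the failure mode the second table implies: a template that references color_level or color_location renders only under the text formatter and raises KeyError for any other formatter.

```ruby
# Fallback used when neither a per-formatter nor a default format is
# configured (constructed for this example; not Pronto's actual default).
DEFAULT_FORMAT = '%{path}:%{line} [%{level}] %{msg}'.freeze

# Keys every formatter can interpolate, per the first table above.
COMMON_KEYS = %i[path line level msg commit_sha runner].freeze
# Extra keys that exist only for the text formatter, per the second table.
TEXT_ONLY_KEYS = %i[color_level color_location].freeze

# Constructed sample message, shaped like something a runner would produce.
SAMPLE_MESSAGE = {
  path: 'app/models/user.rb',
  line: 42,
  level: :warning,
  msg: 'Style/StringLiterals: Prefer single-quoted strings',
  commit_sha: 'deadbeef',
  runner: 'rubocop',
  color_level: "\e[33mwarning\e[0m",
  color_location: "\e[36mapp/models/user.rb:42\e[0m"
}.freeze

# Per-formatter format overrides the top-level default, which overrides
# DEFAULT_FORMAT. `config` is the parsed .pronto.yml (string keys).
def format_for(config, formatter)
  per_formatter = config[formatter]
  (per_formatter.is_a?(Hash) && per_formatter['format']) ||
    config['format'] ||
    DEFAULT_FORMAT
end

# Interpolate a message into a template. Only the keys available to the
# given formatter are exposed, so referencing a text-only key from e.g.
# github_pr raises KeyError instead of silently emitting ANSI escapes.
def render(message, template, formatter)
  allowed = COMMON_KEYS + (formatter == 'text' ? TEXT_ONLY_KEYS : [])
  format(template, message.select { |k, _| allowed.include?(k) })
end

# Resolve the template for a formatter, then render the message with it.
def render_for(config, message, formatter)
  render(message, format_for(config, formatter), formatter)
end

if __FILE__ == $PROGRAM_NAME
  config = {
    'format' => '%{runner} %{level} %{msg}',
    'github_pr' => { 'format' => '%{runner} - %{msg}' }
  }
  %w[github_pr github_status text].each do |f|
    puts "#{f}: #{render_for(config, SAMPLE_MESSAGE, f)}"
  end
  begin
    render(SAMPLE_MESSAGE, '%{color_level} %{msg}', 'github_pr')
  rescue KeyError => e
    puts "github_pr with a text-only key: #{e.message}"
  end
end
```

Restricting the interpolation hash per formatter, rather than handing every key to `format`, is what turns a mistaken `%{color_level}` in a github_pr format into a loud error instead of escape codes in a pull request comment.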
Pronto can run various tools and libraries, as long as there's a runner for it. Currently available:
Articles to help you to get started:
Make a Pull Request to add something you wrote or found useful.
Pronto's changelog is available here.
Copyright (c) 2013-2018 Mindaugas Mozūras. See LICENSE for further details.