🐛 fix loading private key from inventory

providers/github/connection/connection.go

@@ -79,7 +79,7 @@ func connectionOptionsFromConfigOptions(conf *inventory.Config) (opts githubConn
 		switch cred.Type {
 
 		case vault.CredentialType_private_key:
-			if opts.AppPrivateKeyFile != "" {
+			if opts.AppPrivateKeyFile == "" {
 				opts.AppPrivateKey = cred.Secret
 			}
 

providers/github/connection/connection_test.go

@@ -5,6 +5,10 @@ package connection
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
 	"os"
 	"testing"
 
@@ -20,7 +24,35 @@ func TestGithubNoConnection(t *testing.T) {
 	require.Error(t, err)
 }
 
-func TestGithubValidConnection(t *testing.T) {
+func TestGithubValidConnection_Private_Key(t *testing.T) {
+	// Generate a new RSA private key
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048) // 2048-bit key size
+	require.NoError(t, err)
+	privateKeyDER := x509.MarshalPKCS1PrivateKey(privateKey)
+	privateKeyPEM := &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: privateKeyDER,
+	}
+	pemData := pem.EncodeToMemory(privateKeyPEM)
+
+	_, err = NewGithubConnection(0, &inventory.Asset{
+		Connections: []*inventory.Config{{
+			Options: map[string]string{
+				OPTION_APP_ID:              "123",
+				OPTION_APP_INSTALLATION_ID: "890",
+			},
+			Credentials: []*vault.Credential{{
+				Type:   vault.CredentialType_private_key,
+				Secret: pemData,
+			},
+			},
+		},
+		},
+	})
+	require.NoError(t, err)
+}
+
+func TestGithubValidConnection_Password(t *testing.T) {
 	_, err := NewGithubConnection(0, &inventory.Asset{
 		Connections: []*inventory.Config{{
 			Credentials: []*vault.Credential{{

test/providers/github_test.go

@@ -0,0 +1,60 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package providers
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.mondoo.com/cnquery/v11/test"
+)
+
+func TestGithubScanFlags(t *testing.T) {
+	once.Do(setup)
+
+	t.Run("github scan WITHOUT flags", func(t *testing.T) {
+		// NOTE this will fail but, it will load the flags and fail with the right message
+		r := test.NewCliTestRunner("./cnquery", "scan", "github", "repo", "foo")
+		err := r.Run()
+		require.NoError(t, err)
+		assert.Equal(t, 0, r.ExitCode())
+		assert.NotNil(t, r.Stdout())
+		assert.NotNil(t, r.Stderr())
+
+		assert.Contains(t, string(r.Stderr()),
+			"a valid GitHub authentication is required",
+		)
+	})
+	t.Run("github scan WITH flags but missing app auth key", func(t *testing.T) {
+		// NOTE this will fail but, it will load the flags and fail with the right message
+		r := test.NewCliTestRunner("./cnquery", "scan", "github", "repo", "foo",
+			"--app-id", "123", "--app-installation-id", "456",
+		)
+		err := r.Run()
+		require.NoError(t, err)
+		assert.Equal(t, 1, r.ExitCode())
+		assert.NotNil(t, r.Stdout())
+		assert.NotNil(t, r.Stderr())
+
+		assert.Contains(t, string(r.Stderr()),
+			"could not parse private key", // expected! it means we loaded the flags
+		)
+	})
+	t.Run("github scan WITH all required flags for app auth", func(t *testing.T) {
+		// NOTE this will fail but, it will load the flags and fail with the right message
+		r := test.NewCliTestRunner("./cnquery", "scan", "github", "repo", "foo",
+			"--app-id", "123", "--app-installation-id", "456", "--app-private-key", "private-key.pem",
+		)
+		err := r.Run()
+		require.NoError(t, err)
+		assert.Equal(t, 1, r.ExitCode())
+		assert.NotNil(t, r.Stdout())
+		assert.NotNil(t, r.Stderr())
+
+		assert.Contains(t, string(r.Stderr()),
+			"could not read private key", // expected! it means we loaded the flags
+		)
+	})
+}

test/providers/os_test.go

@@ -20,7 +20,7 @@ var once sync.Once
 
 // setup builds cnquery locally
 func setup() {
-	// build cnspec
+	// build cnquery
 	if err := exec.Command("go", "build", "../../apps/cnquery/cnquery.go").Run(); err != nil {
 		log.Fatalf("building cnquery: %v", err)
 	}