
add small test suite to twistlock action #59

Merged (2 commits) on Aug 2, 2022

Conversation

@jbolda (Contributor) commented Aug 1, 2022

Motivation

We want to be more confident in our Twistlock vuln resolution algorithm and comment. This adds a small test suite to begin to improve the situation.

@github-actions bot commented Aug 1, 2022

Vulnerabilities

Below is the list of dependencies with security vulnerabilities, grouped by severity level.


HIGH (2)

glob-parent@3.1.0 ⚠️ -390 days overdue

| Current Ver. | Status | Severity | Grace Period |
|---|---|---|---|
| 3.1.0 | fixed in 5.1.2 | 7 ⚠️ | -390 days overdue |

Description: This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Source: Link

Yarn Why:

```
yarn why v1.22.19
[1/4] Why do we have the module "glob-parent"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
info
=> Found "glob-parent@3.1.0"
info Has been hoisted to "glob-parent"
info Reasons this module exists
   - "workspace-aggregator-3fc7c150-1f96-4f60-b7ed-619ed6e283f0" depends on it
   - Hoisted from "_project_#eslint#glob-parent"
   - Hoisted from "_project_#lerna#@lerna#add#@lerna#command#@lerna#project#glob-parent"
info
=> Found "fast-glob#glob-parent@3.1.0"
info This module exists because "_project_#lerna#@lerna#create#globby#fast-glob" depends on it.
Done in 4.38s.
```

Instances (current version 3.1.0 in all of them):
- /home/runner/work/actions/actions/start-and-check/package.json
- /home/runner/work/actions/actions/twistlock/package.json
- /home/runner/work/actions/actions/package.json
unset-value@1.0.0 ⚠️ -131 days overdue

| Current Ver. | Status | Severity | Grace Period |
|---|---|---|---|
| 1.0.0 | fixed in 2.0.1 | 8 ⚠️ | -131 days overdue |

Description: unset-value package versions before 2.0.1 are vulnerable to Prototype Pollution. The unset() function in index.js allows access to object prototype properties. An attacker can exploit this to override the behavior of object prototypes, resulting in a possible Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected behavior.

Source: Link

Yarn Why:

```
yarn why v1.22.19
[1/4] Why do we have the module "unset-value"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
info
=> Found "unset-value@1.0.0"
info Reasons this module exists
   - "_project_#lerna#@lerna#create#globby#fast-glob#micromatch#snapdragon#base#cache-base" depends on it
   - Hoisted from "_project_#lerna#@lerna#create#globby#fast-glob#micromatch#snapdragon#base#cache-base#unset-value"
Done in 4.39s.
```

Instances (current version 1.0.0 in all of them):
- /home/runner/work/actions/actions/start-and-check/package.json
- /home/runner/work/actions/actions/twistlock/package.json
- /home/runner/work/actions/actions/package.json

The following dependencies are excluded from the GitHub comment because they could not be found within the repository/monorepo: shelljs, shelljs, csv-parse, codecov, codecov, grunt, grunt, grunt, marked, marked, marked, underscore.

Generated by resideo/actions/twistlock.
Please create an issue in the repository if you have any feedback.

@jbolda jbolda merged commit c8c45a5 into master Aug 2, 2022
@jbolda jbolda deleted the twistlock-test-suite branch August 2, 2022 13:40