From c293de95e09f6688631b18ba26309930a4e87abc Mon Sep 17 00:00:00 2001
From: Martin Roy
Date: Fri, 5 Dec 2025 13:35:50 -0500
Subject: [PATCH 1/6] BST-18082 Add tests for composition and npm-audit scanners
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Migrated test targets from boost-sandbox module-tests repositories to the new test harness.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 scanners/boostsecurityio/composition/tests.yaml | 5 +++++
 scanners/boostsecurityio/npm-audit/tests.yaml | 7 +++++++
 2 files changed, 12 insertions(+)
 create mode 100644 scanners/boostsecurityio/npm-audit/tests.yaml

diff --git a/scanners/boostsecurityio/composition/tests.yaml b/scanners/boostsecurityio/composition/tests.yaml
index fca4a333..21073279 100644
--- a/scanners/boostsecurityio/composition/tests.yaml
+++ b/scanners/boostsecurityio/composition/tests.yaml
@@ -5,3 +5,8 @@ tests:
 source:
 url: "https://github.com/hounddogai/hounddog-test-healthcare-app.git"
 ref: "main"
+ - name: "sones"
+ type: "source-code"
+ source:
+ url: "https://github.com/sones/sones.git"
+ ref: "master"
diff --git a/scanners/boostsecurityio/npm-audit/tests.yaml b/scanners/boostsecurityio/npm-audit/tests.yaml
new file mode 100644
index 00000000..ba1408e4
--- /dev/null
+++ b/scanners/boostsecurityio/npm-audit/tests.yaml
@@ -0,0 +1,7 @@
+version: "1.0"
+tests:
+ - name: "pnpm"
+ type: "source-code"
+ source:
+ url: "https://github.com/pnpm/pnpm.git"
+ ref: "main"

From 4f73f2cfbe710ea5baa0c274854d5d289f7b3c97 Mon Sep 17 00:00:00 2001
From: Martin Roy
Date: Thu, 11 Dec 2025 14:20:38 -0500
Subject: [PATCH 2/6] FIXUP use a proper repo using NPM, use a fixed branch of scan runner to fix main scan only scanners

---
 .github/workflows/scan-test.yml | 3 ++-
 scanners/boostsecurityio/npm-audit/tests.yaml | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)
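Review bot: Both targets added in PATCH 1/6 track a moving branch of a third-party repository, `ref: "master"` for sones in composition/tests.yaml and `ref: "main"` for pnpm in npm-audit/tests.yaml, so each scanner test clones whatever the upstream owner pushed last. Scan results can then change with no change in this repository, and the harness fetches content that nobody here has reviewed. Pin each target to a release tag or, preferably, a full commit SHA, e.g. `ref: "<commit-sha>"`, assuming the harness accepts a SHA in `ref` (not visible in these hunks). The same point applies to the sones entry re-added in PATCH 4/6 and to PATCH 5/6, which moves docusaurus from the tag `v3.2.1` back to `main`.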
diff --git a/.github/workflows/scan-test.yml b/.github/workflows/scan-test.yml
index b0827820..8a132db5 100644
--- a/.github/workflows/scan-test.yml
+++ b/.github/workflows/scan-test.yml
@@ -124,7 +124,8 @@ jobs:
 "token": "${{ steps.github-token.outputs.token }}",
 "owner": "boostsecurityio",
 "repo": "scan-test-runner-gitbub-actions",
- "workflow_id": "test-scanner.yml"
+ "workflow_id": "test-scanner.yml",
+ "ref": "BST-17994-fix-main-branch-detection"
 }
 registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}"
 base-ref: "${{ github.base_ref }}"
diff --git a/scanners/boostsecurityio/npm-audit/tests.yaml b/scanners/boostsecurityio/npm-audit/tests.yaml
index ba1408e4..9dfbff04 100644
--- a/scanners/boostsecurityio/npm-audit/tests.yaml
+++ b/scanners/boostsecurityio/npm-audit/tests.yaml
@@ -1,7 +1,7 @@
 version: "1.0"
 tests:
- - name: "pnpm"
+ - name: "docusaurus"
 type: "source-code"
 source:
- url: "https://github.com/pnpm/pnpm.git"
- ref: "main"
+ url: "https://github.com/facebook/docusaurus.git"
+ ref: "v3.2.1"

From faefad5247bbe093a63ef8fd7a92d18449a61fb6 Mon Sep 17 00:00:00 2001
From: Martin Roy
Date: Thu, 11 Dec 2025 14:24:32 -0500
Subject: [PATCH 3/6] FIXUP trigger only github actions for debug

---
 scanners/boostsecurityio/composition/tests.yaml | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/scanners/boostsecurityio/composition/tests.yaml b/scanners/boostsecurityio/composition/tests.yaml
index 21073279..fca4a333 100644
--- a/scanners/boostsecurityio/composition/tests.yaml
+++ b/scanners/boostsecurityio/composition/tests.yaml
@@ -5,8 +5,3 @@ tests:
 source:
 url: "https://github.com/hounddogai/hounddog-test-healthcare-app.git"
 ref: "main"
- - name: "sones"
- type: "source-code"
- source:
- url: "https://github.com/sones/sones.git"
- ref: "master"

From 19da009405042dfcd2aec229ff844f33baabd6fa Mon Sep 17 00:00:00 2001
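Review bot: The added `"ref": "BST-17994-fix-main-branch-detection"` in the scan-test.yml hunk of PATCH 2/6 points the runner dispatch at a feature branch. That is a mutable ref which can be force-pushed or deleted, and the same JSON block carries the token from `steps.github-token`. PATCH 4/6 removes the line again, so the series should be squashed so that no commit in history has CI following a work branch. If a non-default runner version is needed for longer, reference a tag or full commit SHA instead, e.g. `"ref": "<runner-commit-sha>"`. The enclosing step starts outside the hunk, so how `ref` is consumed by the dispatch action is not visible here.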
From: Martin Roy
Date: Wed, 7 Jan 2026 13:12:41 -0500
Subject: [PATCH 4/6] FIXUP rebase

---
 .github/workflows/scan-test.yml | 3 +--
 scanners/boostsecurityio/composition/tests.yaml | 5 +++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/scan-test.yml b/.github/workflows/scan-test.yml
index 8a132db5..b0827820 100644
--- a/.github/workflows/scan-test.yml
+++ b/.github/workflows/scan-test.yml
@@ -124,8 +124,7 @@ jobs:
 "token": "${{ steps.github-token.outputs.token }}",
 "owner": "boostsecurityio",
 "repo": "scan-test-runner-gitbub-actions",
- "workflow_id": "test-scanner.yml",
- "ref": "BST-17994-fix-main-branch-detection"
+ "workflow_id": "test-scanner.yml"
 }
 registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}"
 base-ref: "${{ github.base_ref }}"
diff --git a/scanners/boostsecurityio/composition/tests.yaml b/scanners/boostsecurityio/composition/tests.yaml
index fca4a333..21073279 100644
--- a/scanners/boostsecurityio/composition/tests.yaml
+++ b/scanners/boostsecurityio/composition/tests.yaml
@@ -5,3 +5,8 @@ tests:
 source:
 url: "https://github.com/hounddogai/hounddog-test-healthcare-app.git"
 ref: "main"
+ - name: "sones"
+ type: "source-code"
+ source:
+ url: "https://github.com/sones/sones.git"
+ ref: "master"

From b421e40d0f43128d632349ae794935f08e423eeb Mon Sep 17 00:00:00 2001
From: Martin Roy
Date: Wed, 7 Jan 2026 13:21:46 -0500
Subject: [PATCH 5/6] Try main

---
 scanners/boostsecurityio/npm-audit/tests.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scanners/boostsecurityio/npm-audit/tests.yaml b/scanners/boostsecurityio/npm-audit/tests.yaml
index 9dfbff04..2ccf2adb 100644
--- a/scanners/boostsecurityio/npm-audit/tests.yaml
+++ b/scanners/boostsecurityio/npm-audit/tests.yaml
@@ -4,4 +4,4 @@ tests:
 type: "source-code"
 source:
 url: "https://github.com/facebook/docusaurus.git"
- ref: "v3.2.1"
+ ref: "main"

From 6a50071be2bf736408f4a6ea93ed9b2fdad6ed58 Mon Sep 17 00:00:00 2001
From: Martin Roy
Date: Wed, 7 Jan 2026 13:28:46 -0500
Subject: [PATCH 6/6] Remove npm-audit, can't work at the moment: https://boostsecurity.atlassian.net/browse/BST-18293

---
 scanners/boostsecurityio/npm-audit/tests.yaml | 7 -------
 1 file changed, 7 deletions(-)
 delete mode 100644 scanners/boostsecurityio/npm-audit/tests.yaml

diff --git a/scanners/boostsecurityio/npm-audit/tests.yaml b/scanners/boostsecurityio/npm-audit/tests.yaml
deleted file mode 100644
index 2ccf2adb..00000000
--- a/scanners/boostsecurityio/npm-audit/tests.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-version: "1.0"
-tests:
- - name: "docusaurus"
- type: "source-code"
- source:
- url: "https://github.com/facebook/docusaurus.git"
- ref: "main"