refactor(scripts): consolidate duplicate logging into shared SecurityHelpers module (#655)

WilliamBerryiii · web-flow · commit 627a87791c9f · 2026-02-19T12:18:18.000-08:00
## Summary Consolidates duplicate logging functions into the shared `SecurityHelpers.psm1` module, eliminating code duplication across security scripts. Closes #321 ## Changes ### `SecurityHelpers.psm1` - Import `CIHelpers.psm1` for CI annotation support - Add `-CIAnnotation` switch parameter to `Write-SecurityLog` for opt-in CI annotation forwarding (Warning/Error levels) - Change Info color from White to Cyan to match script conventions ### `Test-DependencyPinning.ps1` - Import `SecurityHelpers.psm1` - Remove local `Write-PinningLog` function (32 lines) - Replace all ~25 `Write-PinningLog` call sites with `Write-SecurityLog -CIAnnotation` ### `Test-SHAStaleness.ps1` - Import `SecurityHelpers.psm1` - Remove local `Write-SecurityLog` function (33 lines) - Add `$PSDefaultParameterValues` to route `OutputFormat` and `LogPath` parameters transparently ### Test files - Update `Test-DependencyPinning.Tests.ps1` mocks and context names from `Write-PinningLog` to `Write-SecurityLog` - Add 4 CI annotation forwarding tests to `SecurityHelpers.Tests.ps1` ## Validation - **Tests**: 900 passed, 0 failed, 0 skipped - **Lint**: 52 files analyzed, 0 issues --- ♻️ - Generated by Copilot
diff --git a/scripts/security/Modules/SecurityHelpers.psm1 b/scripts/security/Modules/SecurityHelpers.psm1
@@ -9,6 +9,9 @@
 
 #Requires -Version 7.0
 
+# Omit -Force so the standalone CIHelpers export is not shadowed by a nested re-import.
+Import-Module (Join-Path $PSScriptRoot '../../lib/Modules/CIHelpers.psm1')
+
 function Write-SecurityLog {
     <#
     .SYNOPSIS
@@ -33,8 +36,14 @@ function Write-SecurityLog {
     .EXAMPLE
         Write-SecurityLog -Message "Scanning workflows" -Level Info
 
+    .PARAMETER CIAnnotation
+        When set, forwards Warning and Error messages as CI annotations via Write-CIAnnotation.
+
     .EXAMPLE
         Write-SecurityLog -Message "Stale SHA detected" -Level Warning -LogPath "./logs/security.log"
+
+    .EXAMPLE
+        Write-SecurityLog -Message "Not pinned" -Level Warning -CIAnnotation
     #>
     [CmdletBinding()]
     param(
@@ -50,7 +59,10 @@ function Write-SecurityLog {
         [string]$LogPath,
 
         [Parameter()]
-        [string]$OutputFormat = 'console'
+        [string]$OutputFormat = 'console',
+
+        [Parameter()]
+        [switch]$CIAnnotation
     )
 
     # Handle blank line requests
@@ -67,7 +79,7 @@ function Write-SecurityLog {
     # Console output with colors
     if ($OutputFormat -eq 'console') {
         $color = switch ($Level) {
-            'Info' { 'White' }
+            'Info' { 'Cyan' }
             'Warning' { 'Yellow' }
             'Error' { 'Red' }
             'Success' { 'Green' }
@@ -77,6 +89,11 @@ function Write-SecurityLog {
         Write-Host $logEntry -ForegroundColor $color
     }
 
+    # Forward warnings and errors as CI annotations
+    if ($CIAnnotation -and ($Level -eq 'Warning' -or $Level -eq 'Error')) {
+        Write-CIAnnotation -Message $Message -Level $Level
+    }
+
     # File logging if path provided
     if ($LogPath) {
         try {
diff --git a/scripts/security/Test-DependencyPinning.ps1 b/scripts/security/Test-DependencyPinning.ps1
@@ -123,6 +123,7 @@ $ErrorActionPreference = 'Stop'
 
 # Import CIHelpers for workflow command escaping
 Import-Module (Join-Path $PSScriptRoot '../lib/Modules/CIHelpers.psm1') -Force
+Import-Module (Join-Path $PSScriptRoot 'Modules/SecurityHelpers.psm1') -Force
 
 # Define dependency patterns for different ecosystems
 $DependencyPatterns = @{
@@ -307,35 +308,6 @@ function Get-NpmDependencyViolations {
     return $violations
 }
 
-function Write-PinningLog {
-    [CmdletBinding()]
-    param(
-        [Parameter(Mandatory = $true)]
-        [string]$Message,
-
-        [Parameter(Mandatory = $false)]
-        [ValidateSet('Info', 'Warning', 'Error', 'Success')]
-        [string]$Level = 'Info'
-    )
-
-    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
-    $color = switch ($Level) {
-        'Info'    { 'Cyan' }
-        'Warning' { 'Yellow' }
-        'Error'   { 'Red' }
-        'Success' { 'Green' }
-    }
-    Write-Host "[$timestamp] [$Level] $Message" -ForegroundColor $color
-
-    # Surface warnings and errors as CI annotations so they appear in the Actions/ADO UI
-    if ($Level -eq 'Warning') {
-        Write-CIAnnotation -Message $Message -Level Warning
-    }
-    elseif ($Level -eq 'Error') {
-        Write-CIAnnotation -Message $Message -Level Error
-    }
-}
-
 function Get-FilesToScan {
     <#
     .SYNOPSIS
@@ -383,7 +355,7 @@ function Get-FilesToScan {
                     }
                 }
                 catch {
-                    Write-PinningLog "Error scanning for $type files with pattern $pattern`: $($_.Exception.Message)" -Level Warning
+                    Write-SecurityLog -CIAnnotation "Error scanning for $type files with pattern $pattern`: $($_.Exception.Message)" -Level Warning
                 }
             }
         }
@@ -510,7 +482,7 @@ function Get-DependencyViolation {
         }
     }
     catch {
-        Write-PinningLog "Error scanning file $filePath`: $($_.Exception.Message)" -Level Warning
+        Write-SecurityLog -CIAnnotation "Error scanning file $filePath`: $($_.Exception.Message)" -Level Warning
     }
 
     return $violations
@@ -561,7 +533,7 @@ function Get-RemediationSuggestion {
         }
     }
     catch {
-        Write-PinningLog "Could not generate automatic remediation for $($Violation.Name): $($_.Exception.Message)" -Level Warning
+        Write-SecurityLog -CIAnnotation "Could not generate automatic remediation for $($Violation.Name): $($_.Exception.Message)" -Level Warning
     }
 
     return "Manually research and pin to immutable reference"
@@ -757,7 +729,7 @@ function Export-ComplianceReport {
         }
     }
 
-    Write-PinningLog "Compliance report exported to: $OutputPath" -Level Success
+    Write-SecurityLog -CIAnnotation "Compliance report exported to: $OutputPath" -Level Success
 }
 
 function Export-CICDArtifact {
@@ -771,10 +743,10 @@ function Export-CICDArtifact {
         [string]$ReportPath
     )
 
-    Write-PinningLog "Preparing compliance artifacts for CI/CD systems..." -Level Info
+    Write-SecurityLog -CIAnnotation "Preparing compliance artifacts for CI/CD systems..." -Level Info
 
     $platform = Get-CIPlatform
-    Write-PinningLog "Detected $platform environment - setting up artifacts" -Level Info
+    Write-SecurityLog -CIAnnotation "Detected $platform environment - setting up artifacts" -Level Info
 
     # Set CI outputs (works for both GitHub Actions and Azure DevOps)
     Set-CIOutput -Name 'dependency-report' -Value $ReportPath -IsOutput
@@ -805,7 +777,7 @@ $(if ($Report.UnpinnedDependencies -gt 0) { "⚠️ **Action Required:** $($Repo
         Copy-Item -Path $ReportPath -Destination $artifactDir -Force
     }
 
-    Write-PinningLog "Compliance artifacts prepared for CI/CD consumption" -Level Success
+    Write-SecurityLog -CIAnnotation "Compliance artifacts prepared for CI/CD consumption" -Level Success
 }
 
 function Invoke-DependencyPinningAnalysis {
@@ -844,26 +816,26 @@ function Invoke-DependencyPinningAnalysis {
         [switch]$Remediate
     )
 
-    Write-PinningLog "Starting dependency pinning compliance analysis..." -Level Info
-    Write-PinningLog "PowerShell Version: $($PSVersionTable.PSVersion)" -Level Info
-    Write-PinningLog "Platform: $($PSVersionTable.Platform)" -Level Info
+    Write-SecurityLog -CIAnnotation "Starting dependency pinning compliance analysis..." -Level Info
+    Write-SecurityLog -CIAnnotation "PowerShell Version: $($PSVersionTable.PSVersion)" -Level Info
+    Write-SecurityLog -CIAnnotation "Platform: $($PSVersionTable.Platform)" -Level Info
 
     # Parse include types and exclude paths
     $typesToCheck = $IncludeTypes.Split(',') | ForEach-Object { $_.Trim() }
     $excludePatterns = if ($ExcludePaths) { $ExcludePaths.Split(',') | ForEach-Object { $_.Trim() } } else { @() }
 
-    Write-PinningLog "Scanning path: $Path" -Level Info
-    Write-PinningLog "Include types: $($typesToCheck -join ', ')" -Level Info
-    if ($excludePatterns) { Write-PinningLog "Exclude patterns: $($excludePatterns -join ', ')" -Level Info }
+    Write-SecurityLog -CIAnnotation "Scanning path: $Path" -Level Info
+    Write-SecurityLog -CIAnnotation "Include types: $($typesToCheck -join ', ')" -Level Info
+    if ($excludePatterns) { Write-SecurityLog -CIAnnotation "Exclude patterns: $($excludePatterns -join ', ')" -Level Info }
 
     # Discover files to scan
     $filesToScan = @(Get-FilesToScan -ScanPath $Path -Types $typesToCheck -ExcludePatterns $excludePatterns -Recursive:$Recursive)
-    Write-PinningLog "Found $(@($filesToScan).Count) files to scan" -Level Info
+    Write-SecurityLog -CIAnnotation "Found $(@($filesToScan).Count) files to scan" -Level Info
 
     # Scan for violations
     $allViolations = @()
     foreach ($fileInfo in $filesToScan) {
-        Write-PinningLog "Scanning: $($fileInfo.RelativePath)" -Level Info
+        Write-SecurityLog -CIAnnotation "Scanning: $($fileInfo.RelativePath)" -Level Info
         $violations = @(Get-DependencyViolation -FileInfo $fileInfo)
 
         # Add remediation suggestions
@@ -874,7 +846,7 @@ function Invoke-DependencyPinningAnalysis {
         $allViolations += $violations
     }
 
-    Write-PinningLog "Found $(@($allViolations).Count) dependency pinning violations" -Level Info
+    Write-SecurityLog -CIAnnotation "Found $(@($allViolations).Count) dependency pinning violations" -Level Info
 
     # Emit per-violation CI annotations and console output
     if ($allViolations.Count -gt 0) {
@@ -921,32 +893,32 @@ function Invoke-DependencyPinningAnalysis {
     Export-CICDArtifact -Report $report -ReportPath $OutputPath
 
     # Display summary
-    Write-PinningLog "Compliance Analysis Complete!" -Level Success
-    Write-PinningLog "Compliance Score: $($report.ComplianceScore)%" -Level Info
-    Write-PinningLog "Total Dependencies: $($report.TotalDependencies)" -Level Info
-    Write-PinningLog "Unpinned Dependencies: $($report.UnpinnedDependencies)" -Level Info
+    Write-SecurityLog -CIAnnotation "Compliance Analysis Complete!" -Level Success
+    Write-SecurityLog -CIAnnotation "Compliance Score: $($report.ComplianceScore)%" -Level Info
+    Write-SecurityLog -CIAnnotation "Total Dependencies: $($report.TotalDependencies)" -Level Info
+    Write-SecurityLog -CIAnnotation "Unpinned Dependencies: $($report.UnpinnedDependencies)" -Level Info
 
     if ($report.UnpinnedDependencies -gt 0) {
-        Write-PinningLog "$($report.UnpinnedDependencies) dependencies require SHA pinning for security compliance" -Level Warning
+        Write-SecurityLog -CIAnnotation "$($report.UnpinnedDependencies) dependencies require SHA pinning for security compliance" -Level Warning
 
         # Check threshold compliance
         if ($report.ComplianceScore -lt $Threshold) {
-            Write-PinningLog "Compliance score $($report.ComplianceScore)% is below threshold $Threshold%" -Level Error
+            Write-SecurityLog -CIAnnotation "Compliance score $($report.ComplianceScore)% is below threshold $Threshold%" -Level Error
 
             if ($FailOnUnpinned) {
-                Write-PinningLog "Failing build due to compliance threshold violation (-FailOnUnpinned enabled)" -Level Error
+                Write-SecurityLog -CIAnnotation "Failing build due to compliance threshold violation (-FailOnUnpinned enabled)" -Level Error
                 throw "Compliance score $($report.ComplianceScore)% is below threshold $Threshold% (-FailOnUnpinned enabled)"
             }
             else {
-                Write-PinningLog "Threshold violation detected but continuing (soft-fail mode)" -Level Warning
+                Write-SecurityLog -CIAnnotation "Threshold violation detected but continuing (soft-fail mode)" -Level Warning
             }
         }
         else {
-            Write-PinningLog "Compliance score $($report.ComplianceScore)% meets threshold $Threshold%" -Level Info
+            Write-SecurityLog -CIAnnotation "Compliance score $($report.ComplianceScore)% meets threshold $Threshold%" -Level Info
         }
     }
     else {
-        Write-PinningLog "All dependencies are properly pinned! ✅ (100% compliance, exceeds $Threshold% threshold)" -Level Success
+        Write-SecurityLog -CIAnnotation "All dependencies are properly pinned! ✅ (100% compliance, exceeds $Threshold% threshold)" -Level Success
     }
 }
 
diff --git a/scripts/security/Test-SHAStaleness.ps1 b/scripts/security/Test-SHAStaleness.ps1
@@ -77,46 +77,15 @@ $ErrorActionPreference = 'Stop'
 
 # Import CIHelpers for workflow command escaping
 Import-Module (Join-Path $PSScriptRoot '../lib/Modules/CIHelpers.psm1') -Force
+Import-Module (Join-Path $PSScriptRoot 'Modules/SecurityHelpers.psm1') -Force
+
+# Route Write-SecurityLog output through script-scoped format and log path
+$PSDefaultParameterValues['Write-SecurityLog:OutputFormat'] = $OutputFormat
+$PSDefaultParameterValues['Write-SecurityLog:LogPath'] = $LogPath
 
 # Script-scope collection of stale dependencies (used by multiple functions)
 $script:StaleDependencies = @()
 
-function Write-SecurityLog {
-    param(
-        [Parameter(Mandatory = $true)]
-        [string]$Message,
-
-        [Parameter(Mandatory = $false)]
-        [ValidateSet("Info", "Warning", "Error", "Success")]
-        [string]$Level = "Info"
-    )
-
-    if ([string]::IsNullOrWhiteSpace($Message)) {
-        $Message = "Empty log message"
-    }
-
-    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
-    $logEntry = "[$timestamp] [$Level] $Message"
-
-    # Console output with colors (only in console mode)
-    if ($OutputFormat -eq "console") {
-        switch ($Level) {
-            "Info" { Write-Host $logEntry -ForegroundColor Cyan }
-            "Warning" { Write-Host $logEntry -ForegroundColor Yellow }
-            "Error" { Write-Host $logEntry -ForegroundColor Red }
-            "Success" { Write-Host $logEntry -ForegroundColor Green }
-        }
-    }
-
-    # File logging
-    try {
-        Add-Content -Path $LogPath -Value $logEntry -ErrorAction SilentlyContinue
-    }
-    catch {
-        Write-Error "Failed to write to log file: $($_.Exception.Message)" -ErrorAction SilentlyContinue
-    }
-}
-
 function Test-GitHubToken {
     param(
         [Parameter(Mandatory = $false)]
diff --git a/scripts/tests/security/SecurityHelpers.Tests.ps1 b/scripts/tests/security/SecurityHelpers.Tests.ps1
@@ -103,6 +103,33 @@ Describe 'Write-SecurityLog' -Tag 'Unit' {
             }
         }
     }
+
+    Context 'CI annotation forwarding' {
+        BeforeAll {
+            Mock Write-CIAnnotation {} -ModuleName SecurityHelpers
+            Mock Write-Host {} -ModuleName SecurityHelpers
+        }
+
+        It 'Forwards Warning messages as CI annotations when -CIAnnotation is set' {
+            Write-SecurityLog -Message 'Test warning' -Level Warning -CIAnnotation
+            Should -Invoke Write-CIAnnotation -ModuleName SecurityHelpers -ParameterFilter { $Level -eq 'Warning' -and $Message -eq 'Test warning' } -Times 1 -Exactly
+        }
+
+        It 'Forwards Error messages as CI annotations when -CIAnnotation is set' {
+            Write-SecurityLog -Message 'Test error' -Level Error -CIAnnotation
+            Should -Invoke Write-CIAnnotation -ModuleName SecurityHelpers -ParameterFilter { $Level -eq 'Error' -and $Message -eq 'Test error' } -Times 1 -Exactly
+        }
+
+        It 'Does not forward Info messages as CI annotations' {
+            Write-SecurityLog -Message 'Test info' -Level Info -CIAnnotation
+            Should -Invoke Write-CIAnnotation -ModuleName SecurityHelpers -Times 0
+        }
+
+        It 'Does not forward any messages when -CIAnnotation is not set' {
+            Write-SecurityLog -Message 'No annotation' -Level Warning
+            Should -Invoke Write-CIAnnotation -ModuleName SecurityHelpers -Times 0
+        }
+    }
 }
 
 Describe 'New-SecurityIssue' -Tag 'Unit' {
diff --git a/scripts/tests/security/Test-DependencyPinning.Tests.ps1 b/scripts/tests/security/Test-DependencyPinning.Tests.ps1
diff --git a/scripts/tests/security/Test-SHAStaleness.Tests.ps1 b/scripts/tests/security/Test-SHAStaleness.Tests.ps1
