From ac6c41b91066beef2c2e1011da9311544e826d67 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Wed, 17 Dec 2025 14:56:46 +0000
Subject: [PATCH] Extract zstd files too
---
lib/analyze-action-post.js | 20 +++++++++++++++++++-
lib/init-action-post.js | 20 +++++++++++++++++++-
lib/upload-sarif-action-post.js | 20 +++++++++++++++++++-
src/artifact-scanner.ts | 22 ++++++++++++++++++++++
4 files changed, 79 insertions(+), 3 deletions(-)
diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index 9e6a4be98..274e59f07 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -127938,6 +127938,24 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log await exec.exec("tar", ["-xzf", archivePath, "-C", tempExtractDir], { silent: true }); + } else if (fileName.endsWith(".tar.zst")) { + logger.debug(`Extracting tar.zst file: ${archivePath}`); + await exec.exec( + "tar", + ["--zstd", "-xf", archivePath, "-C", tempExtractDir], + { + silent: true + } + ); + } else if (fileName.endsWith(".zst")) { + logger.debug(`Extracting zst file: ${archivePath}`); + const outputFile = path5.join( + tempExtractDir, + path5.basename(archivePath, ".zst") + ); + await exec.exec("zstd", ["-d", archivePath, "-o", outputFile], { + silent: true + }); } else if (fileName.endsWith(".gz")) { logger.debug(`Extracting gz file: ${archivePath}`); const outputFile = path5.join(
@@ -127980,7 +127998,7 @@ async function scanFile(fullPath, relativePath, extractDir, logger, depth = 0) { findings: [] }; const fileName = path5.basename(fullPath).toLowerCase(); - const isArchive = fileName.endsWith(".zip") || fileName.endsWith(".tar.gz") || fileName.endsWith(".tgz") || fileName.endsWith(".gz"); + const isArchive = fileName.endsWith(".zip") || fileName.endsWith(".tar.gz") || fileName.endsWith(".tgz") || fileName.endsWith(".tar.zst") || fileName.endsWith(".zst") || fileName.endsWith(".gz"); if (isArchive) { const archiveResult = await scanArchiveFile( fullPath,
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 79bf42c2e..0b32ef9b9 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -132580,6 +132580,24 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log await exec.exec("tar", ["-xzf", archivePath, "-C", tempExtractDir], { silent: true }); + } else if (fileName.endsWith(".tar.zst")) { + logger.debug(`Extracting tar.zst file: ${archivePath}`); + await exec.exec( + "tar", + ["--zstd", "-xf", archivePath, "-C", tempExtractDir], + { + silent: true + } + ); + } else if (fileName.endsWith(".zst")) { + logger.debug(`Extracting zst file: ${archivePath}`); + const outputFile = path11.join( + tempExtractDir, + path11.basename(archivePath, ".zst") + ); + await exec.exec("zstd", ["-d", archivePath, "-o", outputFile], { + silent: true + }); } else if (fileName.endsWith(".gz")) { logger.debug(`Extracting gz file: ${archivePath}`); const outputFile = path11.join(
@@ -132622,7 +132640,7 @@ async function scanFile(fullPath, relativePath, extractDir, logger, depth = 0) { findings: [] }; const fileName = path11.basename(fullPath).toLowerCase(); - const isArchive = fileName.endsWith(".zip") || fileName.endsWith(".tar.gz") || fileName.endsWith(".tgz") || fileName.endsWith(".gz"); + const isArchive = fileName.endsWith(".zip") || fileName.endsWith(".tar.gz") || fileName.endsWith(".tgz") || fileName.endsWith(".tar.zst") || fileName.endsWith(".zst") || fileName.endsWith(".gz"); if (isArchive) { const archiveResult = await scanArchiveFile( fullPath,
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index bb6d02ecd..4dda01901 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -126873,6 +126873,24 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log await exec.exec("tar", ["-xzf", archivePath, "-C", tempExtractDir], { silent: true }); + } else if (fileName.endsWith(".tar.zst")) { + logger.debug(`Extracting tar.zst file: ${archivePath}`); + await exec.exec( + "tar", + ["--zstd", "-xf", archivePath, "-C", tempExtractDir], + { + silent: true + } + ); + } else if (fileName.endsWith(".zst")) { + logger.debug(`Extracting zst file: ${archivePath}`); + const outputFile = path.join( + tempExtractDir, + path.basename(archivePath, ".zst") + ); + await exec.exec("zstd", ["-d", archivePath, "-o", outputFile], { + silent: true + }); } else if (fileName.endsWith(".gz")) { logger.debug(`Extracting gz file: ${archivePath}`); const outputFile = path.join(
@@ -126915,7 +126933,7 @@ async function scanFile(fullPath, relativePath, extractDir, logger, depth = 0) { findings: [] }; const fileName = path.basename(fullPath).toLowerCase(); - const isArchive = fileName.endsWith(".zip") || fileName.endsWith(".tar.gz") || fileName.endsWith(".tgz") || fileName.endsWith(".gz"); + const isArchive = fileName.endsWith(".zip") || fileName.endsWith(".tar.gz") || fileName.endsWith(".tgz") || fileName.endsWith(".tar.zst") || fileName.endsWith(".zst") || fileName.endsWith(".gz"); if (isArchive) { const archiveResult = await scanArchiveFile( fullPath,
diff --git a/src/artifact-scanner.ts b/src/artifact-scanner.ts
index a666c75ef..d04445bf4 100644
--- a/src/artifact-scanner.ts
+++ b/src/artifact-scanner.ts
@@ -127,6 +127,26 @@ async function scanArchiveFile(
 await exec.exec("tar", ["-xzf", archivePath, "-C", tempExtractDir], {
 silent: true,
 });
+ } else if (fileName.endsWith(".tar.zst")) {
+ // Extract tar.zst files
+ logger.debug(`Extracting tar.zst file: ${archivePath}`);
+ await exec.exec(
+ "tar",
+ ["--zstd", "-xf", archivePath, "-C", tempExtractDir],
+ {
+ silent: true,
+ },
+ );
+ } else if (fileName.endsWith(".zst")) {
+ // Extract .zst files (single file compression)
+ logger.debug(`Extracting zst file: ${archivePath}`);
+ const outputFile = path.join(
+ tempExtractDir,
+ path.basename(archivePath, ".zst"),
+ );
+ await exec.exec("zstd", ["-d", archivePath, "-o", outputFile], {
+ silent: true,
+ });
 } else if (fileName.endsWith(".gz")) {
 // Extract .gz files (single file compression)
 logger.debug(`Extracting gz file: ${archivePath}`);
@@ -199,6 +219,8 @@ async function scanFile(
 fileName.endsWith(".zip") ||
 fileName.endsWith(".tar.gz") ||
 fileName.endsWith(".tgz") ||
+ fileName.endsWith(".tar.zst") ||
+ fileName.endsWith(".zst") ||
 fileName.endsWith(".gz");
 if (isArchive) {
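Review bot: In the `.zst` branch of the `scanArchiveFile` hunk in src/artifact-scanner.ts, `path.basename(archivePath, ".zst")` strips the suffix case-sensitively, while `fileName` appears to be lower-cased before the `endsWith` checks (its definition is outside the hunk; `scanFile` lower-cases its own). For an artifact named like `DUMP.ZST` the decompressed output would keep the `.ZST` suffix, so it would presumably be classified as an archive again rather than read as plain content, and a token inside could go unreported. Stripping by length avoids this: `path.basename(archivePath).slice(0, -".zst".length)`. Both new branches also depend on a `zstd` binary being present on the runner; if the failure handling outside this hunk only logs at debug level, a missing binary leaves the archive unscanned with no visible signal, so a warning there would help. The three `lib/*-action-post.js` bundles carry the same code and would pick the change up on rebuild.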
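Review bot: The extension list in the `scanFile` hunk of src/artifact-scanner.ts gains `.tar.zst` but not its short form `.tzst`, although gzip is covered in both spellings (`.tar.gz` and `.tgz`). A `.tzst` artifact would presumably be handled as a plain file, so its members would not be unpacked for scanning. Consider adding `fileName.endsWith(".tzst") ||` here and `|| fileName.endsWith(".tzst")` to the `.tar.zst` condition in `scanArchiveFile`, so the two lists stay in step. The `isArchive` expression starts above the hunk and the function body continues below it.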