nyx-scan/action.yml aktualisiert

nyx-scan/action.yml

@@ -40,42 +40,76 @@ runs:
         cd .nyx-src
         cargo build --release
     
-    - name: Debug triage
-      shell: bash
-      run: |
-        echo "=== working dir ==="
-        pwd
-        echo "=== triage file ==="
-        cat .nyx/triage.json || echo "NOT FOUND"
-        echo "=== nyx config ==="
-        cat nyx.conf || echo "no nyx.conf"
-
-    - name: Debug nyx version
-      shell: bash
-      run: .nyx-src/target/release/nyx --version
-
-    - name: Debug fingerprints
-      if: always()
-      shell: bash
-      run: |
-        .nyx-src/target/release/nyx scan --format json --index off 2>/dev/null | python3 -c "
-        import json, sys
-        data = json.load(sys.stdin)
-        findings = data if isinstance(data, list) else data.get('findings', [])
-        if findings:
-            print('=== first finding keys ===')
-            print(list(findings[0].keys()))
-            print('=== first finding ===')
-            print(json.dumps(findings[0], indent=2))
-        "
-
     - name: Run NYX scan
       id: nyx
       shell: bash
       run: |
-        .nyx-src/target/release/nyx scan --format sarif --fail-on ${{ inputs.fail_on }} > nyx-results.sarif 2>&1
-      continue-on-error: true
+        .nyx-src/target/release/nyx scan --format json > nyx-results-raw.json 2>&1
 
+        # Apply suppression rules from triage.json
+        python3 -c "
+        import json
+
+        with open('nyx-results-raw.json') as f:
+            findings = json.load(f)
+
+        if isinstance(findings, dict):
+            findings = findings.get('findings', [])
+
+        # Load suppression rules
+        try:
+            with open('.nyx/triage.json') as f:
+                triage = json.load(f)
+            rules = triage.get('suppression_rules', [])
+        except:
+            rules = []
+
+        def is_suppressed(f):
+            rule_id = f.get('id', '')
+            for r in rules:
+                by = r.get('by', '')
+                value = r.get('value', '')
+                if by == 'rule' and rule_id == value:
+                    return True
+                if by == 'file' and f.get('path', '').endswith(value):
+                    return True
+                if by == 'rule_in_file':
+                    parts = value.split(':', 1)
+                    if len(parts) == 2 and rule_id == parts[0] and f.get('path','').endswith(parts[1]):
+                        return True
+            return False
+
+        filtered = [f for f in findings if not is_suppressed(f)]
+        print(f'Suppressed {len(findings) - len(filtered)} of {len(findings)} findings', flush=True)
+
+        # Convert to minimal SARIF
+        results = []
+        for f in filtered:
+            results.append({
+                'level': 'error' if f.get('severity','').lower() in ['high','critical'] else 'warning',
+                'message': {'text': f.get('message','')},
+                'ruleId': f.get('id',''),
+                'locations': [{'physicalLocation': {
+                    'artifactLocation': {'uri': f.get('path','').replace('/workspace/nomyo-ai/nomyo-router/','')},
+                    'region': {'startLine': f.get('line',0), 'startColumn': f.get('col',0)}
+                }}]
+            })
+
+        sarif = {
+            'version': '2.1.0',
+            '\$schema': 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json',
+            'runs': [{'results': results, 'tool': {'driver': {'name': 'nyx', 'version': '0.7.0', 'rules': []}}}]
+        }
+
+        with open('nyx-results.sarif', 'w') as f:
+            json.dump(sarif, f, indent=2)
+
+        # Fail if any HIGH/CRITICAL remain
+        high = [f for f in filtered if f.get('severity','').lower() in ['${{ inputs.fail_on }}'.lower(), 'critical']]
+        exit(1 if high else 0)
+        "
+      continue-on-error: true
+      
     - name: Post findings as PR comment
       if: steps.nyx.outcome == 'failure'
       shell: bash