From 2bc508bafc1319467d106f0d8a433bbcd9fb109b Mon Sep 17 00:00:00 2001
From: alpha-nerd
Date: Wed, 13 May 2026 19:18:32 +0200
Subject: [PATCH] nyx-scan/action.yml aktualisiert

---
 nyx-scan/action.yml | 96 ++++++++++++++++++++++++++++++---------------
 1 file changed, 65 insertions(+), 31 deletions(-)

diff --git a/nyx-scan/action.yml b/nyx-scan/action.yml
index be07ade..289323f 100644
--- a/nyx-scan/action.yml
+++ b/nyx-scan/action.yml
@@ -40,42 +40,76 @@ runs: cd .nyx-src cargo build --release - - name: Debug triage - shell: bash - run: | - echo "=== working dir ===" - pwd - echo "=== triage file ===" - cat .nyx/triage.json || echo "NOT FOUND" - echo "=== nyx config ===" - cat nyx.conf || echo "no nyx.conf" - - - name: Debug nyx version - shell: bash - run: .nyx-src/target/release/nyx --version - - - name: Debug fingerprints - if: always() - shell: bash - run: | - .nyx-src/target/release/nyx scan --format json --index off 2>/dev/null | python3 -c " - import json, sys - data = json.load(sys.stdin) - findings = data if isinstance(data, list) else data.get('findings', []) - if findings: - print('=== first finding keys ===') - print(list(findings[0].keys())) - print('=== first finding ===') - print(json.dumps(findings[0], indent=2)) - " - - name: Run NYX scan id: nyx shell: bash run: | - .nyx-src/target/release/nyx scan --format sarif --fail-on ${{ inputs.fail_on }} > nyx-results.sarif 2>&1 - continue-on-error: true + .nyx-src/target/release/nyx scan --format json > nyx-results-raw.json 2>&1 + # Apply suppression rules from triage.json + python3 -c " + import json + + with open('nyx-results-raw.json') as f: + findings = json.load(f) + + if isinstance(findings, dict): + findings = findings.get('findings', []) + + # Load suppression rules + try: + with open('.nyx/triage.json') as f: + triage = json.load(f) + rules = triage.get('suppression_rules', []) + except: + rules = [] + + def is_suppressed(f): + rule_id = f.get('id', '') + for r in rules: + by = r.get('by', '') + value = r.get('value', '') + if by == 'rule' and rule_id == value: + return True + if by == 'file' and f.get('path', '').endswith(value): + return True + if by == 'rule_in_file': + parts = value.split(':', 1) + if len(parts) == 2 and rule_id == parts[0] and f.get('path','').endswith(parts[1]): + return True + return False + + filtered = [f for f in findings if not is_suppressed(f)] + print(f'Suppressed {len(findings) - len(filtered)} of 
{len(findings)} findings', flush=True) + + # Convert to minimal SARIF + results = [] + for f in filtered: + results.append({ + 'level': 'error' if f.get('severity','').lower() in ['high','critical'] else 'warning', + 'message': {'text': f.get('message','')}, + 'ruleId': f.get('id',''), + 'locations': [{'physicalLocation': { + 'artifactLocation': {'uri': f.get('path','').replace('/workspace/nomyo-ai/nomyo-router/','')}, + 'region': {'startLine': f.get('line',0), 'startColumn': f.get('col',0)} + }}] + }) + + sarif = { + 'version': '2.1.0', + '\$schema': 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json', + 'runs': [{'results': results, 'tool': {'driver': {'name': 'nyx', 'version': '0.7.0', 'rules': []}}}] + } + + with open('nyx-results.sarif', 'w') as f: + json.dump(sarif, f, indent=2) + + # Fail if any HIGH/CRITICAL remain + high = [f for f in filtered if f.get('severity','').lower() in ['${{ inputs.fail_on }}'.lower(), 'critical']] + exit(1 if high else 0) + " + continue-on-error: true + - name: Post findings as PR comment if: steps.nyx.outcome == 'failure' shell: bash
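Review bot: `'${{ inputs.fail_on }}'.lower()` near the end of the hunk splices a workflow input directly into the Python source of the heredoc, which is the expression-injection pattern GitHub warns about for `run:` steps; pass it on the step as `env: FAIL_ON: ${{ inputs.fail_on }}` and read `os.environ.get('FAIL_ON', '')` inside the script instead. The same line also narrows the failure rule: where the removed command handed `--fail-on` to nyx (presumably as a severity threshold), the new test fails only on a severity equal to `fail_on` or `critical`, so with `fail_on: medium` a `high` finding passes, and the SARIF `level` mapping a few lines earlier still hard-codes `['high','critical']`. Two smaller points: `> nyx-results-raw.json 2>&1` puts nyx's stderr into the file that `json.load` parses, so any diagnostic line aborts the step before a SARIF file exists (the deleted debug step used `2>/dev/null`), and the `by == 'file'` rule's bare `endswith(value)` lets a rule for `main.py` also suppress `domain.py`; `path == value or path.endswith('/' + value)` keeps the match on path boundaries. The hard-coded `/workspace/nomyo-ai/nomyo-router/` prefix stripped from `uri` ties this reusable action to one checkout location; `GITHUB_WORKSPACE` from the environment would be the portable choice. The `run:` block holding this script is fully inside the hunk, but the enclosing `runs:` step list continues outside it on both sides.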