nyx-scan/action.yml aktualisiert
This commit is contained in:
parent
990de45157
commit
989aac70c6
1 changed files with 23 additions and 5 deletions
|
|
@ -1,5 +1,23 @@
|
|||
name: NYX Security Scan
|
||||
description: Runs NYX SAST scanner and posts findings as PR comment
|
||||
inputs:
|
||||
forgejo_push_token:
|
||||
description: Token with write:issue scope
|
||||
required: true
|
||||
repository:
|
||||
description: Repository in owner/name format
|
||||
required: true
|
||||
pr_number:
|
||||
description: PR number to comment on
|
||||
required: true
|
||||
sha:
|
||||
description: Commit SHA to scan
|
||||
required: true
|
||||
fail_on:
|
||||
description: Severity threshold (LOW, MEDIUM, HIGH, CRITICAL)
|
||||
required: false
|
||||
default: HIGH
|
||||
|
||||
runs:
|
||||
using: composite
|
||||
steps:
|
||||
|
|
@ -7,7 +25,7 @@ runs:
|
|||
shell: bash
|
||||
run: |
|
||||
git clone --depth=1 --branch master \
|
||||
"https://oauth2:${{ github.token }}@bitfreedom.net/code/apunkt/nyx.git" \
|
||||
"https://oauth2:${{ inputs.forgejo_push_token }}@bitfreedom.net/code/apunkt/nyx.git" \
|
||||
.nyx-src
|
||||
|
||||
- name: Install Rust
|
||||
|
|
@ -26,7 +44,7 @@ runs:
|
|||
id: nyx
|
||||
shell: bash
|
||||
run: |
|
||||
.nyx-src/target/release/nyx scan --format sarif --fail-on HIGH > nyx-results.sarif 2>&1
|
||||
.nyx-src/target/release/nyx scan --format sarif --fail-on ${{ inputs.fail_on }} > nyx-results.sarif 2>&1
|
||||
continue-on-error: true
|
||||
|
||||
- name: Post findings as PR comment
|
||||
|
|
@ -56,12 +74,12 @@ runs:
|
|||
")
|
||||
|
||||
curl -sf -X POST \
|
||||
-H "Authorization: token ${{ inputs.token }}" \
|
||||
-H "Authorization: token ${{ inputs.forgejo_push_token }}" \
|
||||
-H "Content-Type: application/json" \
|
||||
"https://bitfreedom.net/code/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
|
||||
"https://bitfreedom.net/code/api/v1/repos/${{ inputs.repository }}/issues/${{ inputs.pr_number }}/comments" \
|
||||
-d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}"
|
||||
|
||||
- name: Fail if HIGH or above findings found
|
||||
- name: Fail if findings found
|
||||
if: steps.nyx.outcome == 'failure'
|
||||
shell: bash
|
||||
run: exit 1
|
||||
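Review bot: The new `run:` lines splice action inputs straight into the shell script with `${{ inputs.fail_on }}`, `${{ inputs.repository }}` and `${{ inputs.pr_number }}` (hunks 3 and 4), so the expression is expanded into the script text before bash runs it and a caller-supplied value containing shell metacharacters is executed rather than treated as data; the usual mitigation is to map each input to a step-level `env:` entry such as `FAIL_ON: ${{ inputs.fail_on }}` and reference it quoted in the script, `--fail-on "$FAIL_ON"`, doing the same for `REPOSITORY` and `PR_NUMBER` in the curl URL. The same pattern applies to `forgejo_push_token` in hunk 2, where the token is additionally baked into the clone URL and therefore persists in `.nyx-src/.git/config` for the rest of the job; since the input description declares the token as having `write:issue` scope, cloning with a separate read-only credential, or stripping it afterwards with `git -C .nyx-src remote set-url origin <url without credentials>`, would limit its exposure. Separately, `fail_on` is documented as one of LOW/MEDIUM/HIGH/CRITICAL but nothing checks that, so a short validation step that rejects any other value would turn a typo in the calling workflow into an explicit failure instead of leaving the outcome to how the scanner handles an unknown threshold. The `run:` blocks and the enclosing `steps:` list continue outside the hunks.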