diff --git a/nyx-scan/action.yml b/nyx-scan/action.yml
index 610bbaa..843beff 100644
--- a/nyx-scan/action.yml
+++ b/nyx-scan/action.yml
@@ -1,5 +1,23 @@
 name: NYX Security Scan
 description: Runs NYX SAST scanner and posts findings as PR comment
+inputs:
+ forgejo_push_token:
+ description: Token with write:issue scope
+ required: true
+ repository:
+ description: Repository in owner/name format
+ required: true
+ pr_number:
+ description: PR number to comment on
+ required: true
+ sha:
+ description: Commit SHA to scan
+ required: true
+ fail_on:
+ description: Severity threshold (LOW, MEDIUM, HIGH, CRITICAL)
+ required: false
+ default: HIGH
+
 runs:
 using: composite
 steps:
@@ -7,7 +25,7 @@ runs:
 shell: bash
 run: |
 git clone --depth=1 --branch master \
- "https://oauth2:${{ github.token }}@bitfreedom.net/code/apunkt/nyx.git" \
+ "https://oauth2:${{ inputs.forgejo_push_token }}@bitfreedom.net/code/apunkt/nyx.git" \
 .nyx-src
 - name: Install Rust
@@ -26,7 +44,7 @@ runs:
 id: nyx
 shell: bash
 run: |
- .nyx-src/target/release/nyx scan --format sarif --fail-on HIGH > nyx-results.sarif 2>&1
+ .nyx-src/target/release/nyx scan --format sarif --fail-on ${{ inputs.fail_on }} > nyx-results.sarif 2>&1
 continue-on-error: true
 - name: Post findings as PR comment
@@ -56,12 +74,12 @@ runs:
 ")
 curl -sf -X POST \
 -H "Authorization: token ${{ inputs.token }}" \
+ -H "Authorization: token ${{ inputs.forgejo_push_token }}" \
 -H "Content-Type: application/json" \
 "https://bitfreedom.net/code/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
+ "https://bitfreedom.net/code/api/v1/repos/${{ inputs.repository }}/issues/${{ inputs.pr_number }}/comments" \
 -d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}"
- - name: Fail if HIGH or above findings found
+ - name: Fail if findings found
 if: steps.nyx.outcome == 'failure'
 shell: bash
 run: exit 1
\ No newline at end of file
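Review bot: The `forgejo_push_token` description `Token with write:issue scope` understates what the caller must provide: the second hunk uses the same token to clone `apunkt/nyx` over HTTPS and the fourth uses it to post the comment, so it needs read access to that repository as well as `write:issue` on the target, and the description should say so, e.g. `description: Forgejo token with read access to apunkt/nyx and write:issue on the target repository`. The `sha` input is declared `required: true` and described as the commit to scan, yet no new line in the visible hunks references `inputs.sha`; if the rest of the file does not use it either, it should be removed or wired into the scan step, since callers are otherwise forced to supply a value that has no effect.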
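Review bot: `${{ inputs.forgejo_push_token }}` inside the `run:` script is expanded by the runner into the script text before bash executes it, so the value becomes part of the command rather than a variable read at runtime; the same construction is introduced for `inputs.fail_on` in the third hunk and for `inputs.repository` and `inputs.pr_number` in the fourth. For values a calling workflow controls this is the usual script-injection shape, and the fix is the same in all three places: pass the input through `env:` and reference the shell variable, e.g. `env:` / `NYX_TOKEN: ${{ inputs.forgejo_push_token }}` on the step and `"https://oauth2:${NYX_TOKEN}@bitfreedom.net/code/apunkt/nyx.git" \` in the clone line. Separately, `--branch master` builds whatever the branch head happens to be at run time, so the scanner itself is a moving part of the pipeline; pinning to a tag or commit would make results reproducible. The step's `name:` line is outside the hunk.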
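Review bot: `--fail-on ${{ inputs.fail_on }}` accepts any string, although the input's description limits it to LOW, MEDIUM, HIGH or CRITICAL, and nothing checks the value before the scanner runs. Because this step has `continue-on-error: true` and the fourth hunk fails the job on `steps.nyx.outcome == 'failure'`, a rejected threshold, a missing binary or a crash is reported exactly like a finding, so validate the input first and read it from `env:` so the shell sees a variable rather than spliced text (see the fence; a validation failure still surfaces through the same outcome, but with its cause in the log). `2>&1` also sends the scanner's stderr into `nyx-results.sarif`; if the comment step parses that file as SARIF, any diagnostic line would corrupt it, so consider leaving stderr in the job log unless the file is only ever echoed. The `- name:` line of this step is before the hunk.
```yaml
      shell: bash
      env:
        FAIL_ON: ${{ inputs.fail_on }}
      run: |
        case "$FAIL_ON" in
          LOW|MEDIUM|HIGH|CRITICAL) ;;
          *) echo "fail_on must be one of LOW, MEDIUM, HIGH, CRITICAL (got: $FAIL_ON)" >&2; exit 2 ;;
        esac
        .nyx-src/target/release/nyx scan --format sarif --fail-on "$FAIL_ON" > nyx-results.sarif 2>&1
      # … unchanged: continue-on-error: true …
```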
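Review bot: `curl -sf` on the POST hides both the response body and curl's own error text, so when the token lacks `write:issue` or `pr_number` does not name an open PR the comment is dropped with nothing in the log to explain it; `curl -sSf -X POST \` keeps the progress meter quiet but still prints the error. The renamed step `Fail if findings found` fires on `steps.nyx.outcome == 'failure'`, which with the new `fail_on` input means findings at or above the chosen threshold (or a scanner error), so `- name: Fail if findings at or above fail_on` describes it more accurately. The `")` that opens the hunk appears to close the assignment whose value is later read as `$FINDINGS`, and that assignment starts before the hunk.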