114 lines
No EOL
3.6 KiB
YAML
114 lines
No EOL
3.6 KiB
YAML
name: NYX Security Scan
|
|
description: Runs NYX SAST scanner and posts findings as PR comment
|
|
inputs:
|
|
forgejo_push_token:
|
|
description: Token with write:issue scope
|
|
required: true
|
|
repository:
|
|
description: Repository in owner/name format
|
|
required: true
|
|
pr_number:
|
|
description: PR number to comment on
|
|
required: true
|
|
sha:
|
|
description: Commit SHA to scan
|
|
required: true
|
|
fail_on:
|
|
description: Severity threshold (LOW, MEDIUM, HIGH, CRITICAL)
|
|
required: false
|
|
default: HIGH
|
|
|
|
runs:
|
|
using: composite
|
|
steps:
|
|
- name: Clone nyx from Forgejo mirror
|
|
shell: bash
|
|
run: |
|
|
git clone --depth=1 --branch v0.7.0 \
|
|
"https://oauth2:${{ inputs.forgejo_push_token }}@bitfreedom.net/code/apunkt/nyx.git" \
|
|
.nyx-src
|
|
|
|
- name: Install Rust
|
|
shell: bash
|
|
run: |
|
|
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable
|
|
echo "$HOME/.cargo/bin" >> $GITHUB_PATH
|
|
|
|
- name: Build nyx from source
|
|
shell: bash
|
|
run: |
|
|
cd .nyx-src
|
|
cargo build --release
|
|
|
|
- name: Debug triage
|
|
shell: bash
|
|
run: |
|
|
echo "=== working dir ==="
|
|
pwd
|
|
echo "=== triage file ==="
|
|
cat .nyx/triage.json || echo "NOT FOUND"
|
|
echo "=== nyx config ==="
|
|
cat nyx.conf || echo "no nyx.conf"
|
|
|
|
- name: Debug nyx version
|
|
shell: bash
|
|
run: .nyx-src/target/release/nyx --version
|
|
|
|
- name: Debug fingerprints
|
|
if: always()
|
|
shell: bash
|
|
run: |
|
|
.nyx-src/target/release/nyx scan --format json --index off 2>/dev/null | python3 -c "
|
|
import json, sys
|
|
data = json.load(sys.stdin)
|
|
findings = data if isinstance(data, list) else data.get('findings', [])
|
|
if findings:
|
|
print('=== first finding keys ===')
|
|
print(list(findings[0].keys()))
|
|
print('=== first finding ===')
|
|
print(json.dumps(findings[0], indent=2))
|
|
"
|
|
|
|
- name: Run NYX scan
|
|
id: nyx
|
|
shell: bash
|
|
run: |
|
|
.nyx-src/target/release/nyx scan --format sarif --fail-on ${{ inputs.fail_on }} > nyx-results.sarif 2>&1
|
|
continue-on-error: true
|
|
|
|
- name: Post findings as PR comment
|
|
if: steps.nyx.outcome == 'failure'
|
|
shell: bash
|
|
run: |
|
|
FINDINGS=$(python3 -c "
|
|
import json, sys
|
|
|
|
with open('nyx-results.sarif') as f:
|
|
data = json.load(f)
|
|
|
|
results = data.get('runs', [{}])[0].get('results', [])
|
|
|
|
lines = [f'## 🔴 NYX found {len(results)} issue(s)\n']
|
|
for r in results:
|
|
level = r.get('level', '?')
|
|
msg = r.get('message', {}).get('text', '?')
|
|
rule = r.get('ruleId', '?')
|
|
loc = r.get('locations', [{}])[0].get('physicalLocation', {})
|
|
path = loc.get('artifactLocation', {}).get('uri', '?')
|
|
line = loc.get('region', {}).get('startLine', '?')
|
|
col = loc.get('region', {}).get('startColumn', '?')
|
|
lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] — {msg}')
|
|
|
|
print('\n'.join(lines))
|
|
")
|
|
|
|
curl -sf -X POST \
|
|
-H "Authorization: token ${{ inputs.forgejo_push_token }}" \
|
|
-H "Content-Type: application/json" \
|
|
"https://bitfreedom.net/code/api/v1/repos/${{ inputs.repository }}/issues/${{ inputs.pr_number }}/comments" \
|
|
-d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}"
|
|
|
|
- name: Fail if findings found
|
|
if: steps.nyx.outcome == 'failure'
|
|
shell: bash
|
|
run: exit 1 |