.forgejo/workflows/nyxscanner.yml aktualisiert
All checks were successful
NYX Security Scan / nyx-scan (pull_request) Successful in 6m38s
All checks were successful
NYX Security Scan / nyx-scan (pull_request) Successful in 6m38s
This commit is contained in:
parent
efd30207e2
commit
6e2cab6143
1 changed files with 15 additions and 22 deletions
|
|
@ -7,9 +7,6 @@ on:
|
||||||
jobs:
|
jobs:
|
||||||
nyx-scan:
|
nyx-scan:
|
||||||
runs-on: docker-amd64
|
runs-on: docker-amd64
|
||||||
permissions:
|
|
||||||
issues: write
|
|
||||||
pull-requests: write
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout PR
|
- name: Checkout PR
|
||||||
|
|
@ -43,7 +40,7 @@ jobs:
|
||||||
continue-on-error: true
|
continue-on-error: true
|
||||||
|
|
||||||
- name: Post findings as PR comment
|
- name: Post findings as PR comment
|
||||||
if: always()
|
if: steps.nyx.outcome == 'failure'
|
||||||
run: |
|
run: |
|
||||||
FINDINGS=$(python3 -c "
|
FINDINGS=$(python3 -c "
|
||||||
import json, sys
|
import json, sys
|
||||||
|
|
@ -53,28 +50,24 @@ jobs:
|
||||||
|
|
||||||
results = data.get('runs', [{}])[0].get('results', [])
|
results = data.get('runs', [{}])[0].get('results', [])
|
||||||
|
|
||||||
if not results:
|
lines = [f'## 🔴 NYX found {len(results)} issue(s)\n']
|
||||||
body = '✅ NYX scan: no findings above threshold.'
|
for r in results:
|
||||||
else:
|
level = r.get('level', '?')
|
||||||
lines = [f'## 🔴 NYX found {len(results)} issue(s)\n']
|
msg = r.get('message', {}).get('text', '?')
|
||||||
for r in results:
|
rule = r.get('ruleId', '?')
|
||||||
level = r.get('level', '?')
|
loc = r.get('locations', [{}])[0].get('physicalLocation', {})
|
||||||
msg = r.get('message', {}).get('text', '?')
|
path = loc.get('artifactLocation', {}).get('uri', '?')
|
||||||
rule = r.get('ruleId', '?')
|
line = loc.get('region', {}).get('startLine', '?')
|
||||||
loc = r.get('locations', [{}])[0].get('physicalLocation', {})
|
col = loc.get('region', {}).get('startColumn', '?')
|
||||||
path = loc.get('artifactLocation', {}).get('uri', '?')
|
lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] — {msg}')
|
||||||
line = loc.get('region', {}).get('startLine', '?')
|
|
||||||
col = loc.get('region', {}).get('startColumn', '?')
|
|
||||||
lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] — {msg}')
|
|
||||||
body = '\n'.join(lines)
|
|
||||||
|
|
||||||
print(body)
|
print('\n'.join(lines))
|
||||||
")
|
")
|
||||||
|
|
||||||
curl -s -X POST \
|
curl -sf -X POST \
|
||||||
-H "Authorization: token ${{ github.token }}" \
|
-H "Authorization: token ${{ secrets.FORGEJO_PUSH_TOKEN }}" \
|
||||||
-H "Content-Type: application/json" \
|
-H "Content-Type: application/json" \
|
||||||
"https://bitfreedom.net/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
|
"https://bitfreedom.net/code/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
|
||||||
-d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}"
|
-d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}"
|
||||||
|
|
||||||
- name: Fail if HIGH or above findings found
|
- name: Fail if HIGH or above findings found
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue