.forgejo/workflows/nyxscanner.yml aktualisiert
This commit is contained in:
parent
af05a4772e
commit
aebbe832c2
1 changed files with 10 additions and 53 deletions
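--- a/.forgejo/workflows/nyxscanner.yml
+++ b/.forgejo/workflows/nyxscanner.yml
@@ -17,59 +17,16 @@ jobs:
 git fetch --depth=1 origin ${{ github.sha }}
 git checkout ${{ github.sha }}
 
-- name: Clone nyx from Forgejo mirror
+- name: Fetch action source
 run: |
 git clone --depth=1 --branch master \
-"https://oauth2:${{ github.token }}@bitfreedom.net/code/apunkt/nyx.git" \
-.nyx-src
+"https://oauth2:${{ github.token }}@bitfreedom.net/code/nomyo-ai/actions.git" \
+./.nyx-action
 
-- name: Install Rust
-run: |
-curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable
-echo "$HOME/.cargo/bin" >> $GITHUB_PATH
-
-- name: Build nyx from source
-run: |
-cd .nyx-src
-cargo build --release
-
-- name: Run NYX scan
-id: nyx
-run: |
-.nyx-src/target/release/nyx scan --format sarif --fail-on LOW > nyx-results.sarif 2>&1
-continue-on-error: true
-
-- name: Post findings as PR comment
-if: steps.nyx.outcome == 'failure'
-run: |
-FINDINGS=$(python3 -c "
-import json, sys
-
-with open('nyx-results.sarif') as f:
-data = json.load(f)
-
-results = data.get('runs', [{}])[0].get('results', [])
-
-lines = [f'## 🔴 NYX found {len(results)} issue(s)\n']
-for r in results:
-level = r.get('level', '?')
-msg = r.get('message', {}).get('text', '?')
-rule = r.get('ruleId', '?')
-loc = r.get('locations', [{}])[0].get('physicalLocation', {})
-path = loc.get('artifactLocation', {}).get('uri', '?')
-line = loc.get('region', {}).get('startLine', '?')
-col = loc.get('region', {}).get('startColumn', '?')
-lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] — {msg}')
-
-print('\n'.join(lines))
-")
-
-curl -sf -X POST \
--H "Authorization: token ${{ secrets.FORGEJO_PUSH_TOKEN }}" \
--H "Content-Type: application/json" \
-"https://bitfreedom.net/code/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
--d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}"
-
-- name: Fail if HIGH or above findings found
-if: steps.nyx.outcome == 'failure'
-run: exit 1
+- uses: ./.nyx-action/nyx-scan
+with:
+forgejo_push_token: ${{ secrets.FORGEJO_PUSH_TOKEN }}
+repository: ${{ github.repository }}
+pr_number: ${{ github.event.pull_request.number }}
+sha: ${{ github.sha }}
+fail_on: HIGH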
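Review bot: The "Fetch action source" step clones `nomyo-ai/actions` at the moving `master` branch and the very next step executes that checkout with `secrets.FORGEJO_PUSH_TOKEN` as an input, so anyone who can push to that branch controls what runs in this job and can read the push token; pin the action to a specific commit and check it out explicitly, the same way the context lines above already do for `${{ github.sha }}`. A fixed commit also gives an integrity check that `--branch master` does not, because git verifies the object it checks out while a branch tip is whatever the remote serves at that moment. Whether pull requests from forks receive repository secrets on this Forgejo instance is not visible here; if they do, the pin matters even more, since `fail_on` and the token inputs become reachable from untrusted PRs. The enclosing `steps:` list and the job header begin before this hunk.
```yaml
- name: Fetch action source
  env:
    NYX_ACTION_SHA: <full-commit-sha>  # pin; bump deliberately after reviewing the action
  run: |
    git clone --depth=1 \
      "https://oauth2:${{ github.token }}@bitfreedom.net/code/nomyo-ai/actions.git" \
      ./.nyx-action
    git -C ./.nyx-action fetch --depth=1 origin "$NYX_ACTION_SHA"
    git -C ./.nyx-action checkout "$NYX_ACTION_SHA"
# … unchanged: uses: ./.nyx-action/nyx-scan and its with: inputs …
```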