.forgejo/workflows/nyxscanner.yml hinzugefügt #18
1 changed files with 40 additions and 10 deletions
|
|
@ -32,18 +32,48 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
cd .nyx-src
|
cd .nyx-src
|
||||||
cargo build --release
|
cargo build --release
|
||||||
cp target/release/nyx /usr/local/bin/nyx
|
|
||||||
|
|
||||||
- name: Run NYX scan
|
- name: Run NYX scan
|
||||||
|
id: nyx
|
||||||
run: |
|
run: |
|
||||||
.nyx-src/target/release/nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif || true
|
.nyx-src/target/release/nyx scan --format sarif --fail-on HIGH > nyx-results.sarif 2>&1
|
||||||
|
continue-on-error: true
|
||||||
|
|
||||||
- name: Show findings
|
- name: Post findings as PR comment
|
||||||
run: cat nyx-results.sarif
|
|
||||||
|
|
||||||
- name: Upload SARIF results
|
|
||||||
if: always()
|
if: always()
|
||||||
uses: https://code.forgejo.org/actions/upload-artifact@v4
|
run: |
|
||||||
with:
|
FINDINGS=$(python3 -c "
|
||||||
name: nyx-sarif-report
|
import json, sys
|
||||||
path: nyx-results.sarif
|
|
||||||
|
with open('nyx-results.sarif') as f:
|
||||||
|
data = json.load(f)
|
||||||
|
|
||||||
|
results = data.get('runs', [{}])[0].get('results', [])
|
||||||
|
|
||||||
|
if not results:
|
||||||
|
body = '✅ NYX scan: no findings above threshold.'
|
||||||
|
else:
|
||||||
|
lines = [f'## 🔴 NYX found {len(results)} issue(s)\n']
|
||||||
|
for r in results:
|
||||||
|
level = r.get('level', '?')
|
||||||
|
msg = r.get('message', {}).get('text', '?')
|
||||||
|
rule = r.get('ruleId', '?')
|
||||||
|
loc = r.get('locations', [{}])[0].get('physicalLocation', {})
|
||||||
|
path = loc.get('artifactLocation', {}).get('uri', '?')
|
||||||
|
line = loc.get('region', {}).get('startLine', '?')
|
||||||
|
col = loc.get('region', {}).get('startColumn', '?')
|
||||||
|
lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] — {msg}')
|
||||||
|
body = '\n'.join(lines)
|
||||||
|
|
||||||
|
print(body)
|
||||||
|
")
|
||||||
|
|
||||||
|
curl -s -X POST \
|
||||||
|
-H "Authorization: token ${{ github.token }}" \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
"https://bitfreedom.net/code/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
|
||||||
|
-d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}"
|
||||||
|
|
||||||
|
- name: Fail if HIGH or above findings found
|
||||||
|
if: steps.nyx.outcome == 'failure'
|
||||||
|
run: exit 1
|
||||||
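Review bot: Redirecting stderr into the report (`2>&1` on the new `nyx scan ... --fail-on HIGH > nyx-results.sarif` line) mixes any scanner warnings or progress output into the SARIF file, so the `json.load(f)` in the "Post findings as PR comment" step fails to parse it whenever the scanner writes anything to stderr; keep the report clean with `> nyx-results.sarif 2> nyx-stderr.log` (or drop the `2>&1`). The comment step also has no event guard, and `${{ github.event.pull_request.number }}` is empty outside pull_request events, which turns the URL into `.../issues//comments`; the workflow triggers are outside this hunk, but an `if: github.event_name == 'pull_request'` on that step would make the intent explicit. `curl -s` hides API errors such as a token without write access to the pull request, so `curl -sf` would at least make a failed post visible in the job log. The `Fail if HIGH or above findings found` gate only mirrors `steps.nyx.outcome`, so a broken report or a failed comment post does not weaken the gate, but the findings would not reach the reviewer.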