-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathaction.yml
56 lines (54 loc) · 2.72 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
name: "Golang Vulncheck"
description: "Performs vulnerability scan using govulncheck and afterwards uploads it as Sarif Report to Github"
author: "Templum"
inputs:
package:
description: "The package you want to scan, by default will be ./..."
required: false
default: "./..."
working-directory:
description: "The working directory, from where the scan should start, by default will be github.workspace"
required: false
default: ${{ github.workspace }}
go-version:
description: "Can be any Tag for the golang docker image, but should ideally match your runtime go version. By default 1.21.4 is assumed"
required: false
default: "1.21.4"
vulncheck-version:
description: "Version of govulncheck that should be used, by default v1.1.3"
required: false
default: "v1.1.3"
github-token:
description: "Github App token to upload sarif report. Needs write permissions for security_events. By default it will use 'github.token' value"
default: ${{ github.token }}
required: false
fail-on-vuln:
description: "This allows you to specify if the action should fail on encountering any vulnerability, by default it will not"
default: "false"
required: false
skip-upload:
description: "This flag allows you to skip the sarif upload, it will be instead written to disk"
default: "false"
required: false
runs:
using: "composite"
steps:
- id: determine-working-directory
run: |
source ${{ github.action_path }}/determine-wd.sh ${{ github.workspace }} ${{ inputs.working-directory }}
echo "DOCKER_WD=${DOCKER_WD}" >> "$GITHUB_ENV"
echo "GITHUBH_WD=${GITHUBH_WD}" >> "$GITHUB_ENV"
shell: bash
- id: config
run: echo "GOLANG_VERSION=${{ inputs.go-version }} VULNCHECK_VERSION=${{ inputs.vulncheck-version }}"
shell: bash
- id: build
run: docker build --build-arg GOLANG_VERSION="${{ inputs.go-version }}" --build-arg GH_PAT_TOKEN=$GH_PAT_TOKEN --build-arg GOPRIVATE=$GOPRIVATE --build-arg VULNCHECK_VERSION="${{ inputs.vulncheck-version }}" -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH
shell: bash
- id: run
run: docker run --rm -v $(pwd):${{ env.DOCKER_WD }} --workdir ${{ env.DOCKER_WD }} -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e SKIP_UPLOAD=${{ inputs.skip-upload }} -e DEBUG=${DEBUG} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
shell: bash
working-directory: ${{ env.GITHUBH_WD }}
branding:
icon: "alert-octagon"
color: "red"