Skip to content

Commit

Permalink
🐛 👽 Updated action to work with latest json format (#32)
Browse files Browse the repository at this point in the history
* 👽 Adjusted code to handle new json report format

* 🍱 Updated static sample data

* 🔥 Removed unused sample data

* 👽 Adjusted to work with new json format

* 💥 Specified a specific govulncheck version instead of latest

* 🗃️ ✅ Using Report from playground
  • Loading branch information
Templum authored Mar 21, 2023
1 parent 3a015a8 commit af8ff86
Show file tree
Hide file tree
Showing 12 changed files with 715 additions and 5,125 deletions.
4 changes: 3 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -158,12 +158,14 @@ jobs:
| Input | Description |
|----------------------------------|----------------------------------------------------------------------------------------------------------------|
| `go-version` _(optional)_ | Version of Go used for scanning the code, should equal *your* runtime version. Defaults to `1.19` |
| `vulncheck-version` _(optional)_ | Version of govulncheck that should be used, by default `latest` |
| `vulncheck-version` _(optional)_ | Version of govulncheck that should be used, by default `v0.0.0-20230320232729-bfc1eaef17a4` |
| `package` _(optional)_ | The package you want to scan, by default will be `./...` |
| `github-token` _(optional)_ | Github Token to upload sarif report. **Needs** `write` permissions for `security_events` |
| `fail-on-vuln` _(optional)_ | This allows you to specify if the action should fail on encountering any vulnerability, by default it will not |
| `skip-upload` _(optional)_ | This flag allows you to skip the sarif upload, it will be instead written to disk as `govulncheck-report.sarif`|

> :warning: Please be aware that go-version should be a valid tag name for the [golang dockerhub image](https://hub.docker.com/_/golang/tags).

> :warning: New versions of govulncheck might introduce new report formats, breaking this action. Hence the default version is always the last known working version.

> :lock: Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
4 changes: 2 additions & 2 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,9 @@ inputs:
required: false
default: "1.19"
vulncheck-version:
description: "Version of govulncheck that should be used, by default latest"
description: "Version of govulncheck that should be used, by default v0.0.0-20230320232729-bfc1eaef17a4"
required: false
default: "latest"
default: "v0.0.0-20230320232729-bfc1eaef17a4"
github-token:
description: "Github App token to upload sarif report. Needs write permissions for security_events. By default it will use 'github.token' value"
default: ${{ github.token }}
Expand Down
Loading

0 comments on commit af8ff86

Please sign in to comment.