Skip to content

Commit

Permalink
✨ Allow skipping Sarif Upload (#13)
Browse files Browse the repository at this point in the history
* 🔧 Minor Renaming

* ✨ Added option to skip upload

* 📝 Documented new feature

Also extended example descriptions a bit

* 📝 Used collapsed sections

* 🔧 Explicit installing all dev tools
  • Loading branch information
Templum authored Nov 6, 2022
1 parent 40992ab commit c75372f
Show file tree
Hide file tree
Showing 5 changed files with 77 additions and 10 deletions.
8 changes: 8 additions & 0 deletions .devcontainer/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,15 @@ RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/

# [Optional] Uncomment the next lines to use go get to install anything else you need
USER vscode

# Installing govulncheck && tools used by VSCode Go Extension+
RUN go install golang.org/x/vuln/cmd/govulncheck@latest
RUN go install github.com/cweill/gotests/gotests@latest
RUN go install github.com/fatih/gomodifytags@latest
RUN go install github.com/go-delve/delve/cmd/dlv@latest
RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
RUN go install golang.org/x/tools/gopls@latest


# [Optional] Uncomment this line to install global node packages.
# RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && npm install -g <your-package-here>" 2>&1
2 changes: 1 addition & 1 deletion .vscode/launch.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
"version": "0.2.0",
"configurations": [
{
"name": "Launch Package",
"name": "Launch Action",
"type": "go",
"request": "launch",
"mode": "auto",
Expand Down
35 changes: 34 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,12 @@ For a full list of currently known limitations please head over to [here](https:

## Usage

### Example Workflow
### Example Workflows

<details>
<summary>
This configuration uses a different version of go (1.18) scans ./... and will fail if at least one vulnerability was found. Also it explicitly sets the github-token.
</summary>

```yaml
name: My Workflow
Expand All @@ -37,6 +42,33 @@ jobs:
github-token: ${{ secrets.GITHUB_TOKEN }}
fail-on-vuln: true
```
</details>
<details>
<summary>
This configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action
to upload the result directly as build artifact.
</summary>
```yaml
name: My Workflow
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Running govulncheck
uses: Templum/govulncheck-action@<version>
with:
skip-upload: true
- name: Upload Sarif Report
uses: actions/upload-artifact@v3
with:
name: sarif-report
path: govulncheck-report.sarif
```
</details>
### Inputs
Expand All @@ -47,6 +79,7 @@ jobs:
| `package` _(optional)_ | The package you want to scan, by default will be `./...` |
| `github-token` _(optional)_ | Github Token to upload sarif report. **Needs** `write` permissions for `security_events` |
| `fail-on-vuln` _(optional)_ | This allows you to specify if the action should fail on encountering any vulnerability, by default it will not |
| `skip-upload` _(optional)_ | This flag allows you to skip the sarif upload, it will be instead written to disk as `govulncheck-report.sarif`|

> :warning: Please be aware that go-version should be a valid tag name for the [golang dockerhub image](https://hub.docker.com/_/golang/tags).

Expand Down
6 changes: 5 additions & 1 deletion action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,10 @@ inputs:
description: "This allows you to specify if the action should fail on encountering any vulnerability, by default it will not"
default: false
required: false
skip-upload:
description: "This flag allows you to skip the sarif upload, it will be instead written to disk"
default: false
required: false

runs:
using: "composite"
Expand All @@ -30,7 +34,7 @@ runs:
run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH
shell: bash
- id: run
run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e SKIP_UPLOAD=${{ inputs.skip-upload }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
shell: bash

branding:
Expand Down
36 changes: 29 additions & 7 deletions main.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ func main() {

logger.Debug().
Str("Package", os.Getenv("PACKAGE")).
Str("Skip Upload", os.Getenv("SKIP_UPLOAD")).
Str("Fail on Vulnerabilities", os.Getenv("STRICT")).
Msg("Action Inputs:")

Expand All @@ -61,13 +62,35 @@ func main() {
os.Exit(2)
}

err = github.UploadReport(reporter)
if err != nil {
logger.Error().Err(err).Msg("Upload of Sarif Report GitHub yielded error")
os.Exit(2)
}
if os.Getenv("SKIP_UPLOAD") == "true" {
logger.Info().Msg("Action is configured to skip upload instead will write to disk")

fileName := "govulncheck-report.sarif"
reportFile, err := os.Create(fileName)

if err != nil {
logger.Error().Err(err).Msg("Failed to create report file")
os.Exit(2)
}

defer reportFile.Close()

logger.Info().Msg("Successfully uploaded Sarif Report to Github, it will be available after processing")
err = reporter.Write(reportFile)
if err != nil {
logger.Error().Err(err).Msg("Writing report to file yielded error")
os.Exit(2)
}

logger.Info().Msgf("Successfully wrote sarif report to file %s", fileName)
} else {
err := github.UploadReport(reporter)
if err != nil {
logger.Error().Err(err).Msg("Upload of Sarif Report GitHub yielded error")
os.Exit(2)
}

logger.Info().Msg("Successfully uploaded Sarif Report to Github, it will be available after processing")
}

if os.Getenv("STRICT") == "true" {
logger.Debug().Msg("Action is running in strict mode")
Expand All @@ -77,5 +100,4 @@ func main() {
os.Exit(2)
}
}

}

0 comments on commit c75372f

Please sign in to comment.