✨ Implemented Strict Mode Support

README.md

@@ -1,8 +1,8 @@
 # Golang Vulncheck
-Performs vulnerability scan using govulncheck and afterwards uploads it as [Sarif](https://sarifweb.azurewebsites.net/) Report to Github
 
 [![CI Flow](https://github.com/Templum/govulncheck-action/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/Templum/govulncheck-action/actions/workflows/ci.yml) [![Release Process](https://github.com/Templum/govulncheck-action/actions/workflows/release.yml/badge.svg)](https://github.com/Templum/govulncheck-action/actions/workflows/release.yml)
 
+This action uses govulncheck to perform a scan of the code, afterwards it will parse the output and transform it into an [Sarif](https://sarifweb.azurewebsites.net/) Report, which will be uploaded to Github using the [code-scanning API](https://docs.github.com/en/rest/code-scanning#upload-an-analysis-as-sarif-data). **Please note** this requires write-permission for `security_events`. The result should then be visible within the security-tab. By default this action won't exit with a failure if a vulnerability was found, but it can be configured this way.
 
 ## :information_source: Limitations of govulncheck :information_source:
 
@@ -35,16 +35,18 @@ jobs:
           vulncheck-version: latest
           package: ./...
           github-token: ${{ secrets.GITHUB_TOKEN }}
+          fail-on-vuln: true
 ```
 
 ### Inputs
 
-| Input                            | Description                                                                                       |
-|----------------------------------|---------------------------------------------------------------------------------------------------|
-| `go-version` _(optional)_        | Version of Go used for scanning the code, should equal *your* runtime version. Defaults to `1.19` |
-| `vulncheck-version` _(optional)_ | Version of govulncheck that should be used, by default `latest`                                   |
-| `package` _(optional)_           | The package you want to scan, by default will be `./...`                                          |
-| `github-token` _(optional)_      | Github Token to upload sarif report. Needs *write* permissions for `security_events`              |
+| Input                            | Description                                                                                                    |
+|----------------------------------|----------------------------------------------------------------------------------------------------------------|
+| `go-version` _(optional)_        | Version of Go used for scanning the code, should equal *your* runtime version. Defaults to `1.19`              |
+| `vulncheck-version` _(optional)_ | Version of govulncheck that should be used, by default `latest`                                                |
+| `package` _(optional)_           | The package you want to scan, by default will be `./...`                                                       |
+| `github-token` _(optional)_      | Github Token to upload sarif report. **Needs** `write` permissions for `security_events`                       |
+| `fail-on-vuln` _(optional)_      | This allows you to specify if the action should fail on encountering any vulnerability, by default it will not |
 
 > :warning: Please be aware that go-version should be a valid tag name for the [golang dockerhub image](https://hub.docker.com/_/golang/tags).
 

action.yml

@@ -18,6 +18,10 @@ inputs:
     description: "Github App token to upload sarif report. Needs write permissions for security_events. By default it will use 'github.token' value"
     default: ${{ github.token }}
     required: false
+  fail-on-vuln:
+    description: "This allows you to specify if the action should fail on encountering any vulnerability, by default it will not"
+    default: false
+    required: false
 
 runs:
   using: "composite"
@@ -26,7 +30,7 @@ runs:
       run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH
       shell: bash
     - id: run
-      run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e PACKAGE=${{ inputs.package }} -e VERSION=${{ inputs.version }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
+      run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
       shell: bash
 
 branding:

main.go

@@ -41,6 +41,11 @@ func main() {
 		Str("Go-Arch", runtime.GOARCH).
 		Msg("GoEnvironment Details:")
 
+	logger.Debug().
+		Str("Package", os.Getenv("PACKAGE")).
+		Str("Fail on Vulnerabilities", os.Getenv("STRICT")).
+		Msg("Action Inputs:")
+
 	result, err := scanner.Scan()
 	if err != nil {
 		logger.Error().Err(err).Msg("Scanning yielded error")
@@ -63,4 +68,14 @@ func main() {
 	}
 
 	logger.Info().Msg("Successfully uploaded Sarif Report to Github, it will be available after processing")
+
+	if os.Getenv("STRICT") == "true" {
+		logger.Debug().Msg("Action is running in strict mode")
+
+		if len(vulnerableStacks) > 0 {
+			logger.Info().Msg("Encountered at least one vulnerability while running in strict mode, will mark outcome as failed")
+			os.Exit(2)
+		}
+	}
+
 }

pkg/vulncheck/runner.go

@@ -52,6 +52,7 @@ func (r *CmdScanner) Scan() (*vulncheck.Result, error) {
 	var result vulncheck.Result
 	err := json.Unmarshal(out, &result)
 	if err != nil {
+		r.log.Error().Err(err).Msg("parsing govulncheck output yielded error")
 		return nil, errors.New("scan failed to produce proper report")
 	}