-
Notifications
You must be signed in to change notification settings - Fork 94
Expand file tree
/
Copy pathaction.yml
More file actions
160 lines (148 loc) · 5.97 KB
/
Copy pathaction.yml
File metadata and controls
160 lines (148 loc) · 5.97 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
name: Sanctifier Security Analysis
description: Scan Soroban contracts for vulnerabilities
author: HyperSafeD
branding:
icon: shield
color: blue
inputs:
path:
description: Contract path to analyze
required: false
default: "."
version:
description: >-
sanctifier-cli version to install (e.g. 0.2.3). If omitted and the action
is used via a semver tag (e.g. HyperSafeD/Sanctifier@v0.2.3), the tag
version is used automatically.
required: false
default: ""
min-severity:
description: Minimum severity to report (critical|high|medium|low|info)
required: false
default: high
format:
description: Output format (text|json|sarif)
required: false
default: sarif
upload-sarif:
description: Upload SARIF to GitHub code scanning when format is sarif
required: false
default: "true"
sarif-output:
description: Path for generated SARIF report
required: false
default: sanctifier-results.sarif
debug:
description: Enable verbose debug logging for the action steps (safe-by-default; no secrets)
required: false
default: "false"
use-docker:
description: Run sanctifier via the ghcr.io/hypersafed/sanctifier Docker image instead of installing via cargo
required: false
default: "false"
outputs:
findings-count:
description: Total number of findings
value: ${{ steps.summarize.outputs.findings-count }}
runs:
using: composite
steps:
- name: Validate action inputs
shell: bash
run: |
python "${{ github.action_path }}/scripts/action_inputs.py" \
--path "${{ inputs.path }}" \
--min-severity "${{ inputs.min-severity }}" \
--format "${{ inputs.format }}" \
--upload-sarif "${{ inputs.upload-sarif }}" \
--sarif-output "${{ inputs.sarif-output }}" \
--debug "${{ inputs.debug }}" \
--output "$RUNNER_TEMP/sanctifier_action_inputs"
cat "$RUNNER_TEMP/sanctifier_action_inputs" >> "$GITHUB_ENV"
- name: Install Sanctifier CLI
if: ${{ inputs.use-docker != 'true' }}
shell: bash
run: |
python "${{ github.action_path }}/scripts/resolve_action_version.py" \
--action-ref "${{ github.action_ref }}" \
--requested "${{ inputs.version }}" \
--output "$RUNNER_TEMP/sanctifier_cli_version"
version="$(cat "$RUNNER_TEMP/sanctifier_cli_version" || true)"
if [ "${SANCTIFIER_ACTION_DEBUG:-false}" = "true" ]; then
echo "[sanctifier-action][debug] action_ref=${{ github.action_ref }} requested_version=${{ inputs.version }} resolved_version=${version:-latest}"
fi
if [ -n "$version" ]; then
echo "Installing sanctifier-cli==$version"
cargo install sanctifier-cli --locked --version "$version"
else
echo "Installing sanctifier-cli (latest)"
cargo install sanctifier-cli --locked
fi
- name: Analyze project (native)
if: ${{ inputs.use-docker != 'true' }}
shell: bash
run: |
if [ "${SANCTIFIER_ACTION_DEBUG:-false}" = "true" ]; then
echo "[sanctifier-action][debug] scan path=$SANCTIFIER_ACTION_PATH format=$SANCTIFIER_ACTION_FORMAT min_severity=$SANCTIFIER_ACTION_MIN_SEVERITY"
fi
if [ "$SANCTIFIER_ACTION_FORMAT" = "sarif" ]; then
mkdir -p "$(dirname "$SANCTIFIER_ACTION_SARIF_OUTPUT")"
sanctifier analyze "$SANCTIFIER_ACTION_PATH" \
--format sarif \
--min-severity "$SANCTIFIER_ACTION_MIN_SEVERITY" \
--exit-code > "$SANCTIFIER_ACTION_SARIF_OUTPUT"
else
sanctifier analyze "$SANCTIFIER_ACTION_PATH" \
--format "$SANCTIFIER_ACTION_FORMAT" \
--min-severity "$SANCTIFIER_ACTION_MIN_SEVERITY" \
--exit-code
fi
- name: Analyze project (Docker)
if: ${{ inputs.use-docker == 'true' }}
shell: bash
run: |
DOCKER_TAG="${{ inputs.version }}"
if [ -z "$DOCKER_TAG" ]; then
DOCKER_TAG="latest"
fi
SCAN_ABS_PATH="$(realpath "$SANCTIFIER_ACTION_PATH" 2>/dev/null || cd "$SANCTIFIER_ACTION_PATH" && pwd)"
IMAGE_OWNER=$(echo "${{ github.action_repository }}" | cut -d'/' -f1 | tr '[:upper:]' '[:lower:]')
IMAGE="ghcr.io/${IMAGE_OWNER}/sanctifier:${DOCKER_TAG}"
if [ "${SANCTIFIER_ACTION_DEBUG:-false}" = "true" ]; then
echo "[sanctifier-action][debug] scan path=$SCAN_ABS_PATH format=$SANCTIFIER_ACTION_FORMAT min_severity=$SANCTIFIER_ACTION_MIN_SEVERITY docker_image=$IMAGE"
fi
if [ "$SANCTIFIER_ACTION_FORMAT" = "sarif" ]; then
mkdir -p "$(dirname "$SANCTIFIER_ACTION_SARIF_OUTPUT")"
docker run --rm \
-v "${SCAN_ABS_PATH}:/workspace" \
"${IMAGE}" \
analyze /workspace \
--format sarif \
--min-severity "$SANCTIFIER_ACTION_MIN_SEVERITY" \
--exit-code > "$SANCTIFIER_ACTION_SARIF_OUTPUT"
else
docker run --rm \
-v "${SCAN_ABS_PATH}:/workspace" \
"${IMAGE}" \
analyze /workspace \
--format "$SANCTIFIER_ACTION_FORMAT" \
--min-severity "$SANCTIFIER_ACTION_MIN_SEVERITY" \
--exit-code
fi
- name: Summarize findings
id: summarize
shell: bash
run: |
python "${{ github.action_path }}/scripts/action_summary.py" \
--format "$SANCTIFIER_ACTION_FORMAT" \
--path "$SANCTIFIER_ACTION_PATH" \
--min-severity "$SANCTIFIER_ACTION_MIN_SEVERITY" \
--sarif-output "$SANCTIFIER_ACTION_SARIF_OUTPUT"
- name: Upload SARIF
if: >-
${{ env.SANCTIFIER_ACTION_FORMAT == 'sarif'
&& env.SANCTIFIER_ACTION_UPLOAD_SARIF == 'true'
&& !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) }}
uses: github/codeql-action/upload-sarif@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
with:
sarif_file: ${{ env.SANCTIFIER_ACTION_SARIF_OUTPUT }}