t.behrendt/tas-actions
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Releases Activity

feat: mvp (#1)
Some checks failed
CD / Release (push) Failing after 13s
Details

Browse Source 
Reviewed-on: #1
Co-authored-by: Timo Behrendt <t.behrendt@t00n.de>
Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>
This commit was merged in pull request #1.
This commit is contained in:
Timo Behrendt
2026-02-11 19:54:00 +01:00
committed by t.behrendt
parent b4a17ff8b5
commit ac5d3b08ca
5 changed files with 171 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
tas-upload-sarif/README.md Normal file
View File

@@ -0,0 +1,48 @@
# TAS Upload SARIF
Reusable GitHub Action that uploads a SARIF report to [TAS (Tea Advanced Security)](https://github.com/go-gitea/gitea) and **fails the job** if the API responds with `allowed: false` (e.g. new findings above your policy).
## Inputs
| Input | Required | Description |
| -------------- | -------- | --------------------------------------------------------- |
| `tas-base-url` | Yes | Base URL of the TAS API (e.g. `https://tas.example.com`) |
| `sarif-file` | Yes | Path to the SARIF report file (JSON) |
| `owner` | No | Repository owner (default: `github.repository_owner`) |
| `repo` | No | Repository name (default: `github.event.repository.name`) |
| `branch` | No | Branch name (default: `github.ref_name`) |
## Usage
```yaml
- name: Upload SARIF to TAS and gate
uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1
with:
tas-base-url: "https://tas.example.com"
sarif-file: "results.sarif"
```
With explicit owner/repo/branch (e.g. for monorepos or custom refs):
```yaml
- uses: [your-org/tas-actions/tas-upload-sarif@v1](https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1)
with:
tas-base-url: ${{ vars.TAS_BASE_URL }}
sarif-file: 'scan-output.sarif'
owner: ${{ github.repository_owner}}
repo: ${{ github.event.repository.name }}
branch: ${{ github.head_ref }}
```
## Behavior
1. **POST**s the SARIF file to `{tas-base-url}/repos/{owner}/{repo}/branches/{branch}/reports`.
2. On HTTP non-200, the step fails and prints the response body.
3. On success, reads the JSON response:
- If `allowed` is `true`, the step succeeds.
- If `allowed` is `false`, the step **fails** and prints `reason` and the full response (e.g. `new_critical`, `new_high`, `new_findings`).
## Requirements
- **GitHub-hosted runners**: `curl` and `jq` are available by default.
- **Self-hosted runners**: ensure `curl` and `jq` are installed.