feat: mvp (#1)

Reviewed-on: #1 Co-authored-by: Timo Behrendt <t.behrendt@t00n.de> Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>
2026-02-11 19:54:00 +01:00
parent b4a17ff8b5
commit ac5d3b08ca
5 changed files with 171 additions and 0 deletions
--- a/tas-upload-sarif/action.yml
+++ b/tas-upload-sarif/action.yml
@@ -0,0 +1,66 @@
+name: 'TAS Upload SARIF'
+description: 'Upload a SARIF report to TAS (Tea Advanced Security) and fail the job if gating returns allowed: false'
+inputs:
+  tas-base-url:
+    description: 'Base URL of the TAS API (e.g. https://tas.example.com)'
+    required: true
+  sarif-file:
+    description: 'Path to the SARIF report file (JSON)'
+    required: true
+  owner:
+    description: 'Repository owner (default: GitHub repository owner)'
+    required: false
+  repo:
+    description: 'Repository name (default: GitHub repository name)'
+    required: false
+  branch:
+    description: 'Branch name (default: current ref name, e.g. main)'
+    required: false
+runs:
+  using: 'composite'
+  steps:
+    - name: Upload SARIF to TAS and gate
+      shell: bash
+      env:
+        OWNER: ${{ inputs.owner || github.repository_owner }}
+        REPO: ${{ inputs.repo || github.event.repository.name }}
+        BRANCH: ${{ inputs.branch || github.ref_name }}
+        BASE_URL: ${{ inputs.tas-base-url }}
+        SARIF_FILE: ${{ inputs.sarif-file }}
+      run: |
+        BASE_URL="${BASE_URL%/}"
+        URL="${BASE_URL}/repos/${OWNER}/${REPO}/branches/${BRANCH}/reports"
+        echo "Uploading SARIF to TAS: $URL"
+
+        if [[ ! -f "$SARIF_FILE" ]]; then
+          echo "::error::SARIF file not found: $SARIF_FILE"
+          exit 1
+        fi
+
+        RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "$URL" \
+          -H "Content-Type: application/json" \
+          -d @"$SARIF_FILE")
+
+        HTTP_BODY=$(echo "$RESPONSE" | head -n -1)
+        HTTP_CODE=$(echo "$RESPONSE" | tail -n 1)
+
+        if [[ "$HTTP_CODE" != "200" ]]; then
+          echo "::error::TAS API returned HTTP $HTTP_CODE"
+          echo "$HTTP_BODY" | head -20
+          exit 1
+        fi
+
+        ALLOWED=$(echo "$HTTP_BODY" | jq -r '.allowed')
+        REASON=$(echo "$HTTP_BODY" | jq -r '.reason // empty')
+
+        if [[ "$ALLOWED" != "true" ]]; then
+          echo "::error::TAS gating failed (allowed: false). $REASON"
+          echo "::error::new_critical/new_high/new_medium/new_low are in the API response."
+          echo "$HTTP_BODY" | jq '.'
+          exit 1
+        fi
+
+        echo "TAS gating passed (allowed: true)."
+        if [[ -n "$REASON" ]]; then
+          echo "$REASON"
+        fi