Merge branch 'main' into feat-add-reusable-workflow

Reviewed-on: #10
Co-authored-by: Timo Behrendt <t.behrendt@t00n.de>
Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>

.gitea/workflows/cd.yaml

@@ -4,6 +4,8 @@ on:
   push:
     branches:
       - main
+    paths:
+      - "tas-upload-sarif/**"
   workflow_dispatch:
 
 jobs:
@@ -11,7 +13,7 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
       - name: Increment tag
@@ -19,6 +21,7 @@ jobs:
         uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@af46017d0af5fd6af4425f8e6961f14280a1acd1 # 0.1.26
         with:
           token: ${{ secrets.GITEA_TOKEN }}
+          prerelease: ${{ github.event_name == 'workflow_dispatch' }}
       - name: Push tag
         uses: https://gitea.t000-n.de/t.behrendt/actions/release-git-tag@1b8fe65eda1ea0a7586a5fd552ef8f4a639b154f # 0.1.3
         with:

.gitea/workflows/run-tas.yaml

@@ -0,0 +1,143 @@
+name: Run TAS
+
+on:
+  workflow_call:
+    inputs:
+      scan-config:
+        description: "Scan the configuration files"
+        required: false
+        default: false
+        type: boolean
+      image-scan-files:
+        description: "List of files to scan for images"
+        required: false
+        default: ""
+        type: string
+      pre-pull-images:
+        description: "Pre-pull the images"
+        required: false
+        default: false
+        type: boolean
+      trivy-server:
+        description: "Trivy server to use"
+        required: false
+        default: "https://trivy.gitea.t00n.de"
+        type: string
+      tas-base-url:
+        description: "TAS base URL"
+        required: false
+        default: "https://tas.gitea.t00n.de"
+        type: string
+      repository-name:
+        description: "Repository name"
+        required: true
+        type: string
+      branch-name:
+        description: "Branch name"
+        required: true
+        type: string
+      repository-owner:
+        description: "Repository owner"
+        required: true
+        type: string
+
+jobs:
+  config-scan:
+    runs-on: ubuntu-latest
+    if: inputs.scan-config == true
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.0
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.0
+      - run: |
+          trivy config --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output config-sarif.json .
+        env:
+          TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
+      - uses: https://github.com/christopherHX/gitea-upload-artifact@v4
+        with:
+          name: config-sarif
+          path: config-sarif.json
+
+  image-scan:
+    runs-on: ubuntu-latest
+    if: inputs.image-scan-files != ""
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.0
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.0
+      - name: Get Images From Files
+        id: get-images
+        uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/get-images-from-files@1.4.0
+        with:
+          files: ${{ inputs.image-scan-files }}
+      - name: Pull images
+        if: inputs.pre-pull-images == true
+        run: |
+          set -e
+          images='${{ steps.get-images.outputs.images }}'
+          for img in $(echo "$images" | jq -r '.[]'); do
+            docker pull "$img"
+          done
+      - name: Scan images
+        id: scan
+        run: |
+          set -e
+          images='${{ steps.get-images.outputs.images }}'
+          count=$(echo "$images" | jq 'length')
+          if [ "$count" -eq 0 ]; then
+            echo "No images found"
+            exit 1
+          fi
+          i=0
+          for img in $(echo "$images" | jq -r '.[]'); do
+            trivy image --cache-dir "$TRIVY_CACHE_DIR" --server ${{ inputs.trivy-server }} --exit-code 0 --scanners vuln --format sarif --output "sarif-image-${i}.json" "$img"
+            i=$((i + 1))
+          done
+          {
+            echo "files<<EOF"
+            for j in $(seq 0 $((i - 1))); do echo "  - sarif-image-${j}.json"; done
+            echo "EOF"
+          } >> $GITHUB_OUTPUT
+          echo "count=$i" >> $GITHUB_OUTPUT
+        env:
+          TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
+      - name: Merge image SARIF files
+        if: steps.scan.outputs.count != '0'
+        uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.1-rc-e78ced192dbed9db9a04540a2a27c75924f1d5ea
+        with:
+          files: ${{ steps.scan.outputs.files }}
+          output-file: image-sarif.json
+      - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
+        with:
+          name: image-sarif
+          path: image-sarif.json
+
+  merge-and-upload:
+    runs-on: ubuntu-latest
+    needs: [config-scan, image-scan]
+    if: inputs.scan-config == true || inputs.image-scan-files != ""
+    steps:
+      - name: Download config SARIF
+        uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
+        with:
+          name: config-sarif
+          path: config-sarif-artifact
+      - name: Download image SARIF
+        uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
+        with:
+          name: image-sarif
+          path: image-sarif-artifact
+      - name: Merge SARIF files
+        uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.1-rc-e78ced192dbed9db9a04540a2a27c75924f1d5ea
+        with:
+          files: |
+            - config-sarif-artifact/config-sarif.json
+            - image-sarif-artifact/image-sarif.json
+          output-file: sarif.json
+      - uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@0.0.2
+        with:
+          tas-base-url: ${{ inputs.tas-base-url }}
+          sarif-file: sarif.json
+          owner: ${{ inputs.repository-owner }}
+          repo: ${{ inputs.repository-name }}
+          branch: ${{ inputs.branch-name }}

README.md

@@ -7,24 +7,6 @@ Reusable GitHub Actions for [TAS (Tea Advanced Security)](https://github.com/go-
 ### [tas-upload-sarif](tas-upload-sarif/)
 
 Uploads a SARIF report from a file to TAS and **fails the job** if the API returns `allowed: false`.
+sarif-file: 'results.sarif'
 
-**Example workflow** (e.g. after a security scan that produces SARIF):
-
-```yaml
-jobs:
-  scan:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      # Run your scanner and produce SARIF (e.g. to results.sarif)
-      # - run: ./run-scanner --output results.sarif
-
-      - name: Upload SARIF to TAS and gate
-        uses: your-org/tas-actions/tas-upload-sarif@v1
-        with:
-          tas-base-url: 'https://tas.example.com'
-          sarif-file: 'results.sarif'
-```
-
-See [tas-upload-sarif/README.md](tas-upload-sarif/README.md) for all inputs and options.
+See [tas-upload-sarif/README.md](tas-upload-sarif/README.md) for all inputs and options.

tas-upload-sarif/README.md

@@ -25,10 +25,10 @@ Reusable GitHub Action that uploads a SARIF report to [TAS (Tea Advanced Securit
 With explicit owner/repo/branch (e.g. for monorepos or custom refs):
 
 ```yaml
-- uses: [your-org/tas-actions/tas-upload-sarif@v1](https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1)
+- uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1
   with:
     tas-base-url: ${{ vars.TAS_BASE_URL }}
-    sarif-file: 'scan-output.sarif'
+    sarif-file: "scan-output.sarif"
     owner: ${{ github.repository_owner}}
     repo: ${{ github.event.repository.name }}
     branch: ${{ github.head_ref }}

tas-upload-sarif/action.yml

@@ -1,23 +1,23 @@
-name: 'TAS Upload SARIF'
-description: 'Upload a SARIF report to TAS (Tea Advanced Security) and fail the job if gating returns allowed: false'
+name: "TAS Upload SARIF"
+description: "Upload a SARIF report to TAS (Tea Advanced Security) and fail the job if gating returns allowed: false"
 inputs:
   tas-base-url:
-    description: 'Base URL of the TAS API (e.g. https://tas.example.com)'
+    description: "Base URL of the TAS API (e.g. https://tas.example.com)"
     required: true
   sarif-file:
-    description: 'Path to the SARIF report file (JSON)'
+    description: "Path to the SARIF report file (JSON)"
     required: true
   owner:
-    description: 'Repository owner (default: GitHub repository owner)'
+    description: "Repository owner (default: GitHub repository owner)"
     required: false
   repo:
-    description: 'Repository name (default: GitHub repository name)'
+    description: "Repository name (default: GitHub repository name)"
     required: false
   branch:
-    description: 'Branch name (default: current ref name, e.g. main)'
+    description: "Branch name (default: current ref name, e.g. main)"
     required: false
 runs:
-  using: 'composite'
+  using: "composite"
   steps:
     - name: Upload SARIF to TAS and gate
       shell: bash
@@ -29,7 +29,10 @@ runs:
         SARIF_FILE: ${{ inputs.sarif-file }}
       run: |
         BASE_URL="${BASE_URL%/}"
-        URL="${BASE_URL}/repos/${OWNER}/${REPO}/branches/${BRANCH}/reports"
+        OWNER_ENC=$(jq -rn --arg x "$OWNER" '$x | @uri')
+        REPO_ENC=$(jq -rn --arg x "$REPO" '$x | @uri')
+        BRANCH_ENC=$(jq -rn --arg x "$BRANCH" '$x | @uri')
+        URL="${BASE_URL}/repos/${OWNER_ENC}/${REPO_ENC}/branches/${BRANCH_ENC}/reports"
         echo "Uploading SARIF to TAS: $URL"
 
         if [[ ! -f "$SARIF_FILE" ]]; then