Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| a2c4af54ae | |||
| 1d5ce5e8f4 | |||
| 38d311a43c | |||
| efb2257a09 | |||
| 418e1b34e9 | |||
| 4d8d18d4c4 | |||
| ac31a169e0 | |||
| 26ac67db47 | |||
| 5e1031a9ef | |||
| cd7a5213f7 | |||
| f62ea6cc43 |
@@ -4,6 +4,8 @@ on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths:
|
||||
- "tas-upload-sarif/**"
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
@@ -11,15 +13,16 @@ jobs:
|
||||
name: Release
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.2
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Increment tag
|
||||
id: tag
|
||||
uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@af46017d0af5fd6af4425f8e6961f14280a1acd1 # 0.1.26
|
||||
uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@41b7e04221df8a033bec841d40a097b76e5f67ff # 0.1.29
|
||||
with:
|
||||
token: ${{ secrets.GITEA_TOKEN }}
|
||||
prerelease: ${{ github.event_name == 'workflow_dispatch' }}
|
||||
- name: Push tag
|
||||
uses: https://gitea.t000-n.de/t.behrendt/actions/release-git-tag@1b8fe65eda1ea0a7586a5fd552ef8f4a639b154f # 0.1.3
|
||||
uses: https://gitea.t000-n.de/t.behrendt/actions/release-git-tag@3925c92fc33f3d2bc87d28d21ab691b7e6dd6cdf # 0.2.1
|
||||
with:
|
||||
tag: ${{ steps.tag.outputs.new-tag }}
|
||||
|
||||
22
README.md
22
README.md
@@ -7,24 +7,6 @@ Reusable GitHub Actions for [TAS (Tea Advanced Security)](https://github.com/go-
|
||||
### [tas-upload-sarif](tas-upload-sarif/)
|
||||
|
||||
Uploads a SARIF report from a file to TAS and **fails the job** if the API returns `allowed: false`.
|
||||
sarif-file: 'results.sarif'
|
||||
|
||||
**Example workflow** (e.g. after a security scan that produces SARIF):
|
||||
|
||||
```yaml
|
||||
jobs:
|
||||
scan:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
# Run your scanner and produce SARIF (e.g. to results.sarif)
|
||||
# - run: ./run-scanner --output results.sarif
|
||||
|
||||
- name: Upload SARIF to TAS and gate
|
||||
uses: your-org/tas-actions/tas-upload-sarif@v1
|
||||
with:
|
||||
tas-base-url: 'https://tas.example.com'
|
||||
sarif-file: 'results.sarif'
|
||||
```
|
||||
|
||||
See [tas-upload-sarif/README.md](tas-upload-sarif/README.md) for all inputs and options.
|
||||
See [tas-upload-sarif/README.md](tas-upload-sarif/README.md) for all inputs and options.
|
||||
|
||||
@@ -25,10 +25,10 @@ Reusable GitHub Action that uploads a SARIF report to [TAS (Tea Advanced Securit
|
||||
With explicit owner/repo/branch (e.g. for monorepos or custom refs):
|
||||
|
||||
```yaml
|
||||
- uses: [your-org/tas-actions/tas-upload-sarif@v1](https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1)
|
||||
- uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1
|
||||
with:
|
||||
tas-base-url: ${{ vars.TAS_BASE_URL }}
|
||||
sarif-file: 'scan-output.sarif'
|
||||
sarif-file: "scan-output.sarif"
|
||||
owner: ${{ github.repository_owner}}
|
||||
repo: ${{ github.event.repository.name }}
|
||||
branch: ${{ github.head_ref }}
|
||||
|
||||
@@ -1,23 +1,23 @@
|
||||
name: 'TAS Upload SARIF'
|
||||
description: 'Upload a SARIF report to TAS (Tea Advanced Security) and fail the job if gating returns allowed: false'
|
||||
name: "TAS Upload SARIF"
|
||||
description: "Upload a SARIF report to TAS (Tea Advanced Security) and fail the job if gating returns allowed: false"
|
||||
inputs:
|
||||
tas-base-url:
|
||||
description: 'Base URL of the TAS API (e.g. https://tas.example.com)'
|
||||
description: "Base URL of the TAS API (e.g. https://tas.example.com)"
|
||||
required: true
|
||||
sarif-file:
|
||||
description: 'Path to the SARIF report file (JSON)'
|
||||
description: "Path to the SARIF report file (JSON)"
|
||||
required: true
|
||||
owner:
|
||||
description: 'Repository owner (default: GitHub repository owner)'
|
||||
description: "Repository owner (default: GitHub repository owner)"
|
||||
required: false
|
||||
repo:
|
||||
description: 'Repository name (default: GitHub repository name)'
|
||||
description: "Repository name (default: GitHub repository name)"
|
||||
required: false
|
||||
branch:
|
||||
description: 'Branch name (default: current ref name, e.g. main)'
|
||||
description: "Branch name (default: current ref name, e.g. main)"
|
||||
required: false
|
||||
runs:
|
||||
using: 'composite'
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Upload SARIF to TAS and gate
|
||||
shell: bash
|
||||
@@ -29,7 +29,10 @@ runs:
|
||||
SARIF_FILE: ${{ inputs.sarif-file }}
|
||||
run: |
|
||||
BASE_URL="${BASE_URL%/}"
|
||||
URL="${BASE_URL}/repos/${OWNER}/${REPO}/branches/${BRANCH}/reports"
|
||||
OWNER_ENC=$(jq -rn --arg x "$OWNER" '$x | @uri')
|
||||
REPO_ENC=$(jq -rn --arg x "$REPO" '$x | @uri')
|
||||
BRANCH_ENC=$(jq -rn --arg x "$BRANCH" '$x | @uri')
|
||||
URL="${BASE_URL}/repos/${OWNER_ENC}/${REPO_ENC}/branches/${BRANCH_ENC}/reports"
|
||||
echo "Uploading SARIF to TAS: $URL"
|
||||
|
||||
if [[ ! -f "$SARIF_FILE" ]]; then
|
||||
|
||||
Reference in New Issue
Block a user