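---
# Composite action: POST a SARIF report to the TAS gating endpoint and fail
# the job unless the response carries `allowed: true`.
name: "TAS Upload SARIF"
description: "Upload a SARIF report to TAS (Tea Advanced Security) and fail the job if gating returns allowed: false"

inputs:
  tas-base-url:
    description: "Base URL of the TAS API (e.g. https://tas.example.com)"
    required: true
  sarif-file:
    description: "Path to the SARIF report file (JSON)"
    required: true
  owner:
    description: "Repository owner (default: GitHub repository owner)"
    required: false
  repo:
    description: "Repository name (default: GitHub repository name)"
    required: false
  branch:
    description: "Branch name (default: current ref name, e.g. main)"
    required: false

runs:
  using: "composite"
  steps:
    - name: Upload SARIF to TAS and gate
      shell: bash
      # Inputs reach the script through `env`, not by interpolating `${{ }}`
      # into `run`, so their contents are never re-parsed as shell syntax.
      env:
        OWNER: ${{ inputs.owner || github.repository_owner }}
        REPO: ${{ inputs.repo || github.event.repository.name }}
        BRANCH: ${{ inputs.branch || github.ref_name }}
        BASE_URL: ${{ inputs.tas-base-url }}
        SARIF_FILE: ${{ inputs.sarif-file }}
      run: |
        set -euo pipefail

        # Drop one trailing slash so the URL below does not contain "//".
        BASE_URL="${BASE_URL%/}"

        # Percent-encode each path segment: owner/repo/branch may be supplied
        # by the caller, and a branch such as "feature/x" would otherwise split
        # the path.
        OWNER_ENC=$(jq -rn --arg x "$OWNER" '$x | @uri')
        REPO_ENC=$(jq -rn --arg x "$REPO" '$x | @uri')
        BRANCH_ENC=$(jq -rn --arg x "$BRANCH" '$x | @uri')
        URL="${BASE_URL}/repos/${OWNER_ENC}/${REPO_ENC}/branches/${BRANCH_ENC}/reports"
        echo "Uploading SARIF to TAS: $URL"

        if [[ ! -f "$SARIF_FILE" ]]; then
          echo "::error::SARIF file not found: $SARIF_FILE"
          exit 1
        fi

        # NOTE(review): no credential is sent with this request. If the TAS
        # endpoint requires one, pass it in from a secret via an action input
        # and an Authorization header; never embed it in this file.
        #
        # -sS keeps the progress meter quiet but still prints transport errors
        # (plain -s would fail the step with no message at all); --max-time
        # bounds a hung upload so the job cannot stall (tune to report size).
        # The HTTP status is appended on its own line after the body.
        if ! RESPONSE=$(curl -sS --max-time 120 -w "\n%{http_code}" -X POST "$URL" \
              -H "Content-Type: application/json" \
              -H "Accept: application/json" \
              -d @"$SARIF_FILE"); then
          echo "::error::Request to TAS failed before an HTTP response was received: $URL"
          exit 1
        fi

        # Split body and status with parameter expansion; `head -n -1` is
        # GNU-only and breaks on macOS runners.
        HTTP_CODE="${RESPONSE##*$'\n'}"
        HTTP_BODY="${RESPONSE%$'\n'*}"

        if [[ "$HTTP_CODE" != "200" ]]; then
          echo "::error::TAS API returned HTTP $HTTP_CODE"
          printf '%s\n' "$HTTP_BODY" | head -20
          exit 1
        fi

        # Gating verdict. The string compare means a missing or non-boolean
        # field ("null") fails closed instead of passing.
        ALLOWED=$(printf '%s' "$HTTP_BODY" | jq -r '.allowed')
        # The reason comes from the server; CR/LF are collapsed so it cannot
        # smuggle a second `::` workflow command into the job log.
        REASON=$(printf '%s' "$HTTP_BODY" | jq -r '(.reason // empty) | tostring | gsub("[\r\n]+"; " ")')

        if [[ "$ALLOWED" != "true" ]]; then
          echo "::error::TAS gating failed (allowed: false). $REASON"
          echo "::error::new_critical/new_high/new_medium/new_low are in the API response."
          printf '%s' "$HTTP_BODY" | jq '.'
          exit 1
        fi

        echo "TAS gating passed (allowed: true)."
        if [[ -n "$REASON" ]]; then
          echo "$REASON"
        fi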