Timo Behrendt
5e1031a9ef
All checks were successful
CD / Release (push) Successful in 1m49s
Reviewed-on: #7 Co-authored-by: Timo Behrendt <t.behrendt@t00n.de> Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>
TAS Upload SARIF
Reusable GitHub Action that uploads a SARIF report to TAS (Tea Advanced Security) and fails the job if the API responds with allowed: false (e.g. new findings above your policy).
Inputs
| Input | Required | Description |
|---|---|---|
tas-base-url |
Yes | Base URL of the TAS API (e.g. https://tas.example.com) |
sarif-file |
Yes | Path to the SARIF report file (JSON) |
owner |
No | Repository owner (default: github.repository_owner) |
repo |
No | Repository name (default: github.event.repository.name) |
branch |
No | Branch name (default: github.ref_name) |
Usage
- name: Upload SARIF to TAS and gate
uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1
with:
tas-base-url: "https://tas.example.com"
sarif-file: "results.sarif"
With explicit owner/repo/branch (e.g. for monorepos or custom refs):
- uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1
with:
tas-base-url: ${{ vars.TAS_BASE_URL }}
sarif-file: "scan-output.sarif"
owner: ${{ github.repository_owner}}
repo: ${{ github.event.repository.name }}
branch: ${{ github.head_ref }}
Behavior
- POSTs the SARIF file to
{tas-base-url}/repos/{owner}/{repo}/branches/{branch}/reports. - On HTTP non-200, the step fails and prints the response body.
- On success, reads the JSON response:
- If
allowedistrue, the step succeeds. - If
allowedisfalse, the step fails and printsreasonand the full response (e.g.new_critical,new_high,new_findings).
- If
Requirements
- GitHub-hosted runners:
curlandjqare available by default. - Self-hosted runners: ensure
curlandjqare installed.