Files

CD / Release (push) Successful in 12s

Details

Reviewed-on: #4
Co-authored-by: Timo Behrendt <t.behrendt@t00n.de>
Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>

2026-02-11 19:58:08 +01:00

2.0 KiB

Raw Permalink Blame History

TAS Upload SARIF

Reusable GitHub Action that uploads a SARIF report to TAS (Tea Advanced Security) and fails the job if the API responds with allowed: false (e.g. new findings above your policy).

Inputs

Input	Required	Description
`tas-base-url`	Yes	Base URL of the TAS API (e.g. `https://tas.example.com`)
`sarif-file`	Yes	Path to the SARIF report file (JSON)
`owner`	No	Repository owner (default: `github.repository_owner`)
`repo`	No	Repository name (default: `github.event.repository.name`)
`branch`	No	Branch name (default: `github.ref_name`)

Usage

- name: Upload SARIF to TAS and gate
  uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1
  with:
    tas-base-url: "https://tas.example.com"
    sarif-file: "results.sarif"

With explicit owner/repo/branch (e.g. for monorepos or custom refs):

- uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1
  with:
    tas-base-url: ${{ vars.TAS_BASE_URL }}
    sarif-file: "scan-output.sarif"
    owner: ${{ github.repository_owner}}
    repo: ${{ github.event.repository.name }}
    branch: ${{ github.head_ref }}

Behavior

POSTs the SARIF file to {tas-base-url}/repos/{owner}/{repo}/branches/{branch}/reports.
On HTTP non-200, the step fails and prints the response body.
On success, reads the JSON response:
- If allowed is true, the step succeeds.
- If allowed is false, the step fails and prints reason and the full response (e.g. new_critical, new_high, new_findings).

Requirements

GitHub-hosted runners: curl and jq are available by default.
Self-hosted runners: ensure curl and jq are installed.

2.0 KiB Raw Permalink Blame History