t.behrendt/tas-actions
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Releases Activity
Files
main
tas-actions/tas-upload-sarif/action.yml
Timo Behrendt 5e1031a9ef
All checks were successful
CD / Release (push) Successful in 1m49s
Details
fix: url encode owner, repo, and branch name (#7) 
Reviewed-on: #7
Co-authored-by: Timo Behrendt <t.behrendt@t00n.de>
Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>
2026-02-12 20:23:23 +01:00

70 lines
2.4 KiB
YAML
Raw Permalink Blame History

name: "TAS Upload SARIF"
description: "Upload a SARIF report to TAS (Tea Advanced Security) and fail the job if gating returns allowed: false"
inputs:
tas-base-url:
description: "Base URL of the TAS API (e.g. https://tas.example.com)"
required: true
sarif-file:
description: "Path to the SARIF report file (JSON)"
required: true
owner:
description: "Repository owner (default: GitHub repository owner)"
required: false
repo:
description: "Repository name (default: GitHub repository name)"
required: false
branch:
description: "Branch name (default: current ref name, e.g. main)"
required: false
runs:
using: "composite"
steps:
- name: Upload SARIF to TAS and gate
shell: bash
env:
OWNER: ${{ inputs.owner || github.repository_owner }}
REPO: ${{ inputs.repo || github.event.repository.name }}
BRANCH: ${{ inputs.branch || github.ref_name }}
BASE_URL: ${{ inputs.tas-base-url }}
SARIF_FILE: ${{ inputs.sarif-file }}
run: |
BASE_URL="${BASE_URL%/}"
OWNER_ENC=$(jq -rn --arg x "$OWNER" '$x | @uri')
REPO_ENC=$(jq -rn --arg x "$REPO" '$x | @uri')
BRANCH_ENC=$(jq -rn --arg x "$BRANCH" '$x | @uri')
URL="${BASE_URL}/repos/${OWNER_ENC}/${REPO_ENC}/branches/${BRANCH_ENC}/reports"
echo "Uploading SARIF to TAS: $URL"
if [[ ! -f "$SARIF_FILE" ]]; then
echo "::error::SARIF file not found: $SARIF_FILE"
exit 1
fi
RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "$URL" \
-H "Content-Type: application/json" \
-d @"$SARIF_FILE")
HTTP_BODY=$(echo "$RESPONSE" | head -n -1)
HTTP_CODE=$(echo "$RESPONSE" | tail -n 1)
if [[ "$HTTP_CODE" != "200" ]]; then
echo "::error::TAS API returned HTTP $HTTP_CODE"
echo "$HTTP_BODY" | head -20
exit 1
fi
ALLOWED=$(echo "$HTTP_BODY" | jq -r '.allowed')
REASON=$(echo "$HTTP_BODY" | jq -r '.reason // empty')
if [[ "$ALLOWED" != "true" ]]; then
echo "::error::TAS gating failed (allowed: false). $REASON"
echo "::error::new_critical/new_high/new_medium/new_low are in the API response."
echo "$HTTP_BODY" | jq '.'
exit 1
fi
echo "TAS gating passed (allowed: true)."
if [[ -n "$REASON" ]]; then
echo "$REASON"
fi
Reference in New Issue View Git Blame Copy Permalink