49 lines
1.7 KiB
Markdown
49 lines
1.7 KiB
Markdown
# TAS Upload SARIF
|
|
|
|
Reusable GitHub Action that uploads a SARIF report to [TAS (Tea Advanced Security)](https://github.com/go-gitea/gitea) and **fails the job** if the API responds with `allowed: false` (e.g. new findings above your policy).
|
|
|
|
## Inputs
|
|
|
|
| Input | Required | Description |
|
|
|-------|----------|-------------|
|
|
| `tas-base-url` | Yes | Base URL of the TAS API (e.g. `https://tas.example.com`) |
|
|
| `sarif-file` | Yes | Path to the SARIF report file (JSON) |
|
|
| `owner` | No | Repository owner (default: `github.repository_owner`) |
|
|
| `repo` | No | Repository name (default: `github.event.repository.name`) |
|
|
| `branch` | No | Branch name (default: `github.ref_name`) |
|
|
|
|
## Usage
|
|
|
|
```yaml
|
|
- name: Upload SARIF to TAS and gate
|
|
uses: your-org/tas-actions/tas-upload-sarif@v1
|
|
with:
|
|
tas-base-url: 'https://tas.example.com'
|
|
sarif-file: 'results.sarif'
|
|
```
|
|
|
|
With explicit owner/repo/branch (e.g. for monorepos or custom refs):
|
|
|
|
```yaml
|
|
- uses: your-org/tas-actions/tas-upload-sarif@v1
|
|
with:
|
|
tas-base-url: ${{ vars.TAS_BASE_URL }}
|
|
sarif-file: 'scan-output.sarif'
|
|
owner: my-org
|
|
repo: my-repo
|
|
branch: ${{ github.head_ref }}
|
|
```
|
|
|
|
## Behavior
|
|
|
|
1. **POST**s the SARIF file to `{tas-base-url}/repos/{owner}/{repo}/branches/{branch}/reports`.
|
|
2. On HTTP non-200, the step fails and prints the response body.
|
|
3. On success, reads the JSON response:
|
|
- If `allowed` is `true`, the step succeeds.
|
|
- If `allowed` is `false`, the step **fails** and prints `reason` and the full response (e.g. `new_critical`, `new_high`, `new_findings`).
|
|
|
|
## Requirements
|
|
|
|
- **GitHub-hosted runners**: `curl` and `jq` are available by default.
|
|
- **Self-hosted runners**: ensure `curl` and `jq` are installed.
|