This repository has been archived by the owner on Oct 25, 2023. It is now read-only.

whispers github action #72

Closed
davidogbiko opened this issue Aug 17, 2021 · 4 comments

Comments

@davidogbiko

This tool is ideal for a CI pipeline, and it would be great if we had a whispers GitHub Action in the GitHub Actions marketplace.

@adeptex
Contributor

adeptex commented Aug 22, 2021

hey @davidogbiko, thanks for your feedback.

I have bounced this idea around, and here are several thoughts that come to mind:

  • Running Whispers with GA means everybody will see the secrets printed in the build log, unless there is already tooling to send results elsewhere. Doing this in a private repo would mitigate exposure, but there are definitely security concerns there.
  • If you are building with GA already, and want to use Whispers anyway, currently the simplest form for a GA step would be something like:
```yaml
- name: Run whispers
  run: |
    pip3 install whispers
    whispers src/dir
```

What do you think? Are there any specific benefits of having a GA in the marketplace over the above example? Let me know what you think!

Best regards
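
Added example (not part of the thread and not whispers' own code): one way to address the build-log exposure raised above is to pass scanner findings through a filter that masks the secret value before anything is printed. The JSON field names and sample findings are constructed assumptions, not whispers' documented output format.

```python
import json

# Constructed sample findings. The field names are assumptions for this
# example, not whispers' documented output format.
SAMPLE_FINDINGS = json.dumps([
    {"file": "src/dir/settings.yml", "line": 12, "key": "db_password",
     "value": "hunter2-constructed", "severity": "CRITICAL"},
    {"file": "src/dir/.npmrc", "line": 3, "key": "_authToken",
     "value": "constructed-token-0000", "severity": "MAJOR"},
])

SENSITIVE_FIELDS = {"value"}  # fields that must never reach the build log


def redact(finding):
    """Return a copy of one finding with sensitive fields masked."""
    safe = {}
    for name, val in finding.items():
        if name in SENSITIVE_FIELDS:
            # Keep only the length so reviewers can tell findings apart.
            safe[name] = f"<redacted:{len(str(val))} chars>"
        else:
            safe[name] = val
    return safe


def log_lines(raw_json):
    """Turn raw scanner JSON into log-safe, single-line summaries."""
    lines = []
    for f in map(redact, json.loads(raw_json)):
        lines.append(
            f"{f.get('severity', 'UNKNOWN')} {f.get('file')}:{f.get('line')} "
            f"key={f.get('key')} value={f.get('value')}"
        )
    return lines


def exit_code(raw_json):
    """Non-zero when anything was found, so the CI step fails."""
    return 1 if json.loads(raw_json) else 0


if __name__ == "__main__":
    for line in log_lines(SAMPLE_FINDINGS):
        print(line)
    raise SystemExit(exit_code(SAMPLE_FINDINGS))
```

The build log then records where each finding is and how severe it is, while the unredacted report stays in whatever restricted location the pipeline writes it to.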

@davidogbiko
Author

Our current implementation mirrors what we have in this repo https://github.com/davidogbiko/whispers_test, using a private Docker image and running on a private project as well. A marketplace GA would reduce config repetition across repos.

@adeptex
Contributor

adeptex commented Sep 1, 2021

hey @davidogbiko,

Your workflow implies that you already have a prebuilt image for running whispers. You could provision that container with your whispers config, and then use that container to scan all your projects. This would avoid config replication, and is the approach I would recommend.

@davidogbiko
Author

Thanks @adeptex, I will follow your recommendation. I think we can close this issue.
