🐛 👽 Updated action to work with latest json format (#32)
* 👽 Adjusted code to handle new json report format

* 🍱 Updated static sample data

* 🔥 Removed unused sample data

* 👽 Adjusted to work with new json format

* 💥 Specified a specific govulncheck version instead of latest

* 🗃️ ✅ Using Report from playground
Templum committed Mar 21, 2023
1 parent 3a015a8 commit af8ff86
Showing 12 changed files with 715 additions and 5,125 deletions.
4 changes: 3 additions & 1 deletion README.md
@@ -158,12 +158,14 @@ jobs:
| Input | Description |
|----------------------------------|----------------------------------------------------------------------------------------------------------------|
| `go-version` _(optional)_ | Version of Go used for scanning the code, should equal *your* runtime version. Defaults to `1.19` |
| `vulncheck-version` _(optional)_ | Version of govulncheck that should be used, by default `latest` |
| `vulncheck-version` _(optional)_ | Version of govulncheck that should be used, by default `v0.0.0-20230320232729-bfc1eaef17a4` |
| `package` _(optional)_ | The package you want to scan, by default will be `./...` |
| `github-token` _(optional)_ | Github Token to upload sarif report. **Needs** `write` permissions for `security_events` |
| `fail-on-vuln` _(optional)_ | This allows you to specify if the action should fail on encountering any vulnerability, by default it will not |
| `skip-upload` _(optional)_ | This flag allows you to skip the sarif upload, it will be instead written to disk as `govulncheck-report.sarif`|

> :warning: Please be aware that go-version should be a valid tag name for the [golang dockerhub image](https://hub.docker.com/_/golang/tags).
> :warning: New versions of govulncheck might introduce new report formats, breaking this action. Hence the default version is always the last known working version.
> :lock: Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
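Review bot: the pinned pseudo-version `v0.0.0-20230320232729-bfc1eaef17a4` now appears verbatim in the `vulncheck-version` row and again as the default in `action.yml`, so the two copies will drift the next time the pin is bumped; since the new warning already states that the default is the last known working version, the table row could say just that and leave the literal in one place. The warning should also tell users they can still pass `vulncheck-version: latest` explicitly, accepting the report-format breakage it describes, because as written the table reads as if the pin is the only supported value.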
4 changes: 2 additions & 2 deletions action.yml
@@ -11,9 +11,9 @@ inputs:
required: false
default: "1.19"
vulncheck-version:
description: "Version of govulncheck that should be used, by default latest"
description: "Version of govulncheck that should be used, by default v0.0.0-20230320232729-bfc1eaef17a4"
required: false
default: "latest"
default: "v0.0.0-20230320232729-bfc1eaef17a4"
github-token:
description: "Github App token to upload sarif report. Needs write permissions for security_events. By default it will use 'github.token' value"
default: ${{ github.token }}
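Review bot: the `github-token` description in the unchanged context still calls it a "Github App token" while the README row in this same commit says "Github Token" and the default is `${{ github.token }}`, the workflow's automatic token rather than an App token; pick one wording so users know which credential is expected. On the changed lines, the `description:` embeds the literal default `v0.0.0-20230320232729-bfc1eaef17a4`, duplicating the `default:` field two lines below; dropping the version from the description removes a second place that must be edited whenever the pin moves.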

0 comments on commit af8ff86