Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Github action #420

Closed
wants to merge 56 commits into from
Closed

Github action #420

wants to merge 56 commits into from

Conversation

another-rex
Copy link
Collaborator

@another-rex another-rex commented Jun 21, 2023
edited
Loading

This PR features:

  • Refactors the format flag's internal logic so that we can don't need to repeat the format types so much, and we can test when we add a new format entry if we forgot anything.
  • Adds a new format "sarif", which returns a SARIF report (closes Add support for SARIF output #216 )
  • Adds a Github Action action.yaml and it's specialized dockerfile action.dockerfile. This docker image runs a bash script wrapping osv-scanner, first by preprocessing the input so the last argument will be split by new line, allowing the workflow user to pass in multiple directories/files they wish to scan. The script also changes exit codes 127 and 128 to 0 as they contain errors that the user can't really do anything about.
  • Adds a workflow using this new github action for this repo
  • Sorts the grouped ID output.

Example of what workflow sarif output looks like:
image

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@another-rex another-rex changed the title Markdown output Github action Jun 23, 2023
@another-rex
Copy link
Collaborator Author

  • Added a test for the sarif output
  • Removed markdowntext.go
  • Refactored Sarif reporter so that most of the logic is in the internal output library

oliverchang
oliverchang reviewed Jun 28, 2023
View reviewed changes
.github/workflows/osv-scanner.yml Outdated
results-file: results.sarif
to-scan: |-
./
./cmd/osv-scanner/fixtures/locks-many/
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is the second arg still necessary if we're doing recursive scans?

.github/workflows/osv-scanner.yml
# The branches below must be a subset of the branches above
branches: [ main ]
merge_group:
branches: [ main ]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we make this a reusable workflow to let users easily use this? https://github.blog/2022-02-10-using-reusable-workflows-github-actions/

Disclaimer: I haven't looked too deeply into this. There's also composite actions which is something different.

internal/output/sarif.go Outdated Show resolved Hide resolved
pkg/models/results.go Outdated Show resolved Hide resolved
@oliverchang oliverchang mentioned this pull request Jul 3, 2023
Closed
@another-rex another-rex closed this Jul 5, 2023
@another-rex another-rex mentioned this pull request Jul 13, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oliverchang oliverchang oliverchang left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add support for SARIF output
2 participants
@another-rex @oliverchang