Merge pull request #20 from kartverket/skip-severity-check

Add option to disable severity check
kartverket · Feb 19, 2024 · d6601c1 · d6601c1
2 parents 8afd771 + 3260952
commit d6601c1
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -16,13 +16,14 @@ As of v0.1.0 only GitHub registries are tested and supported.
 
 ### Inputs
 
-| Key                  | Required | Description                                                                                                                                                                                                                         |
-| -------------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| image_url            |          | The Docker image url must be of the form `registry/repository:tag` or `registry/repository@digest` for run-security-scans. It is not required; however, in order to run Trivy image_url must be supplied.                           |
-| trivy                |          | An optional boolean that determines whether trivy-scan will be run. Defaults to 'true'.                                                                                                                                             |
-| tfsec                |          | An optional boolean that determines whether tfsec-scan will be run. Defaults to 'true'.                                                                                                                                             |
-| allow_severity_level |          | A string which determines the highest level of severity the security scans can find while still succeeding workflows. Only `medium`, `high` and `critical` are allowed as input strings. Note that these values are case sensitive. |
-| trivy_category       |          | A category for describing the Trivy action. Useful for differentiating between different runs of different images.                                                                                                                  |
+| Key                    | Required | Description                                                                                                                                                                                                                         |
+|------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| image_url              |          | The Docker image url must be of the form `registry/repository:tag` or `registry/repository@digest` for run-security-scans. It is not required; however, in order to run Trivy image_url must be supplied.                           |
+| trivy                  |          | An optional boolean that determines whether trivy-scan will be run. Defaults to 'true'.                                                                                                                                             |
+| tfsec                  |          | An optional boolean that determines whether tfsec-scan will be run. Defaults to 'true'.                                                                                                                                             |
+| allow_severity_level   |          | A string which determines the highest level of severity the security scans can find while still succeeding workflows. Only `medium`, `high` and `critical` are allowed as input strings. Note that these values are case sensitive. |
+| disable_severity_check |          | Disables the severity check to allow action to succeed regardless of result. Useful for ad-hoc runs to update the status for the given branch. Defaults to `false`.                                                                 |
+| trivy_category         |          | A category for describing the Trivy action. Useful for differentiating between different runs of different images.                                                                                                                  |
 
 ### Example usage
 

diff --git a/action.yaml b/action.yaml
@@ -19,6 +19,10 @@ inputs:
     description: "A string which determines the highest level of severity the security scans can find while still succeeding workflows. Only `medium`, `high` and `critical` are allowed as input strings. Note that these values are case sensitive."
     required: false
     default: medium
+  disable_severity_check:
+    description: "Skip checking severity of scan results. Useful when running the action ad-hoc to update the Github security status."
+    required: false
+    default: "false"
   trivy_category:
     description: "A category for describing the Trivy action. Useful for differentiating between different runs of different images."
     required: false
@@ -103,6 +107,7 @@ runs:
     #
 
     - name: Set high and critical severity outputs
+      if: inputs.disable_severity_check != 'true'
       id: severity_check_outputs
       shell: bash
       env:
@@ -125,6 +130,7 @@ runs:
         echo "is_critical_vuln_present=$is_critical_vuln_present" >> $GITHUB_OUTPUT
 
     - name: Succeed or fail based on severity
+      if: inputs.disable_severity_check != 'true'
       id: severity_check
       shell: bash
       env: