
tspascoal/fail-workflow-on-alerts-action


Fail workflow on alerts action


It is recommended that you use advanced-security-compliance instead; it is more feature-rich than Fail workflow on alerts action.

Warning

EXPERIMENTAL. The semantics have not been completely tested. Use at your own peril.

This action fails a workflow if there are open Code Scanning alerts that exceed the defined thresholds (e.g. more than X alerts of severity error).

It scans for open alerts on the current git reference, whether the workflow runs for a pull request or not.

Failing is optional: the action always outputs the number of open alerts found per severity, and fails the workflow only when the number of alerts of a given severity is greater than the corresponding max_<severity> input.

Known issue: if the action runs immediately after the SARIF file upload (by whichever action performs the upload), the results may lag behind, because GitHub processes uploaded SARIF files asynchronously. Run the action as late in the workflow as possible. With wait-for-processing left at its default this no longer happens; it only recurs if you set wait-for-processing to false.

Alternatively, you can configure the severity of alerts that causes a failed check and combine this with branch protection rules to prevent pull requests from being merged.

Usage

- uses: tspascoal/fail-workflow-on-alerts-action@v0
  id: alerts
  with:
    max_errors: 10 # optional; omit or set to -1 to ignore alerts of this severity
    max_warnings: 100 # optional; omit or set to -1 to ignore alerts of this severity
    max_notes: 1000 # optional; omit or set to -1 to ignore alerts of this severity
    max_unknowns: 5 # optional; omit or set to -1 to ignore alerts of this severity
    max_none: 3 # optional; omit or set to -1 to ignore alerts of this severity

- run: |
    echo number errors ${{ steps.alerts.outputs.error }}
    echo number warnings ${{ steps.alerts.outputs.warning }}
    echo number notes ${{ steps.alerts.outputs.note }}

Alternatives

An alternative is to inspect the SARIF file generated by CodeQL (or any other scanning tool) directly and fail the workflow if it contains results. The disadvantage of this method is that it cannot ignore alerts you have dismissed in the UI as not important.

This method is described here.
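The following is an added example (JavaScript, not the action's own code) showing the check described above in both flavours: counting open alerts per severity from the JSON that GitHub's code scanning alerts API returns for a ref, which is what the action's thresholds operate on, and counting results straight from a SARIF file, which is the alternative just described. The threshold semantics mirror the inputs in the Usage section (omit a limit or set it to -1 to ignore that severity). The alert list and SARIF document are constructed inline so the script runs offline; in a real workflow you would fetch the alerts with GET /repos/{owner}/{repo}/code-scanning/alerts?ref=<ref>&state=open using a token that can read code scanning alerts (security-events: read for GITHUB_TOKEN), which is an assumption about the wiring rather than something this page documents. The constructed data deliberately includes one alert dismissed in the UI, so the SARIF count trips a threshold that the API count does not.

```javascript
// Added example, not the action's own code: count Code Scanning alerts by
// severity and fail on thresholds the way the action's inputs describe.

// Severity buckets reported by the action; "unknown" catches anything else.
const SEVERITIES = ["error", "warning", "note", "none", "unknown"];

function emptyCounts() {
  return Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
}

// Severity of one alert as returned by the code scanning alerts API
// (rule.severity is one of none/note/warning/error; absent -> unknown).
function severityOf(alert) {
  const s = alert && alert.rule ? alert.rule.severity : undefined;
  return SEVERITIES.includes(s) ? s : "unknown";
}

// Count open alerts by severity. A state=open query already excludes
// dismissed and fixed alerts; the filter here makes that explicit for an
// unfiltered list.
function countOpenAlerts(alerts) {
  const counts = emptyCounts();
  for (const alert of alerts) {
    if (alert.state !== "open") continue;
    counts[severityOf(alert)] += 1;
  }
  return counts;
}

// Count SARIF results by level. Dismissal state lives on the GitHub side,
// not in the SARIF file, so every result counts. A result without a level
// is treated as "warning" (the spec's final fallback; the rule-level default
// that precedes it is skipped in this example).
function countSarifResults(sarif) {
  const counts = emptyCounts();
  for (const run of sarif.runs || []) {
    for (const result of run.results || []) {
      const level = result.level || "warning";
      counts[SEVERITIES.includes(level) ? level : "unknown"] += 1;
    }
  }
  return counts;
}

// Compare counts against limits keyed by severity (like max_errors,
// max_warnings, ...). A missing limit or -1 means that severity is ignored.
// Returns the list of violated thresholds; empty means the check passes.
function exceeded(counts, limits) {
  const failures = [];
  for (const s of SEVERITIES) {
    const max = limits[s];
    if (max === undefined || max < 0) continue;
    if (counts[s] > max) failures.push(`${s}: ${counts[s]} > ${max}`);
  }
  return failures;
}

// Constructed sample data (not real scan output). Alert 3 was dismissed in
// the UI; the SARIF file still carries the matching result.
const apiAlerts = [
  { number: 1, state: "open", rule: { id: "js/sql-injection", severity: "error" } },
  { number: 2, state: "open", rule: { id: "js/log-injection", severity: "warning" } },
  { number: 3, state: "dismissed", rule: { id: "js/unused-local-variable", severity: "note" } },
  { number: 4, state: "open", rule: { id: "js/custom-check" } }, // no severity -> unknown
];

const sarifDoc = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "CodeQL" } },
    results: [
      { ruleId: "js/sql-injection", level: "error" },
      { ruleId: "js/log-injection", level: "warning" },
      { ruleId: "js/unused-local-variable", level: "note" },
      { ruleId: "js/custom-check" }, // no level -> counted as warning
    ],
  }],
};

// Run both counts against the same limits. Allowing zero notes makes the
// dismissed-in-UI alert the deciding difference between the two methods.
function demo() {
  const limits = { error: 10, warning: 100, note: 0, unknown: 5 }; // none omitted -> ignored
  const fromApi = countOpenAlerts(apiAlerts);
  const fromSarif = countSarifResults(sarifDoc);
  return {
    fromApi,
    fromSarif,
    apiFailures: exceeded(fromApi, limits),
    sarifFailures: exceeded(fromSarif, limits),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With these limits the API-based count passes while the SARIF-based count fails on the note that was dismissed in the UI, which is exactly the drawback of reading the SARIF file directly. Note also that a SARIF result with no level is counted as a warning here; the spec's full fallback also consults the rule's defaultConfiguration, which this example skips.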

Related actions

If you want to generate a PDF report of security findings, you can use the GitHub Security Report Action.

License

MIT License

About

GitHub Action to fail a workflow if code scanning alerts exceed certain thresholds
