✨ Allow skipping Sarif Upload (#13)

* 🔧 Minor Renaming * ✨ Added option to skip upload * 📝 Documented new feature Also extended example descriptions a bit * 📝 Used collapsed sections * 🔧 Explicit installing all dev tools
Templum · Nov 6, 2022 · c75372f · c75372f
1 parent 40992ab
commit c75372f
Show file tree

Hide file tree

Showing 5 changed files with 77 additions and 10 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -14,7 +14,15 @@ RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/
 
 # [Optional] Uncomment the next lines to use go get to install anything else you need
 USER vscode
+
+# Installing govulncheck && tools used by VSCode Go Extension+
 RUN go install golang.org/x/vuln/cmd/govulncheck@latest
+RUN go install github.com/cweill/gotests/gotests@latest
+RUN go install github.com/fatih/gomodifytags@latest
+RUN go install github.com/go-delve/delve/cmd/dlv@latest
+RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+RUN go install golang.org/x/tools/gopls@latest
+
 
 # [Optional] Uncomment this line to install global node packages.
 # RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && npm install -g <your-package-here>" 2>&1
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -5,7 +5,7 @@
     "version": "0.2.0",
     "configurations": [
         {
-            "name": "Launch Package",
+            "name": "Launch Action",
             "type": "go",
             "request": "launch",
             "mode": "auto",

diff --git a/README.md b/README.md
@@ -18,7 +18,12 @@ For a full list of currently known limitations please head over to [here](https:
 
 ## Usage
 
-### Example Workflow
+### Example Workflows
+
+<details>
+  <summary>
+  This configuration uses a different version of go (1.18) scans ./... and will fail if at least one vulnerability was found. Also it explicitly sets the github-token.
+  </summary>
 
 ```yaml
 name: My Workflow
@@ -37,6 +42,33 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           fail-on-vuln: true
 ```
+</details>
+
+<details>
+  <summary>
+  This configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action
+  to upload the result directly as build artifact.
+  </summary>
+
+```yaml
+name: My Workflow
+on: [push, pull_request]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Running govulncheck
+        uses: Templum/govulncheck-action@<version>
+        with:
+          skip-upload: true
+      - name: Upload Sarif Report
+        uses: actions/upload-artifact@v3
+        with:
+          name: sarif-report
+          path: govulncheck-report.sarif
+```
+</details>
 
 ### Inputs
 
@@ -47,6 +79,7 @@ jobs:
 | `package` _(optional)_           | The package you want to scan, by default will be `./...`                                                       |
 | `github-token` _(optional)_      | Github Token to upload sarif report. **Needs** `write` permissions for `security_events`                       |
 | `fail-on-vuln` _(optional)_      | This allows you to specify if the action should fail on encountering any vulnerability, by default it will not |
+| `skip-upload` _(optional)_       | This flag allows you to skip the sarif upload, it will be instead written to disk as `govulncheck-report.sarif`|
 
 > :warning: Please be aware that go-version should be a valid tag name for the [golang dockerhub image](https://hub.docker.com/_/golang/tags).
 

diff --git a/action.yml b/action.yml
@@ -22,6 +22,10 @@ inputs:
     description: "This allows you to specify if the action should fail on encountering any vulnerability, by default it will not"
     default: false
     required: false
+  skip-upload:
+    description: "This flag allows you to skip the sarif upload, it will be instead written to disk"
+    default: false
+    required: false
 
 runs:
   using: "composite"
@@ -30,7 +34,7 @@ runs:
       run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH
       shell: bash
     - id: run
-      run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
+      run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e SKIP_UPLOAD=${{ inputs.skip-upload }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
       shell: bash
 
 branding:

diff --git a/main.go b/main.go
@@ -43,6 +43,7 @@ func main() {
 
 	logger.Debug().
 		Str("Package", os.Getenv("PACKAGE")).
+		Str("Skip Upload", os.Getenv("SKIP_UPLOAD")).
 		Str("Fail on Vulnerabilities", os.Getenv("STRICT")).
 		Msg("Action Inputs:")
 
@@ -61,13 +62,35 @@ func main() {
 		os.Exit(2)
 	}
 
-	err = github.UploadReport(reporter)
-	if err != nil {
-		logger.Error().Err(err).Msg("Upload of Sarif Report GitHub yielded error")
-		os.Exit(2)
-	}
+	if os.Getenv("SKIP_UPLOAD") == "true" {
+		logger.Info().Msg("Action is configured to skip upload instead will write to disk")
+
+		fileName := "govulncheck-report.sarif"
+		reportFile, err := os.Create(fileName)
+
+		if err != nil {
+			logger.Error().Err(err).Msg("Failed to create report file")
+			os.Exit(2)
+		}
+
+		defer reportFile.Close()
 
-	logger.Info().Msg("Successfully uploaded Sarif Report to Github, it will be available after processing")
+		err = reporter.Write(reportFile)
+		if err != nil {
+			logger.Error().Err(err).Msg("Writing report to file yielded error")
+			os.Exit(2)
+		}
+
+		logger.Info().Msgf("Successfully wrote sarif report to file %s", fileName)
+	} else {
+		err := github.UploadReport(reporter)
+		if err != nil {
+			logger.Error().Err(err).Msg("Upload of Sarif Report GitHub yielded error")
+			os.Exit(2)
+		}
+
+		logger.Info().Msg("Successfully uploaded Sarif Report to Github, it will be available after processing")
+	}
 
 	if os.Getenv("STRICT") == "true" {
 		logger.Debug().Msg("Action is running in strict mode")
@@ -77,5 +100,4 @@ func main() {
 			os.Exit(2)
 		}
 	}
-
 }