diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 402bda5..454c326 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -14,7 +14,15 @@ RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/
 # [Optional] Uncomment the next lines to use go get to install anything else you need
 USER vscode
+
+# Installing govulncheck && tools used by VSCode Go Extension+
 RUN go install golang.org/x/vuln/cmd/govulncheck@latest
+RUN go install github.com/cweill/gotests/gotests@latest
+RUN go install github.com/fatih/gomodifytags@latest
+RUN go install github.com/go-delve/delve/cmd/dlv@latest
+RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+RUN go install golang.org/x/tools/gopls@latest
+
 # [Optional] Uncomment this line to install global node packages.
 # RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && npm install -g " 2>&1
diff --git a/.vscode/launch.json b/.vscode/launch.json
index 76d2320..94df285 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -5,7 +5,7 @@
 "version": "0.2.0",
 "configurations": [
 {
- "name": "Launch Package",
+ "name": "Launch Action",
 "type": "go",
 "request": "launch",
 "mode": "auto",
diff --git a/README.md b/README.md
index 6293380..9952ad6 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,12 @@ For a full list of currently known limitations please head over to [here](https:
 ## Usage
-### Example Workflow
+### Example Workflows
+
+
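Review bot: Every tool the hunk adds is installed with `@latest`, so each devcontainer build resolves whichever module version is current that day and two developers (or the same developer a month apart) can end up with different gopls, dlv and golangci-lint builds; pinning each line to a tagged version (`@vX.Y.Z` — placeholder) keeps the toolchain reproducible and makes upgrades an explicit, reviewable change, in the same spirit as the `VULNCHECK_VERSION` build arg the action's own Dockerfile appears to take in action.yml. The module checksum database still verifies what is downloaded, so this is about drift, not integrity. The comment text `VSCode Go Extension+` looks like it carries a stray trailing `+`; `# Install govulncheck and the tools used by the VS Code Go extension` reads cleaner.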
+ + This configuration uses a different version of go (1.18) scans ./... and will fail if at least one vulnerability was found. Also it explicitly sets the github-token. + ```yaml name: My Workflow @@ -37,6 +42,33 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} fail-on-vuln: true ``` +
+ +
+ + This configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action + to upload the result directly as build artifact. + + +```yaml +name: My Workflow +on: [push, pull_request] +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Running govulncheck + uses: Templum/govulncheck-action@ + with: + skip-upload: true + - name: Upload Sarif Report + uses: actions/upload-artifact@v3 + with: + name: sarif-report + path: govulncheck-report.sarif +``` +
 ### Inputs
@@ -47,6 +79,7 @@ jobs:
 | `package` _(optional)_ | The package you want to scan, by default will be `./...` |
 | `github-token` _(optional)_ | Github Token to upload sarif report. **Needs** `write` permissions for `security_events` |
 | `fail-on-vuln` _(optional)_ | This allows you to specify if the action should fail on encountering any vulnerability, by default it will not |
+| `skip-upload` _(optional)_ | This flag allows you to skip the sarif upload, it will be instead written to disk as `govulncheck-report.sarif`|
 > :warning: Please be aware that go-version should be a valid tag name for the [golang dockerhub image](https://hub.docker.com/_/golang/tags).
diff --git a/action.yml b/action.yml
index 35210eb..46bd7ae 100644
--- a/action.yml
+++ b/action.yml
@@ -22,6 +22,10 @@ inputs:
 description: "This allows you to specify if the action should fail on encountering any vulnerability, by default it will not"
 default: false
 required: false
+ skip-upload:
+ description: "This flag allows you to skip the sarif upload, it will be instead written to disk"
+ default: false
+ required: false
 runs:
 using: "composite"
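Review bot: The new `skip-upload` input's description says the report "will be instead written to disk" but not where, while the README table in the same commit names `govulncheck-report.sarif` and main.go hard-codes that name; the action-level description is the one users see without opening the README, so it should carry the file name too. Suggest `description: "Skip the sarif upload and write the report to the workspace as govulncheck-report.sarif instead"`. It may also be worth stating that the value is compared as the string `true`, since action inputs are always strings.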
@@ -30,7 +34,7 @@ runs:
 run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH
 shell: bash
 - id: run
- run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
+ run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e SKIP_UPLOAD=${{ inputs.skip-upload }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
 shell: bash
 branding:
diff --git a/main.go b/main.go
index dbc3bf7..596598a 100644
--- a/main.go
+++ b/main.go
@@ -43,6 +43,7 @@ func main() {
 logger.Debug().
 Str("Package", os.Getenv("PACKAGE")).
+ Str("Skip Upload", os.Getenv("SKIP_UPLOAD")).
 Str("Fail on Vulnerabilities", os.Getenv("STRICT")).
 Msg("Action Inputs:")
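Review bot: The added `-e SKIP_UPLOAD=${{ inputs.skip-upload }}` is expanded into the bash `run:` command line unquoted, like the other inputs on that line, so the shell interprets the raw input text before `docker run` sees it; the usual hardening is to map the inputs into the step's `env:` block and reference them as `$SKIP_UPLOAD` etc. in the command, which keeps the expression out of the shell entirely. Since the Go side compares the variable to the literal `"true"` and the input is a plain string with `default: false`, a workflow that passes `True` or `1` will silently take the upload path; normalising on the Go side (`strconv.ParseBool` or `strings.EqualFold`) would make the new flag tolerant. The container still receives `GITHUB_TOKEN` when the upload is skipped; if the token is only needed for the upload, leaving it unset in that mode would give the scan step less than it needs today (I cannot see the default of `github-token` from this hunk, so treat that as a suggestion to check).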
@@ -61,13 +62,35 @@ func main() {
 os.Exit(2)
 }
- err = github.UploadReport(reporter)
- if err != nil {
- logger.Error().Err(err).Msg("Upload of Sarif Report GitHub yielded error")
- os.Exit(2)
- }
+ if os.Getenv("SKIP_UPLOAD") == "true" {
+ logger.Info().Msg("Action is configured to skip upload instead will write to disk")
+
+ fileName := "govulncheck-report.sarif"
+ reportFile, err := os.Create(fileName)
+
+ if err != nil {
+ logger.Error().Err(err).Msg("Failed to create report file")
+ os.Exit(2)
+ }
+
+ defer reportFile.Close()
- logger.Info().Msg("Successfully uploaded Sarif Report to Github, it will be available after processing")
+ err = reporter.Write(reportFile)
+ if err != nil {
+ logger.Error().Err(err).Msg("Writing report to file yielded error")
+ os.Exit(2)
+ }
+
+ logger.Info().Msgf("Successfully wrote sarif report to file %s", fileName)
+ } else {
+ err := github.UploadReport(reporter)
+ if err != nil {
+ logger.Error().Err(err).Msg("Upload of Sarif Report GitHub yielded error")
+ os.Exit(2)
+ }
+
+ logger.Info().Msg("Successfully uploaded Sarif Report to Github, it will be available after processing")
+ }
 if os.Getenv("STRICT") == "true" {
 logger.Debug().Msg("Action is running in strict mode")
@@ -77,5 +100,4 @@ func main() {
 os.Exit(2)
 }
 }
-
 }
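Review bot: `defer reportFile.Close()` in the skip-upload branch never runs on any of the `os.Exit(2)` paths that follow it (deferred calls are skipped by `os.Exit`), and on the success path its return value is discarded, so a failure surfaced at close time would still be logged as `Successfully wrote sarif report` and, in strict mode, the action would then exit on the vulnerability count as if the report were intact; close the file explicitly and check the error before logging success. `main`'s body starts before this hunk. The `:=` in `reportFile, err := os.Create(fileName)` and `err := github.UploadReport(reporter)` shadows the outer `err`, which is harmless here but easy to trip over later; the `if err := …; err != nil` form keeps each error scoped to its check.

```go
	fileName := "govulncheck-report.sarif"
	reportFile, err := os.Create(fileName)
	if err != nil {
		logger.Error().Err(err).Msg("Failed to create report file")
		os.Exit(2)
	}

	if err := reporter.Write(reportFile); err != nil {
		_ = reportFile.Close() // best effort; the write error is the one reported
		logger.Error().Err(err).Msg("Writing report to file yielded error")
		os.Exit(2)
	}
	// Close explicitly: a deferred Close would be skipped by os.Exit and its error lost.
	if err := reportFile.Close(); err != nil {
		logger.Error().Err(err).Msg("Closing report file yielded error")
		os.Exit(2)
	}

	logger.Info().Msgf("Successfully wrote sarif report to file %s", fileName)
	// … unchanged: else branch (GitHub upload) and strict-mode handling …
```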