# Composite GitHub Action that wraps Lacework's Code Security scanner.
# The scan itself runs in a Node action that is built at run time from this
# same directory (see the `runs` section further down).
name: lacework-code-security
description: "Scan code with Lacework's Code Security offering"
author: Lacework
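# Inputs are forwarded unchanged to the built Node action by the
# `run-analysis` step; none of them is validated at this layer.
inputs:
  sources:
    description: 'Sources directory to analyze'
    required: false
    default: '.'
  target:
    # Not checked here. NOTE(review): presumably the Node action rejects
    # values other than push/old/new — confirm before relying on it.
    description: 'One of push, old or new to represent which is being analyzed'
    required: false
  debug:
    description: 'Set to true to enable debug logging'
    required: false
    # Action inputs are always strings. Quoting the default makes it the
    # literal text "false" on every YAML loader, which is what the
    # `inputs.debug == 'true'` comparison in `runs` expects.
    default: 'false'
  token:
    # Secret-bearing input. Prefer a token scoped to the minimum needed
    # (pull-requests write for PR comments); when omitted the `run-analysis`
    # step falls back to `github.token`.
    description: 'Set to a GitHub token for the repository with write permissions for PRs to enable PR comments'
    required: false
  footer:
    # NOTE(review): appended to PR comments; it is supplied by the workflow
    # author, so keep untrusted (e.g. PR-controlled) text out of it.
    description: 'A block of Markdown that will be appended to any PR comments posted'
    required: false
  artifact-prefix:
    description: 'Prefix for the artifact name'
    required: false
    default: ''
  code-scanning-path:
    description: 'Path to write code scanning SARIF file'
    required: false
    default: 'code-scanning.sarif'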
# Every output is relayed from the `run-analysis` step, i.e. from the Node
# action built in `runs`; this file adds nothing of its own.
outputs:
  old-completed:
    description: >-
      If running a target called old, whether the analysis for this
      was completed
    value: ${{ steps.run-analysis.outputs.old-completed }}
  new-completed:
    description: >-
      If running a target called new, whether the analysis for this
      was completed
    value: ${{ steps.run-analysis.outputs.new-completed }}
  push-completed:
    description: >-
      If running a target called push, whether the analysis for this
      was completed
    value: ${{ steps.run-analysis.outputs.push-completed }}
  display-completed:
    description: "If displaying results, whether this was completed"
    value: ${{ steps.run-analysis.outputs.display-completed }}
  comment-posted:
    description: "If a comment was posted, a link to this comment"
    value: ${{ steps.run-analysis.outputs.comment-posted }}
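runs:
  using: 'composite'
  steps:
    # Wall-clock start time, exported for the analysis step.
    # `--rfc-3339` is a GNU date option, so this assumes a Linux runner
    # (TODO confirm if macOS/Windows runners are ever used).
    - name: Record start time
      shell: bash
      run: echo "LACEWORK_START_TIME=$(date --rfc-3339=seconds)" >> "$GITHUB_ENV"

    # Per-run correlation id plus the ref this action was invoked at.
    - id: init
      name: Initialise run context
      shell: bash
      env:
        # Handed over through the environment rather than interpolated into
        # the script, so the value is never parsed as shell.
        LACEWORK_ACTION_REF: '${{ github.action_ref }}'
      run: |
        # 128 bits from the kernel CSPRNG, rendered as 32 lowercase hex chars
        # (same shape as before). The previous `$RANDOM | md5sum` had only
        # ~2^15 distinct outcomes, so ids were predictable and could collide
        # between concurrent runs.
        LACEWORK_CONTEXT_ID="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
        echo "Lacework context ID: $LACEWORK_CONTEXT_ID"
        echo "LACEWORK_CONTEXT_ID=$LACEWORK_CONTEXT_ID" >> "$GITHUB_ENV"
        echo "LACEWORK_ACTION_REF=$LACEWORK_ACTION_REF" >> "$GITHUB_ENV"

    - name: Sets LW_LOG var for debug
      shell: bash
      if: ${{ inputs.debug == 'true' }}
      run: |
        echo "LW_LOG=debug" >> "$GITHUB_ENV"

    # LW_ACCOUNT_NAME comes from the caller's environment; it is re-exported
    # under the name the scanner reads only when it is actually set.
    - name: Set Lacework account environment variable
      shell: bash
      run: |
        if [ -n "$LW_ACCOUNT_NAME" ]; then
          echo "LW_ACCOUNT=$LW_ACCOUNT_NAME" >> "$GITHUB_ENV"
        fi

    # TODO(security): pin to a full commit SHA instead of the mutable `v4`
    # tag so that a moved tag cannot change what runs here.
    - uses: actions/setup-node@v4
      with:
        node-version: 18

    # Build the real (Node) action from this action's own directory into a
    # sibling of the step's working directory, then rewrite its action.yaml
    # so it can be `uses:`'d as a node action in the next step.
    - name: Build Node action
      shell: bash
      env:
        # Runner-controlled path; passed via env to keep the script free of
        # `${{ }}` interpolation.
        LACEWORK_ACTION_PATH: '${{ github.action_path }}'
      run: |
        rm -rf ../lacework-code-security
        cp -r "$LACEWORK_ACTION_PATH" ../lacework-code-security
        cd ../lacework-code-security
        # Dependencies are resolved at run time, on every invocation.
        # NOTE(review): prefer `npm ci --ignore-scripts` once a lockfile is
        # committed, so builds are reproducible and install hooks of
        # transitive packages cannot run arbitrary code here.
        HUSKY=0 npm install
        npm run compile
        # NOTE(review): the node16 action runtime is deprecated on
        # GitHub-hosted runners; confirm whether `node20` is the intended target.
        yq -i -o yaml 'del(.runs.steps) | del(.outputs) | .runs.using="node16" | .runs.main="dist/src/index.js"' action.yaml

    # Run the freshly built action; every input is forwarded verbatim.
    - id: run-analysis
      uses: './../lacework-code-security'
      with:
        sources: '${{ inputs.sources }}'
        target: '${{ inputs.target }}'
        debug: '${{ inputs.debug }}'
        # Falls back to the workflow's GITHUB_TOKEN when no token is given.
        token: '${{ inputs.token || github.token }}'
        footer: '${{ inputs.footer }}'
        artifact-prefix: '${{ inputs.artifact-prefix }}'
        code-scanning-path: '${{ inputs.code-scanning-path }}'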