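---
# Composite GitHub Action that runs zizmor (a static analyzer for GitHub
# Actions workflows) via action.sh and optionally uploads its SARIF output
# to the repository's code-scanning (Advanced Security) tab.
name: zizmor-action
description: Run zizmor from GitHub Actions 🌈
branding:
  icon: "shield"
  color: "blue"

outputs:
  output-file:
    # Fixed: the description carried a stray trailing double quote.
    description: Filepath to static analysis results in SARIF format
    # Populated by action.sh through the `run-zizmor` step's outputs.
    value: ${{ steps.run-zizmor.outputs.sarif-file }}

inputs:
  inputs:
    description: |
      The inputs to pass to `zizmor`.
      This should be a whitespace-separated list of inputs. Inputs will
      be split with shell splitting rules.
    required: false
    default: "."
  online-audits:
    description: |
      Whether to run online audits.
    required: false
    # Action inputs are always strings; keep boolean-looking defaults quoted
    # so no YAML loader turns them into real booleans.
    default: "true"
  persona:
    description: |
      The auditing persona to use.
      This can be 'regular' (default), 'pedantic', or 'auditor'.
    required: false
    default: "regular"
  min-severity:
    description: |
      The minimum severity to report findings for.
      This can be 'unknown', 'informational', 'low', 'medium', or 'high'.
    required: false
  min-confidence:
    description: |
      The minimum confidence to report findings for.
      This can be 'unknown', 'low', 'medium', or 'high'.
    required: false
  version:
    description: The version of zizmor to use
    required: false
    # Quoted for consistency with the other string defaults in this file.
    default: "latest"
  token:
    description: |
      The GitHub API token to use for zizmor online-audits (if enabled).
    required: false
    # Defaults to the workflow's own installation token; callers may pass a
    # different token if online audits need broader read access.
    default: ${{ github.token }}
  advanced-security:
    description: |
      Whether to enable GitHub Advanced Security for zizmor's results.
      This will use the SARIF output format under the hood and will upload the
      results to the repository's security tab.
    required: false
    default: "true"
  color:
    description: |
      Whether zizmor should output colorized CLI output.
    required: false
    default: "true"
  annotations:
    description: |
      Whether to emit GitHub annotations for zizmor's results.
      This will use GitHub's workflow commands under the hood.
      This option is **mutually exclusive** with `advanced-security: true`.
      You must explicitly set `advanced-security: false` to enable this option.
    required: false
    default: "false"
  config:
    # Fixed: the description repeated the word "Path".
    description: Path to a custom zizmor configuration file (e.g., zizmor.yml).
    required: false
    # No default: when unset, GHA_ZIZMOR_CONFIG below expands to an empty
    # string and action.sh is expected to treat that as "no config file".
  fail-on-no-inputs:
    description: |
      Whether the action should fail if no inputs are collected by zizmor.
      By default, zizmor will fail if it couldn't collect any inputs to audit.
      Setting this option to `false` will make the action succeed in such cases,
      with a warning message instead.
      This input only works with zizmor v1.21.0 and later. Earlier versions
      will always fail on no inputs.
    required: false
    default: "true"

runs:
  using: composite
  steps:
    - name: Run zizmor
      id: run-zizmor
      # The script line contains no `${{ }}` expressions on purpose: every
      # caller-controlled input reaches the shell only through the `env`
      # block below, so input values can never be spliced into the command
      # text as code (expression/template injection).
      run: |
        "${GITHUB_ACTION_PATH}/action.sh"
      env:
        GHA_ZIZMOR_INPUTS: ${{ inputs.inputs }}
        GHA_ZIZMOR_ONLINE_AUDITS: ${{ inputs.online-audits }}
        GHA_ZIZMOR_PERSONA: ${{ inputs.persona }}
        GHA_ZIZMOR_MIN_SEVERITY: ${{ inputs.min-severity }}
        GHA_ZIZMOR_MIN_CONFIDENCE: ${{ inputs.min-confidence }}
        GHA_ZIZMOR_VERSION: ${{ inputs.version }}
        GHA_ZIZMOR_TOKEN: ${{ inputs.token }}
        GHA_ZIZMOR_ADVANCED_SECURITY: ${{ inputs.advanced-security }}
        GHA_ZIZMOR_COLOR: ${{ inputs.color }}
        GHA_ZIZMOR_ANNOTATIONS: ${{ inputs.annotations }}
        GHA_ZIZMOR_CONFIG: ${{ inputs.config }}
        GHA_ZIZMOR_FAIL_ON_NO_INPUTS: ${{ inputs.fail-on-no-inputs }}
      shell: bash

    - name: Upload SARIF file to GitHub Advanced Security
      # Pinned to a full commit SHA (not a mutable tag) so the upload step
      # cannot change underneath this action; the trailing comment records
      # the release the SHA corresponds to for reviewers.
      uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
      # Inputs are strings, so compare against the literal 'true' rather
      # than relying on truthiness.
      if: ${{ inputs.advanced-security == 'true' }}
      with:
        sarif_file: ${{ steps.run-zizmor.outputs.sarif-file }}
        category: zizmor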