-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yml
106 lines (103 loc) · 3.77 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# action.yml
name: 'Tizona security checker action'
description: 'Checks and analyzes the security of the code added to the specified repository.'
branding:
icon: 'check-square'
color: 'green'
inputs:
permissive_mode:
description: 'Enables or disables the interruption of the action in the case of finding errors in the execution of the checks.'
required: false
default: 'true'
code_enable:
description: 'Enables code check'
required: false
default: 'true'
sonar_source:
description: 'SonarQube source. Required to run SonarQube. SonarQube also needs sonar-project.properties file.'
required: false
default: '.'
sonar_host:
description: 'SonarQube host. Required to run SonarQube. SonarQube also needs sonar-project.properties file.'
required: false
default: 'SONAR_HOST'
sonar_login:
description: 'SonarQube login key. Required to run SonarQube.SonarQube also needs sonar-project.properties file.'
required: false
default: 'SONAR_LOGIN'
sonar_report_path:
description: 'Location of the scanner metadata report file. Required to run Quality Gate.'
required: false
default: '.scannerwork/report-task.txt'
config_enable:
description: 'Enables configuration check.'
required: false
default: 'true'
secrets_enable:
description: 'Enables secrets check'
required: false
default: 'true'
reviewdog_github_token:
description: 'GitHub token. Required if config checker or secrets checker are enabled.'
required: false
depcheck_project:
description: 'Dependency check project. Required if code checker is enabled.'
default: 'MY_PROJECT'
required: false
depcheck_path:
description: 'Dependency check path. Required if code checker is enabled.'
default: '.'
required: false
depcheck_format:
description: 'Dependency check format. Required if code checker is enabled.'
default: 'HTML'
required: false
trivy_repo_ignore-unfixed:
description: 'Ignore unfixed vulnerabilities. Required if config checker is enabled.'
required: false
default: 'false'
trivy_repo_vuln:
description: 'comma-separated list of vulnerability types (os,library). Required if config checker is enabled.'
required: false
default: 'os,library'
trivy_severity:
description: 'Severities of vulnerabilities to be displayed. Required if config checker is enabled.'
required: false
default: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
trivy_timeout:
description: 'Trivy timeout duration. Required if config checker is enabled.'
required: false
default: "5m"
dockerlint_enable:
description: 'Enables Docker lint check'
required: false
default: 'false'
dockerlint_level:
description: 'Exit with failure code only when rules with a severity equal to or above THRESHOLD are violated. Accepted values: error, warning, info, style, ignore & none'
required: false
default: "error"
outputs:
riskscore:
description: 'String with the number of vulnerabilities found'
runs:
using: 'docker'
image: 'Dockerfile'
args:
- '-a ${{ inputs.permissive_mode }}'
- '-b ${{ inputs.code_enable }}'
- '-c ${{ inputs.sonar_source }}'
- '-d ${{ inputs.sonar_host }}'
- '-e ${{ inputs.sonar_login }}'
- '-f ${{ inputs.sonar_report_path }}'
- '-g ${{ inputs.config_enable }}'
- '-h ${{ inputs.secrets_enable }}'
- '-i ${{ inputs.reviewdog_github_token }}'
- '-j ${{ inputs.depcheck_project }}'
- '-k ${{ inputs.depcheck_path }}'
- '-l ${{ inputs.depcheck_format }}'
- '-m ${{ inputs.trivy_severity }}'
- '-n ${{ inputs.trivy_repo_ignore-unfixed }}'
- '-o ${{ inputs.trivy_repo_vuln }}'
- '-p ${{ inputs.trivy_timeout }}'
- '-q ${{ inputs.dockerlint_enable }}'
- '-r ${{ inputs.dockerlint_level }}'