forked from alexeisnyk/juice-shop
-
Notifications
You must be signed in to change notification settings - Fork 0
103 lines (92 loc) · 4.46 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
name: Snyk IaC Analysis and PR Comment
on:
pull_request_target:
types: [opened, edited, synchronize, reopened]
jobs:
code-analysis-and-comment:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Run Snyk IaC Test
uses: snyk/actions/node@master
continue-on-error: true # To ensure the comment gets posted regardless of scan results
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: |
'auth'
'iac test' # Specifies to run a code analysis
args: '--sarif-file-output=snyk-iac-results.sarif' # Outputs results in SARIF format
- name: Comment in PR
uses: actions/github-script@v6
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
script: |
const fs = require('fs');
const sarifPath = './snyk-iac-results.sarif';
let message = '👋 Thanks for reporting! The Snyk IaC scan was completed.';
try {
if (fs.existsSync(sarifPath)) {
const sarifOutput = JSON.parse(fs.readFileSync(sarifPath, 'utf8'));
let results = sarifOutput.runs && sarifOutput.runs[0].results ? sarifOutput.runs[0].results : [];
// Sorting logic to sort issues by severity from High to Low
results.sort((a, b) => {
const severityLevels = { 'error': 1, 'warning': 2, 'note': 3, 'unknown': 4 };
const severityA = severityLevels[a.level] || 4;
const severityB = severityLevels[b.level] || 4;
return severityA - severityB;
});
if (results.length > 0) {
message += ` We found ${results.length} potential issues:\n\n`;
message += '| Icon | Severity | Issue | URI | Problem |\n';
message += '| --- | --- | --- | --- | --- |\n';
results.forEach(result => {
let icon;
let severityText;
switch(result.level) {
case 'error':
icon = '🔴'; // Red circle for high severity
severityText = 'High';
break;
case 'warning':
icon = '🟠'; // Orange circle for medium severity
severityText = 'Medium';
break;
case 'note':
icon = '🟡'; // Yellow circle for low severity
severityText = 'Low';
break;
default:
icon = '⚪'; // White circle for unknown severity
severityText = 'Unknown';
break;
}
const rule = sarifOutput.runs[0].tool.driver.rules.find(r => r.id === result.ruleId) || {};
const shortDescription = rule.shortDescription && rule.shortDescription.text ? rule.shortDescription.text : 'No description available';
const problemSeverity = rule.properties && rule.properties.problem && rule.properties.problem.severity ? rule.properties.problem.severity : 'Unknown severity';
const uri = result.locations && result.locations[0] && result.locations[0].physicalLocation && result.locations[0].physicalLocation.artifactLocation ? result.locations[0].physicalLocation.artifactLocation.uri : 'Unknown URI';
message += `| ${icon} | ${severityText} | ${rule.id} | ${uri} | ${shortDescription} (${problemSeverity}) |\n`;
});
} else {
message += ' No issues were found.';
}
} else {
message += ' No SARIF output file found, please check the action logs.';
}
} catch (error) {
console.error('Error processing SARIF output:', error);
message += ' An error occurred while processing the SARIF output.';
}
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: message
});