---
# Action metadata for the trivy + reviewdog composite action.
# Inputs are forwarded to script.sh through INPUT_* environment variables (see runs.steps).
name: 'Run trivy with reviewdog'
description: '🐶 Run trivy with reviewdog on pull requests to enforce security best practices'
author: 'vlaaaaaaad (reviewdog)'
inputs:
  # Token reviewdog uses to post checks / review comments. Defaults to the
  # workflow's own token and is forwarded to script.sh as INPUT_GITHUB_TOKEN.
  github_token:
    description: 'GITHUB_TOKEN'
    required: true
    default: '${{ github.token }}'
  working_directory:
    description: |
      Directory to run the action on, from the repo root.
      Default is . ( root of the repository)
    required: false
    default: '.'
  level:
    description: 'Report level for reviewdog [info,warning,error]'
    required: false
    default: 'error'
  tool_name:
    description: |
      The name for the report as it will show up in GitHub's interface.
      Default is trivy.
    required: false
    default: 'trivy'
  reporter:
    description: |
      Reporter of reviewdog command [github-pr-check,github-pr-review].
      Default is github-pr-check.
    required: false
    default: 'github-pr-check'
  filter_mode:
    description: |
      Filtering for the reviewdog command [added,diff_context,file,nofilter].
      Default is added.
    required: false
    default: 'added'
  fail_level:
    description: |
      If set to `none`, always use exit code 0 for reviewdog. Otherwise, exit code 1 for reviewdog if it finds at least 1 issue with severity greater than or equal to the given level. Possible values: [none,any,info,warning,error] Default is `none`.
    required: false
    default: 'none'
  # Superseded by fail_level; still forwarded to script.sh as INPUT_FAIL_ON_ERROR.
  fail_on_error:
    description: |
      **Deprecated**. This option is no longer recommended for use and will be removed in future versions.
      Exit code for reviewdog when errors are found [true,false]
      Default is `false`.
    required: false
    default: 'false'
    deprecationMessage: 'Deprecated, use `fail_level` instead.'
  # Free-form extra reviewdog arguments, forwarded verbatim as INPUT_FLAGS.
  flags:
    description: 'Additional reviewdog flags'
    required: false
    default: ''
  trivy_command:
    description: |
      Trivy command [aws,config,filesystem,image,kubernetes,rootfs,sbom,vm]
    required: true
  trivy_target:
    description: |
      Trivy target to scan
    required: true
  # NOTE(review): 'latest' is unpinned — every run fetches whichever trivy
  # release is newest at that moment, so scan results are not reproducible
  # and a bad or compromised release is picked up immediately. Callers who
  # need reproducible, auditable scans should pass an explicit version.
  trivy_version:
    description: |
      The version of trivy to install.
      Default is latest.
    required: false
    default: 'latest'
  # Free-form extra trivy arguments, forwarded verbatim as INPUT_TRIVY_FLAGS;
  # the description notes that --format=checkstyle is enforced regardless.
  trivy_flags:
    description: |
      List of arguments to send to trivy
      For the output to be parsable by reviewdog --format=checkstyle is enforced
      Default is blank.
    required: false
    default: ''
outputs:
  # Both values are produced by the step with id `trivy` under runs.steps.
  trivy-return-code:
    description: 'trivy command return code'
    value: '${{ steps.trivy.outputs.trivy-return-code }}'
  reviewdog-return-code:
    description: 'reviewdog command return code'
    value: '${{ steps.trivy.outputs.reviewdog-return-code }}'
runs:
  using: 'composite'
  steps:
    # All work happens in script.sh; this step's id is what the outputs above read.
    - id: trivy
      shell: bash
      run: $GITHUB_ACTION_PATH/script.sh
      env:
        # We may want to allow specifying reviewdog version as
        # action's input, but let's start with hard coded latest stable version for reviewdog
        REVIEWDOG_VERSION: 'v0.20.3'
        # INPUT_<VARIABLE_NAME> is not available in Composite run steps
        # https://github.community/t/input-variable-name-is-not-available-in-composite-run-steps/127611
        # Handing inputs over as env vars (instead of interpolating ${{ inputs.* }}
        # into the run line) also keeps user-controlled values such as flags and
        # trivy_target out of the script text. script.sh (not shown here) must
        # still treat them as data, i.e. quote them when building its commands.
        INPUT_GITHUB_TOKEN: '${{ inputs.github_token }}'
        INPUT_WORKING_DIRECTORY: '${{ inputs.working_directory }}'
        INPUT_LEVEL: '${{ inputs.level }}'
        INPUT_REPORTER: '${{ inputs.reporter }}'
        INPUT_TOOL_NAME: '${{ inputs.tool_name }}'
        INPUT_FILTER_MODE: '${{ inputs.filter_mode }}'
        INPUT_FAIL_ON_ERROR: '${{ inputs.fail_on_error }}'
        INPUT_FAIL_LEVEL: '${{ inputs.fail_level }}'
        INPUT_FLAGS: '${{ inputs.flags }}'
        INPUT_TRIVY_VERSION: '${{ inputs.trivy_version }}'
        INPUT_TRIVY_COMMAND: '${{ inputs.trivy_command }}'
        INPUT_TRIVY_TARGET: '${{ inputs.trivy_target }}'
        INPUT_TRIVY_FLAGS: '${{ inputs.trivy_flags }}'
# Marketplace listing appearance only; has no effect on the action's behaviour.
branding:
  icon: edit
  color: gray-dark