From 1afd6d2cae70ae8bd900b58506f54487ed863912 Mon Sep 17 00:00:00 2001
From: GriffinMB
Date: Sun, 3 Jan 2021 18:01:33 -0600
Subject: [PATCH] Basic Sobelow action with sarif file output

---
 Dockerfile | 4 ++++
 README.md | 2 +-
 action.yml | 7 ++++++-
 sobelow.sh | 8 ++++++--
 4 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 8610ae5..d409617 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,4 +2,8 @@ FROM elixir:1.11.2
 
 COPY sobelow.sh /sobelow.sh
 
+ENV DIR=GITHUB_WORKSPACE
+
+WORKDIR ${DIR}
+
 ENTRYPOINT ["/sobelow.sh"]
\ No newline at end of file
diff --git a/README.md b/README.md
index d0bd86d..85163c0 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
 # Sobelow Action
 
-...
+
diff --git a/action.yml b/action.yml
index 618eca2..01b3aef 100644
--- a/action.yml
+++ b/action.yml
@@ -3,6 +3,10 @@ author: Griffin Byatt
 description: Security-focused static analysis for the Phoenix Framework
 
 inputs:
+  report:
+    required: true
+    description: "Output a results.sarif file for GitHub Security integration"
+    default: true
   flags:
     description: "Flags (https://github.com/nccgroup/sobelow#options)"
 
@@ -10,4 +14,5 @@ runs:
   using: 'docker'
   image: 'Dockerfile'
   args:
-    - ${{ inputs.flags }}
\ No newline at end of file
+    - ${{ inputs.flags }}
+    - ${{ inputs.report }}
\ No newline at end of file
diff --git a/sobelow.sh b/sobelow.sh
index f719475..3bf3866 100755
--- a/sobelow.sh
+++ b/sobelow.sh
@@ -1,6 +1,10 @@
 #!/bin/sh -l
 
 mix local.hex --force
-mix escript.install github nccgroup/sobelow --force
+mix escript.install hex sobelow --force
 
-~/.mix/escripts/sobelow $1
\ No newline at end of file
+if [ "$2" = "false" ]; then
+  ~/.mix/escripts/sobelow $1
+else
+  ~/.mix/escripts/sobelow $1 --format sarif >> results.sarif
+fi
\ No newline at end of file
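Review bot: `ENV DIR=GITHUB_WORKSPACE` assigns the literal string GITHUB_WORKSPACE, not the value of the runner's `$GITHUB_WORKSPACE` variable, so the following `WORKDIR ${DIR}` creates and enters a directory literally named `/GITHUB_WORKSPACE` inside the image. A build-time ENV cannot read a variable that only exists at run time; a container action is started with its working directory already set to the mounted checkout, so these two added lines can simply be dropped, or, if an explicit directory is wanted, written as `WORKDIR /github/workspace`. As committed, results.sarif landing in the checkout depends on the runner overriding this WORKDIR rather than on anything the Dockerfile states.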
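Review bot: `default: true` on the new `report` input is a YAML boolean, while every other value in this file is a string and sobelow.sh compares the argument as text (`"$2" = "false"`); quoting it as `default: "true"` makes a generic YAML loader and the runner agree on the value. `required: true` is redundant once a default is supplied, since the input can then never be absent; keep one or the other. The description could also name the accepted values, e.g. `description: "Write results.sarif for GitHub code scanning; set to \"false\" to print findings to stdout instead"`.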
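Review bot: The `args` list now encodes a positional contract with sobelow.sh (`$1` is flags, `$2` is report) that nothing in this file records, so reordering either the inputs or the args would silently break the script. A comment above the list such as `# positional: $1 = flags, $2 = report (consumed by sobelow.sh)` would pin the order. Note also that `${{ inputs.flags }}` is handed over as one argument and only separated into individual options by the unquoted `$1` expansion in the script, so a flag value containing spaces or quotes will not survive the round trip.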
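Review bot: `>> results.sarif` appends, so a results.sarif already present in the workspace (a committed file, a cached one, or a second invocation in the same job) produces two concatenated JSON documents that the SARIF upload cannot parse; truncate instead: `~/.mix/escripts/sobelow $1 --format sarif > results.sarif`. The script also has no `set -e`, so a failed `mix escript.install hex sobelow --force` (network error, registry outage) is ignored and the run proceeds to a missing escript; add `set -e` directly after the shebang. Installing `hex sobelow` unpinned means each run fetches whatever the latest published release is, so the scanner's behaviour can change between runs without any change to this repository; pinning a version (`mix escript.install hex sobelow <version>`) keeps it reproducible. Lastly, the branch condition accepts only the exact string `false`, so `False` or `0` silently fall through to the SARIF branch; a `case "$2" in false|False|0)` form or a comment stating the exact expected value would make that explicit.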