Merge pull request #14 from datatheorem/wait-for-dynamic-results

By default, wait for DAST results when checking the scan status.

Added a new input parameter WAIT_FOR_STATIC_SCAN_ONLY to action.yml, allowing users to specify if the action should wait for the static scan to complete instead of the top-level scan.

Author: quantumdark

action.yml

@@ -68,6 +68,10 @@ inputs:
     description: >
       Stop polling the scan result after the specified time in seconds, default is 5 minutes.
     required: false
+  WAIT_FOR_STATIC_SCAN_ONLY:
+    description: >
+      When enabled, waits for the static_scan to be COMPLETED instead of the top-level scan. Default is false.
+    required: false
 runs:
   using: 'node20'
   main: 'main.js'

main.js

@@ -107,6 +107,7 @@ function run() {
         const block_on_severity = core.getInput("BLOCK_ON_SEVERITY");
         const warn_on_severity = core.getInput("WARN_ON_SEVERITY");
         const polling_timeout = core.getInput("POLLING_TIMEOUT");
+        const wait_for_static_scan_only = core.getInput("WAIT_FOR_STATIC_SCAN_ONLY");
         var parsed_polling_timeout;
         if (polling_timeout) {
             parsed_polling_timeout = parseInt(polling_timeout, 10);
@@ -269,6 +270,9 @@ function run() {
         if (warn_on_severity) {
             console.log(`Warning on vulnerabilities with minimum severity: ${warn_on_severity}`);
         }
+        if (wait_for_static_scan_only === 'true') {
+            console.log('WAIT_FOR_STATIC_SCAN_ONLY is enabled: will wait for static_scan completion');
+        }
         for (const scan of scan_info) {
             const { mobile_app_id, scan_id } = scan;
             var maxWaitTime = 300000; // 5 minutes
@@ -292,15 +296,27 @@ function run() {
                         continue;
                     }
                     const status_data = yield status_response.json();
-                    const scan_status = ((_a = status_data.static_scan) === null || _a === void 0 ? void 0 : _a.status) || status_data.status;
+                    // Check status based on WAIT_FOR_STATIC_SCAN_ONLY parameter
+                    let scan_status;
+                    if (wait_for_static_scan_only === 'true') {
+                        if ((_a = status_data.static_scan) === null || _a === void 0 ? void 0 : _a.status) {
+                            scan_status = status_data.static_scan.status;
+                        }
+                        else {
+                            console.log(`static_scan field not available for scan ${scan_id}, falling back to overall scan status`);
+                            scan_status = status_data.status;
+                        }
+                    }
+                    else {
+                        scan_status = status_data.status;
+                    }
                     if (scan_status &&
                         ["FAILED", "SCAN_ATTEMPT_ERROR", "CANCELLED"].includes(scan_status)) {
                         console.log(`Scan ${scan_id} failed, skipping vulnerability check`);
                         break;
                     }
-                    if (!status_data.static_scan ||
-                        status_data.static_scan.status !== "COMPLETED") {
-                        console.log(`Scan ${scan_id} still in progress, waiting...`);
+                    if (scan_status !== "COMPLETED") {
+                        console.log(`Scan ${scan_id} still in progress (current status: ${scan_status}), waiting...`);
                         yield new Promise((resolve) => setTimeout(resolve, pollInterval));
                         continue;
                     }

main.ts

@@ -126,6 +126,7 @@ async function run() {
   const block_on_severity = core.getInput("BLOCK_ON_SEVERITY");
   const warn_on_severity = core.getInput("WARN_ON_SEVERITY");
   const polling_timeout = core.getInput("POLLING_TIMEOUT");
+  const wait_for_static_scan_only = core.getInput("WAIT_FOR_STATIC_SCAN_ONLY");
   var parsed_polling_timeout;
   if (polling_timeout) {
         parsed_polling_timeout = parseInt(polling_timeout, 10);
@@ -325,6 +326,10 @@ async function run() {
     );
   }
 
+  if (wait_for_static_scan_only === 'true') {
+    console.log('WAIT_FOR_STATIC_SCAN_ONLY is enabled: will wait for static_scan completion');
+  }
+
   for (const scan of scan_info) {
     const { mobile_app_id, scan_id } = scan;
 
@@ -363,7 +368,19 @@ async function run() {
         }
 
         const status_data = await status_response.json();
-        const scan_status = status_data.static_scan?.status || status_data.status;
+        // Check status based on WAIT_FOR_STATIC_SCAN_ONLY parameter
+        let scan_status;
+        if (wait_for_static_scan_only === 'true') {
+          if (status_data.static_scan?.status) {
+            scan_status = status_data.static_scan.status;
+          } else {
+            console.log(`static_scan field not available for scan ${scan_id}, falling back to overall scan status`);
+            scan_status = status_data.status;
+          }
+        } else {
+          scan_status = status_data.status;
+        }
+
         if (
           scan_status &&
           ["FAILED", "SCAN_ATTEMPT_ERROR", "CANCELLED"].includes(scan_status)
@@ -372,11 +389,8 @@ async function run() {
           break;
         }
 
-        if (
-          !status_data.static_scan ||
-          status_data.static_scan.status !== "COMPLETED"
-        ) {
-          console.log(`Scan ${scan_id} still in progress, waiting...`);
+        if (scan_status !== "COMPLETED") {
+          console.log(`Scan ${scan_id} still in progress (current status: ${scan_status}), waiting...`);
           await new Promise((resolve) => setTimeout(resolve, pollInterval));
           continue;
         }