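# SIA – Security Issues Action (composite action).
# Runs a caller-supplied report command, converts the report to a common CVE
# format with exasol-toolbox, filters out CVEs that already have a GitHub issue
# and creates issues for the remainder; the created issues are exposed as an
# output and written to the job summary.
name: 'SIA'
description: 'The Security Issues Action creates github issues for open security issues in the repository'
inputs:
  command:
    # Executed as a shell command by design; the caller is trusted for this input.
    description: 'Command for generating a security report'
    required: true
  format:
    description: 'Input format (e.g. "maven" or "pass-through")'
    required: true
  github-token:
    description: 'Github Token'
    required: true
  project:
    description: 'Project the created tickets shall be associated with'
    required: false
  python-version:
    # Optional with a default, so existing callers need no change; the original
    # step name referenced this input without declaring it.
    description: 'Python version used to run the toolbox'
    required: false
    default: '3.11'
outputs:
  created-issues:
    description: 'Information about the created issues and the vulnerabilities in JSONL format'
    value: ${{ steps.get-created-issues.outputs.issues }}
runs:
  using: 'composite'
  steps:
    - name: Setup Python (${{ inputs.python-version }})
      uses: actions/setup-python@v6
      with:
        # Passed through as a string so versions like "3.10" are not read as floats.
        python-version: '${{ inputs.python-version }}'
    - name: Install Python Toolbox / Security tool
      shell: bash
      run: |
        # Exact pin keeps the tool version reproducible between runs.
        pip install exasol-toolbox==6.1.1
    - name: Create Security Issue Report
      shell: bash
      env:
        # Inputs reach the shell through env vars rather than ${{ }} interpolation,
        # so their content cannot rewrite the script text itself.
        SIA_COMMAND: ${{ inputs.command }}
      run: |
        # eval runs the whole command (also multi-line ones) and pipes all of
        # its output to the report file; the step fails if the command fails.
        eval "$SIA_COMMAND" | tee input
    - name: Convert Report To Common Input Format
      shell: bash
      env:
        SIA_FORMAT: ${{ inputs.format }}
      run: |
        tbx security cve convert "$SIA_FORMAT" < input | tee cves.jsonl
    - name: Filter Issues
      env:
        GH_TOKEN: ${{ inputs.github-token }}
      shell: bash
      run: |
        # stdout: CVEs that still need an issue; stderr: what was filtered (and why).
        tbx security cve filter github-issues < cves.jsonl 2> filtered.txt | tee issues.jsonl
        cat filtered.txt
    - name: Create Issues
      env:
        GH_TOKEN: ${{ inputs.github-token }}
        # Empty when the optional input is not set, yielding --project "" as before.
        SIA_PROJECT: ${{ inputs.project }}
      shell: bash
      run: |
        tbx security cve create --project "$SIA_PROJECT" < issues.jsonl | tee created.jsonl
    - name: Define Output Parameter
      id: get-created-issues
      shell: bash
      run: |
        # Random heredoc delimiter: a literal "EOF" line inside created.jsonl
        # would otherwise terminate the multi-line output early.
        delimiter="sia_issues_${RANDOM}${RANDOM}"
        {
          echo "issues<<${delimiter}"
          cat created.jsonl
          echo "${delimiter}"
        } >> "$GITHUB_OUTPUT"
    - name: Create Report
      shell: bash
      run: |
        {
          echo -e "# Summary\n"
          echo -e "## Created Security Issue\n"
          cat created.jsonl
          echo -e "## Filtered Security Issue\n"
          # First line of filtered.txt is a header; `|| true` keeps the step green
          # when grep finds no non-empty line. The pipeline is grouped so that its
          # output (not only `true`) is what gets appended to the summary.
          tail -n +2 filtered.txt | grep . || true
        } >> "$GITHUB_STEP_SUMMARY"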