[new] Code migration

2025-03-31 15:49:50 -04:00 · 2025-03-31 15:49:50 -04:00 · cddba82185
commit cddba82185
3 changed files with 100 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,29 @@
+# report-vulns
+A very simple action to check for vulnerabilities in projects during workflows
+
+## Usage
+Use a tagged release to avoid unexpected changes that may come to the master branch
+```yaml
+name: "security checkpoint"
+uses: https://code.jakeyoungdev.com/actions/report-vulns@master
+with:
+  manager: npm
+  panic: no
+```
+
+### Inputs
+Some inputs are supplied for better customization
+|Input|Required|Values|Default|Description|
+|---|---|---|---|---|
+|manager|required|go/npm|.|Package manager to use for scan|
+|panic|optional|yes/no|yes|Determines whether or not the job fails when vulnerabilities are found
+
+## Requirements
+Package managers like Go and Node must be installed before running this action
+
+## Managers
+The default or "built-in" vulnerability scanner will be used for each package manager
+|Package Manager|Vulnerability Scanner|
+|---|---|
+|npm|npm audit|
+|go|govulncheck|
--- a/action.yaml
+++ b/action.yaml
@ -0,0 +1,20 @@
+name: "report-vulns"
+description: "Check for vulnerabilities in go and node apps"
+inputs:
+  manager:
+    description: "which auditing system to use, based on package manager. Available options are: (go|npm)"
+    required: true
+    default: "."
+  panic:
+    description: "determines whether the workflow fails when vulnerabilities are found: (yes|no)"
+    required: true
+    default: "yes"
+runs:
+  using: composite
+  steps:
+    - name: "run script"
+      shell: bash
+      run: ${{ github.action_path }}/security.sh
+      env:
+        PACKAGE_MANAGER: ${{ inputs.manager }}
+        ERROR_ON_VULN: ${{ inputs.panic }}
--- a/security.sh
+++ b/security.sh
@ -0,0 +1,51 @@
+#!/bin/bash
+
+echo "Starting security audit"
+
+echo "Parsing package manager"
+# . is the default input and used to ensure required inputs are set, since actions don't for whatever reason
+if [[ "$PACKAGE_MANAGER" == "." ]]; then
+    echo "FATAL: Manager input required"
+    exit 1
+fi
+
+echo "Auditing project with $PACKAGE_MANAGER"
+
+#npm audit
+if [[ "$PACKAGE_MANAGER" == "npm" ]]; then
+    VULNS=$(npm audit)
+    if [[ "$VULNS" == "found 0 vulnerabilities" ]]; then
+        echo "No vulnerabilities found, audit passed!"
+        exit 0
+    else
+        if [[ "$ERROR_ON_VULN" == "no" ]]; then
+            echo "$VULNS"
+            exit 0
+        else
+            echo "FATAL: Vulnerabilities found, details below"
+            echo "$VULNS"
+            exit 1
+        fi
+    fi
+fi
+
+#govulncheck
+if [[ "$PACKAGE_MANAGER" == "go" ]]; then
+    VULNS=$(govulncheck ./...)
+    #if vulns are found the exit status is 1
+    if [ $? -eq 0 ]; then
+        echo "No vulnerabilities found, audit passed!"
+        exit 0
+    else
+        if [[ "$ERROR_ON_VULN" == "no" ]]; then
+            echo "$VULNS"
+            exit 0
+        else
+            echo "FATAL: Vulnerabilities found, details below"
+            echo "$VULNS"
+            exit 1
+        fi
+    fi
+fi
+
+echo "Done"