2 Commits

Author SHA1 Message Date
f88893748a adding fails and fail skips 2025-11-11 18:04:21 -05:00
b6dfca1cf2 regex fixes for environment variables 2025-11-11 17:45:34 -05:00
2 changed files with 16 additions and 6 deletions


@@ -9,12 +9,14 @@ inputs:
description: "what level of issues to show (all|fatal)" description: "what level of issues to show (all|fatal)"
required: false required: false
default: "all" default: "all"
outputs: fail:
report: description: "determines whether or not the workflow fails upon finding fatal issues (yes(default)|no)"
description: "results of the scan" required: false
default: "yes"
runs: runs:
using: docker using: docker
image: Dockerfile image: Dockerfile
env: env:
COMPOSE_FILE_PATH: ${{ inputs.path }} COMPOSE_FILE_PATH: ${{ inputs.path }}
LOG_LEVEL: ${{ inputs.show }} LOG_LEVEL: ${{ inputs.show }}
FAIL_ON_FATAL: ${{ inputs.fail }}
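Review bot: The new `fail` input advertises `yes(default)|no`, but the consumer in main.go only tests `strings.EqualFold(os.Getenv("FAIL_ON_FATAL"), "yes")`, so any other spelling (`true`, `1`, `YES ` with whitespace) silently turns the fail-on-fatal behaviour off rather than erroring. Since this is the control that decides whether a workflow passes despite fatal findings, the description should say so explicitly, e.g. `description: "fail the workflow when fatal issues are found; only the literal value yes enables this (yes(default)|no)"`. The action file's path is not shown on this page, so I cannot tell whether the removed `outputs.report` is still referenced by any workflow consuming this action.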

14
main.go

@@ -21,7 +21,7 @@ const (
ROOT_USER = "1000" ROOT_USER = "1000"
ROOT_GROUP = "1000" ROOT_GROUP = "1000"
//this is an insane regex to detect IP:PORT:PORT in port configuration but also supports the ability to detect secrets.* and vars.* from workflows //this is an insane regex to detect IP:PORT:PORT in port configuration but also supports the ability to detect secrets.* and vars.* from workflows
IM_SO_SORRY = `^(\${{\s*(vars|secrets)\.[[:alnum:]]+\s*}}|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}){1}:(\${{\s*(vars|secrets)\.[[:alnum:]]+\s*}}|[0-9]+){1}:(\${{\s*(vars|secrets)\.[[:alnum:]]+\s*}}|[0-9]+){1}$` IM_SO_SORRY = `^(\${\s*\w+\s*}|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}){1}:(\${\s*\w+\s*}|[0-9]+){1}:(\${\s*\w+\s*}|[0-9]+){1}$`
) )
func main() { func main() {
@@ -98,11 +98,15 @@ func main() {
//this is better printing, it should probably group up the port issues in a better printing. Not sure how //this is better printing, it should probably group up the port issues in a better printing. Not sure how
lvl := os.Getenv("LOG_LEVEL") lvl := os.Getenv("LOG_LEVEL")
fatalCount := 0
for _, p := range issues { for _, p := range issues {
fmt.Println() fmt.Println()
fmt.Println("----------------------------------------------------------------------------") fmt.Println("----------------------------------------------------------------------------")
fmt.Println(p.Name) fmt.Println(p.Name)
for _, x := range p.Issues { for _, x := range p.Issues {
if x.Level == issue.FATAL {
fatalCount++
}
if lvl == "all" { if lvl == "all" {
fmt.Printf("\tsafe: %t\n\tlevel: %s\n\tMessages:\n\t\t%s\n\n", x.Safe, x.Level, strings.Join(x.Messages, "\n\t\t")) fmt.Printf("\tsafe: %t\n\tlevel: %s\n\tMessages:\n\t\t%s\n\n", x.Safe, x.Level, strings.Join(x.Messages, "\n\t\t"))
} else if lvl == "fatal" { } else if lvl == "fatal" {
@@ -112,6 +116,10 @@ func main() {
} }
} }
} }
if strings.EqualFold(os.Getenv("FAIL_ON_FATAL"), "yes") {
os.Exit(fatalCount)
}
} }
// ensure cpus and mem_limit are set on the service // ensure cpus and mem_limit are set on the service
@@ -173,7 +181,7 @@ func SecurityOptCheck(srv compose.ServiceConfig) *issue.Issue {
for _, opt := range *srv.SecOpts { for _, opt := range *srv.SecOpts {
if strings.EqualFold(opt, PRIVILEGE_OPT) { if strings.EqualFold(opt, PRIVILEGE_OPT) {
i.Passed() i.Passed()
i.Messages = append(i.Messages, "security option are safe") i.Messages = append(i.Messages, "security options are safe")
return i return i
} }
} }
@@ -208,7 +216,7 @@ func PortCheck(srv compose.ServiceConfig) ([]*issue.Issue, error) {
continue continue
} }
ms, err := regexp.Match(`^\${{\s*(vars|secrets)\.[[:alnum:]]+\s*}}{1}:\${{\s*(vars|secrets)\.[[:alnum:]]+\s*}}{1}$`, []byte(prt)) ms, err := regexp.Match(`^\${\s*\w+\s*}{1}:\${\s*\w+\s*}{1}$`, []byte(prt))
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
} }
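Review bot: `os.Exit(fatalCount)` in the `@@ -112,6 +116,10 @@` hunk puts the issue count into the process exit status, which the OS truncates to 8 bits, so a scan that finds 256 fatal issues exits 0 and the workflow passes; the gate should be a fixed non-zero status, `if fatalCount > 0 { os.Exit(1) }`. Note also that `os.Exit` skips deferred calls, so anything main defers earlier (its body starts outside these hunks) would not run on this path. In the first and last hunks, the new `\${\s*\w+\s*}` alternative only accepts the bare `${NAME}` form, so compose spellings such as `${NAME:-default}` or `$NAME` would presumably fall into the numeric branch and be flagged as malformed rather than as variables; worth a comment or a test case next to `IM_SO_SORRY`. The `regexp.Match` call in the last hunk recompiles a literal pattern for every port and routes a compile error of a constant through `log.Fatal`; a package-level `regexp.MustCompile` (as the tips recommend) removes both.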