Closed: yongyan-gh closed this 1 year ago
@ssbarnea thanks for your thoughts/inputs, understand the design principle not to modify container image.
The `GITHUB_SARIF` variable is not a GitHub reserved environment variable; we can define any variable name to be used in the action. The goal of creating this variable is: when the users of the action want to generate a .sarif file, they can set this variable's value to a valid file name, the ansible-lint action should export the results in SARIF format to the file specified by the variable, and then they can use another action, `github/codeql-action/upload-sarif@v2`, to upload the .sarif file to GHAS to produce the code scanning alerts. The path will be `GITHUB_WORKSPACE` by default if not specified.
Please let me know what the preferable way to implement the feature is. Thanks!
To be honest, I would even consider adding an option `upload_sarif` to our action to allow using it directly. Only this morning we were also considering making the checkout step implicit inside the action, so it could be easier to enable.
@ssbarnea I see, you mean we should add an input parameter for the action, e.g. `upload_sarif`, instead of using a hidden system environment variable. Updated the PR with the change.
Still, a custom entrypoint.sh needs to be inserted into the docker image to handle the input parameters. If we don't want to modify the image, what is the preferable way to handle the input parameters without the shell script?
As discussed in #98, this change enables users of ansible-lint-action to generate a SARIF result file by specifying an environment variable `GITHUB_SARIF` through the action. The SARIF file can be uploaded to GitHub Advanced Security to show the alerts in the user's repository security tab. The example action with the environment variable set:
Tested the action in my test workflow, the result can be found at https://github.com/yongyan-gh/ansiblelinttest/actions/workflows/sarifactiontest.yml
@ssbarnea please review and let me know what you think, thanks!
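The workflow shape the PR description and the earlier comment describe (ansible-lint writes a SARIF file to the path named by `GITHUB_SARIF`, then `github/codeql-action/upload-sarif@v2` uploads it to code scanning), written out as an added example; this is not the author's example workflow from the PR, which was not captured here. The action reference `ansible/ansible-lint-action@main` is an assumption (pin a release tag or commit SHA in practice), the file name `ansible-lint.sarif` is a constructed value, and `security-events: write` and `sarif_file` are the real permission and input that the upload-sarif action requires.

```yaml
# Added example, not code from the PR: run ansible-lint, export SARIF,
# upload it to GitHub Advanced Security code scanning.
name: ansible-lint SARIF

on:
  push:
  pull_request:

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write      # needed by codeql-action/upload-sarif
    steps:
      - uses: actions/checkout@v3  # explicit until the action makes it implicit

      - name: Run ansible-lint and write SARIF
        uses: ansible/ansible-lint-action@main   # assumed ref; pin to a tag/SHA
        env:
          # Not a GitHub reserved variable; the action reads it to decide
          # where to write SARIF. Relative paths land under GITHUB_WORKSPACE.
          GITHUB_SARIF: ansible-lint.sarif     # constructed file name

      - name: Upload SARIF to code scanning
        # Lint violations make the previous step exit non-zero; without
        # always() the upload would be skipped and the alerts never shown.
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ansible-lint.sarif
          category: ansible-lint
```

With the later proposal in this thread (an `upload_sarif` input on the action itself), the separate upload step would disappear, but the `security-events: write` permission is still required for whichever step performs the upload.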