ansible / ansible-lint-action

❗️Replaced by https://github.com/marketplace/actions/run-ansible-lint
MIT License

Add Sarif result file support by setting an env variable #111

Closed yongyan-gh closed 1 year ago

yongyan-gh commented 2 years ago

As discussed in #98, this change enables users of ansible-lint-action to generate a SARIF result file by specifying an environment variable GITHUB_SARIF through the action. The SARIF file can be uploaded to GitHub Advanced Security to show the alerts in the user's repository security tab.

The example action with the environment variable set:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      - name: Run ansible-lint
        uses: ansible-community/ansible-lint-action@main
        # optional:
        # with:
        #   path: "playbooks/"  # <-- only one value is allowed
        env:
          GITHUB_SARIF: "ansiblelint_results.sarif"

I tested the action in my test workflow; the result can be found at https://github.com/yongyan-gh/ansiblelinttest/actions/workflows/sarifactiontest.yml

@ssbarnea please review and let me know what you think, thanks!
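What a "SARIF result file" has to contain for a code-scanning upload to accept it is not spelled out in the thread, so here is an added, stand-alone example (not code from the PR or from ansible-lint) that builds and sanity-checks a minimal SARIF 2.1.0 log from lint findings and writes it under GITHUB_WORKSPACE, the default location the PR proposes. The findings list and its field names (rule, severity, message, path, line) are constructed for the example and are not ansible-lint's own output format.

```python
"""Build a minimal SARIF 2.1.0 log from lint findings and check it before upload."""
import json
import os
from pathlib import Path

SARIF_VERSION = "2.1.0"
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Constructed sample findings for this example. This is NOT ansible-lint's own
# output format; the field names are assumptions chosen for illustration.
SAMPLE_FINDINGS = [
    {"rule": "yaml[truthy]", "severity": "low",
     "message": "Truthy value should be one of [false, true]",
     "path": "playbooks/site.yml", "line": 12},
    {"rule": "no-changed-when", "severity": "medium",
     "message": "Commands should not change things if nothing needs doing",
     "path": "roles/web/tasks/main.yml", "line": 7},
    {"rule": "yaml[truthy]", "severity": "low",
     "message": "Truthy value should be one of [false, true]",
     "path": "roles/web/tasks/main.yml", "line": 21},
]

# SARIF result levels are none, note, warning and error; map the example's
# severities onto the three that produce a visible alert.
LEVEL_FOR_SEVERITY = {"low": "note", "medium": "warning", "high": "error"}


def build_sarif(findings, tool_name="ansible-lint",
                tool_url="https://github.com/ansible/ansible-lint"):
    """Return a SARIF log (as a dict) with one run and one result per finding."""
    rules = []        # reportingDescriptor objects, one per distinct rule id
    rule_index = {}   # rule id -> position in `rules`
    results = []
    for f in findings:
        if f["rule"] not in rule_index:
            rule_index[f["rule"]] = len(rules)
            rules.append({"id": f["rule"], "shortDescription": {"text": f["message"]}})
        results.append({
            "ruleId": f["rule"],
            "ruleIndex": rule_index[f["rule"]],
            "level": LEVEL_FOR_SEVERITY.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                # Path relative to the checkout root, so the alert lands on the file.
                "artifactLocation": {"uri": f["path"]},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": SARIF_VERSION,
        "runs": [{
            "tool": {"driver": {"name": tool_name, "informationUri": tool_url,
                                "rules": rules}},
            "results": results,
        }],
    }


def validate_sarif(log):
    """Return a list of problems for the fields an upload cannot do without.

    An empty list means the minimal structure is present. This is not a full
    schema check, only the omissions that most often make an upload fail.
    """
    problems = []
    if log.get("version") != SARIF_VERSION:
        problems.append(f"version must be {SARIF_VERSION}")
    runs = log.get("runs")
    if not isinstance(runs, list) or not runs:
        return problems + ["runs must be a non-empty list"]
    for i, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append(f"runs[{i}].tool.driver.name is required")
        for j, res in enumerate(run.get("results", [])):
            if not res.get("ruleId"):
                problems.append(f"runs[{i}].results[{j}].ruleId is required")
            if not res.get("message", {}).get("text"):
                problems.append(f"runs[{i}].results[{j}].message.text is required")
            if res.get("level") not in ("none", "note", "warning", "error", None):
                problems.append(f"runs[{i}].results[{j}].level is invalid")
    return problems


def write_sarif(findings, filename, workspace=None):
    """Write the SARIF log to `filename`, resolved against GITHUB_WORKSPACE.

    Mirrors the PR's proposal: a bare file name lands in the workspace root.
    Refuses to write a log that would be rejected at upload time.
    """
    workspace = workspace or os.environ.get("GITHUB_WORKSPACE", ".")
    log = build_sarif(findings)
    problems = validate_sarif(log)
    if problems:
        raise ValueError("refusing to write invalid SARIF: " + "; ".join(problems))
    out_path = Path(workspace) / filename
    out_path.write_text(json.dumps(log, indent=2))
    return out_path


if __name__ == "__main__":
    # Same file name as in the PR's example workflow.
    print(write_sarif(SAMPLE_FINDINGS, "ansiblelint_results.sarif"))
```

Validating before writing matters in a CI step: a malformed file fails in the separate upload-sarif step, where the error is detached from the lint run that produced it.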

yongyan-gh commented 2 years ago

@ssbarnea thanks for your thoughts/inputs, I understand the design principle of not modifying the container image.

The GITHUB_SARIF variable is not a GitHub reserved environment variable; we can define any variable name to be used in the action. The goal of creating this variable is that when users of the action want to generate a .sarif file, they can set this variable to a valid file name, the ansible-lint action exports the results in SARIF format to the file specified by the variable, and they can then use another action, github/codeql-action/upload-sarif@v2, to upload the .sarif file to GHAS to produce the code scanning alerts. The path will be GITHUB_WORKSPACE by default if not specified.

Please let me know what is the preferable way to implement the feature. Thanks!
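The two halves described above (write the SARIF file, then upload it) as one complete workflow. This is an added illustration, not part of the PR or of the action's documentation: the GITHUB_SARIF variable is the interface proposed in this PR and may not match what the action finally shipped, while `sarif_file` and `category` are inputs of github/codeql-action/upload-sarif. Two details the comments do not mention but a working pipeline needs: the job must grant `security-events: write` for the upload to be accepted, and the upload step needs `if: always()` because ansible-lint exits nonzero when it finds violations, which would otherwise skip the upload exactly when there is something to report.

```yaml
name: ansible-lint to code scanning

on: [push, pull_request]

permissions:
  contents: read
  security-events: write   # required for github/codeql-action/upload-sarif

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Run ansible-lint
        uses: ansible-community/ansible-lint-action@main
        env:
          # Interface proposed in this PR; a bare file name lands in GITHUB_WORKSPACE.
          GITHUB_SARIF: "ansiblelint_results.sarif"

      - name: Upload SARIF to code scanning
        if: always()   # lint exits nonzero on findings; still upload them
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ansiblelint_results.sarif
          category: ansible-lint
```

The `category` value keeps these alerts separate from any other SARIF uploads (for example CodeQL) in the same repository, so closing or dismissing one tool's results does not affect the other's.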

ssbarnea commented 2 years ago

To be honest, I would even consider adding an option upload_sarif to our action to allow using it directly. Only this morning we were also considering making the checkout step implicit inside the action, so it could be easier to enable.

yongyan-gh commented 2 years ago

@sbarnea I see, you mean we should add an input parameter to the action, e.g. 'upload_sarif', instead of using a hidden system environment variable. I updated the PR with the change.

Still, a custom entrypoint.sh needs to be inserted into the Docker image to handle the input parameters. If we don't want to modify the image, what is the preferable way to handle the input parameters without the shell script?