forked from stackrox/kube-linter
-
Notifications
You must be signed in to change notification settings - Fork 0
73 lines (62 loc) · 2.98 KB
/
test-sarif.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
name: Test kube-linter SARIF output
on:
# Important! Event type should be (or include) `pull_request` if you want to see linter checks in pull request UI.
#
# `github/codeql-action/upload-sarif@v1` action seems to use `${{ github.ref }}` context property when it submits
# SARIF through the API.
# When `github.ref` points to the branch, sarif results appear only in the security tab. When `github.ref` points to
# PR, results will appear also in the PR UI.
# See info here https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
# Although not documented officially, `pull_request` event type will make `github.ref` in PR format.
# See https://frontside.com/blog/2020-05-26-github-actions-pull_request/#how-does-pull_request-affect-actionscheckout
- pull_request
# `push` event type should also be turned on in order for GitHub to be able to figure out diff between alerts in
# source and target branches of PR and display it in Actions | Code scanning results.
- push
jobs:
build-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
# Checkout all repo history to make tags available for figuring out kube-linter version during build.
fetch-depth: 0
- name: Read Go version from go.mod
run: echo "GO_VERSION=$(grep -E "^go\s+[0-9.]+$" go.mod | cut -d " " -f 2)" >> $GITHUB_ENV
- name: Setup Go environment
uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}
- name: Cache Go modules
uses: actions/cache@v2
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Build binaries
run: make build
- name: Print kube-linter version
run: .gobin/kube-linter version
- name: Run kube-linter on a sample file with SARIF output
run: .gobin/kube-linter lint --format=sarif tests/testdata/splunk.yaml > results.sarif
continue-on-error: true
- name: Dump output file and check it is not empty
# The if part will generate no-zero exit code if the file is empty. See https://github.com/stedolan/jq/issues/1142#issuecomment-432003984
run: jq -es 'if . == [] then null else .[] | . end' results.sarif
- name: Upload output file as GitHub artifact for manual investigation
uses: actions/upload-artifact@v2
with:
name: results.sarif
path: results.sarif
- name: Check if output file is valid according to SARIF schema
run: |
set -ex
GO111MODULE=on go get github.com/neilpa/yajsv@v1.4.0
schema=$(jq -r '.["$schema"]' results.sarif)
[ -n "$schema" ] && wget -nv $schema
yajsv -s $(basename $schema) results.sarif
- name: Upload SARIF output file to GitHub
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif