security-issues¶
Example Usage¶
name: Report Security Issues for Repository
on:
schedule:
# “Every day at 00:00.” (https://crontab.guru)
- cron: "0 0 * * *"
jobs:
report_security_issues:
name: Report Security Issues
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: SCM Checkout
uses: actions/checkout@v4
- name: Report Security Issues
uses: exasol/python-toolbox/.github/actions/security-issues@0.6.1
with:
format: "maven"
command: "cat maven-cve-report.json"
github-token: ${{ secrets.GITHUB_TOKEN }}
Configuration¶
This action exposes 3 configuration parameters command, format and github-token, for details see the specific sections below.
command¶
Workspace command which shall be executed in order to check the project’s dependencies for CVEs.
Note
The calling workflow needs to make sure the specified command can be executed in the context of the workflow.
format¶
Specifies converter which needs to be applied on the output of the provided command. Currently there are only two converters available
maven
Converts the output of mavens oss plugin into required input format.
pass-through
In case the command itself already outputs the expected input format, the format can be specified as code:pass-through.
Input Format¶
The expect intput format is jsonl (line based json), of the following form:
{ "cve": "<cve-id>", "cwe": "<cwe-id>", "description": "<multiline string>", "coordinates": "<string>", "references": ["<url>", "<url>", ...] }
Attention
The input format may change in the future. Therefore make sure to rather use or contribute a converter for a specific format rather than outputting this format by your own tooling.
github-token¶
The temporary GitHub token of the workflow needs to be passed into the action (${{ secrets.GITHUB_TOKEN }}
),
in order to enable the action to query and created GitHub issues.
Ideas¶
Todo
Add additional details to the security.Issue
type
Todo
Consider adapting common CVE report format as input, for additional details see here.