security-issues

Example Usage

name: Report Security Issues for Repository

on:
  schedule:
    # “Every day at 00:00.” (https://crontab.guru)
    - cron: "0 0 * * *"

jobs:

  report_security_issues:

    name: Report Security Issues

    runs-on: ubuntu-latest

    permissions:
      issues: write

    steps:
      - name: SCM Checkout
        uses: actions/checkout@v4

      - name: Report Security Issues
        uses: exasol/python-toolbox/.github/actions/security-issues@0.6.1
        with:
          format: "maven"
          command: "cat maven-cve-report.json"
          github-token: ${{ secrets.GITHUB_TOKEN }}

Configuration

This action exposes 3 configuration parameters command, format and github-token, for details see the specific sections below.

command

Workspace command which shall be executed in order to check the project’s dependencies for CVEs.

Note

The calling workflow needs to make sure the specified command can be executed in the context of the workflow.

format

Specifies converter which needs to be applied on the output of the provided command. Currently there are only two converters available

  1. maven

    Converts the output of mavens oss plugin into required input format.

  2. pass-through

    In case the command itself already outputs the expected input format, the format can be specified as code:pass-through.

Input Format

The expect intput format is jsonl (line based json), of the following form:

{ "cve": "<cve-id>", "cwe": "<cwe-id>", "description": "<multiline string>", "coordinates": "<string>", "references": ["<url>", "<url>", ...] }

Attention

The input format may change in the future. Therefore make sure to rather use or contribute a converter for a specific format rather than outputting this format by your own tooling.

github-token

The temporary GitHub token of the workflow needs to be passed into the action (${{ secrets.GITHUB_TOKEN }}), in order to enable the action to query and created GitHub issues.

Ideas

Todo

Add additional details to the security.Issue type

Todo

Consider adapting common CVE report format as input, for additional details see here.