66 runs-on : ubuntu-latest
77
88 steps :
9- - uses : actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
9+ - uses : actions/checkout@v4
1010 with :
1111 ref : ${{ github.event.pull_request.head.sha }}
1212
13- - uses : actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
13+ - uses : actions/setup-go@v5
1414 with :
1515 go-version : " ^1.22"
1616
3636
3737 - name : Run 2ms Scan for each repo
3838 run : |
39- mkdir -p $GITHUB_WORKSPACE/results
40- IFS=' ' read -r -a REPOS_ARRAY <<< "$repos"
41- touch $GITHUB_WORKSPACE/scan_results.json
42- echo "[" > $GITHUB_WORKSPACE/scan_results.json
43- for repo_url in "${REPOS_ARRAY[@]}"; do
44- repo_name=$(basename "$repo_url" .git)
45- result_sarif="$GITHUB_WORKSPACE/results/$repo_name.sarif"
46- start_time=$(date +%s.%N)
47- if $GITHUB_WORKSPACE/2ms/dist/2ms filesystem --path "$GITHUB_WORKSPACE/repos/$repo_name" --ignore-on-exit results --report-path "$result_sarif"; then
48- scan_status="success"
49- else
50- scan_status="failure"
51- fi
52- end_time=$(date +%s.%N)
53- execution_time=$(echo "$end_time - $start_time" | bc)
54- execution_time_formatted=$(printf "%.2f" "$execution_time")
55- echo "{
56- \"repo_name\": \"$repo_name\",
57- \"scan_status\": \"$scan_status\",
58- \"execution_time\": \"$execution_time_formatted\"
59- }," >> $GITHUB_WORKSPACE/scan_results.json
60- done
61- sed -i '$ s/,$//' $GITHUB_WORKSPACE/scan_results.json
62- echo "]" >> $GITHUB_WORKSPACE/scan_results.json
63- cp -r $GITHUB_WORKSPACE/results $GITHUB_WORKSPACE/results_backup
64-
65- - name : Get Results Directory
66- id : get_results_dir
67- run : |
68- echo "results_dir=results" >> $GITHUB_ENV
69-
70- - name : Get 2ms Version
71- id : get_twoms_version
72- run : |
73- echo "twoms_version=$(curl -s https://api.github.com/repos/checkmarx/2ms/releases/latest | jq -r '.tag_name')" >> $GITHUB_ENV
74-
75- - name : Set S3 Destination Path
76- id : set_s3_path
77- run : |
78- BRANCH_NAME="${{ github.head_ref || github.ref_name }}"
79- PR_NUMBER="${{ github.event.number }}"
80- ENGINE="2ms"
81- COMMIT_HASH="${{ github.sha }}"
82- PR_OWNER="${{ github.actor }}"
83- TARGET_BRANCH="master"
84- DEST_DIR="${ENGINE}/${TARGET_BRANCH}/${BRANCH_NAME}/${{ env.twoms_version }}/pr-${PR_NUMBER}"
85- echo "destination_dir=$DEST_DIR" >> $GITHUB_ENV
86- echo "results_dir=${{ env.results_dir }}" >> $GITHUB_ENV
87-
88- - name : Organize SARIF files
89- run : |
90- mkdir -p "${{ env.results_dir }}/pr-${{ github.event.number }}"
91- for sarif_file in $GITHUB_WORKSPACE/results/*.sarif; do
92- if [[ -f "$sarif_file" ]]; then
93- project_name=$(basename "$sarif_file" .sarif)
94- mkdir -p "${{ env.results_dir }}/pr-${{ github.event.number }}/$project_name"
95- mv "$sarif_file" "${{ env.results_dir }}/pr-${{ github.event.number }}/$project_name/results.sarif"
39+ mkdir -p $GITHUB_WORKSPACE/results
40+ IFS=' ' read -r -a REPOS_ARRAY <<< "$repos"
41+ echo "[" > $GITHUB_WORKSPACE/scan_results.json
42+ for repo_url in "${REPOS_ARRAY[@]}"; do
43+ repo_name=$(basename "$repo_url" .git)
44+ result_sarif="$GITHUB_WORKSPACE/results/$repo_name.sarif"
45+ start_time=$(date +%s.%N)
46+ if $GITHUB_WORKSPACE/2ms/dist/2ms filesystem --path "$GITHUB_WORKSPACE/repos/$repo_name" --ignore-on-exit results --report-path "$result_sarif"; then
47+ scan_status="success"
48+ else
49+ scan_status="failure"
9650 fi
51+ end_time=$(date +%s.%N)
52+ execution_time=$(echo "$end_time - $start_time" | bc)
53+ execution_time_formatted=$(printf "%.2f" "$execution_time")
54+ echo "{
55+ \"repo_name\": \"$repo_name\",
56+ \"scan_status\": \"$scan_status\",
57+ \"execution_time\": \"$execution_time_formatted\"
58+ }," >> $GITHUB_WORKSPACE/scan_results.json
9759 done
98-
99- - name : Create Metadata File
100- run : |
101- COMMIT_TIMESTAMP=$(git log -1 --format=%ct)
102- METADATA_PATH="${{ env.results_dir }}/pr-${{ github.event.number }}/metadata.json"
103- echo '{
104- "seq": "'"${COMMIT_TIMESTAMP}"'",
105- "tag": "'"${{ github.event.number }}"'",
106- "comment": "'"${{ github.event.pull_request.title }}"'",
107- "commit": "'"${{ github.sha }}"'",
108- "owner": "'"${{ github.actor }}"'",
109- "branch": "'"${{ github.head_ref || github.ref_name }}"'",
110- "engine": "2ms",
111- "version": "'"${{ env.twoms_version }}"'"
112- }' > "$METADATA_PATH"
60+ sed -i '$ s/,$//' $GITHUB_WORKSPACE/scan_results.json
61+ echo "]" >> $GITHUB_WORKSPACE/scan_results.json
11362
11463 - name : Upload results to S3
115- run : |
116- aws s3 cp --recursive "${{ env.results_dir }}/pr-${{ github.event.number }}" "s3://${{ secrets.CES_AWS_BUCKET }}/${{ env.destination_dir }}" \
117- --storage-class STANDARD
11864 env :
11965 AWS_ACCESS_KEY_ID : ${{ secrets.CES_BUCKET_AWS_ACCESS_KEY }}
12066 AWS_SECRET_ACCESS_KEY : ${{ secrets.CES_BUCKET_AWS_SECRET_ACCESS_KEY }}
121-
122- - name : Get Scan Results for Comment
123- id : scan_results
12467 run : |
125- echo "| Repository | Status | Execution Time (seconds) |" > $GITHUB_WORKSPACE/scan_results_table.md
126- echo "|------------|--------|--------------------------|" >> $GITHUB_WORKSPACE/scan_results_table.md
127- jq -r '
128- .[] |
129- "| \(.repo_name) | " +
130- (if .scan_status == "success" then "✅" else "❌" end) +
131- " | \(.execution_time) |"' $GITHUB_WORKSPACE/scan_results.json >> $GITHUB_WORKSPACE/scan_results_table.md
132- echo "SCAN_RESULTS<<EOF" >> $GITHUB_ENV
133- cat $GITHUB_WORKSPACE/scan_results_table.md >> $GITHUB_ENV
134- echo "EOF" >> $GITHUB_ENV
68+ aws s3 cp --recursive "${{ env.results_dir }}/pr-${{ github.event.number }}" "s3://${{ secrets.CES_AWS_BUCKET }}/${{ env.destination_dir }}" --storage-class STANDARD
13569
13670 - name : Create PR Comment with Job Summary in Table
13771 uses : peter-evans/create-or-update-comment@v2
13872 with :
139- issue-number : ${{ github.event.pull_request.number }}
140- body : |
141- ## 🛠 Scan Summary
142-
143-
144- ${{ env.SCAN_RESULTS }}
145-
73+ issue-number : ${{ github.event.pull_request.number }}
74+ body : |
75+ ## 🛠 Scan Summary
76+
77+ ${{ env.SCAN_RESULTS }}
78+
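Review bot: On the new side, the S3 upload at new line 68 and the comment body at new line 77 still read `env.results_dir`, `env.destination_dir` and `env.SCAN_RESULTS`, but the steps that wrote those into `$GITHUB_ENV` (old lines 65–86 and 122–133) are removed, and the new scan loop (new lines 39–61) no longer moves SARIF files under `${{ env.results_dir }}/pr-N`, so the copied path resolves to an empty or non-existent directory unless those values are now set at job level in lines 17–35, which are outside this view. Either restore a step that populates them or point the copy at a path the new loop actually produces, e.g. `aws s3 cp --recursive "$GITHUB_WORKSPACE/results" "s3://${{ secrets.CES_AWS_BUCKET }}/<DEST_DIR placeholder>" --storage-class STANDARD` with the destination derived in the same step. Separately, new lines 9 and 13 replace commit-pinned `actions/checkout` and `actions/setup-go` references with the floating tags `@v4` and `@v5`; since this job holds bucket credentials, keeping the full commit SHA with a `# vX.Y.Z` comment (as the removed lines did) avoids a mutable-tag supply-chain dependency. The `runs-on`/`steps` block begins before this hunk.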