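# Composite GitHub Action that installs llm-authz-audit and runs a scan.
#
# All user-controlled inputs are handed to the shell steps through `env:`
# and referenced as shell variables; they are never spliced into the script
# text with `${{ }}`, so a crafted input (e.g. a path or version containing
# shell metacharacters) cannot inject commands. The scan command is built as
# a bash array instead of a string passed to `eval`.
name: 'LLM AuthZ Audit'
description: 'Static security analyzer for LLM applications — finds OWASP LLM Top 10 issues before they reach production'
branding:
  icon: 'shield'
  color: 'green'

inputs:
  path:
    description: 'Path to scan'
    required: false
    default: '.'
  format:
    description: 'Output format: console, json, sarif'
    required: false
    default: 'sarif'
  fail-on:
    description: 'Minimum severity for non-zero exit: critical, high, medium, low'
    required: false
    default: 'high'
  min-confidence:
    description: 'Minimum confidence to include: low, medium, high'
    required: false
    default: ''
  exclude:
    description: 'Comma-separated glob patterns to exclude'
    required: false
    default: ''
  extra-rules:
    description: 'Comma-separated paths to custom rule directories'
    required: false
    default: ''
  suppress:
    description: 'Path to suppression YAML file'
    required: false
    default: ''
  diff:
    description: 'Only scan files changed since this git ref (e.g. HEAD~1, main)'
    required: false
    default: ''
  python-version:
    description: 'Python version to use'
    required: false
    default: '3.12'
  version:
    description: 'llm-authz-audit version to install (default: latest)'
    required: false
    default: ''

outputs:
  sarif-file:
    description: 'Path to SARIF output file (when format=sarif)'
    value: ${{ steps.scan.outputs.sarif-file }}
  exit-code:
    description: 'Exit code from the scan (0=pass, 1=findings, 2=error)'
    value: ${{ steps.scan.outputs.exit-code }}

runs:
  using: 'composite'
  steps:
    - name: Set up Python
      # NOTE(review): `@v5` is a mutable tag; pinning to a full commit SHA
      # (with the tag in a trailing comment) makes the dependency immutable.
      uses: actions/setup-python@v5
      with:
        python-version: ${{ inputs.python-version }}

    - name: Install llm-authz-audit
      shell: bash
      env:
        PKG_VERSION: ${{ inputs.version }}
      run: |
        # An empty version installs the latest release; otherwise pin to the
        # requested one. The version is quoted so it is a single pip argument.
        if [ -n "$PKG_VERSION" ]; then
          pip install "llm-authz-audit==$PKG_VERSION"
        else
          pip install llm-authz-audit
        fi

    - name: Run scan
      id: scan
      shell: bash
      env:
        SCAN_PATH: ${{ inputs.path }}
        SCAN_FORMAT: ${{ inputs.format }}
        SCAN_FAIL_ON: ${{ inputs.fail-on }}
        SCAN_MIN_CONFIDENCE: ${{ inputs.min-confidence }}
        SCAN_EXCLUDE: ${{ inputs.exclude }}
        SCAN_EXTRA_RULES: ${{ inputs.extra-rules }}
        SCAN_SUPPRESS: ${{ inputs.suppress }}
        SCAN_DIFF: ${{ inputs.diff }}
      run: |
        # Build argv as an array: each input stays one argument, regardless
        # of spaces or shell metacharacters it contains.
        args=(scan "$SCAN_PATH" --format "$SCAN_FORMAT" --fail-on "$SCAN_FAIL_ON")
        if [ -n "$SCAN_MIN_CONFIDENCE" ]; then
          args+=(--min-confidence "$SCAN_MIN_CONFIDENCE")
        fi
        if [ -n "$SCAN_EXCLUDE" ]; then
          args+=(--exclude "$SCAN_EXCLUDE")
        fi
        if [ -n "$SCAN_EXTRA_RULES" ]; then
          args+=(--extra-rules "$SCAN_EXTRA_RULES")
        fi
        if [ -n "$SCAN_SUPPRESS" ]; then
          args+=(--suppress "$SCAN_SUPPRESS")
        fi
        if [ -n "$SCAN_DIFF" ]; then
          args+=(--diff "$SCAN_DIFF")
        fi

        # SARIF output is captured to a fixed file name so the workflow can
        # upload it; the name is exposed via the `sarif-file` output.
        SARIF_FILE=""
        if [ "$SCAN_FORMAT" = "sarif" ]; then
          SARIF_FILE="llm-authz-audit-results.sarif"
        fi

        echo "Running: llm-authz-audit ${args[*]}"
        # The scanner exits non-zero when findings meet `fail-on`; disable
        # errexit around the call so the exit code can be recorded first.
        set +e
        if [ -n "$SARIF_FILE" ]; then
          llm-authz-audit "${args[@]}" > "$SARIF_FILE"
        else
          llm-authz-audit "${args[@]}"
        fi
        EXIT_CODE=$?
        set -e

        echo "exit-code=$EXIT_CODE" >> "$GITHUB_OUTPUT"
        if [ -n "$SARIF_FILE" ]; then
          echo "sarif-file=$SARIF_FILE" >> "$GITHUB_OUTPUT"
        fi
        # Propagate the scanner's exit code so the step fails on findings.
        exit $EXIT_CODE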