Add GitHub Action and self-test (#14)

fproulx-boostsecurity · web-flow · commit d6685250b9a0 · 2024-04-14T18:43:27.000-07:00
* Add GitHub Action and self-test

Signed-off-by: François Proulx &lt;76956526+fproulx-boostsecurity@users.noreply.github.com&gt;
Signed-off-by: Becojo &lt;Becojo@users.noreply.github.com&gt;
diff --git a/.github/workflows/pop.yml b/.github/workflows/pop.yml
@@ -0,0 +1,41 @@
+name: POP - poutine on poutine
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - .github/workflows/**
+      - action.yml
+
+  pull_request:
+    branches: [ main ]
+    paths:
+      - .github/workflows/**
+      - action.yml
+
+permissions:
+  security-events: write
+  contents: read
+
+jobs:
+  pop:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      with:
+        disable-sudo: true
+        egress-policy: audit
+        allowed-endpoints: >
+          github.com:443
+          api.github.com:443
+          codeload.github.com:443
+          objects.githubusercontent.com:443
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: ./
+      name: "Run poutine on poutine's own codebase"
+      id: self-test
+
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
+      with:
+        sarif_file: results.sarif
diff --git a/Dockerfile.action b/Dockerfile.action
@@ -0,0 +1,5 @@
+FROM ghcr.io/boostsecurityio/poutine:0.9.7@sha256:034326fac021cbedf8df99e90d993ec3553c7649395040bbb8bca05b601de35a
+
+USER root
+
+ENTRYPOINT ["/bin/sh", "-c"]
diff --git a/action.yml b/action.yml
@@ -0,0 +1,21 @@
+name: poutine - GitHub Actions SAST
+description: |
+  BoostSecurity.io’s poutine detects vulnerabilities and misconfigurations in your GitHub Actions workflows.
+  Designed to streamline security analysis, poutine scans your repository’s CI/CD pipelines.
+  It offers insights to secure your software supply chain efficiently.
+inputs:
+  format:
+    description: 'Report format'
+    default: sarif
+    required: true
+  output:
+    description: 'Report file output'
+    default: results.sarif
+    required: true
+runs:
+  using: docker
+  image: Dockerfile.action
+  args:
+    - |
+        git config --global --add safe.directory "$GITHUB_WORKSPACE"
+        poutine -format "$INPUT_FORMAT" analyze_local "$GITHUB_WORKSPACE" > "$INPUT_OUTPUT"
