-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaction.yml
48 lines (46 loc) · 1.91 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
name: 'LaunchDarkly Gosec'
description: 'Run gosec and upload the resutls to s3 and workflow artifacts'
author: '@kparkinson-ld'
inputs:
aws-assume-role:
description: 'The ARN of an AWS IAM role to assume. Used to auth with AWS to upload results to S3.'
required: true
s3-bucket:
description: 'Name of the s3 bucket to upload results to.'
required: true
s3-path:
description: 'Path to write results to within the s3 bucket.'
required: false
default: 'scan-results/gosec'
gosec-args:
description: 'Override the arguments passed to the gosec command.'
required: false
default: '--exclude-generated=true --severity=medium --concurrency=1 --fmt json --out=gosec-results.json --stdout --verbose=text --no-fail ./...'
runs:
using: "composite"
steps:
- name: Get date partition
shell: bash
id: date-partition
run: echo "DATE_PARTITION=$(date +'%Y/%m/%d')" >> $GITHUB_OUTPUT
- name: Checkout Source
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
- name: Run Gosec Security Scanner
uses: securego/gosec@6fbd381238e97e1d1f3358f0d6d65de78dcf9245 # [email protected]
with:
args: ${{ inputs.gosec-args }}
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # pin@v1-node16
with:
audience: https://github.com/launchdarkly
role-to-assume: ${{ inputs.aws-assume-role }}
aws-region: us-east-1
- name: Upload scan results to S3
shell: bash
run: |
aws s3 cp ./gosec-results.json s3://${{ inputs.s3-bucket }}/${{ inputs.s3-path }}/${{ steps.date-partition.outputs.DATE_PARTITION }}/$GITHUB_REPOSITORY.json
- name: Upload scan results artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # [email protected]
with:
name: gosec-results
path: gosec-results.json