Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/tspascoal/fail-workflow-on-alerts-action

GitHub Action to fail a workflow if code scanning alerts exceed certain thresholds

actions


README


# Fail workflow on alerts action

![build-test](https://github.com/tspascoal/fail-workflow-on-alerts-action/actions/workflows/test.yml/badge.svg)

It is recommended that you use [advanced-security-compliance](https://github.com/advanced-security/policy-as-code) instead; it is more feature rich than Fail workflow on alerts action.

> [!WARNING]
> EXPERIMENTAL. Haven't completely tested all the semantics. Use at your own peril.

This action will fail a workflow if there are open [Code Scanning](https://docs.github.com/en/code-security/secure-coding/about-code-scanning) alerts that exceed the defined thresholds (e.g. there are more than X critical alerts).

It scans for open alerts in the current git reference, whether that reference is a PR or not.

Failure is optional: the action also outputs the number of alerts found (by type), and the workflow will fail if the number of `TYPE` alerts found is greater than `MAX_ALERT_TYPE`.

> ~~Known Issue: If the action runs immediately after the SARIF file upload (either an action) the results may be delayed. Haven't fully determined the cause but it seems the processing of the SARIF file is asynchronous. Try to run the action as late as possible.~~ This no longer happens unless you have set the parameter `wait-for-processing` to false.

Alternatively you can also configure the severity of [alerts that will issue a failed check](https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-alert-severities-causing-pull-request-check-failure) and then combine this with branch protection rules to prevent pull requests from being completed.

## Usage

```YAML
- uses: tspascoal/fail-workflow-on-alerts-action@v0
  id: alerts
  with:
    max_errors: 10 # optional. Skip or -1 to ignore alerts
    max_warnings: 100 # optional. Skip or -1 to ignore alerts
    max_notes: 1000 # optional. Skip or -1 to ignore alerts
    max_unknowns: 5 # optional. Skip or -1 to ignore alerts
    max_none: 3 # optional. Skip or -1 to ignore alerts

- run: |
    echo number errors ${{ steps.alerts.outputs.error }}
    echo number warnings ${{ steps.alerts.outputs.warning }}
    echo number notes ${{ steps.alerts.outputs.note }}
```
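The threshold check the action performs, as an added Python illustration (not the action's own code): count the open alerts for a git ref by rule severity and report which `max_*` limits are exceeded, where a missing or `-1` limit is ignored. The sample alert list is constructed; `fetch_open_alerts` uses the GitHub REST code-scanning alerts endpoint with `state=open` and `ref=` and is the only part that needs network access.

```python
import json
import urllib.request

SEVERITIES = ("error", "warning", "note", "unknown", "none")

# Constructed sample with only the fields this example reads. A dismissed alert is
# included to show that it is not counted, mirroring the "ignores dismissed alerts" behaviour.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "rule": {"severity": "error"}},
    {"number": 2, "state": "open", "rule": {"severity": "error"}},
    {"number": 3, "state": "open", "rule": {"severity": "warning"}},
    {"number": 4, "state": "dismissed", "rule": {"severity": "error"}},
    {"number": 5, "state": "open", "rule": {}},  # no severity -> counted as "unknown"
]

def count_open_alerts(alerts):
    """Count open alerts by rule severity (the action's error/warning/note outputs)."""
    counts = {s: 0 for s in SEVERITIES}
    for alert in alerts:
        if alert.get("state") != "open":
            continue  # dismissed or fixed alerts do not count against the thresholds
        sev = (alert.get("rule") or {}).get("severity") or "unknown"
        counts[sev if sev in counts else "unknown"] += 1
    return counts

def exceeded_thresholds(counts, limits):
    """Severities whose open count is above the limit; a missing or -1 limit is skipped."""
    return [s for s in SEVERITIES if limits.get(s, -1) >= 0 and counts[s] > limits[s]]

def fetch_open_alerts(owner, repo, ref, token, per_page=100):
    """Fetch one page of open alerts for a ref (e.g. refs/pull/42/merge); needs network.
    Repositories with more than per_page open alerts need the Link-header pagination."""
    url = (f"https://api.github.com/repos/{owner}/{repo}/code-scanning/alerts"
           f"?state=open&ref={ref}&per_page={per_page}")
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    counts = count_open_alerts(SAMPLE_ALERTS)
    over = exceeded_thresholds(counts, {"error": 1, "warning": 100, "note": -1})
    print(counts, "exceeded:", over)
    raise SystemExit(1 if over else 0)  # non-zero exit fails the workflow step
```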

## Alternatives

An alternative method is to look directly at the SARIF file generated by CodeQL (or any other scanning tool) and fail the workflow if there are issues. This method has the disadvantage of not ignoring alerts that you have dismissed in the UI as not important.

This method is described [here](https://josh-ops.com/posts/github-codeql-pr/).

## Related actions

In case you want to generate a nice PDF report with security findings, you can use the [GitHub Security Report Action](https://github.com/marketplace/actions/github-security-report-action).

## License

[MIT License](LICENSE)