Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 17 additions & 1 deletion .github/workflows/hypatia-scan-reusable.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ on:

permissions:
contents: read
security-events: read
security-events: write

jobs:
scan:
Expand Down Expand Up @@ -94,6 +94,14 @@ jobs:
# counts below, not on the scanner's exit code.
HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . --exit-zero > hypatia-findings.json

# Emit SARIF for the GitHub Security tab. The code_scanning_alerts
# meta-rules are filtered at SARIF render time (lib/hypatia/sarif.ex),
# so an upload can never self-echo. Same tool name ("Hypatia") and
# category ("hypatia") as the historical upload, so GitHub RECONCILES:
# findings fixed in code since the last scan auto-close instead of
# orphaning as stale open alerts.
HYPATIA_FORMAT=sarif "$HOME/hypatia/hypatia-cli.sh" scan . --exit-zero > hypatia.sarif || echo '{"version":"2.1.0","runs":[]}' > hypatia.sarif

FINDING_COUNT=$(jq '. | length' hypatia-findings.json 2>/dev/null || echo 0)
CRITICAL=$(jq '[.[] | select(.severity == "critical")] | length' hypatia-findings.json 2>/dev/null || echo 0)
HIGH=$(jq '[.[] | select(.severity == "high")] | length' hypatia-findings.json 2>/dev/null || echo 0)
Expand All @@ -113,6 +121,14 @@ jobs:
echo "| Medium | $MEDIUM |" >> $GITHUB_STEP_SUMMARY
echo "| **Total**| $FINDING_COUNT |" >> $GITHUB_STEP_SUMMARY

- name: Upload SARIF to code scanning
if: always()
continue-on-error: true # callers granting only security-events:read skip gracefully
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v3
with:
sarif_file: hypatia.sarif
category: hypatia

- name: Run panic-attack assail
run: |
if command -v panic-attack >/dev/null 2>&1; then
Expand Down
Loading