From 464fc7dd5e581358c08911b53a5eb3d458c2ee67 Mon Sep 17 00:00:00 2001
From: SoaAlex
Date: Mon, 15 Jan 2024 12:57:37 +0100
Subject: [PATCH] feat(action): add `skip_audited` and `verbose` options to `baseline2rdf`

---
 action.yml      |  6 ++++++
 baseline2rdf.py | 39 ++++++++++++++++++++++++++-------------
 entrypoint.sh   |  9 ++++++++-
 3 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/action.yml b/action.yml
index 8cfdfed..120d5a3 100644
--- a/action.yml
+++ b/action.yml
@@ -34,6 +34,12 @@ inputs:
   baseline_path:
     description: The baseline path to update. If not provided, a new baseline will be created.
     default: ""
+  skip_audited:
+    description: Whether to skip secrets that have been audited. [true,false]
+    default: "false"
+  verbose:
+    description: Whether to print verbose output. [true,false]
+    default: "false"
 runs:
   using: docker
   image: Dockerfile
diff --git a/baseline2rdf.py b/baseline2rdf.py
index bbcd687..6e9615e 100755
--- a/baseline2rdf.py
+++ b/baseline2rdf.py
@@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-
 import sys
 import json
+import argparse
 
 rdjson = {
     'source': {
@@ -13,7 +14,7 @@
 }
 
 
-def main():
+def main(skip_audited: bool = True, verbose: bool = False):
     baseline = json.load(sys.stdin)
     if not baseline['results']:
         baseline['results'] = {}
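Review bot: The `skip_audited` description ("skip secrets that have been audited") does not match what the new baseline2rdf.py code does: only findings whose `is_secret` is false, i.e. audited as not a secret, are dropped, while findings audited as real secrets are still reported. Suggest `description: Whether to drop findings that were audited as not a secret (is_secret false). [true,false]` so users do not expect confirmed true positives to vanish from the report too. The `verbose` description should also say that the extra output comes from baseline2rdf itself, since that determines which stream it lands on.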
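Review bot: `def main(skip_audited: bool = True, verbose: bool = False)` makes skipping the default, while action.yml declares `skip_audited` default "false" and the entrypoint.sh hunk only ever adds a positive flag, so an action user has no way to turn skipping off; the same default is repeated in `parser.set_defaults(skip_audited=True)` in the `__main__` hunk. Either default to `False` here and in the parser, or have entrypoint.sh pass `--no-skip-audited` whenever the input is not "true". The signature also gains two parameters without a docstring; something like `"""Build rdjson diagnostics from the detect-secrets baseline on stdin; skip_audited drops findings audited as not a secret, verbose reports each skip."""` would document them. main()'s body continues outside the hunk.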
@@ -21,21 +22,25 @@ def main():
     results = {}
     for detects in baseline['results'].values():
         for item in detects:
-            key = '%s:%s' % (item['filename'], item['line_number'])
-            if key in results:
-                results[key]['message'] += '\n* ' + item['type']
+            if skip_audited and 'is_secret' in item and not item['is_secret']:
+                if verbose:
+                    print('Skipping verified secret in : %s' % item['filename'])
             else:
-                results[key] = {
-                    'message': '\n* ' + item['type'],
-                    'location': {
-                        'path': item['filename'],
-                        'range': {
-                            'start': {
-                                'line': item['line_number']
+                key = '%s:%s' % (item['filename'], item['line_number'])
+                if key in results:
+                    results[key]['message'] += '\n* ' + item['type']
+                else:
+                    results[key] = {
+                        'message': '\n* ' + item['type'],
+                        'location': {
+                            'path': item['filename'],
+                            'range': {
+                                'start': {
+                                    'line': item['line_number']
+                                }
                             }
                         }
                     }
-                }
 
     for result in results.values():
         rdjson['diagnostics'].append(result)
@@ -50,4 +55,12 @@ def main():
 
 
 if __name__ == '__main__':
-    sys.exit(main())
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--skip-audited', dest='skip_audited', action='store_true')
+    parser.add_argument('--no-skip-audited', dest='skip_audited', action='store_false')
+    parser.set_defaults(skip_audited=True)
+    parser.add_argument('--verbose', dest='verbose', action='store_true')
+    parser.set_defaults(verbose=False)
+    args = parser.parse_args()
+
+    sys.exit(main(skip_audited=args.skip_audited, verbose=args.verbose))
diff --git a/entrypoint.sh b/entrypoint.sh
index 67d02aa..3405ffd 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
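Review bot: The verbose `print(...)` writes to stdout, and entrypoint.sh pipes baseline2rdf's stdout straight into `reviewdog -f=rdjson`, so enabling verbose injects a plain-text line into the JSON stream reviewdog has to parse; send it to stderr instead, `print('Skipping audited-false finding in: %s' % item['filename'], file=sys.stderr)`. That wording also fixes the message calling the finding "verified" while the test is on `is_secret`, which is a different notion from detect-secrets' `is_verified` flag. Separately, `'is_secret' in item and not item['is_secret']` treats a null `is_secret` the same as false; if the baseline can carry `is_secret: null` for unaudited findings (not verifiable from this hunk), `item.get('is_secret') is False` limits the skip to entries explicitly audited as not a secret.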
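Review bot: `parser.set_defaults(verbose=False)` is redundant, since `action='store_true'` already defaults its destination to False, and splitting defaults out of the `add_argument` calls makes the two `set_defaults` lines easy to miss when reading the parser. If the runtime is Python 3.9 or newer (not visible in the diff), the `--skip-audited`/`--no-skip-audited` pair collapses to `parser.add_argument('--skip-audited', action=argparse.BooleanOptionalAction, default=True, help='drop findings audited as not a secret')`, which generates both spellings and a help entry. As written none of the options has a `help=` string, so `--help` says nothing about what skipping audited findings means.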
@@ -16,7 +16,14 @@ else
   detect-secrets scan ${INPUT_DETECT_SECRETS_FLAGS} ${INPUT_WORKDIR} > /tmp/.secrets.baseline
 fi
 
-cat /tmp/.secrets.baseline | baseline2rdf \
+if [ "${INPUT_SKIP_AUDITED}" = "true" ]; then
+  SKIP_VERIFIED_FLAG="--skip-verified"
+fi
+if [ "${INPUT_VERBOSE}" = "true" ]; then
+  VERBOSE_FLAG="--verbose"
+fi
+
+cat /tmp/.secrets.baseline | baseline2rdf ${SKIP_VERIFIED_FLAG} ${VERBOSE_FLAG} \
   | reviewdog -f=rdjson \
     -name="${INPUT_NAME:-detect-secrets}" \
     -filter-mode="${INPUT_FILTER_MODE:-added}" \
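Review bot: `SKIP_VERIFIED_FLAG="--skip-verified"` passes an option that baseline2rdf.py never defines (its parser registers `--skip-audited` and `--no-skip-audited`), so with `skip_audited: "true"` argparse rejects the command line and reviewdog receives no rdjson at all. Change the assignment to `SKIP_VERIFIED_FLAG="--skip-audited"` and add `else` / `SKIP_VERIFIED_FLAG="--no-skip-audited"` before the `fi`, so that the action's "false" default is also forwarded rather than silently falling back to the Python default of skipping. The unquoted `${SKIP_VERIFIED_FLAG} ${VERBOSE_FLAG}` expansions are intentional so empty values disappear, but they would abort under `set -u` if the script enables it (the script header is outside the hunk), in which case `${SKIP_VERIFIED_FLAG:-}` is the safe spelling.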