diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 0d0b1e4..1cdfa5f 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -98,6 +98,12 @@ on: required: false type: boolean default: false + upload-sarif: + description: "Upload checkov/trivy/zizmor results to GitHub code scanning (requires GitHub Advanced Security). Set + false for private repos without GHAS to gate on exit codes with console output instead." + required: false + type: boolean + default: true permissions: contents: read @@ -452,10 +458,18 @@ jobs: version: ${{ inputs.mise-version }} - name: Run checkov - run: mise exec -- checkov -d . --output sarif --output-file-path . || true + env: + UPLOAD_SARIF: ${{ inputs.upload-sarif }} + run: |- + if [ "${UPLOAD_SARIF}" = "true" ]; then + mise exec -- checkov -d . --output sarif --output-file-path . || true + else + # No GitHub Advanced Security: gate on exit code with console output. + mise exec -- checkov -d . --compact --quiet + fi - name: Filter skipped checks from SARIF - if: always() + if: ${{ always() && inputs.upload-sarif }} run: |- if [ -f results_sarif.sarif ]; then jq ' @@ -470,7 +484,7 @@ jobs: - name: Upload SARIF report uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 - if: always() + if: ${{ always() && inputs.upload-sarif }} with: sarif_file: results_sarif.sarif category: checkov @@ -499,6 +513,7 @@ jobs: - name: Run trivy env: CONFIG_DIR: ${{ inputs.lint-config-dir }} + UPLOAD_SARIF: ${{ inputs.upload-sarif }} run: |- # Lint tool versions are owned by the consuming repo: pinned and # Renovate-managed in its mise config. Fail early with guidance when @@ -516,13 +531,21 @@ jobs: trivy_args+=(--config "${CONFIG_DIR}/trivy.yaml") fi - mise exec -- trivy fs "${trivy_args[@]}" \ - --scanners misconfig,secret \ - --format sarif \ - --output trivy.sarif . || true + if [ "${UPLOAD_SARIF}" = "true" ]; then + mise exec -- trivy fs "${trivy_args[@]}" \ + --scanners misconfig,secret \ + --format sarif \ + --output trivy.sarif . || true + else + # No GitHub Advanced Security: gate on exit code with console output. + mise exec -- trivy fs "${trivy_args[@]}" \ + --scanners misconfig,secret \ + --exit-code 1 . + fi - name: Upload SARIF report uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 + if: ${{ inputs.upload-sarif }} with: sarif_file: trivy.sarif category: trivy @@ -549,11 +572,19 @@ jobs: version: ${{ inputs.mise-version }} - name: Run zizmor - run: mise exec -- zizmor --format sarif . > zizmor.sarif + env: + UPLOAD_SARIF: ${{ inputs.upload-sarif }} + run: |- + if [ "${UPLOAD_SARIF}" = "true" ]; then + mise exec -- zizmor --format sarif . > zizmor.sarif + else + # No GitHub Advanced Security: gate on exit code with console output. + mise exec -- zizmor . + fi - name: Upload SARIF report uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 - if: always() + if: ${{ always() && inputs.upload-sarif }} with: sarif_file: zizmor.sarif category: zizmor diff --git a/workflow-templates/lint.yml b/workflow-templates/lint.yml index 0d9082f..64f586c 100644 --- a/workflow-templates/lint.yml +++ b/workflow-templates/lint.yml @@ -25,6 +25,10 @@ jobs: # lint-config-dir: config-sync/files # Optional: fail this workflow when a linter fails (default: false). # lint-fail-on-error: true + # Optional: upload checkov/trivy/zizmor results to GitHub code scanning + # (default: true, requires GitHub Advanced Security). Set false for + # private repos without GHAS to gate on exit codes with console output. + # upload-sarif: false # Optional: use a different Go version file. # go-version-file: go.mod # Toggle linters on/off (all default to true):