From b7defdd02547c0143cafe88137fa763217d0af0b Mon Sep 17 00:00:00 2001 From: david-backslash Date: Mon, 19 May 2025 13:15:33 +0300 Subject: [PATCH 01/12] Fix BAC-8006: GHA | Local export --- src/index.ts | 38 +++++++++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/src/index.ts b/src/index.ts index acea604..f0d2732 100644 --- a/src/index.ts +++ b/src/index.ts @@ -1,8 +1,8 @@ import * as core from '@actions/core'; import * as github from '@actions/github'; +import { createHash } from 'crypto'; +import { readFileSync } from 'fs'; import * as process from 'process'; -import { readFileSync } from 'fs' -import { createHash } from 'crypto' import { spawn } from 'child_process'; import { downloadFile } from './util'; @@ -39,9 +39,10 @@ async function run() { const isOnPremise: boolean = core.getBooleanInput('isOnPremise'); const disablePrComments: boolean = core.getBooleanInput('disablePrComments'); const pushToDashboard: boolean = core.getBooleanInput('pushToDashboard'); + const localExport: boolean = core.getBooleanInput('localExport'); const githubToken = core.getInput('githubToken') const cloneUrl = `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}.git` - + const provider = isOnPremise ? 'github-enterprise-on-premise' : 'github' const repositoryName = github.context.payload.repository.name @@ -52,11 +53,6 @@ async function run() { return core.setFailed('Repo or branch not defined') } - let githubExtraInput = '' - if(!disablePrComments){ - githubExtraInput = `--providerPrNumber=${github.context.issue.number} --providerAccessToken=${githubToken}` - } - await downloadFile(S3CLIUrl, cliRunnerFileName) await downloadFile(S3CLIShaUrl, cliShaFileName) 
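Review bot: `core.getBooleanInput('localExport')`, added in the second hunk of src/index.ts, throws a TypeError when the input resolves to an empty string. This patch changes only src/index.ts, and no patch in the series as shown touches action.yml, so unless `localExport` is already declared there with a default, every workflow that omits it will fail before the scan starts. Declare the input in action.yml with `default: 'false'` and document it, or read it tolerantly with `const localExport = core.getInput('localExport') === 'true';`. The body of run() starts and ends outside this hunk.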
@@ -68,10 +64,30 @@ async function run() { } console.log(`Cli sha matches`); - const commonArgs = `--authToken=${authToken} ${ignoreBlock ? `--warnOnly`: ''} --deltaScan=${prScan} --analyzedBranch="${analyzedBranch}" --repositoryCloneUrl=${cloneUrl} --provider=${provider} --gitProviderOrganization=${organization} ${baselineBranch && `--baselineBranch="${baselineBranch}" `} ${githubExtraInput} --outputPath=${outputPath}` + let analyzeArgs = `--authToken=${authToken} --deltaScan=${prScan} --analyzedBranch="${analyzedBranch}" --repositoryCloneUrl=${cloneUrl} --provider=${provider} --gitProviderOrganization=${organization} --outputPath=${outputPath}` + + if(!disablePrComments){ + analyzeArgs += ` --providerPrNumber=${github.context.issue.number} --providerAccessToken=${githubToken}` + } + + if (baselineBranch) { + analyzeArgs += ` --baselineBranch="${baselineBranch}"` + } + + if (ignoreBlock) { + analyzeArgs += ` --warnOnly` + } + + if (localExport) { + analyzeArgs += ` --exportPath=Backslash-scan-results/ --exportFormat=json` + } + + if (pushToDashboard) { + analyzeArgs += ` --pushToDashboard` + } + + const runCommand = `bash ${cliRunnerFileName} analyze ${analyzeArgs}` - const runCommand = `bash ${cliRunnerFileName} analyze ${commonArgs} ${pushToDashboard ? `--pushToDashboard` : ''}` - core.debug(`pushToDashboard: ${pushToDashboard}`) core.debug(`Running this command: ${runCommand}`) From 5d4bbb5757d26e3492b7d18365d679731afd97d3 Mon Sep 17 00:00:00 2001 From: david-backslash Date: Mon, 19 May 2025 13:17:04 +0300 Subject: [PATCH 02/12] try scan fix --- .github/workflows/ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 11128d1..d3c77bb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
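Review bot: The `analyzeArgs` string built in this hunk is later executed through a shell (the dist/ hunks of PATCH 03/12 show `spawn('bash', ['-c', runCommand], ...)`). Any shell metacharacter in `analyzedBranch`, `baselineBranch`, `organization`, `outputPath` or either token is therefore interpreted by bash instead of being passed as data, and the double quotes around the branch values do not prevent that. Where those values come from is outside the hunk, but branch names and action inputs should be treated as untrusted here. The context line `core.debug(...)` that logs `runCommand` also writes the `--authToken` and `--providerAccessToken` values to the debug log. Collect the arguments in an array, pass it to `spawn` without `-c`, and log only the flag names; run() and the spawn call continue outside this hunk.

```typescript
const analyzeArgs: string[] = [
    `--authToken=${authToken}`,
    `--deltaScan=${prScan}`,
    `--analyzedBranch=${analyzedBranch}`,
    `--repositoryCloneUrl=${cloneUrl}`,
    `--provider=${provider}`,
    `--gitProviderOrganization=${organization}`,
    `--outputPath=${outputPath}`,
]

if (!disablePrComments) {
    analyzeArgs.push(`--providerPrNumber=${github.context.issue.number}`, `--providerAccessToken=${githubToken}`)
}
// … unchanged: baselineBranch / ignoreBlock / localExport / pushToDashboard checks, each using analyzeArgs.push(...) …

// Log flag names only; the values include authToken and providerAccessToken.
core.debug(`Running ${cliRunnerFileName} analyze with: ${analyzeArgs.map(a => a.split('=')[0]).join(' ')}`)
// spawn call (outside this hunk): pass the array, no `-c`
// spawn('bash', [cliRunnerFileName, 'analyze', ...analyzeArgs], { stdio: ['inherit', 'pipe', 'pipe'] })
```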
@@ -15,12 +15,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Backslash scan step - uses: backslash-security/scan-action@main + uses: backslash-security/scan-action@david-fix-BAC-8006-local-export-fix with: authToken: ${{ env.API_KEY }} prScan: true disablePrComments: false githubToken: ${{ secrets.GITHUB_TOKEN }} + localExport: true - uses: actions/upload-artifact@v4 if: ${{ !cancelled() }} with: From 740cde1bc00a16a4985394a44df5cc013417638b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 19 May 2025 10:17:43 +0000 Subject: [PATCH 03/12] Build: Update dist/ directory --- dist/build/index.js | 28 ++++++++++++++++++++-------- dist/index.js | 28 ++++++++++++++++++++-------- 2 files changed, 40 insertions(+), 16 deletions(-) diff --git a/dist/build/index.js b/dist/build/index.js index db3efcd..00aa7ec 100644 --- a/dist/build/index.js +++ b/dist/build/index.js @@ -11,9 +11,9 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge Object.defineProperty(exports, "__esModule", { value: true }); const core = require("@actions/core"); const github = require("@actions/github"); -const process = require("process"); -const fs_1 = require("fs"); const crypto_1 = require("crypto"); +const fs_1 = require("fs"); +const process = require("process"); const child_process_1 = require("child_process"); const util_1 = require("./util"); const cliRunnerFileName = 'run-cli.sh'; @@ -42,6 +42,7 @@ function run() { const isOnPremise = core.getBooleanInput('isOnPremise'); const disablePrComments = core.getBooleanInput('disablePrComments'); const pushToDashboard = core.getBooleanInput('pushToDashboard'); + const localExport = core.getBooleanInput('localExport'); const githubToken = core.getInput('githubToken'); const cloneUrl = `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}.git`; const provider = isOnPremise ? 'github-enterprise-on-premise' : 'github'; 
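Review bot: The `uses:` line in the .github/workflows/ci.yml hunk of PATCH 02/12 resolves the scan action from a branch name (`@david-fix-BAC-8006-local-export-fix`), which is a mutable ref, while the step receives `authToken` and `secrets.GITHUB_TOKEN`. Whatever that branch points to at run time executes with those credentials, so a later push to the branch changes what runs without any change to this workflow. PATCH 12/12 moves the ref back to `@main`, which is mutable in the same way. Pin the step to a full commit SHA, `uses: backslash-security/scan-action@<FULL_COMMIT_SHA_PLACEHOLDER>`, with a trailing comment naming the branch or tag it corresponds to.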
@@ -50,10 +51,6 @@ function run() { if (repositoryName === undefined || analyzedBranch === undefined) { return core.setFailed('Repo or branch not defined'); } - let githubExtraInput = ''; - if (!disablePrComments) { - githubExtraInput = `--providerPrNumber=${github.context.issue.number} --providerAccessToken=${githubToken}`; - } yield (0, util_1.downloadFile)(S3CLIUrl, cliRunnerFileName); yield (0, util_1.downloadFile)(S3CLIShaUrl, cliShaFileName); const generatedHash = (0, crypto_1.createHash)('sha256').update((0, fs_1.readFileSync)(cliRunnerFileName)).digest('hex').replace(' ', '').replace('\n', '').replace('\r', ''); 
@@ -62,8 +59,23 @@ function run() { return core.setFailed(`Checksum failed, got ${fetchedHash} but expected ${generatedHash}`); } console.log(`Cli sha matches`); - const commonArgs = `--authToken=${authToken} ${ignoreBlock ? `--warnOnly` : ''} --deltaScan=${prScan} --analyzedBranch="${analyzedBranch}" --repositoryCloneUrl=${cloneUrl} --provider=${provider} --gitProviderOrganization=${organization} ${baselineBranch && `--baselineBranch="${baselineBranch}" `} ${githubExtraInput} --outputPath=${outputPath}`; - const runCommand = `bash ${cliRunnerFileName} analyze ${commonArgs} ${pushToDashboard ? `--pushToDashboard` : ''}`; + let analyzeArgs = `--authToken=${authToken} --deltaScan=${prScan} --analyzedBranch="${analyzedBranch}" --repositoryCloneUrl=${cloneUrl} --provider=${provider} --gitProviderOrganization=${organization} --outputPath=${outputPath}`; + if (!disablePrComments) { + analyzeArgs += ` --providerPrNumber=${github.context.issue.number} --providerAccessToken=${githubToken}`; + } + if (baselineBranch) { + analyzeArgs += ` --baselineBranch="${baselineBranch}"`; + } + if (ignoreBlock) { + analyzeArgs += ` --warnOnly`; + } + if (localExport) { + analyzeArgs += ` --exportPath=Backslash-scan-results/ --exportFormat=json`; + } + if (pushToDashboard) { + analyzeArgs += ` --pushToDashboard`; + } + const runCommand = `bash ${cliRunnerFileName} analyze ${analyzeArgs}`; core.debug(`pushToDashboard: ${pushToDashboard}`); core.debug(`Running this command: ${runCommand}`); const child = (0, child_process_1.spawn)('bash', ['-c', runCommand], { stdio: ['inherit', 'pipe', 'pipe'] }); diff --git a/dist/index.js b/dist/index.js index 5d7fdd0..dad9b1b 100644 --- a/dist/index.js +++ b/dist/index.js 
@@ -18,9 +18,9 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge Object.defineProperty(exports, "__esModule", ({ value: true })); const core = __nccwpck_require__(8167); const github = __nccwpck_require__(3459); -const process = __nccwpck_require__(932); -const fs_1 = __nccwpck_require__(9896); const crypto_1 = __nccwpck_require__(6982); +const fs_1 = __nccwpck_require__(9896); +const process = __nccwpck_require__(932); const child_process_1 = __nccwpck_require__(5317); const util_1 = __nccwpck_require__(9507); const cliRunnerFileName = 'run-cli.sh'; @@ -49,6 +49,7 @@ function run() { const isOnPremise = core.getBooleanInput('isOnPremise'); const disablePrComments = core.getBooleanInput('disablePrComments'); const pushToDashboard = core.getBooleanInput('pushToDashboard'); + const localExport = core.getBooleanInput('localExport'); const githubToken = core.getInput('githubToken'); const cloneUrl = `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}.git`; const provider = isOnPremise ? 'github-enterprise-on-premise' : 'github'; @@ -57,10 +58,6 @@ function run() { if (repositoryName === undefined || analyzedBranch === undefined) { return core.setFailed('Repo or branch not defined'); } - let githubExtraInput = ''; - if (!disablePrComments) { - githubExtraInput = `--providerPrNumber=${github.context.issue.number} --providerAccessToken=${githubToken}`; - } yield (0, util_1.downloadFile)(S3CLIUrl, cliRunnerFileName); yield (0, util_1.downloadFile)(S3CLIShaUrl, cliShaFileName); const generatedHash = (0, crypto_1.createHash)('sha256').update((0, fs_1.readFileSync)(cliRunnerFileName)).digest('hex').replace(' ', '').replace('\n', '').replace('\r', ''); 
@@ -69,8 +66,23 @@ function run() { return core.setFailed(`Checksum failed, got ${fetchedHash} but expected ${generatedHash}`); } console.log(`Cli sha matches`); - const commonArgs = `--authToken=${authToken} ${ignoreBlock ? `--warnOnly` : ''} --deltaScan=${prScan} --analyzedBranch="${analyzedBranch}" --repositoryCloneUrl=${cloneUrl} --provider=${provider} --gitProviderOrganization=${organization} ${baselineBranch && `--baselineBranch="${baselineBranch}" `} ${githubExtraInput} --outputPath=${outputPath}`; - const runCommand = `bash ${cliRunnerFileName} analyze ${commonArgs} ${pushToDashboard ? `--pushToDashboard` : ''}`; + let analyzeArgs = `--authToken=${authToken} --deltaScan=${prScan} --analyzedBranch="${analyzedBranch}" --repositoryCloneUrl=${cloneUrl} --provider=${provider} --gitProviderOrganization=${organization} --outputPath=${outputPath}`; + if (!disablePrComments) { + analyzeArgs += ` --providerPrNumber=${github.context.issue.number} --providerAccessToken=${githubToken}`; + } + if (baselineBranch) { + analyzeArgs += ` --baselineBranch="${baselineBranch}"`; + } + if (ignoreBlock) { + analyzeArgs += ` --warnOnly`; + } + if (localExport) { + analyzeArgs += ` --exportPath=Backslash-scan-results/ --exportFormat=json`; + } + if (pushToDashboard) { + analyzeArgs += ` --pushToDashboard`; + } + const runCommand = `bash ${cliRunnerFileName} analyze ${analyzeArgs}`; core.debug(`pushToDashboard: ${pushToDashboard}`); core.debug(`Running this command: ${runCommand}`); const child = (0, child_process_1.spawn)('bash', ['-c', runCommand], { stdio: ['inherit', 'pipe', 'pipe'] }); From f5fd5c4e654c3da360d854e649417937bcbdff23 Mon Sep 17 00:00:00 2001 From: david-backslash Date: Mon, 19 May 2025 13:20:57 +0300 Subject: [PATCH 04/12] again --- .github/CODEOWNERS | 2 ++ src/index.ts | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 .github/CODEOWNERS diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..a543ce4 
--- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,2 @@ + +/** @david-backslash @yoli-backslash diff --git a/src/index.ts b/src/index.ts index f0d2732..faf85a1 100644 --- a/src/index.ts +++ b/src/index.ts @@ -79,7 +79,7 @@ async function run() { } if (localExport) { - analyzeArgs += ` --exportPath=Backslash-scan-results/ --exportFormat=json` + analyzeArgs += ` --localExport` } if (pushToDashboard) { From 8fdad311d35e87bb1cc0ec1f695ab1fbce6f65b0 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 19 May 2025 10:22:57 +0000 Subject: [PATCH 05/12] Build: Update dist/ directory --- dist/build/index.js | 2 +- dist/index.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dist/build/index.js b/dist/build/index.js index 00aa7ec..989ffd7 100644 --- a/dist/build/index.js +++ b/dist/build/index.js @@ -70,7 +70,7 @@ function run() { analyzeArgs += ` --warnOnly`; } if (localExport) { - analyzeArgs += ` --exportPath=Backslash-scan-results/ --exportFormat=json`; + analyzeArgs += ` --localExport`; } if (pushToDashboard) { analyzeArgs += ` --pushToDashboard`; diff --git a/dist/index.js b/dist/index.js index dad9b1b..43e0a46 100644 --- a/dist/index.js +++ b/dist/index.js @@ -77,7 +77,7 @@ function run() { analyzeArgs += ` --warnOnly`; } if (localExport) { - analyzeArgs += ` --exportPath=Backslash-scan-results/ --exportFormat=json`; + analyzeArgs += ` --localExport`; } if (pushToDashboard) { analyzeArgs += ` --pushToDashboard`; From 05b4b6c5ba965196ce79e2de4d0d5896b8361540 Mon Sep 17 00:00:00 2001 From: david-backslash Date: Mon, 19 May 2025 13:23:20 +0300 Subject: [PATCH 06/12] action fix trigger --- .github/workflows/check-dist.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml index d5160f5..74dad39 100644 --- a/.github/workflows/check-dist.yml +++ b/.github/workflows/check-dist.yml 
@@ -2,9 +2,6 @@ name: Compile typescript on: - pull_request: - branches: - - main push: branches: - main @@ -43,4 +40,4 @@ jobs: git add dist/ git commit -m "Build: Update dist/ directory" git push - fi \ No newline at end of file + fi From 36dbabff7a93b4b5220ad0408362806475f41da8 Mon Sep 17 00:00:00 2001 From: david-backslash Date: Mon, 19 May 2025 13:30:05 +0300 Subject: [PATCH 07/12] try use the correct arg --- src/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/index.ts b/src/index.ts index faf85a1..65c3955 100644 --- a/src/index.ts +++ b/src/index.ts @@ -79,7 +79,7 @@ async function run() { } if (localExport) { - analyzeArgs += ` --localExport` + analyzeArgs += ` --outputPath=Backslash-scan-results/` } if (pushToDashboard) { From b627961ac271b5e7ae01377054067df122b27a67 Mon Sep 17 00:00:00 2001 From: david-backslash Date: Mon, 19 May 2025 13:33:13 +0300 Subject: [PATCH 08/12] again --- src/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/index.ts b/src/index.ts index 65c3955..8af8ddb 100644 --- a/src/index.ts +++ b/src/index.ts @@ -79,7 +79,7 @@ async function run() { } if (localExport) { - analyzeArgs += ` --outputPath=Backslash-scan-results/` + analyzeArgs += ` --outputPath=Backslash-scan-results/ --localExport` } if (pushToDashboard) { From fa4f0a50adcbbc8529af39b48182a03817f00282 Mon Sep 17 00:00:00 2001 From: david-backslash Date: Mon, 19 May 2025 13:35:15 +0300 Subject: [PATCH 09/12] sure? --- src/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/index.ts b/src/index.ts index 8af8ddb..5f265b5 100644 --- a/src/index.ts +++ b/src/index.ts @@ -79,7 +79,7 @@ async function run() { } if (localExport) { - analyzeArgs += ` --outputPath=Backslash-scan-results/ --localExport` + analyzeArgs += ` --exportPath=Backslash-scan-results/` } if (pushToDashboard) { From 816534c7d7a9ffeab490e106ba4582efc1cc0580 Mon Sep 17 00:00:00 2001 
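Review bot: With `localExport` set, the `--outputPath=Backslash-scan-results/` appended in the src/index.ts hunk of PATCH 07/12 is a second `--outputPath`, because the base string assembled in PATCH 01/12 already carries `--outputPath=${outputPath}`. Which one the CLI honours depends on its argument parser, so the user's `outputPath` input may be silently overridden or the export may land somewhere unexpected. The same duplication is present in the PATCH 08/12 hunk and in the final form restored by PATCH 10/12. Decide the value once before building the base string, for example `const effectiveOutputPath = localExport ? 'Backslash-scan-results/' : outputPath`, and add a comment recording why the directory is fixed when exporting locally. The enclosing run() lies outside these hunks.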
From: david-backslash Date: Mon, 19 May 2025 13:36:16 +0300 Subject: [PATCH 10/12] hopa --- .github/workflows/check-dist.yml | 3 +++ src/index.ts | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml index 74dad39..70e27d7 100644 --- a/.github/workflows/check-dist.yml +++ b/.github/workflows/check-dist.yml @@ -2,6 +2,9 @@ name: Compile typescript on: + pull_request: + branches: + - main push: branches: - main diff --git a/src/index.ts b/src/index.ts index 5f265b5..65c3955 100644 --- a/src/index.ts +++ b/src/index.ts @@ -79,7 +79,7 @@ async function run() { } if (localExport) { - analyzeArgs += ` --exportPath=Backslash-scan-results/` + analyzeArgs += ` --outputPath=Backslash-scan-results/` } if (pushToDashboard) { From deb8db158496fc9633e7bd17e8190d80b971b008 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 19 May 2025 10:36:40 +0000 Subject: [PATCH 11/12] Build: Update dist/ directory --- dist/build/index.js | 2 +- dist/index.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dist/build/index.js b/dist/build/index.js index 989ffd7..fa8191a 100644 --- a/dist/build/index.js +++ b/dist/build/index.js @@ -70,7 +70,7 @@ function run() { analyzeArgs += ` --warnOnly`; } if (localExport) { - analyzeArgs += ` --localExport`; + analyzeArgs += ` --outputPath=Backslash-scan-results/`; } if (pushToDashboard) { analyzeArgs += ` --pushToDashboard`; diff --git a/dist/index.js b/dist/index.js index 43e0a46..de46362 100644 --- a/dist/index.js +++ b/dist/index.js @@ -77,7 +77,7 @@ function run() { analyzeArgs += ` --warnOnly`; } if (localExport) { - analyzeArgs += ` --localExport`; + analyzeArgs += ` --outputPath=Backslash-scan-results/`; } if (pushToDashboard) { analyzeArgs += ` --pushToDashboard`; From 1a0505bf1d5235a3dc2e3db51767ef07b7d275ae Mon Sep 17 00:00:00 2001 
From: david-backslash Date: Mon, 19 May 2025 14:45:38 +0300 Subject: [PATCH 12/12] fix action branch --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d3c77bb..1f7508c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Backslash scan step - uses: backslash-security/scan-action@david-fix-BAC-8006-local-export-fix + uses: backslash-security/scan-action@main with: authToken: ${{ env.API_KEY }} prScan: true