Skip to content

Update ci.yml

Update ci.yml #127

Workflow file for this run

name: Checkov
on:
push:
branches: [ "main", "master" ]
pull_request:
branches: [ "main", "master" ]
workflow_dispatch:
permissions: read-all
jobs:
scan:
permissions:
contents: read
security-events: write
actions: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Checkov GitHub Action
uses: bridgecrewio/[email protected]
with:
output_format: cli,sarif
output_file_path: console,results.sarif
soft_fail: true
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
if: success() || failure()
with:
sarif_file: results.sarif
- name: Close related pull requests
if: success()
run: |
# Extract issue IDs from the SARIF file
issue_ids=$(jq -r '.runs[].results[].locations[].physicalLocation.artifactLocation.uri' results.sarif | grep -oP '\d+$' | sort -u)
# Close pull requests related to each issue
for issue_id in $issue_ids; do
# Fetch open pull requests related to the issue
pr_numbers=$(gh pr list --state=open --label="security-issue-$issue_id" --json=number -q ".[] | .number")
# Close each open pull request
for pr_number in $pr_numbers; do
gh pr close $pr_number --comment="This pull request is being closed because the related security issue has been fixed."
done
done