#!/bin/bash
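exit_with_err() {
  # Prints an error message and aborts the whole script.
  # Arguments: $1 - message (required, must be non-empty)
  # Outputs:   "ERROR: <message>" on stderr
  # Returns:   never; exits with status 1
  local msg="${1:?exit_with_err: a message is required}"
  # Diagnostics go to stderr so they are not interleaved with scan output on stdout.
  printf 'ERROR: %s\n' "${msg}" >&2
  exit 1
}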
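function run_orca_fs_scan() {
  # Runs `orca-cli fs scan` from the repository checkout and records the scan's
  # exit status both in ORCA_EXIT_CODE (read later by annotate) and in the step
  # output "exit_code".
  # Globals:   GITHUB_WORKSPACE, GITHUB_OUTPUT, GLOBAL_FLAGS, SCAN_FLAGS (read);
  #            ORCA_EXIT_CODE (exported)
  # Returns:   0 once the status has been recorded; the scan's own status is
  #            not propagated as this function's return value
  # Checked explicitly because `cd ""` does not reliably fail.
  [[ -n "${GITHUB_WORKSPACE}" ]] || exit_with_err "GITHUB_WORKSPACE is not set"
  # Checked up front so a missing GITHUB_OUTPUT gives a clear error instead of a
  # failed redirect after the scan has already run.
  [[ -n "${GITHUB_OUTPUT}" ]] || exit_with_err "GITHUB_OUTPUT is not set"
  cd "${GITHUB_WORKSPACE}" || exit_with_err "could not find GITHUB_WORKSPACE: ${GITHUB_WORKSPACE}"
  echo "Running Orca FS scan:"
  # %q quotes each argument so the logged line stays unambiguous when a value
  # contains spaces. The API token is passed via the environment (see
  # set_env_vars), so it never appears in this logged command line.
  printf '%q ' orca-cli "${GLOBAL_FLAGS[@]}" fs scan "${SCAN_FLAGS[@]}"
  printf '\n'
  orca-cli "${GLOBAL_FLAGS[@]}" fs scan "${SCAN_FLAGS[@]}"
  ORCA_EXIT_CODE=$?
  export ORCA_EXIT_CODE
  echo "exit_code=${ORCA_EXIT_CODE}" >>"${GITHUB_OUTPUT}"
}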
function set_global_flags() {
  # Builds GLOBAL_FLAGS, the orca-cli options placed before the subcommand,
  # from the INPUT_* action inputs.
  # Globals:   INPUT_EXIT_CODE, INPUT_NO_COLOR, INPUT_PROJECT_KEY, INPUT_SILENT,
  #            INPUT_CONFIG, INPUT_DISABLE_ERR_REPORT, INPUT_DISPLAY_NAME,
  #            INPUT_DEBUG, INPUT_DISABLE_ACTIVE_VERIFICATION, INPUT_LOG_PATH (read);
  #            GLOBAL_FLAGS (written)
  # Returns:   0
  local spec kind name flag ref value
  GLOBAL_FLAGS=()
  # One entry per option, in emission order: "<kind> <INPUT_ suffix> <flag>".
  #   value - "<flag> <input>" is appended when the input is non-empty
  #   bool  - "<flag>" is appended when the input is exactly "true"
  for spec in \
    'value EXIT_CODE --exit-code' \
    'bool NO_COLOR --no-color' \
    'value PROJECT_KEY --project-key' \
    'bool SILENT --silent' \
    'value CONFIG --config' \
    'bool DISABLE_ERR_REPORT --disable-err-report' \
    'value DISPLAY_NAME --display-name' \
    'bool DEBUG --debug' \
    'bool DISABLE_ACTIVE_VERIFICATION --disable-active-verification' \
    'value LOG_PATH --log-path'; do
    read -r kind name flag <<<"${spec}"
    ref="INPUT_${name}"
    value="${!ref}"
    case "${kind}" in
      value) [[ -n "${value}" ]] && GLOBAL_FLAGS+=("${flag}" "${value}") ;;
      bool) [[ "${value}" == "true" ]] && GLOBAL_FLAGS+=("${flag}") ;;
    esac
  done
  return 0
}
# JSON output must be requested and stored in a file so the GitHub annotations step can read it
function prepare_json_to_file_flags() {
  # Derives the output-related scan settings so that JSON results always end up
  # in a file (file_system.json under OUTPUT_FOR_JSON, read by annotate),
  # whatever the user asked to see on the console.
  # Globals:   INPUT_OUTPUT, INPUT_CONSOLE_OUTPUT, INPUT_FORMAT (read);
  #            OUTPUT_FOR_JSON, CONSOLE_OUTPUT_FOR_JSON, FORMATS_FOR_JSON (exported)
  # Returns:   0
  local requested_format="${INPUT_FORMAT:-table}"
  if [[ -n "${INPUT_OUTPUT}" ]]; then
    # The user chose where results go; keep their console setting untouched.
    OUTPUT_FOR_JSON="${INPUT_OUTPUT}"
    CONSOLE_OUTPUT_FOR_JSON="${INPUT_CONSOLE_OUTPUT}"
  else
    # No output directory given: pick one ourselves and let the console show the
    # format the user selected (or the default table).
    OUTPUT_FOR_JSON="orca_results/"
    CONSOLE_OUTPUT_FOR_JSON="${requested_format}"
  fi
  # Ensure json is among the requested formats without dropping the others.
  case "${requested_format}" in
    *json*) FORMATS_FOR_JSON="${requested_format}" ;;
    *) FORMATS_FOR_JSON="${requested_format},json" ;;
  esac
  export OUTPUT_FOR_JSON CONSOLE_OUTPUT_FOR_JSON FORMATS_FOR_JSON
}
function set_fs_scan_flags() {
  # Builds SCAN_FLAGS, the arguments placed after `fs scan`, from the INPUT_*
  # action inputs and the *_FOR_JSON values prepared by prepare_json_to_file_flags.
  # Globals:   INPUT_PATH, INPUT_DISABLE_SECRET, INPUT_EXCEPTIONS_FILEPATH,
  #            INPUT_TIMEOUT, INPUT_SHOW_FAILED_ISSUES_ONLY, INPUT_HIDE_VULNERABILITIES,
  #            INPUT_NUM_CPU, FORMATS_FOR_JSON, OUTPUT_FOR_JSON, CONSOLE_OUTPUT_FOR_JSON,
  #            INPUT_CUSTOM_SECRET_CONTROLS, INPUT_HIDE_SKIPPED_VULNERABILITIES,
  #            INPUT_MAX_SECRET, INPUT_EXCLUDE_PATHS, INPUT_DEPENDENCY_TREE,
  #            INPUT_SECURITY_CHECKS (read); SCAN_FLAGS (written)
  # Returns:   0
  local spec kind var flag value
  SCAN_FLAGS=()
  # One entry per option, in emission order: "<kind> <variable> [<flag>]".
  #   arg    - the variable's value is appended as a bare argument when non-empty
  #   value  - "<flag> <value>" is appended when the variable is non-empty
  #   bool   - "<flag>" is appended when the variable is exactly "true"
  #   joined - "<flag>=<value>" is appended when the variable is non-empty
  for spec in \
    'arg INPUT_PATH' \
    'bool INPUT_DISABLE_SECRET --disable-secret' \
    'value INPUT_EXCEPTIONS_FILEPATH --exceptions-filepath' \
    'value INPUT_TIMEOUT --timeout' \
    'bool INPUT_SHOW_FAILED_ISSUES_ONLY --show-failed-issues-only' \
    'bool INPUT_HIDE_VULNERABILITIES --hide-vulnerabilities' \
    'value INPUT_NUM_CPU --num-cpu' \
    'value FORMATS_FOR_JSON --format' \
    'value OUTPUT_FOR_JSON --output' \
    'joined CONSOLE_OUTPUT_FOR_JSON --console-output' \
    'value INPUT_CUSTOM_SECRET_CONTROLS --custom-secret-controls' \
    'bool INPUT_HIDE_SKIPPED_VULNERABILITIES --hide-skipped-vulnerabilities' \
    'value INPUT_MAX_SECRET --max-secret' \
    'value INPUT_EXCLUDE_PATHS --exclude-paths' \
    'bool INPUT_DEPENDENCY_TREE --dependency-tree' \
    'value INPUT_SECURITY_CHECKS --security-checks'; do
    read -r kind var flag <<<"${spec}"
    value="${!var}"
    case "${kind}" in
      arg) [[ -n "${value}" ]] && SCAN_FLAGS+=("${value}") ;;
      value) [[ -n "${value}" ]] && SCAN_FLAGS+=("${flag}" "${value}") ;;
      bool) [[ "${value}" == "true" ]] && SCAN_FLAGS+=("${flag}") ;;
      joined) [[ -n "${value}" ]] && SCAN_FLAGS+=("${flag}=${value}") ;;
    esac
  done
  return 0
}
function set_env_vars() {
  # Hands the API token to orca-cli through the environment. Because it is not
  # part of GLOBAL_FLAGS/SCAN_FLAGS it does not appear in the command line that
  # run_orca_fs_scan echoes to the log.
  # Globals:   INPUT_API_TOKEN (read); ORCA_SECURITY_API_TOKEN (exported)
  # Returns:   0
  [[ -z "${INPUT_API_TOKEN}" ]] && return 0
  export ORCA_SECURITY_API_TOKEN="${INPUT_API_TOKEN}"
}
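function validate_flags() {
  # Validates the action inputs before anything is executed.
  # Globals:   INPUT_PATH, INPUT_API_TOKEN, INPUT_PROJECT_KEY, INPUT_OUTPUT (read)
  # Returns:   0 when every input is acceptable; otherwise exit_with_err
  #            terminates the script with status 1
  [[ -n "${INPUT_PATH}" ]] || exit_with_err "Path must be provided"
  [[ "${INPUT_PATH}" != /* ]] || exit_with_err "Path shouldn't be absolute. Please provide a relative path within the repository. Use '.' to scan the entire repository"
  # A relative path can still leave the checkout through ".." segments. Wrapping
  # the value in "/" matches ".." only as a whole segment, so "foo..bar" is fine.
  [[ "/${INPUT_PATH}/" != *"/../"* ]] || exit_with_err "Path shouldn't contain '..' segments. Please provide a relative path within the repository"
  [[ -n "${INPUT_API_TOKEN}" ]] || exit_with_err "api_token must be provided"
  [[ -n "${INPUT_PROJECT_KEY}" ]] || exit_with_err "project_key must be provided"
  # Output is optional; when given it must name a directory (trailing "/" or an
  # existing directory) because the scan writes file_system.json inside it.
  # NOTE: -d is evaluated against the current directory, before run_orca_fs_scan
  # changes into GITHUB_WORKSPACE.
  [[ -z "${INPUT_OUTPUT}" ]] || [[ "${INPUT_OUTPUT}" == */ ]] || [[ -d "${INPUT_OUTPUT}" ]] || exit_with_err "Output must be a folder (end with /)"
}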
annotate() {
  # Publishes the scan results as GitHub annotations through the Node app in
  # /app. When show_annotations is "false" the script ends right here with the
  # scan's own exit status.
  # Globals:   INPUT_SHOW_ANNOTATIONS, ORCA_EXIT_CODE, OUTPUT_FOR_JSON (read)
  # Returns:   the status of `node dist/index.js`
  [[ "${INPUT_SHOW_ANNOTATIONS}" != "false" ]] || exit "${ORCA_EXIT_CODE}"
  local staging_dir="/app/${OUTPUT_FOR_JSON}"
  local results_file="${OUTPUT_FOR_JSON}/file_system.json"
  # The results file is resolved relative to the current directory (the
  # checkout), so it is copied under /app before changing directory.
  mkdir -p "${staging_dir}"
  cp "${results_file}" "${staging_dir}/" || exit_with_err "error during copy of results"
  cd /app || exit_with_err "error during annotations initiation"
  npm run build --if-present
  node dist/index.js
}
function main() {
  # Entry point: validate inputs, build the orca-cli command, run the scan and
  # then publish annotations. The steps run in this fixed order because later
  # ones read globals written by earlier ones (GLOBAL_FLAGS, SCAN_FLAGS,
  # *_FOR_JSON, ORCA_EXIT_CODE).
  # Arguments: ignored
  # Returns:   the status of the last step (annotate)
  local step
  for step in \
    validate_flags \
    set_env_vars \
    set_global_flags \
    prepare_json_to_file_flags \
    set_fs_scan_flags \
    run_orca_fs_scan \
    annotate; do
    "${step}"
  done
}
# Run the action; the positional parameters are forwarded unchanged.
main "$@"