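#!/bin/bash
# Runs tfsec on the configured working directory and reports its findings
# through reviewdog. Driven entirely by the GitHub Actions environment:
#   GITHUB_WORKSPACE, GITHUB_ACTION_PATH, GITHUB_OUTPUT, RUNNER_DEBUG,
#   REVIEWDOG_VERSION, INPUT_WORKING_DIRECTORY, INPUT_TFSEC_VERSION,
#   INPUT_TFSEC_FLAGS, INPUT_GITHUB_TOKEN, INPUT_TOOL_NAME, INPUT_REPORTER,
#   INPUT_LEVEL, INPUT_FAIL_ON_ERROR, INPUT_FILTER_MODE, INPUT_FLAGS
# Writes tfsec-return-code and reviewdog-return-code to GITHUB_OUTPUT and
# exits with reviewdog's exit status.

# Print commands for debugging
if [[ "${RUNNER_DEBUG:-}" = "1" ]]; then
  set -x
fi

# Fail fast on errors, unset variables, and failures in piped commands
set -Eeuo pipefail

cd "${GITHUB_WORKSPACE}/${INPUT_WORKING_DIRECTORY}" || exit

echo '::group::Preparing ...'
unameOS="$(uname -s)"
case "${unameOS}" in
  Linux*)   os=linux ;;
  Darwin*)  os=darwin ;;
  CYGWIN*)  os=windows ;;
  MINGW*)   os=windows ;;
  MSYS_NT*) os=windows ;;
  *) echo "Unknown system: ${unameOS}" && exit 1 ;;
esac

unameArch="$(uname -m)"
case "${unameArch}" in
  x86*) arch=amd64 ;;
  # Linux reports 64-bit ARM hosts as "aarch64", macOS as "arm64"; both map
  # to the same tfsec release asset.
  arm64 | aarch64) arch=arm64 ;;
  *) echo "Unsupported architecture: ${unameArch}. Only AMD64 and ARM64 are supported by the action" && exit 1 ;;
esac

# Private scratch directory for the downloaded tools. It is removed on any
# exit path so no binaries are left behind on the runner.
TEMP_PATH="$(mktemp -d)"
cleanup() { rm -rf -- "${TEMP_PATH:?}"; }
trap cleanup EXIT
echo "Detected ${os} running on ${arch}, will install tools in ${TEMP_PATH}"
REVIEWDOG_PATH="${TEMP_PATH}/reviewdog"
TFSEC_PATH="${TEMP_PATH}/tfsec"
echo '::endgroup::'

echo "::group::🐶 Installing reviewdog (${REVIEWDOG_VERSION}) ... https://github.com/reviewdog/reviewdog"
# NOTE(review): the installer is fetched from the unpinned `master` branch and
# piped straight into sh without any integrity check of the script itself;
# whether it verifies the reviewdog binary it then downloads is not visible
# from here. Pinning the installer to a tagged revision would narrow what
# this step implicitly trusts.
curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b "${REVIEWDOG_PATH}" "${REVIEWDOG_VERSION}" 2>&1
echo '::endgroup::'

echo "::group:: Installing tfsec (${INPUT_TFSEC_VERSION}) ... https://github.com/aquasecurity/tfsec"
# install -d is a no-op when the directory already exists.
install -d "${TFSEC_PATH}"
binary="tfsec"
if [[ "${INPUT_TFSEC_VERSION}" = "latest" ]]; then
  # latest release is available on this url.
  # document: https://docs.github.com/en/repositories/releasing-projects-on-github/linking-to-releases
  url="https://github.com/aquasecurity/tfsec/releases/latest/download/tfsec-${os}-${arch}"
else
  url="https://github.com/aquasecurity/tfsec/releases/download/${INPUT_TFSEC_VERSION}/tfsec-${os}-${arch}"
fi
if [[ "${os}" = "windows" ]]; then
  url+=".exe"
  binary+=".exe"
fi
# Download into the scratch directory rather than the current (scanned)
# working directory, so the scanner never sees its own binary and nothing is
# left in the user's checkout. The same ${binary} name is used for the
# download, the install and every later invocation, so the ".exe" suffix on
# Windows is honoured consistently.
download="${TEMP_PATH}/${binary}"
# NOTE(review): the release asset is used without a checksum or signature
# check; a pinned INPUT_TFSEC_VERSION at least makes the download stable,
# "latest" does not.
curl --silent --show-error --fail \
  --location "${url}" \
  --output "${download}"
install "${download}" "${TFSEC_PATH}"
echo '::endgroup::'

echo "::group:: Print tfsec details ..."
"${TFSEC_PATH}/${binary}" --version
echo '::endgroup::'

echo '::group:: Running tfsec with reviewdog 🐶 ...'
# NOTE(review): with RUNNER_DEBUG=1 the trace (set -x) prints this assignment,
# token value included — confirm the runner's secret masking covers it.
export REVIEWDOG_GITHUB_API_TOKEN="${INPUT_GITHUB_TOKEN}"
# Allow failures now, as reviewdog handles them
set +Eeuo pipefail
# tfsec's stderr is discarded so that only its stdout (the JSON document)
# reaches jq. INPUT_TFSEC_FLAGS and INPUT_FLAGS are deliberately unquoted so
# that a space-separated flag string expands into separate arguments.
# shellcheck disable=SC2086
"${TFSEC_PATH}/${binary}" --format=json ${INPUT_TFSEC_FLAGS:-} . 2> /dev/null \
  | jq -r -f "${GITHUB_ACTION_PATH}/to-rdjson.jq" \
  | "${REVIEWDOG_PATH}/reviewdog" -f=rdjson \
      -name="${INPUT_TOOL_NAME}" \
      -reporter="${INPUT_REPORTER}" \
      -level="${INPUT_LEVEL}" \
      -fail-on-error="${INPUT_FAIL_ON_ERROR}" \
      -filter-mode="${INPUT_FILTER_MODE}" \
      ${INPUT_FLAGS:-}
# Snapshot PIPESTATUS immediately: any later command would overwrite it.
# Stage 0 is tfsec, stage 2 is reviewdog. With pipefail off the pipeline's
# own status is reviewdog's, which is what the action exits with.
pipe_status=("${PIPESTATUS[@]}")
tfsec_return="${pipe_status[0]}"
reviewdog_return="${pipe_status[2]}"
exit_code="${reviewdog_return}"

echo "tfsec-return-code=${tfsec_return}" >> "$GITHUB_OUTPUT"
echo "reviewdog-return-code=${reviewdog_return}" >> "$GITHUB_OUTPUT"
echo '::endgroup::'
exit "${exit_code}"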