fix: update error handling and clean up some of the error messages to be more useful to consumers #4
Workflow file for this run
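name: 'Google GitHub Admin: Actions Workflow Security Scan'

on:
  pull_request:
    paths:
      - '.github/workflows/**/*.yml'
      - '.github/workflows/**/*.yaml'
      - '.github/actions/**/*.yml'
      - '.github/actions/**/*.yaml'

env:
  # CodeQL query suite (.qls) that the 'Create CodeQL Query Suite' step writes
  # to disk. Only these queries run: the default suite is disabled below via
  # `disable-default-queries: true`.
  ACTIONS_SUITE_CONTENT: |
    - qlpack: codeql/actions-queries
    - include:
        id: actions/envvar-injection/critical
    - include:
        id: actions/envpath-injection/critical
    - include:
        id: actions/cache-poisoning/poisonable-step
    - include:
        id: actions/artifact-poisoning/critical
    - include:
        id: actions/untrusted-checkout/critical
    - include:
        id: actions/untrusted-checkout/high

# Least privilege: the only job reads the repository and nothing else.
# NOTE: a job-level `permissions` block REPLACES the workflow-level block
# rather than merging with it, so a scope granted only here (the former
# `actions: write`) was never in effect for scan-pr. If a step turns out to
# need an extra scope, grant it at the job level. On pull_request runs from
# forks GITHUB_TOKEN is read-only regardless of what is declared.
permissions:
  contents: 'read'

jobs:
  scan-pr:
    permissions:
      contents: 'read'
    # Redundant with the trigger today; kept as a guard in case more
    # triggers are added later.
    if: "github.event_name == 'pull_request'"
    runs-on: 'ubuntu-latest'
    steps:
      - name: 'Checkout PR Code'
        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
        with:
          fetch-depth: 1
          # Only the workflow/action definitions are scanned.
          sparse-checkout: '.github'
          # No later step performs authenticated git operations, so do not
          # leave GITHUB_TOKEN in .git/config for the rest of the job.
          persist-credentials: 'false'

      - name: 'Check for Workflow Files'
        id: 'check_files'
        run: |
          FOUND_FILES=$(find . -type f -regextype posix-extended -regex '\./\.github/(workflows|actions)/.*\.ya?ml' | head -n 1)
          if [ -n "$FOUND_FILES" ]; then
            echo "workflow_files_found=true" >> "$GITHUB_OUTPUT"
          else
            echo "workflow_files_found=false" >> "$GITHUB_OUTPUT"
          fi

      - name: 'Create CodeQL Query Suite'
        if: "steps.check_files.outputs.workflow_files_found == 'true'"
        # Read the suite from the environment instead of templating
        # `${{ env.ACTIONS_SUITE_CONTENT }}` into the script body. The value is
        # workflow-defined here, but the expression-in-shell pattern is the same
        # one the envvar-injection queries above flag, and printf writes the
        # block scalar byte-for-byte without a second shell re-parse.
        run: |
          printf '%s' "$ACTIONS_SUITE_CONTENT" > actions-suite.qls

      - name: 'Initialize CodeQL'
        if: "steps.check_files.outputs.workflow_files_found == 'true'"
        uses: 'google/codeql-action/init@014f16e7ab1402f30e7c3329d33797e7948572db' # ratchet:google/codeql-action/init@v4
        with:
          languages: 'actions'
          config: |
            name: 'Custom Action Scan'
            disable-default-queries: true
            queries:
              - uses: ./actions-suite.qls

      - name: 'Perform CodeQL Analysis'
        if: "steps.check_files.outputs.workflow_files_found == 'true'"
        id: 'codeql_analysis'
        uses: 'google/codeql-action/analyze@014f16e7ab1402f30e7c3329d33797e7948572db' # ratchet:google/codeql-action/analyze@v4
        with:
          # Results gate the PR below; they are not sent to code scanning.
          upload: 'never'

      - name: 'Check for Vulnerabilities and Set Status'
        id: 'vuln_check'
        if: "steps.check_files.outputs.workflow_files_found == 'true'"
        env:
          # Passed through the environment rather than templated into the
          # script so the path is never re-parsed by the shell.
          SARIF_DIR: '${{ steps.codeql_analysis.outputs.sarif-output }}'
        run: |
          SARIF_FILE="${SARIF_DIR}/actions.sarif"
          if [ ! -f "$SARIF_FILE" ]; then
            echo "::error::SARIF file not found at ${SARIF_FILE}; the CodeQL analysis step produced no output."
            exit 1
          fi

          # Fail closed with a readable message if the SARIF is unparseable,
          # instead of letting the default `bash -e` abort on a bare jq error.
          # `// []` keeps a missing/null results array from being a failure.
          if ! RESULT_COUNT=$(jq '(.runs[0].results // []) | length' "$SARIF_FILE"); then
            echo "::error::Could not parse SARIF file at ${SARIF_FILE}."
            exit 1
          fi

          if [ "$RESULT_COUNT" -gt 0 ]; then
            echo "::error::CodeQL found ${RESULT_COUNT} potential vulnerabilities."
            echo "---"
            # String interpolation with `// default` guards against null fields:
            # jq's `+` on a null operand aborts, which would have replaced the
            # findings listing with a jq error before the exit below.
            jq -r '.runs[0].results[]
              | "Rule ID: \(.ruleId // "unknown")"
                + "\nMessage: \(.message.text // "")"
                + "\nFile: \(.locations[0].physicalLocation.artifactLocation.uri // "unknown")"
                + "\nLine: \(.locations[0].physicalLocation.region.startLine // "?")"
                + "\n---"' "$SARIF_FILE"
            exit 1
          fi
          echo "No vulnerabilities found. Check passed."

      - name: 'Upload SARIF file on failure'
        # Only when the gate itself failed (findings or missing/unparseable
        # SARIF); skipped failures elsewhere do not trigger an upload.
        if: "failure() && steps.vuln_check.conclusion == 'failure'"
        uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
        with:
          name: 'sarif-report'
          path: '${{ steps.codeql_analysis.outputs.sarif-output }}/actions.sarif'
          retention-days: 1
          # Presumably for re-runs of this job within the same workflow run,
          # where an artifact of the same name may already exist -- confirm.
          overwrite: 'true'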