agent-shield/action.yml at main · elliotllliu/agent-shield · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
name: 'AgentShield Security Scan'
description: 'Scan AI agent skills, MCP servers, and plugins for security vulnerabilities. Supports SARIF output for GitHub Code Scanning.'
author: 'Elliot Liu'

branding:
  icon: 'shield'
  color: 'green'

inputs:
  path:
    description: 'Directory to scan'
    required: false
    default: '.'
  fail-under:
    description: 'Fail if security score is below this threshold (0-100)'
    required: false
    default: ''
  format:
    description: 'Output format: terminal or json'
    required: false
    default: 'terminal'
  sarif:
    description: 'Generate SARIF output for GitHub Code Scanning'
    required: false
    default: 'false'
  sarif-file:
    description: 'SARIF output file path'
    required: false
    default: 'agent-shield-results.sarif'

outputs:
  score:
    description: 'Security score (0-100)'
    value: ${{ steps.scan.outputs.score }}
  findings:
    description: 'Number of findings'
    value: ${{ steps.scan.outputs.findings }}
  high:
    description: 'Number of high-risk findings'
    value: ${{ steps.scan.outputs.high }}
  medium:
    description: 'Number of medium-risk findings'
    value: ${{ steps.scan.outputs.medium }}
  low:
    description: 'Number of low-risk findings'
    value: ${{ steps.scan.outputs.low }}
  sarif-file:
    description: 'Path to SARIF output file (if sarif=true)'
    value: ${{ steps.scan.outputs.sarif_file }}

runs:
  using: 'composite'
  steps:
    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '20'

    - name: Run AgentShield scan
      id: scan
      shell: bash
      run: |
        SCAN_PATH="${{ inputs.path }}"
        FAIL_UNDER="${{ inputs.fail-under }}"
        FORMAT="${{ inputs.format }}"
        SARIF="${{ inputs.sarif }}"
        SARIF_FILE="${{ inputs.sarif-file }}"

        # Build scan args
        ARGS="scan $SCAN_PATH --json"

        if [ -n "$FAIL_UNDER" ]; then
          ARGS="$ARGS --fail-under $FAIL_UNDER"
        fi

        # Run scan
        set +e
        OUTPUT=$(npx -y @elliotllliu/agent-shield $ARGS 2>&1)
        SCAN_EXIT=$?
        set -e

        # Parse JSON output
        SCORE=$(echo "$OUTPUT" | grep -o '"score":[0-9]*' | head -1 | cut -d: -f2 || echo "unknown")
        FINDINGS=$(echo "$OUTPUT" | grep -o '"totalFindings":[0-9]*' | head -1 | cut -d: -f2 || echo "0")
        HIGH=$(echo "$OUTPUT" | grep -o '"high":[0-9]*' | head -1 | cut -d: -f2 || echo "0")
        MEDIUM=$(echo "$OUTPUT" | grep -o '"medium":[0-9]*' | head -1 | cut -d: -f2 || echo "0")
        LOW=$(echo "$OUTPUT" | grep -o '"low":[0-9]*' | head -1 | cut -d: -f2 || echo "0")

        echo "score=$SCORE" >> "$GITHUB_OUTPUT"
        echo "findings=$FINDINGS" >> "$GITHUB_OUTPUT"
        echo "high=$HIGH" >> "$GITHUB_OUTPUT"
        echo "medium=$MEDIUM" >> "$GITHUB_OUTPUT"
        echo "low=$LOW" >> "$GITHUB_OUTPUT"

        # Generate SARIF if requested
        if [ "$SARIF" = "true" ]; then
          npx -y @elliotllliu/agent-shield scan $SCAN_PATH --sarif -o "$SARIF_FILE" 2>/dev/null || true
          echo "sarif_file=$SARIF_FILE" >> "$GITHUB_OUTPUT"
        fi

        # Write Step Summary
        {
          echo "## 🛡️ AgentShield Scan Results"
          echo ""
          echo "| Metric | Value |"
          echo "|--------|-------|"
          echo "| Score | **${SCORE}/100** |"
          echo "| 🔴 High | ${HIGH} |"
          echo "| 🟡 Medium | ${MEDIUM} |"
          echo "| 🟢 Low | ${LOW} |"
          echo "| Total Findings | ${FINDINGS} |"
          echo ""
          if [ "$SCORE" != "unknown" ]; then
            if [ "$SCORE" -ge 90 ] 2>/dev/null; then
              echo "✅ **Low Risk** — safe to use"
            elif [ "$SCORE" -ge 70 ] 2>/dev/null; then
              echo "🟡 **Moderate Risk** — review warnings"
            elif [ "$SCORE" -ge 40 ] 2>/dev/null; then
              echo "🟠 **High Risk** — investigate before using"
            else
              echo "🔴 **Critical Risk** — do not install"
            fi
          fi
        } >> "$GITHUB_STEP_SUMMARY"

        # Print terminal output if not json format
        if [ "$FORMAT" != "json" ]; then
          npx -y @elliotllliu/agent-shield scan $SCAN_PATH 2>&1 || true
        else
          echo "$OUTPUT"
        fi

        exit $SCAN_EXIT