Add support for SAST (#66)

* Add support for SAST * minor * update upload-artifact action * more * build: update version for node and yarn to match actions/setup-node@v3 * build: add generated output --------- Co-authored-by: Nathan Hughes <nathan@endor.ai>
endorlabs · Oct 29, 2024 · a8ad74e · a8ad74e
1 parent e4ee275
commit a8ad74e
Show file tree

Hide file tree

Showing 8 changed files with 31 additions and 9 deletions.
diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
@@ -47,7 +47,7 @@ jobs:
         id: diff
 
       # If index.js was different than expected, upload the expected version as an artifact
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist

diff --git a/.nvmrc b/.nvmrc
@@ -0,0 +1 @@
+v20.18.0
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -20,11 +20,11 @@ We have prepared a short guide so that the process of making your contribution i
 Before you start, ensure that you have the necessary dependencies for developing and building the action. Without the required dependencies, building or testing the action locally will fail.
 
 - [node](https://nodejs.org/en): JavaScript runtime environment used for the GitHub action development
-  - Recommended version ">=20"
+  - Recommended version ">=20.18"
   - Download and install from https://nodejs.org/en/download
   - Alternative: install and manage node versions with [`nvm`](https://github.com/nvm-sh/nvm)
 - [yarn](https://yarnpkg.com):
-  - Recommended version: "Classic Stable: v1.22.19"
+  - Recommended version: "Classic Stable: v1.22.22"
   - Install and manage yarn through Corepack (requires node > "v16.9.x0")
     - `corepack enable yarn` ([Reference](https://github.com/nodejs/corepack#corepack-enable--name))
   - Alternative: install from [classic.yarnpkg.com](https://classic.yarnpkg.com/en/docs/install)

diff --git a/action.yml b/action.yml
@@ -151,6 +151,11 @@ inputs:
     description: >-
       "Scan source code repository and generate findings for secrets. See also `scan_git_logs`."
     default: false
+  # Scan source code for SAST.
+  scan_sast:
+    description: >-
+      "Scan source code repository and generate findings for SAST."
+    default: false
   # Set the endorctl output format.
   scan_summary_output_type:
     description: >-

diff --git a/dist/index.js b/dist/index.js
@@ -24557,6 +24557,7 @@ function get_scan_options(options) {
     const PHANTOM_DEPENDENCIES = core.getBooleanInput("phantom_dependencies");
     const SCAN_PROJECT_NAME = core.getInput("project_name");
     const SCAN_IMAGE_NAME = core.getInput("image");
+    const SCAN_SAST = core.getBooleanInput("scan_sast");
     const ADDITION_OPTIONS = ADDITIONAL_ARGS.split(" ");
     const SARIF_FILE = core.getInput("sarif_file");
     const ENABLE_PR_COMMENTS = core.getBooleanInput("enable_pr_comments");
@@ -24569,11 +24570,12 @@ function get_scan_options(options) {
     const BAZEL_TARGETS_QUERY = core.getInput("bazel_targets_query");
     if (!SCAN_DEPENDENCIES &&
         !SCAN_SECRETS &&
+        !SCAN_SAST &&
         !SCAN_CONTAINER &&
         !SCAN_TOOLS &&
         !SCAN_PACKAGE &&
         !SCAN_GITHUB_ACTIONS) {
-        core.error("At least one of `scan_dependencies`, `scan_secrets`, `scan_tools`, `scan_container` or `scan_github_actions` or `scan_package` must be enabled");
+        core.error("At least one of `scan_dependencies`, `scan_secrets`, `scan_tools`, `scan_sast`, `scan_container` or `scan_github_actions` or `scan_package` must be enabled");
     }
     if (SCAN_CONTAINER && SCAN_DEPENDENCIES) {
         core.error("Container scan and dependency scan cannot be set at the same time");
@@ -24588,6 +24590,9 @@ function get_scan_options(options) {
         if (SCAN_SECRETS) {
             core.error("Package scan and Secrets scan cannot be set at the same time");
         }
+        if (SCAN_SAST) {
+            core.error("Package scan and SAST scan cannot be set at the same time");
+        }
         if (!SCAN_PROJECT_NAME) {
             core.error("Please provide project name via project_name parameter");
         }
@@ -24604,6 +24609,9 @@ function get_scan_options(options) {
     if (SCAN_SECRETS) {
         options.push(`--secrets=true`);
     }
+    if (SCAN_SAST) {
+        options.push(`--sast=true`);
+    }
     if (SCAN_CONTAINER) {
         options.push(`--container=${SCAN_IMAGE_NAME}`);
         if (SCAN_PROJECT_NAME) {

diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/package.json b/package.json
@@ -45,11 +45,11 @@
     "typescript": "4.9.5"
   },
   "engines": {
-    "node": ">=20",
+    "node": ">=20.18.0",
     "npm": "Please use yarn instead of npm to install dependencies",
-    "yarn": "1.22.19"
+    "yarn": "1.22.22"
   },
-  "packageManager": "yarn@1.22.19",
+  "packageManager": "yarn@1.22.22",
   "resolutions": {
     "semver": ">=7.5.2"
   }

diff --git a/src/scan.ts b/src/scan.ts
@@ -29,6 +29,7 @@ function get_scan_options(options: any[]): void {
   const PHANTOM_DEPENDENCIES = core.getBooleanInput("phantom_dependencies");
   const SCAN_PROJECT_NAME = core.getInput("project_name");
   const SCAN_IMAGE_NAME = core.getInput("image");
+  const SCAN_SAST = core.getBooleanInput("scan_sast");
 
   const ADDITION_OPTIONS = ADDITIONAL_ARGS.split(" ");
   const SARIF_FILE = core.getInput("sarif_file");
@@ -45,13 +46,14 @@ function get_scan_options(options: any[]): void {
   if (
     !SCAN_DEPENDENCIES &&
     !SCAN_SECRETS &&
+    !SCAN_SAST &&
     !SCAN_CONTAINER &&
     !SCAN_TOOLS &&
     !SCAN_PACKAGE &&
     !SCAN_GITHUB_ACTIONS
   ) {
     core.error(
-      "At least one of `scan_dependencies`, `scan_secrets`, `scan_tools`, `scan_container` or `scan_github_actions` or `scan_package` must be enabled"
+      "At least one of `scan_dependencies`, `scan_secrets`, `scan_tools`, `scan_sast`, `scan_container` or `scan_github_actions` or `scan_package` must be enabled"
     );
   }
   if (SCAN_CONTAINER && SCAN_DEPENDENCIES) {
@@ -75,6 +77,9 @@ function get_scan_options(options: any[]): void {
         "Package scan and Secrets scan cannot be set at the same time"
       );
     }
+    if (SCAN_SAST) {
+      core.error("Package scan and SAST scan cannot be set at the same time");
+    }
     if (!SCAN_PROJECT_NAME) {
       core.error("Please provide project name via project_name parameter");
     }
@@ -94,6 +99,9 @@ function get_scan_options(options: any[]): void {
   if (SCAN_SECRETS) {
     options.push(`--secrets=true`);
   }
+  if (SCAN_SAST) {
+    options.push(`--sast=true`);
+  }
   if (SCAN_CONTAINER) {
     options.push(`--container=${SCAN_IMAGE_NAME}`);
     if (SCAN_PROJECT_NAME) {