sonatype/actions
0
0
Fork 0
mirror of https://github.com/sonatype/actions.git synced 2026-03-27 22:52:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
actions/evaluate
History
Sonatype Zion 8b4feb2fcc Release: 1.9.3
2026-03-09 17:29:22 +00:00
..
action.yml
Release: 1.9.3
2026-03-09 17:29:22 +00:00
README.md
Release: 1.9.0
2025-12-23 18:02:38 +00:00

README.md

Sonatype Evaluate Action

A GitHub Action for evaluations against a Sonatype Lifecycle instance in GitHub workflows. It sets up Sonatype CLI and runs it to execute the evaluation.

This is a convenience composite action that internally uses the following actions with some predefined parameters, enabling developers to quickly start running Lifecycle evaluations:

  • Setup Java - makes Java available for GitHub runners by selecting an appropriate version for the Sonatype CLI;
  • Setup Sonatype CLI - makes the latest version of Sonatype CLI available for GitHub runners;
  • Run Sonatype CLI - runs an evaluation using the tools set up in the previous two actions.

Usage Example

name: Sonatype Workflow
on: push
jobs:
  sonatype-cli:
    runs-on: ubuntu-latest
    steps:
      # some steps are omitted...
      # Check out your code
      - name: Checkout
        id: checkout
        uses: actions/checkout@v4
      # Perform an evaluation
      - name: Run evaluate  action
        id: evaluate
        uses: sonatype/actions/evaluate@v1
        with:
          iq-server-url: https://your.lifecycle.server
          username: ${{ secrets.LIFECYCLE_USERNAME }}
          password: ${{ secrets.LIFECYCLE_PASSWORD }}
          application-id: lifecycle-app
          scan-targets: package.json
      # Print out the results
      - name: Log evaluate action output
        run: echo "${{ steps.evaluate.outputs.scan-id }} ${{ steps.evaluate.outputs.report-url }}"

Parameters

iq-server-url
Lifecycle (IQ Server) URL. Required

username
The username to authenticate with Lifecycle (IQ Server). Required

password
The password to authenticate with Lifecycle (IQ Server). Required

application-id
Lifecycle (IQ Server) application ID. When Automatic Applications is enabled and the application ID has not yet been used, a new application will be created with the given ID. Required

organization-id
The ID for the Lifecycle organization to which the application belongs. When automatic application creation is enabled and the application does not exist, it will be created under the organization having the provided organization ID. See Automatic application creation with the CLI for more details. Optional

scan-targets
Space-separated list of paths to specific files, directories or docker images. Apache Ant-styled patterns are allowed. See supported file formats in Analysis. Required

stage
Specify the development lifecycle stage for the analysis. Defaults to the build stage. Optional

result-file
If set, the analysis output (in JSON format) will be stored as a run artifact with the specified name. Optional

module-exclude
Space-separated list of module files to ignore via Apache Ant-styled patterns. Optional

fail-on-policy-warnings
Causes a failure of the evaluation if any warnings are encountered. Default: false. Optional

ignore-system-errors
Ignore system errors (e.g. IO, Network, server, etc.) to avoid unintentional build failures. Default: false. Optional

ignore-scanning-errors
Ignore scanning errors (e.g. invalid files, inaccessible files, etc). It is useful when the code base contains invalid files for testing purposes. Scanning these files may cause unintentional build failures. Default: false. Optional

debug
Enables debug logging for troubleshooting. Use with caution as this log may expose sensitive information. Default: false. Optional

keep-scan-file
Retains the scan file as an action artifact. Default: false. Optional

proxy
Specify a proxy to use when connecting to Lifecycle (IQ Server). This property is set using the format host[:port], otherwise, the CLI uses the default HTTP proxy set with the JVM.' Optional

proxy-user
Specify proxy credentials in the following format: username:password. Optional

include-sha-256
If set, SHA256 checksums are included in the scan file. Default: false. Optional

exclude-maven-dependency-management
Enable this parameter to limit analysis to the projects dependencies section of a pom file while excluding the components under the dependencyManagement section. Default: false. Optional

sarif-file
Generates a SARIF file with a specified name containing all identified vulnerabilities. The SARIF file extension must be .sarif or .json. The generated file will be uploaded as an action artifact. Optional

upload-sarif-file
Enable this parameter to generate or use the generated sarif-file to update the "Code scanning" section under the GitHub repository's Security tab. Default: false. Optional
If sarif-file is not defined, the generated file will be named result.sarif by default, and it will be uploaded as an action artifact.
GitHub Advanced Security is available for GitHub Enterprise and public repositories.

enable-reachability
Since version 1.3.0, you can perform a reachability analysis in Java or JVM language binaries to determine the method signatures that trigger a security vulnerability. Default: false. Optional

reachability-namespaces
Since version 1.3.0, you can limit the reachability analysis to a specific namespace for faster, more precise results. Multiple namespaces can be delimited by space. Default: empty. Optional

reachability-entrypoint-strategy
Entrypoint strategy for Java reachability analysis. Optional

enable-reachability-js
Enable JavaScript reachability analysis. Default: false. Optional

reachability-js-sources
JavaScript source patterns for reachability analysis (required for JS reachability; these are app files; do not include tests or node_modules files here). Default: empty. Optional

reachability-js-excludes
JavaScript exclude patterns for reachability analysis (e.g. tests and other source files that are not relevant for the analysis). Default: empty. Optional

reachability-node-path
Path to Node.js executable. Optional

reachability-js-project-root
JavaScript project root directory (i.e. where the main package.json file resides). Optional

ignore-reachability-errors
Ignore reachability analysis errors (reachability analysis failed to run). Default: false. Optional

Output

scan-id
Scan id result of the run operation. It can be used to access the Lifecycle report of relater artifacts.

report-url
Link to navigate directly to the analysis report in Lifecycle (IQ Server).

sarif-file
Name of the generated SARIF file containing all found vulnerabilities, if configured.

GitHub Advanced Security

Prerequisites

In order to use the GitHub Advanced Security feature, you must grant your workflow the security-events: write permission.

Usage Example with Results in GitHub Security Tab

name: Workflow for GitHub Advanced Security
on: push
jobs:
  sonatype-cli:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      # some steps are omitted...
      # Check out your code
      - name: Checkout
        id: checkout
        uses: actions/checkout@v4
      # Perform an evaluation
      - name: Run evaluate  action
        id: evaluate
        uses: sonatype/actions/evaluate@v1
        with:
          iq-server-url: https://your.lifecycle.server
          username: ${{ secrets.LIFECYCLE_USERNAME }}
          password: ${{ secrets.LIFECYCLE_PASSWORD }}
          application-id: lifecycle-app
          scan-targets: package.json
          upload-sarif-file: true
Reference in New Issue View Git Blame Copy Permalink