mirror of
https://github.com/sonatype/actions.git
synced 2026-03-31 08:32:34 +00:00
168 lines
6.3 KiB
YAML
168 lines
6.3 KiB
YAML
name: 'Run IQ CLI'
|
|
description:
|
|
'run-iq-cli action runs IQ CLI (jar) with the set of parameters provided and outputs the scan id and the report URL'
|
|
author: 'Sonatype'
|
|
|
|
# Add your action's branding here. This will appear on the GitHub Marketplace.
|
|
branding:
|
|
icon: 'shield'
|
|
color: 'purple'
|
|
|
|
# Define your inputs here.
|
|
inputs:
|
|
iq-cli-version:
|
|
description: 'IQ CLI version to be used'
|
|
required: false
|
|
iq-server-url:
|
|
description: 'Lifecycle (IQ Server) URL (e.g. http://localhost:8070).'
|
|
required: true
|
|
username:
|
|
description: 'The username to authenticate with Lifecycle (IQ Server).'
|
|
required: true
|
|
password:
|
|
description: 'The password to authenticate with Lifecycle (IQ Server).'
|
|
required: true
|
|
application-id:
|
|
description:
|
|
'Lifecycle (IQ Server) application ID. When Automatic Applications is enabled and the application ID has not yet
|
|
been used, a new application will be created with the given ID.'
|
|
required: true
|
|
scan-targets:
|
|
description:
|
|
'Space-separated list of paths to specific files, directories, or docker images. Apache Ant-styled patterns are
|
|
allowed.'
|
|
required: true
|
|
organization-id:
|
|
description:
|
|
'The ID for the Lifecycle organization to which the application belongs. When automatic application creation is
|
|
enabled and the application does not exist, it will be created under the organization having the provided
|
|
organization ID.'
|
|
required: false
|
|
stage:
|
|
description: 'Specify the development lifecycle stage for the analysis. Defaults to the build stage.'
|
|
required: false
|
|
default: 'build'
|
|
result-file:
|
|
description:
|
|
'If set, the analysis output (in JSON format) will be uploaded as a run artifact with the specified name.'
|
|
required: false
|
|
module-exclude:
|
|
description: 'Space-separated list of module files to ignore via Apache Ant-styled patterns.'
|
|
required: false
|
|
fail-on-policy-warnings:
|
|
description: 'Causes a failure of the evaluation if any warnings are encountered.'
|
|
required: false
|
|
default: false
|
|
ignore-system-errors:
|
|
description: 'Ignore system errors (e.g. IO, Network, server, etc.) to avoid unintentional build failures.'
|
|
required: false
|
|
default: false
|
|
ignore-scanning-errors:
|
|
description:
|
|
'Ignore scanning errors (e.g. invalid files, inaccessible files, etc). It is useful when the code base contains
|
|
invalid files for testing purposes. Scanning these files may cause unintentional build failures.'
|
|
required: false
|
|
default: false
|
|
debug:
|
|
description:
|
|
'Enables debug logging for troubleshooting. Use with caution as this log may expose sensitive information.'
|
|
required: false
|
|
default: false
|
|
keep-scan-file:
|
|
description: 'Retains and uploads the scan file as an action artifact.'
|
|
required: false
|
|
default: false
|
|
proxy:
|
|
description:
|
|
'Specify a proxy to use when connecting to Lifecycle (IQ Server). This property is set using the format
|
|
host[:port], otherwise, the CLI uses the default HTTP proxy set with the JVM.'
|
|
required: false
|
|
proxy-user:
|
|
description: 'Specify proxy credentials in the following format: username:password.'
|
|
required: false
|
|
include-sha-256:
|
|
description: 'If set, SHA256 checksums are included in the scan file.'
|
|
required: false
|
|
default: false
|
|
exclude-maven-dependency-management:
|
|
description:
|
|
'Enable this parameter to limit analysis to the projects dependencies section of a pom file while excluding the
|
|
components under the dependencyManagement section.'
|
|
required: false
|
|
default: false
|
|
sarif-file:
|
|
description:
|
|
'Generates a SARIF file with a specified name containing all identified vulnerabilities. The SARIF file extension
|
|
must be .sarif or .json. The generated file will be uploaded as an action artifact.'
|
|
required: false
|
|
enable-callflow:
|
|
description: 'Deprecated. Use enable-reachability.'
|
|
required: false
|
|
default: false
|
|
callflow-namespaces:
|
|
description: 'Deprecated. Use reachability-namespaces.'
|
|
required: false
|
|
default: ''
|
|
enable-reachability:
|
|
description:
|
|
'Perform a reachability analysis in Java or JVM language binaries to determine the method signatures that trigger
|
|
a security vulnerability.'
|
|
required: false
|
|
default: false
|
|
reachability-namespaces:
|
|
description:
|
|
'Limit the reachability analysis to a specific namespace for faster, more precise results. Multiple namespaces can
|
|
be delimited by space.'
|
|
required: false
|
|
default: ''
|
|
reachability-entrypoint-strategy:
|
|
description: 'Entrypoint strategy for Java reachability analysis.'
|
|
required: false
|
|
enable-reachability-js:
|
|
description: 'Enable JavaScript reachability analysis (Default: false)'
|
|
required: false
|
|
default: false
|
|
reachability-js-sources:
|
|
description:
|
|
'JavaScript source patterns for reachability analysis (required for JS reachability; these are app files; do not
|
|
include tests or node_modules files here)'
|
|
required: false
|
|
default: ''
|
|
reachability-js-excludes:
|
|
description:
|
|
'JavaScript exclude patterns for reachability analysis (e.g. tests and other source files that are not relevant
|
|
for the analysis)'
|
|
required: false
|
|
default: ''
|
|
reachability-node-path:
|
|
description: 'Path to Node.js executable'
|
|
required: false
|
|
reachability-js-project-root:
|
|
description: 'JavaScript project root directory (i.e. where the main package.json file resides)'
|
|
required: false
|
|
ignore-reachability-errors:
|
|
description: 'Ignore reachability analysis errors (reachability analysis failed to run) (Default: false)'
|
|
required: false
|
|
default: false
|
|
|
|
# Define your outputs here.
|
|
outputs:
|
|
scan-id:
|
|
description: 'Scan id result of the run operation'
|
|
report-url:
|
|
description: 'Use this link to navigate directly to the report'
|
|
priorities-url:
|
|
description: 'Use this link to navigate directly to the priorities report'
|
|
sarif-file:
|
|
description: 'Name of the generated SARIF file containing all found vulnerabilities, if configured.'
|
|
result-file-path:
|
|
description: 'The path to the Result file to upload as artifact'
|
|
sarif-file-path:
|
|
description: 'The path to the SARIF file to upload as artifact'
|
|
scan-file-path:
|
|
description: 'The path to the Scan file to upload as artifact'
|
|
|
|
runs:
|
|
using: node20
|
|
main: dist/main/index.js
|