Sonatype Evaluate Action
A GitHub Action for evaluations against a Sonatype Lifecycle instance in GitHub workflows. It sets up Sonatype CLI and runs it to execute the evaluation.
This is a convenience composite action that internally uses the following actions with some predefined parameters, enabling developers to quickly start running Lifecycle evaluations:
- Setup Java - makes Java available for GitHub runners by selecting an appropriate version for the Sonatype CLI;
- Setup Sonatype CLI - makes the latest version of Sonatype CLI available for GitHub runners;
- Run Sonatype CLI - runs an evaluation using the tools set up in the previous two actions.
Usage Example
name: Sonatype Workflow
on: push
jobs:
sonatype-cli:
runs-on: ubuntu-latest
steps:
# some steps are omitted...
# Check out your code
- name: Checkout
id: checkout
uses: actions/checkout@v4
# Perform an evaluation
- name: Run evaluate action
id: evaluate
uses: sonatype/actions/evaluate@v1
with:
iq-server-url: https://your.lifecycle.server
username: ${{ secrets.LIFECYCLE_USERNAME }}
password: ${{ secrets.LIFECYCLE_PASSWORD }}
application-id: lifecycle-app
scan-targets: package.json
# Print out the results
- name: Log evaluate action output
run: echo "${{ steps.evaluate.outputs.scan-id }} ${{ steps.evaluate.outputs.report-url }}"
Parameters
iq-server-url
Lifecycle (IQ Server) URL.Required
username
The username to authenticate with Lifecycle (IQ Server).Required
password
The password to authenticate with Lifecycle (IQ Server).Required
application-id
Lifecycle (IQ Server) application ID. When Automatic Applications is enabled and the application ID has not yet been used, a new application will be created with the given ID.Required
organization-id
The ID for the Lifecycle organization to which the application belongs. When automatic application creation is enabled and the application does not exist, it will be created under the organization having the provided organization ID. See Automatic application creation with the CLI for more details.Optional
scan-targets
Space separated list of paths to specific files, directories or docker images. Apache Ant-styled patterns are allowed. See supported file formats in Analysis.Required
stage
Specify the development lifecycle stage for the analysis. Defaults to thebuildstage.Optional
result-file
If set, the analysis output (in JSON format) will be stored as a run artifact with the specified name.Optional
module-exclude
Specify module files to ignore via Apache Ant-styled patterns.Optional
fail-on-policy-warnings
Causes a failure of the evaluation if any warnings are encountered. Default:false.Optional
ignore-system-errors
Ignore system errors (e.g. IO, Network, server, etc.) to avoid unintentional build failures. Default:false.Optional
ignore-scanning-errors
Ignore scanning errors (e.g. invalid files, inaccessible files, etc). It is useful when the code base contains invalid files for testing purposes. Scanning these files may cause unintentional build failures. Default:false.Optional
debug
Enables debug logging for troubleshooting. Use with caution as this log may expose sensitive information. Default:false.Optional
keep-scan-file
Retains the scan file as an action artifact. Default:false.Optional
proxy
Specify a proxy to use when connecting to Lifecycle (IQ Server). This property is set using the formathost[:port], otherwise, the CLI uses the default HTTP proxy set with the JVM.'Optional
proxy-user
Specify proxy credentials in the following format:username:password.Optional
include-sha-256
If set, SHA256 checksums are included in the scan file. Default:false.Optional
exclude-maven-dependency-management
Enable this parameter to limit analysis to the projects dependencies section of a pom file while excluding the components under the dependencyManagement section. Default:false.Optional
Output
scan-id
Scan id result of the run operation. It can be used to access the Lifecycle report of relater artifacts.
report-url
Use this link to navigate directly to the analysis report in Lifecycle (IQ Server).