#!/bin/bash
# Copyright 2021 Security Scorecard Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
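set -euo pipefail
# https://docs.github.com/en/actions/learn-github-actions/environment-variables
# GITHUB_EVENT_PATH contains the json file for the event.
# GITHUB_SHA contains the commit hash.
# GITHUB_WORKSPACE contains the repo folder.
# GITHUB_EVENT_NAME contains the event name.
# GITHUB_ACTIONS is true in GitHub env.
#
# Action inputs arrive as INPUT_* variables. The repo token is handed to the
# scorecard binary through the environment only; none of the echo lines
# below print it.
export GITHUB_AUTH_TOKEN="$INPUT_REPO_TOKEN"
export ENABLE_SARIF=1
export ENABLE_LICENSE=1
export ENABLE_DANGEROUS_WORKFLOW=1
export SCORECARD_POLICY_FILE="/policy.yml" # Copied at docker image creation.
export SCORECARD_RESULTS_FILE="$INPUT_RESULTS_FILE"
export SCORECARD_RESULTS_FORMAT="$INPUT_RESULTS_FORMAT"
export SCORECARD_PUBLISH_RESULTS="$INPUT_PUBLISH_RESULTS"
# https://docs.github.com/en/actions/learn-github-actions/environment-variables
# Assign and export on separate lines: `export VAR="$(cmd)"` masks a failing
# jq (missing or malformed event file), so the script would carry on with an
# empty privacy flag and fall through to the configured publish setting.
# A plain assignment fails closed under `set -e` instead.
SCORECARD_PRIVATE_REPOSITORY="$(jq '.repository.private' "$GITHUB_EVENT_PATH")"
export SCORECARD_PRIVATE_REPOSITORY
SCORECARD_DEFAULT_BRANCH="refs/heads/$(jq -r '.repository.default_branch' "$GITHUB_EVENT_PATH")"
export SCORECARD_DEFAULT_BRANCH
export SCORECARD_BIN="/scorecard"
# Extra arguments for the scorecard binary; empty means "all checks".
export ENABLED_CHECKS=
# WARNING: boolean inputs are strings https://github.com/actions/runner/issues/1483.
# If the repository is private, never publish the results.
if [[ "$SCORECARD_PRIVATE_REPOSITORY" == "true" ]]; then
  export SCORECARD_PUBLISH_RESULTS="false"
fi
# We only use the policy file if the request format is sarif.
# The variable is unset rather than emptied, as before; every later read goes
# through ${SCORECARD_POLICY_FILE:-} because `set -u` would otherwise abort
# the script on the unset name for any non-sarif format.
if [[ "$SCORECARD_RESULTS_FORMAT" != "sarif" ]]; then
  unset SCORECARD_POLICY_FILE
fi
echo "Event file: $GITHUB_EVENT_PATH"
echo "Event name: $GITHUB_EVENT_NAME"
echo "Ref: $GITHUB_REF"
echo "Private repository: $SCORECARD_PRIVATE_REPOSITORY"
echo "Publication enabled: $SCORECARD_PUBLISH_RESULTS"
echo "Format: $SCORECARD_RESULTS_FORMAT"
echo "Policy file: ${SCORECARD_POLICY_FILE:-}"
echo "Default branch: $SCORECARD_DEFAULT_BRANCH"
# Note: this will fail if we push to a branch on the same repo, so it will show as failing
# on forked repos.
if [[ "$GITHUB_EVENT_NAME" != "pull_request"* && "$GITHUB_REF" != "$SCORECARD_DEFAULT_BRANCH" ]]; then
  echo "$GITHUB_REF not supported with '$GITHUB_EVENT_NAME' event."
  echo "Only the default branch '$SCORECARD_DEFAULT_BRANCH' is supported"
  exit 1
fi
# It's important to change directories here, to ensure
# the files in SARIF start at the source of the repo.
# This allows GitHub to highlight the file.
cd "$GITHUB_WORKSPACE"
if [[ "$GITHUB_EVENT_NAME" == "pull_request"* ]]; then
  # For pull request events, we run on a local folder.
  if [[ -z "${SCORECARD_POLICY_FILE:-}" ]]; then
    $SCORECARD_BIN --local . --format "$SCORECARD_RESULTS_FORMAT" --show-details > "$SCORECARD_RESULTS_FILE"
  else
    $SCORECARD_BIN --local . --format "$SCORECARD_RESULTS_FORMAT" --show-details --policy "$SCORECARD_POLICY_FILE" > "$SCORECARD_RESULTS_FILE"
  fi
else
  # For other events, we run on the repo.
  # For the branch protection trigger, we only run the Branch-Protection check.
  if [[ "$GITHUB_EVENT_NAME" == "branch_protection_rule" ]]; then
    export ENABLED_CHECKS="--checks Branch-Protection"
  fi
  # shellcheck disable=SC2086 -- ENABLED_CHECKS is intentionally word-split into "--checks <name>".
  if [[ -z "${SCORECARD_POLICY_FILE:-}" ]]; then
    $SCORECARD_BIN --repo="$GITHUB_REPOSITORY" --format "$SCORECARD_RESULTS_FORMAT" $ENABLED_CHECKS --show-details > "$SCORECARD_RESULTS_FILE"
  else
    $SCORECARD_BIN --repo="$GITHUB_REPOSITORY" --format "$SCORECARD_RESULTS_FORMAT" $ENABLED_CHECKS --show-details --policy "$SCORECARD_POLICY_FILE" > "$SCORECARD_RESULTS_FILE"
  fi
fi
# Pretty-print the results (json and sarif are both JSON) so they appear in the job log.
jq '.' "$SCORECARD_RESULTS_FILE"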