Commit
0 parents
commit 12d7ee8
Showing 3 changed files with 79 additions and 0 deletions.
@@ -0,0 +1,7 @@ | ||
FROM golang AS builder | ||
RUN wget https://get.symfony.com/cli/installer -O - | bash | ||
|
||
FROM scratch | ||
COPY --from=builder /root/.symfony/bin/symfony / | ||
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ | ||
CMD ["/symfony", "check:security"] |
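Review bot: `RUN wget https://get.symfony.com/cli/installer -O - | bash` pipes an unpinned remote installer straight into bash, so every image build (and, because action.yml builds from `Dockerfile`, every workflow run that uses the action) trusts whatever get.symfony.com serves at that moment, with no version pin and no checksum; together with the unpinned `FROM golang` and `FROM scratch` stages, the tool that decides whether a build passes its security check is itself unverifiable. Pin a Symfony CLI release, download the archive and verify its checksum before the `COPY --from=builder`, and pin the base image by tag or digest. The `wget ... | bash` form also hides download failures: the RUN step's exit status is bash's, so a truncated response can leave a partial script executed and the build still green; add `SHELL ["/bin/bash", "-eo", "pipefail", "-c"]` before the RUN. Minor: the builder stage only needs `wget` and `bash`, not a Go toolchain.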
@@ -0,0 +1,46 @@ | ||
PHP Security Checker | ||
==================== | ||
|
||
This action checks your `composer.lock` for known vulnerabilities in your package dependencies. | ||
|
||
Inputs | ||
------ | ||
|
||
* `composer` *optional* The path to the `composer.lock` file (defaults to the repository root directory). | ||
* `disable-exit-code` *optional* Set it to `1` if you don't want the step to fail in case of detected vulnerabilities | ||
|
||
Outputs | ||
------- | ||
|
||
* `vulns` A JSON payload containing all detected vulnerabilities | ||
|
||
Usage | ||
----- | ||
|
||
If you want the step to fail whenever there is a security issue in one of your | ||
dependencies, use this action: | ||
|
||
steps: | ||
- uses: actions/checkout@v2 | ||
- uses: symfonycorp/security-checker-action@v1 | ||
|
||
If the `composer.lock` is not in the repository root directory, pass is as an | ||
input: | ||
|
||
steps: | ||
- uses: actions/checkout@v2 | ||
- uses: symfonycorp/security-checker-action@v1 | ||
with: | ||
lock: subdir/composer.lock | ||
|
||
Instead of failing, you can also get the vulnerabilities as a JSON output and | ||
do something with them in another step: | ||
|
||
steps: | ||
- uses: actions/checkout@v2 | ||
- uses: symfonycorp/security-checker-action@v1 | ||
with: | ||
disable-exit-code: 1 | ||
id: security-check | ||
- name: Display the vulnerabilities as JSON | ||
run: echo ${{ steps.security-check.outputs.vulns }} |
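Review bot: the last example, `run: echo ${{ steps.security-check.outputs.vulns }}`, expands the JSON output into the shell script before it runs, so package names, advisory titles and links from the vulnerability data land unquoted in a shell command; at best the braces and quotes in the JSON break the `echo`, and any shell metacharacters in that data are executed as part of the script. Pass the value through the environment instead: `env: VULNS: ${{ steps.security-check.outputs.vulns }}` with `run: echo "$VULNS"`. Also, the Inputs list documents the lock-file input as `composer`, while the usage example in this same file and action.yml call it `lock`; rename the bullet to `lock` so readers do not pass an input the action ignores. In the third example `id: security-check` sits after `with:`; it is valid YAML but reads as if `id` belonged to the `with` block, so move it next to `uses:`.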
@@ -0,0 +1,26 @@ | ||
name: 'The PHP Security Checker' | ||
description: 'Checks composer.json for known vulnerabilities in your package dependencies' | ||
branding: | ||
icon: 'umbrella' | ||
color: 'gray-dark' | ||
inputs: | ||
lock: | ||
description: 'The path to composer.lock is stored (root directory by default)' | ||
required: false | ||
default: './composer.lock' | ||
disable-exit-code: | ||
description: 'Whether to fail when issues are detected (false by default)' | ||
required: false | ||
default: 0 | ||
outputs: | ||
vulns: | ||
description: 'The detected vulnerabilities as JSON' | ||
runs: | ||
using: 'docker' | ||
image: 'Dockerfile' | ||
args: | ||
- /symfony | ||
- check:security | ||
- "--dir" | ||
- ${{ inputs.lock }} | ||
- "--disable-exit-code=${{ inputs.disable-exit-code }}" |
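Review bot: nothing in the visible files sets the `vulns` output declared under `outputs:`; the container only runs `/symfony check:security`, so unless the Symfony CLI itself emits the `::set-output` workflow command when it detects it is running in Actions, `steps.<id>.outputs.vulns` stays empty and the README's JSON example prints nothing. Either document that the CLI populates it, or add an entrypoint that captures the command's JSON output and emits it. Also: `description` says 'Checks composer.json' while the README and the default `./composer.lock` show the action checks `composer.lock`; the `lock` input description ('The path to composer.lock is stored') is missing a word and should read 'The path where composer.lock is stored'; and that file-path default is handed to a flag named `--dir`, so the description should say whether the flag accepts a file, a directory, or both. Finally, `default: 0` is an unquoted YAML integer while the README tells users to set `1`; quote it ('0') so the input type is consistent with the other string default.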