diff --git a/.github/workflows/test-slack-actions.yaml b/.github/workflows/test-slack-actions.yml similarity index 100% rename from .github/workflows/test-slack-actions.yaml rename to .github/workflows/test-slack-actions.yml diff --git a/README.md b/README.md index 4e279efa9..45dce3f6d 100644 --- a/README.md +++ b/README.md @@ -28,11 +28,12 @@ Refer to the official Lefthook [installation guide](https://github.com/evilmarti --- ## Step 4: Sync Lefthook Hooks -This repo should already contain a `lefthook.yml` configuration file in the root directory. The configuration in the lefthook.yml file enforces commit message linting using Commitlint. -Package.json runs the below command as part of `pnpm install` to sync the Lefthook configuration with your Git hooks: +This repo should already contain a `lefthook.yml` configuration file in the root directory. + +The lefthook hooks are synced as part of `pnpm install` command using a `postinstall` hook that runs the below command automatically ```bash -lefthook run pre-commit +lefthook install ``` --- @@ -70,4 +71,9 @@ To verify that Lefthook is correctly set up: By setting up Lefthook, you ensure that all developers adhere to the commit message conventions.. +# Setting Up zizmor for GH workflows Analysis + +This guide will help you install and configure zizmor to analyze GH workflows and Actions locally. +## Step 1: Install zizmor +Installed as dependency during `pnpm install` along with all the other dependencies. diff --git a/code-check-actions/rust-lint/scripts/set-env.sh b/code-check-actions/rust-lint/scripts/set-env.sh index 05926c127..16ac691ef 100755 --- a/code-check-actions/rust-lint/scripts/set-env.sh +++ b/code-check-actions/rust-lint/scripts/set-env.sh @@ -3,5 +3,5 @@ set -euo pipefail if [[ -n ${manifest_dir} ]]; then - echo "manifest_path=${manifest_dir}/Cargo.toml" >> $GITHUB_OUTPUT + echo "manifest_path=${manifest_dir}/Cargo.toml" >> "$GITHUB_OUTPUT" fi \ No newline at end of file 
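Review bot: The value of `manifest_dir` is written to `$GITHUB_OUTPUT` as-is on the new `echo` line; the runner reads that file as newline-delimited `key=value` records, so a value containing a newline would be parsed as additional records and could define or override other outputs. If `manifest_dir` originates from a workflow input (its source is outside this hunk), reject newlines before writing, e.g. `[[ ${manifest_dir} != *$'\n'* ]] || { echo '::error ::manifest_dir must not contain a newline' >&2; exit 1; }`, or use the `manifest_path<<EOF` delimiter form. The same unvalidated write appears in the scan-metadata.sh hunks for sca, scan-docker-image, scan-rust and scan-gh-workflows and in cosign-metadata.sh, where DIR, FILE, ASSET_PREFIX, SCAN_PATH and signing_args flow straight into the output file.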
diff --git a/lefthook.yml b/lefthook.yml index ab1a301a2..fe480c16b 100644 --- a/lefthook.yml +++ b/lefthook.yml @@ -1,6 +1,14 @@ # Reference: # https://github.com/evilmartians/lefthook/blob/master/docs/full_guide.md +pre-commit: + # Run `zizmor` only on matching files + commands: + gh-analyze: + run: zizmor --no-exit-codes --collect=all --persona=pedantic --format plain {staged_files} + glob: "{**/action,.github/workflows/*}.{yml,yaml}" + continue: true + commit-msg: commands: commitlint: diff --git a/package.json b/package.json index 14e5f527d..c08d6f66c 100644 --- a/package.json +++ b/package.json @@ -18,14 +18,17 @@ "version:ci": "lerna version --yes --create-release github", "version:dry-run": "pnpm run version:ci --no-push", "lint": "eslint '**/*.{js,jsx,ts,tsx,vue}' --ignore-path '.eslintignore'", - "prepare": "lefthook run pre-commit" + "install-python-dependencies": "pip install -r requirements.txt", + "prepare": "pnpm run install-python-dependencies", + "postinstall": "lefthook install", + "pre-commit": "lefthook run pre-commit" }, "keywords": [], "devDependencies": { "@commitlint/cli": "^17.6.6", "@commitlint/config-conventional": "^17.6.6", "@commitlint/config-lerna-scopes": "^17.6.6", - "@evilmartians/lefthook": "^1.9.2", + "@evilmartians/lefthook": "^1.10.10", "@rushstack/eslint-patch": "^1.2.0", "@typescript-eslint/eslint-plugin": "^5.51.0", "@typescript-eslint/parser": "^5.51.0", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index cd03888c1..ae88b7d89 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -18,8 +18,8 @@ importers: specifier: ^17.6.6 version: 17.8.1(lerna@7.4.2(encoding@0.1.13)) '@evilmartians/lefthook': - specifier: ^1.9.2 - version: 1.9.2 + specifier: ^1.10.10 + version: 1.10.10 '@rushstack/eslint-patch': specifier: ^1.2.0 version: 1.10.4 @@ -64,6 +64,8 @@ importers: security-actions/scan-docker-image: {} + security-actions/scan-gh-workflows: {} + security-actions/scan-rust: {} security-actions/semgrep: {} 
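Review bot: The new `gh-analyze` command runs with `--no-exit-codes` and `continue: true`, so a finding can never block a commit and a missing `zizmor` binary is tolerated silently; if that is intended, say so next to the command, e.g. `# Informational only: findings and a missing zizmor never fail the commit`. It also runs `--persona=pedantic` while the CI action added in this commit defaults to `regular`, so developers will see findings locally that CI does not report; a comment explaining the difference, or aligning the two, would help. Whether lefthook's `glob` supports the brace alternation in `{**/action,.github/workflows/*}.{yml,yaml}` is not evident from this hunk and is worth confirming with a staged `action.yml`.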
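Review bot: The new `prepare` script runs `pip install -r requirements.txt` on every `pnpm install`, using whichever `pip` is first on PATH and installing into that interpreter, possibly a global one, rather than a project environment; `pnpm install` now also fails outright on machines without `pip`. Consider `python3 -m pip install --user -r requirements.txt`, or document the expected virtualenv in the README section this commit adds. The accompanying `requirements.txt` pins only a lower bound (`zizmor>=v1.2.2`), so the analyzer version drifts between developers; an exact pin is the safer choice for a tool installed as a side effect of `pnpm install`.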
@@ -202,8 +204,8 @@ packages: resolution: {integrity: sha512-d9zaMRSTIKDLhctzH12MtXvJKSSUhaHcjV+2Z+GK+EEY7XKpP5yR4x+N3TAcHTcu963nIr+TMcCb4DBCYX1z6Q==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} - '@evilmartians/lefthook@1.9.2': - resolution: {integrity: sha512-bcYrzoRh8toQTk/kHgzJbRiWPmogIn9jHxFpPFj/mbhz5y6CmIy1ebfncIRYTJl8XhztSlr2Zf7/5t1FNgi+bA==} + '@evilmartians/lefthook@1.10.10': + resolution: {integrity: sha512-MRIA0zJzUBbmcbecI7QjI08li4ffpmZ6DeVydEiZSg0vSx5mElEMEjDEjkI60eSV0XOm7LRbQKz2rfW6NqH8Cw==} cpu: [x64, arm64, ia32] os: [darwin, linux, win32] hasBin: true @@ -3215,7 +3217,7 @@ snapshots: '@eslint/js@8.57.1': {} - '@evilmartians/lefthook@1.9.2': {} + '@evilmartians/lefthook@1.10.10': {} '@gar/promisify@1.1.3': {} diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 000000000..b67ddfad1 --- /dev/null +++ b/requirements.txt @@ -0,0 +1 @@ +zizmor>=v1.2.2 \ No newline at end of file diff --git a/security-actions/sca/scripts/scan-metadata.sh b/security-actions/sca/scripts/scan-metadata.sh index 7c43e607a..553c0bb90 100755 --- a/security-actions/sca/scripts/scan-metadata.sh +++ b/security-actions/sca/scripts/scan-metadata.sh 
@@ -22,37 +22,37 @@ if [[ -z ${DIR} && -z ${FILE} ]]; then fi if [[ -n ${DIR} ]]; then - echo "scan_dir=${DIR}" >> $GITHUB_OUTPUT + echo "scan_dir=${DIR}" >> "$GITHUB_OUTPUT" fi if [[ -n ${FILE} ]]; then - echo "scan_file=${FILE}" >> $GITHUB_OUTPUT + echo "scan_file=${FILE}" >> "$GITHUB_OUTPUT" fi if [[ -n ${ASSET_PREFIX} ]]; then - echo "sbom_spdx_file=${ASSET_PREFIX##*/}-${spdx_ext}" >> $GITHUB_OUTPUT - echo "sbom_cyclonedx_file=${ASSET_PREFIX##*/}-${cyclonedx_ext}" >> $GITHUB_OUTPUT - echo "grype_json_file=${ASSET_PREFIX##*/}-${cve_json_ext}" >> $GITHUB_OUTPUT - echo "grype_sarif_file=${ASSET_PREFIX##*/}-${cve_sarif_ext}" >> $GITHUB_OUTPUT - echo "cis_json_file=${ASSET_PREFIX##*/}-${cis_json_ext}" >> $GITHUB_OUTPUT + echo "sbom_spdx_file=${ASSET_PREFIX##*/}-${spdx_ext}" >> "$GITHUB_OUTPUT" + echo "sbom_cyclonedx_file=${ASSET_PREFIX##*/}-${cyclonedx_ext}" >> "$GITHUB_OUTPUT" + echo "grype_json_file=${ASSET_PREFIX##*/}-${cve_json_ext}" >> "$GITHUB_OUTPUT" + echo "grype_sarif_file=${ASSET_PREFIX##*/}-${cve_sarif_ext}" >> "$GITHUB_OUTPUT" + echo "cis_json_file=${ASSET_PREFIX##*/}-${cis_json_ext}" >> "$GITHUB_OUTPUT" else - echo "sbom_spdx_file=${spdx_ext}" >> $GITHUB_OUTPUT - echo "sbom_cyclonedx_file=${cyclonedx_ext}" >> $GITHUB_OUTPUT - echo "grype_json_file=${cve_json_ext}" >> $GITHUB_OUTPUT - echo "grype_sarif_file=${cve_sarif_ext}" >> $GITHUB_OUTPUT - echo "cis_json_file=${cis_json_ext}" >> $GITHUB_OUTPUT + echo "sbom_spdx_file=${spdx_ext}" >> "$GITHUB_OUTPUT" + echo "sbom_cyclonedx_file=${cyclonedx_ext}" >> "$GITHUB_OUTPUT" + echo "grype_json_file=${cve_json_ext}" >> "$GITHUB_OUTPUT" + echo "grype_sarif_file=${cve_sarif_ext}" >> "$GITHUB_OUTPUT" + echo "cis_json_file=${cis_json_ext}" >> "$GITHUB_OUTPUT" fi if [[ -n ${global_severity_cutoff} ]]; then - echo "global_severity_cutoff=${global_severity_cutoff}" >> $GITHUB_OUTPUT + echo "global_severity_cutoff=${global_severity_cutoff}" >> "$GITHUB_OUTPUT" else - echo '::error ::set global_severity_cutoff in $0' + 
echo "::error ::set global_severity_cutoff in $0" exit 1 fi if [[ -n ${global_enforce_build_failure} ]]; then - echo "global_enforce_build_failure=${global_enforce_build_failure}" >> $GITHUB_OUTPUT + echo "global_enforce_build_failure=${global_enforce_build_failure}" >> "$GITHUB_OUTPUT" else - echo '::error ::set global_enforce_build_failure in $0' + echo "::error ::set global_enforce_build_failure in $0" exit 1 fi diff --git a/security-actions/scan-docker-image/scripts/scan-metadata.sh b/security-actions/scan-docker-image/scripts/scan-metadata.sh index 0bb3198f8..d20568306 100755 --- a/security-actions/scan-docker-image/scripts/scan-metadata.sh +++ b/security-actions/scan-docker-image/scripts/scan-metadata.sh 
@@ -19,36 +19,36 @@ fi # OCI archive should be passed as image instead of file if [[ -n ${IMAGE} ]]; then if [[ -n ${TAG} ]]; then - echo "scan_image=${IMAGE}:${TAG}" >> $GITHUB_OUTPUT + echo "scan_image=${IMAGE}:${TAG}" >> "$GITHUB_OUTPUT" else - echo "scan_image=${IMAGE}" >> $GITHUB_OUTPUT + echo "scan_image=${IMAGE}" >> "$GITHUB_OUTPUT" fi fi if [[ -n ${ASSET_PREFIX} ]]; then - echo "sbom_spdx_file=${ASSET_PREFIX##*/}-${spdx_ext}" >> $GITHUB_OUTPUT - echo "sbom_cyclonedx_file=${ASSET_PREFIX##*/}-${cyclonedx_ext}" >> $GITHUB_OUTPUT - echo "grype_json_file=${ASSET_PREFIX##*/}-${cve_json_ext}" >> $GITHUB_OUTPUT - echo "grype_sarif_file=${ASSET_PREFIX##*/}-${cve_sarif_ext}" >> $GITHUB_OUTPUT - echo "cis_json_file=${ASSET_PREFIX##*/}-${cis_json_ext}" >> $GITHUB_OUTPUT + echo "sbom_spdx_file=${ASSET_PREFIX##*/}-${spdx_ext}" >> "$GITHUB_OUTPUT" + echo "sbom_cyclonedx_file=${ASSET_PREFIX##*/}-${cyclonedx_ext}" >> "$GITHUB_OUTPUT" + echo "grype_json_file=${ASSET_PREFIX##*/}-${cve_json_ext}" >> "$GITHUB_OUTPUT" + echo "grype_sarif_file=${ASSET_PREFIX##*/}-${cve_sarif_ext}" >> "$GITHUB_OUTPUT" + echo "cis_json_file=${ASSET_PREFIX##*/}-${cis_json_ext}" >> "$GITHUB_OUTPUT" else - echo "sbom_spdx_file=${spdx_ext}" >> $GITHUB_OUTPUT - echo "sbom_cyclonedx_file=${cyclonedx_ext}" >> $GITHUB_OUTPUT - echo "grype_json_file=${cve_json_ext}" >> $GITHUB_OUTPUT - echo "grype_sarif_file=${cve_sarif_ext}" >> $GITHUB_OUTPUT - echo "cis_json_file=${cis_json_ext}" >> $GITHUB_OUTPUT + echo "sbom_spdx_file=${spdx_ext}" >> "$GITHUB_OUTPUT" + echo "sbom_cyclonedx_file=${cyclonedx_ext}" >> "$GITHUB_OUTPUT" + echo "grype_json_file=${cve_json_ext}" >> "$GITHUB_OUTPUT" + echo "grype_sarif_file=${cve_sarif_ext}" >> "$GITHUB_OUTPUT" + echo "cis_json_file=${cis_json_ext}" >> "$GITHUB_OUTPUT" fi if [[ -n ${global_severity_cutoff} ]]; then - echo "global_severity_cutoff=${global_severity_cutoff}" >> $GITHUB_OUTPUT + echo "global_severity_cutoff=${global_severity_cutoff}" >> "$GITHUB_OUTPUT" else - echo 
'::error ::set global_severity_cutoff in $0' + echo "::error ::set global_severity_cutoff in $0" exit 1 fi if [[ -n ${global_enforce_build_failure} ]]; then - echo "global_enforce_build_failure=${global_enforce_build_failure}" >> $GITHUB_OUTPUT + echo "global_enforce_build_failure=${global_enforce_build_failure}" >> "$GITHUB_OUTPUT" else - echo '::error ::set global_enforce_build_failure in $0' + echo "::error ::set global_enforce_build_failure in $0" exit 1 fi diff --git a/security-actions/scan-gh-workflows/action.yml b/security-actions/scan-gh-workflows/action.yml new file mode 100644 index 000000000..d21c55631 --- /dev/null +++ b/security-actions/scan-gh-workflows/action.yml 
@@ -0,0 +1,145 @@
+name: GH Actions SAST
+description: Static analyzer for GH actions
+author: 'Kong'
+inputs:
+ scan_path:
+ description: 'File, Dir, Repository formatted: "owner/repo[@]" containing workflow files'
+ required: true
+ default: '.' #Default is workspace
+ github_token:
+ description: 'PAT for fetching remote "scan_path" of format "owner/repo[@]"'
+ required: false
+ default: ''
+ asset_prefix:
+ description: 'prefix for generated artifacts'
+ required: false
+ offline_audit_checks:
+ description: "Runs offline audit checks but performs repository pulls"
+ required: true
+ default: true
+ type: choice
+ options:
+ - 'true'
+ - 'false'
+ persona:
+ description: 'Run specific audit checks based on selected persona.'
+ required: true
+ type: choice
+ default: 'regular'
+ options:
+ - 'regular'
+ - 'pedantic'
+ - 'auditor'
+ fail_on_findings:
+ description: 'Fail build / job on findings/errors'
+ required: true
+ type: choice
+ default: false
+ options:
+ - 'true'
+ - 'false'
+
+runs:
+ using: 'composite'
+ steps:
+
+ - name: Set Scan metadata
+ shell: bash
+ id: meta
+ env:
+ SCAN_PATH: ${{ inputs.SCAN_PATH }}
+ PERSONA: ${{ inputs.persona }}
+ OFFLINE_AUDIT_CHECKS: ${{ inputs.offline_audit_checks }}
+ GITHUB_TOKEN: ${{ inputs.github_token }}
+ ASSET_PREFIX: ${{ inputs.asset_prefix }}
+ run: $GITHUB_ACTION_PATH/scripts/scan-metadata.sh
+
+ - name: Install cargo-hack from crates.io
+ uses: baptiste0928/cargo-install@91c5da15570085bcde6f4d7aed98cb82d6769fd3
+ with:
+ crate: zizmor
+ locked: true
+ version: '~1'
+
+ - name: Run GH Actions SAST - [SARIF format]
+ shell: bash
+ id: gh_actions_sast_sarif
+ # Continue on error to upload results
+ continue-on-error: true
+ run: |
+ zizmor ${{ env.SCAN_ARGS }} ${{ env.SCAN_PATH }} --format sarif > ${{ steps.meta.outputs.sarif_file }}
+ env:
+ SCAN_ARGS: ${{ steps.meta.outputs.scan_args }}
+ SCAN_PATH: ${{ inputs.scan_path }}
+ GH_TOKEN: ${{ inputs.github_token }}
+
+ - name: Run GH Actions SAST - [JSON format]
+ shell: bash
+ # Continue on error to upload results
+ continue-on-error: true
+ id: gh_actions_sast_json
+ run: |
+ zizmor ${{ env.SCAN_ARGS }} ${{ env.SCAN_PATH }} --format plain > ${{ steps.meta.outputs.json_file }}
+ env:
+ SCAN_ARGS: ${{ steps.meta.outputs.scan_args }}
+ SCAN_PATH: ${{ inputs.scan_path }}
+ GH_TOKEN: ${{ inputs.github_token }}
+
+ - name: Run GH Actions SAST - [Plain format]
+ shell: bash
+ # Continue on error to upload results
+ continue-on-error: true
+ id: gh_actions_sast_plain
+ run: |
+ zizmor ${{ env.SCAN_ARGS }} ${{ env.SCAN_PATH }} --format plain > ${{ steps.meta.outputs.out_file }}
+ env:
+ SCAN_ARGS: ${{ steps.meta.outputs.scan_args }}
+ SCAN_PATH: ${{ inputs.scan_path }}
+ GH_TOKEN: ${{ inputs.github_token }}
+
+ - name: Upload GH Actions SAST reports to Workflow
+ if: always() && steps.gh_actions_sast_plain.conclusion == 'success' && steps.gh_actions_sast_sarif.conclusion == 'success'
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ steps.meta.outputs.report_file_name }}.zip
+ path: |
+ ${{ steps.meta.outputs.sarif_file }}
+ ${{ steps.meta.outputs.json_file }}
+ ${{ steps.meta.outputs.out_file}}
+ if-no-files-found: warn
+
+ # - name: Add findings as check summary
+ # if: always()
+ # shell: bash
+ # run: |
+ # if [[ -f "${OUT_FILE}" ]]; then
+ # echo "## GH Actions SAST CI Scan Summary Report" >> $GITHUB_STEP_SUMMARY
+ # while IFS= read -r line; do
+ # echo "- $line" >> $GITHUB_STEP_SUMMARY
+ # done < ${OUT_FILE}
+ # fi
+ # env:
+ # OUT_FILE: ${{ steps.meta.outputs.out_file}}
+
+ - name: Print findings to console out
+ if: always()
+ shell: bash
+ run: |
+ echo "::group::Github Actions SAST Scan Summary Report"
+ if [[ -f "${OUT_FILE}" ]]; then
+ cat ${OUT_FILE}
+ fi
+ echo "::endgroup::"
+ env:
+ OUT_FILE: ${{ steps.meta.outputs.out_file}}
+
+ - name: Fail on findings
+ if: always()
+ shell: bash
+ run: |
+ if [[ ${SCAN_STATUS} == 'failure' ]] && [[ ${FAIL_BUILD} == 'true' ]]; then
+ exit 1
+ fi
+ env:
+ SCAN_STATUS: ${{ steps.gh_actions_sast_plain.outcome }}
+ FAIL_BUILD: ${{ steps.meta.outputs.global_enforce_build_failure == 'true' && steps.meta.outputs.global_enforce_build_failure || inputs.fail_on_findings }}
\ No newline at end of file
diff --git a/security-actions/scan-gh-workflows/package.json b/security-actions/scan-gh-workflows/package.json
new file mode 100644
index 000000000..be69a930c
--- /dev/null
+++ b/security-actions/scan-gh-workflows/package.json
@@ -0,0 +1,14 @@
+{
+ "name": "@security-actions/scan-gh-workflows",
+ "version": "4.0.0",
+ "description": "The package scans github actions and workflows for anti-patterns",
+ "main": "index.js",
+ "repository": {
+ "type": "git",
+ "url": "https://github.com/Kong/public-shared-actions",
+ "directory": "security-actions/scan-gh-workflows"
+ },
+ "private": false,
+ "author": "Kong, Inc.",
+ "license": "UNLICENSED"
+}
diff --git a/security-actions/scan-gh-workflows/scripts/scan-metadata.sh b/security-actions/scan-gh-workflows/scripts/scan-metadata.sh
new file mode 100755
index 000000000..08455ffbe
--- /dev/null
+++ b/security-actions/scan-gh-workflows/scripts/scan-metadata.sh
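Review bot: The three `Run GH Actions SAST` steps interpolate `${{ env.SCAN_PATH }}`, `${{ env.SCAN_ARGS }}` and the `steps.meta.outputs.*_file` values directly into `run:`, which substitutes the text into the script before bash parses it; since `scan_path`, `persona` and `asset_prefix` are caller-supplied inputs, this is the template-injection pattern zizmor itself reports, and the action would flag its own definition. The values are already in `env:`, so reference them as shell variables instead (`$SCAN_ARGS` unquoted for word splitting, `"$SCAN_PATH"` quoted) and pass the output file names through `env:` too. The JSON step passes `--format plain` and therefore writes plain text into `json_file`; it presumably should be `--format json`. The step that installs the scanner is named `Install cargo-hack from crates.io` while it installs `zizmor`, and `cat ${OUT_FILE}` in the print step should be `cat "${OUT_FILE}"`.
```yaml
 - name: Run GH Actions SAST - [SARIF format]
 # … unchanged: shell, id, continue-on-error …
 run: |
 # shellcheck disable=SC2086 -- SCAN_ARGS is a space-separated flag list built by scan-metadata.sh
 zizmor $SCAN_ARGS "$SCAN_PATH" --format sarif > "$SARIF_FILE"
 env:
 SCAN_ARGS: ${{ steps.meta.outputs.scan_args }}
 SCAN_PATH: ${{ inputs.scan_path }}
 SARIF_FILE: ${{ steps.meta.outputs.sarif_file }}
 GH_TOKEN: ${{ inputs.github_token }}
 # … unchanged: the JSON and plain steps take the same change, with --format json / plain and JSON_FILE / OUT_FILE …
```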
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+readonly report_file_name="zizmor_gh_anti_pattern"
+readonly json_ext="${report_file_name}.json"
+readonly sarif_ext="${report_file_name}.sarif"
+readonly out_ext="${report_file_name}.txt"
+
+global_enforce_build_failure='false'
+
+# Function to check if a given string matches the remote repo format
+is_remote_repo() {
+ # Regex to match the form owner/repo or owner/repo@sha
+ # This allows owner and repo to contain alphanumeric characters, hyphens, and underscores.
+ # sha is optional and must start with "@" followed by alphanumeric characters and/or hyphens
+ [[ "$1" =~ ^[a-zA-Z0-9_-]+/[a-zA-Z0-9_-]+(@[a-zA-Z0-9_-]+)?$ ]]
+}
+
+if [[ -n ${ASSET_PREFIX} ]]; then
+ echo "report_file_name=${ASSET_PREFIX##*/}_${report_file_name}" >> "$GITHUB_OUTPUT"
+ echo "json_file=${ASSET_PREFIX##*/}_${json_ext}" >> "$GITHUB_OUTPUT"
+ echo "sarif_file=${ASSET_PREFIX##*/}_${sarif_ext}" >> "$GITHUB_OUTPUT"
+ echo "out_file=${ASSET_PREFIX##*/}_${out_ext}" >> "$GITHUB_OUTPUT"
+else
+ echo "report_file_name=${report_file_name}" >> "$GITHUB_OUTPUT"
+ echo "json_file=${json_ext}" >> "$GITHUB_OUTPUT"
+ echo "sarif_file=${sarif_ext}" >> "$GITHUB_OUTPUT"
+ echo "out_file=${out_ext}" >> "$GITHUB_OUTPUT"
+fi
+
+if [[ -n ${global_enforce_build_failure} ]]; then
+ echo "global_enforce_build_failure=${global_enforce_build_failure}" >> "$GITHUB_OUTPUT"
+fi
+
+if [[ -z ${SCAN_PATH} ]]; then
+ echo 'Specify "scan_path" input' >&2
+ exit 1
+fi
+
+# Always scan for both GH workflows and GH composite actions within a scan path"
+# Refer https://woodruffw.github.io/zizmor/usage/#input-collection
+scan_args="--collect=all --persona=${PERSONA}"
+
+# When GITHUB_TOKEN input is specified
+if [[ -n ${GITHUB_TOKEN} ]]; then
+ echo 'Found CI token for online checks'
+ # Check if explicitly specified to run only offline audit checks
+ if [[ -n "${OFFLINE_AUDIT_CHECKS}" ]] && [[ "${OFFLINE_AUDIT_CHECKS}" == "true" ]]; then
+ echo 'Explicitly requested for only offline audit checks'
+ scan_args+=" --no-online-audits"
+ fi
+fi
+
+# If scan_path matches local path:
+if [[ -d ${SCAN_PATH} ]] || [[ -f ${SCAN_PATH} ]]; then
+ echo "Input: ${SCAN_PATH}, exists locally"
+ if [[ -z ${GITHUB_TOKEN} ]]; then
+ echo 'CI token was not set. Continuing scan with only offline audit checks'
+ scan_args+=" --no-online-audits"
+ fi
+# If scan_path matches remote repo format:
+elif is_remote_repo "${SCAN_PATH}"; then
+ echo "Input: ${SCAN_PATH}, matches remote repository of format: {owner}/{repo}[@]"
+ # Check if GH_TOKEN is set for remote repo pulls
+ if [[ -z ${GITHUB_TOKEN} ]]; then
+ echo '::Input "github_token" must be set' >&2
+ exit 1
+ fi
+else
+ echo "Input: ${SCAN_PATH} is invalid. Must be one of directory / file / remote repository with github workflows" >&2
+ exit 1
+fi
+
+echo "GH Actions sast scanning arguments: ${scan_args}"
+echo "scan_args=${scan_args}" >> "$GITHUB_OUTPUT"
\ No newline at end of file
diff --git a/security-actions/scan-rust/scripts/scan-metadata.sh b/security-actions/scan-rust/scripts/scan-metadata.sh
index 8338ecfaf..c28a11af4 100755
--- a/security-actions/scan-rust/scripts/scan-metadata.sh
+++ b/security-actions/scan-rust/scripts/scan-metadata.sh
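Review bot: `PERSONA` is spliced into `scan_args` on the `scan_args="--collect=all --persona=${PERSONA}"` line without validation, and `scan_args` is later word-split onto the zizmor command line by action.yml, so an unexpected persona value alters the scanner's arguments; `SCAN_PATH` gets a format check but `PERSONA` does not. Add `case ${PERSONA} in regular|pedantic|auditor) ;; *) echo "::error ::invalid persona: ${PERSONA}" >&2; exit 1 ;; esac` before building `scan_args`. The `is_remote_repo` regex rejects repository names and refs containing dots or slashes (a `@v1.2.3` tag, for instance), which the comment's `owner/repo@sha` wording does not make obvious; either state the restriction in the comment or widen the character classes deliberately. The error on the remote-path branch reads `::Input "github_token" must be set`, which looks like a half-written `::error ::` workflow command, and the `[[ -n ${global_enforce_build_failure} ]]` guard is always true because the variable is assigned the literal `'false'` a few lines above.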
@@ -14,27 +14,27 @@ if [[ -z ${DIR} ]]; then fi if [[ -n ${DIR} ]]; then - echo "scan_dir=${DIR}" >> $GITHUB_OUTPUT + echo "scan_dir=${DIR}" >> "$GITHUB_OUTPUT" fi if [[ -n ${ASSET_PREFIX} ]]; then - echo "grype_json_file=${ASSET_PREFIX##*/}-${cve_json_ext}" >> $GITHUB_OUTPUT - echo "grype_sarif_file=${ASSET_PREFIX##*/}-${cve_sarif_ext}" >> $GITHUB_OUTPUT + echo "grype_json_file=${ASSET_PREFIX##*/}-${cve_json_ext}" >> "$GITHUB_OUTPUT" + echo "grype_sarif_file=${ASSET_PREFIX##*/}-${cve_sarif_ext}" >> "$GITHUB_OUTPUT" else - echo "grype_json_file=${cve_json_ext}" >> $GITHUB_OUTPUT - echo "grype_sarif_file=${cve_sarif_ext}" >> $GITHUB_OUTPUT + echo "grype_json_file=${cve_json_ext}" >> "$GITHUB_OUTPUT" + echo "grype_sarif_file=${cve_sarif_ext}" >> "$GITHUB_OUTPUT" fi if [[ -n ${global_severity_cutoff} ]]; then - echo "global_severity_cutoff=${global_severity_cutoff}" >> $GITHUB_OUTPUT + echo "global_severity_cutoff=${global_severity_cutoff}" >> "$GITHUB_OUTPUT" else - echo '::error ::set global_severity_cutoff in $0' + echo "::error ::set global_severity_cutoff in $0" exit 1 fi if [[ -n ${global_enforce_build_failure} ]]; then - echo "global_enforce_build_failure=${global_enforce_build_failure}" >> $GITHUB_OUTPUT + echo "global_enforce_build_failure=${global_enforce_build_failure}" >> "$GITHUB_OUTPUT" else - echo '::error ::set global_enforce_build_failure in $0' + echo "::error ::set global_enforce_build_failure in $0" exit 1 fi diff --git a/security-actions/sign-docker-image/scripts/cosign-metadata.sh b/security-actions/sign-docker-image/scripts/cosign-metadata.sh index c152e7398..06af2b4f3 100755 --- a/security-actions/sign-docker-image/scripts/cosign-metadata.sh +++ b/security-actions/sign-docker-image/scripts/cosign-metadata.sh 
@@ -19,16 +19,16 @@ if [[ "${LOCAL_SAVE_COSIGN_ASSETS}" == "true" ]]; then signature_file="${ASSET_PREFIX##*/}${signature_ext}" certificate_file="${ASSET_PREFIX##*/}${signing_cert_ext}" else - echo '::error ::set input cosign_output_prefix in $0' + echo "::error ::set input cosign_output_prefix in $0" exit 1 # signature_file="${ASSET_PREFIX##*/}${signature_ext}" # certificate_file="${ASSET_PREFIX##*/}${signing_cert_ext}" fi - echo "signature_file=${signature_file}" >> $GITHUB_OUTPUT - echo "certificate_file=${certificate_file}" >> $GITHUB_OUTPUT + echo "signature_file=${signature_file}" >> "$GITHUB_OUTPUT" + echo "certificate_file=${certificate_file}" >> "$GITHUB_OUTPUT" signing_args+=" --output-certificate=${certificate_file} --output-signature=${signature_file}" fi echo "COSIGN SIGNING ARGS: ${signing_args}" -echo "cosign_signing_args=${signing_args}" >> $GITHUB_OUTPUT \ No newline at end of file +echo "cosign_signing_args=${signing_args}" >> "$GITHUB_OUTPUT" \ No newline at end of file