Compare commits
39 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 21213e825c | |||
| 5b46420b3f | |||
| 48ae13709e | |||
| 7efb859132 | |||
| 50b9449a2f | |||
| 56ef6dcc04 | |||
| 6531c188bd | |||
| 0797d4eff6 | |||
| 7ba820f614 | |||
| bd71948983 | |||
| 630165e704 | |||
| 332c61add4 | |||
| 933761652d | |||
| 9aece0e09c | |||
| 41bb53a1db | |||
| 4f00d77f0c | |||
| 1a454445fe | |||
| cf04b7bb63 | |||
| d177d7847a | |||
| d041cfd4c5 | |||
| f7f30e1366 | |||
| 374343effe | |||
| 5a79ab0fa4 | |||
| 0c3e582042 | |||
| 876b304ec0 | |||
| 3104f6d51c | |||
| 5d8c040f29 | |||
| 466989c808 | |||
| 67f3292117 | |||
| 3f420ae88d | |||
| ef571d5a84 | |||
| 0eb73668fa | |||
| 7a168cbdc4 | |||
| d5fd67e101 | |||
| 27e6d82755 | |||
| 3d11e5a0f7 | |||
| 51ef6b3995 | |||
| cfe815dd6d | |||
| 9db31129a3 |
@@ -23,10 +23,10 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set Node.js 16.x
|
||||
uses: actions/setup-node@v6.2.0
|
||||
uses: actions/setup-node@v4.4.0
|
||||
with:
|
||||
node-version: 16.x
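Review bot: The action references on the changed lines (`uses: actions/checkout@v4`, `uses: actions/setup-node@v4.4.0`) are pinned to mutable tags, so the job runs whatever commit the tag points at on the day it executes; for a repository that itself publishes an action, pin to a full commit SHA with the tag kept as a comment, e.g. `uses: actions/checkout@<full-commit-sha-placeholder> # v4`, and let Dependabot keep the pins current. The same applies to `actions/upload-artifact@v4` in the -46,7 +46,7 hunk and to `actions/checkout@v4` in the -16,7 +16,7 hunk. The rendered pairs (v6 then v4, v6.2.0 then v4.4.0) do not show which side is new; if the new side is really the lower major this is a downgrade and worth confirming against the commit intent. Separately, the context line `node-version: 16.x` targets a Node release line that is no longer maintained. The job definition starts before this hunk.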
|
||||
|
||||
@@ -46,7 +46,7 @@ jobs:
|
||||
id: diff
|
||||
|
||||
# If index.js was different than expected, upload the expected version as an artifact
|
||||
- uses: actions/upload-artifact@v6
|
||||
- uses: actions/upload-artifact@v4
|
||||
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
|
||||
with:
|
||||
name: dist
|
||||
|
||||
@@ -0,0 +1,42 @@
|
||||
name: Sync Fork with Upstream
|
||||
on:
|
||||
schedule:
|
||||
- cron: '0 0 * * 1' # Runs at midnight UTC every Monday
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
|
||||
jobs:
|
||||
sync:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout Repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Fetch Upstream Remote
|
||||
run: |
|
||||
git remote add upstream https://github.com/advanced-security/component-detection-dependency-submission-action.git
|
||||
git fetch upstream
|
||||
- name: Set Git Config
|
||||
run: |
|
||||
git config user.name "github-actions[bot]"
|
||||
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
||||
- name: Create and Push Branch
|
||||
run: |
|
||||
git checkout -b weekly-sync-branch-${{ github.run_id }}
|
||||
git merge upstream/main --no-commit
|
||||
git reset -- ./.github
|
||||
git commit -m "Merge upstream:main"
|
||||
git commit --allow-empty -m "Empty commit to open PR"
|
||||
git push --set-upstream origin weekly-sync-branch-${{ github.run_id }}
|
||||
- name: Open Pull Request
|
||||
run: |
|
||||
gh repo set-default actions/component-detection-dependency-submission-action
|
||||
gh pr create -B main -H weekly-sync-branch-${{ github.run_id }} --title 'Sync Fork with Upstream' --body 'Weekly Cron. Created by GitHub Actions.'
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
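Review bot: `git merge upstream/main --no-commit` in the Create and Push Branch step does not stop a fast-forward merge, so whenever the fork branch is strictly behind upstream the branch is fast-forwarded wholesale: the following `git reset -- ./.github`, which is what keeps the fork's own workflows out of the sync, then has nothing to unstage and upstream's `.github` lands on the pushed branch, while `git commit -m "Merge upstream:main"` fails with nothing to commit. Adding `--no-ff` makes the merge always stop with the result staged so the `.github` exclusion is applied. The step also fails on any week with nothing new upstream, because `git commit` finds nothing staged after an "Already up to date" merge; checking `git merge-base --is-ancestor upstream/main HEAD` first and gating the Open Pull Request step on a step output avoids a red run for the no-op case. If upstream only changed files under `.github`, the same nothing-to-commit failure presumably still occurs after the reset, so `--allow-empty` on the merge commit may be needed as well — confirm. The rewritten step and the gate on the PR step follow.
```yaml
      - name: Create and Push Branch
        id: sync
        run: |
          if git merge-base --is-ancestor upstream/main HEAD; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          git checkout -b weekly-sync-branch-${{ github.run_id }}
          # --no-ff: --no-commit alone does not stop a fast-forward, which
          # would bypass the .github exclusion on the next line
          git merge --no-ff --no-commit upstream/main
          git reset -- ./.github
          git commit -m "Merge upstream:main"
          git commit --allow-empty -m "Empty commit to open PR"
          git push --set-upstream origin weekly-sync-branch-${{ github.run_id }}
          echo "changed=true" >> "$GITHUB_OUTPUT"
      - name: Open Pull Request
        if: steps.sync.outputs.changed == 'true'
        # … unchanged: gh repo set-default / gh pr create / env …
```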
|
||||
@@ -16,7 +16,7 @@ jobs:
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v4
|
||||
- name: Unit test
|
||||
run: |
|
||||
npm install
|
||||
|
||||
+1
-1
@@ -1 +1 @@
|
||||
* @advanced-security/advanced-security-dependency-graph @advanced-security/oss-maintainers
|
||||
* @advanced-security/advanced-security-dependency-graph
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
This GitHub Action runs the [microsoft/component-detection](https://github.com/microsoft/component-detection) library to automate dependency extraction at build time. It uses a combination of static and dynamic scanning to build a dependency tree and then uploads that to GitHub's dependency graph via the dependency submission API. This gives you more accurate Dependabot alerts, and support for a bunch of additional ecosystems.
|
||||
|
||||
### Example workflow
|
||||
### Example workflows
|
||||
|
||||
```yaml
|
||||
|
||||
@@ -25,13 +25,40 @@ jobs:
|
||||
uses: advanced-security/component-detection-dependency-submission-action@v0.1.1
|
||||
```
|
||||
|
||||
Additional `Experimental` and `DefaultOff` detectors:
|
||||
- For a list of experimental and default-off detectors that require explicit enablement, see the [Detectors README](https://github.com/microsoft/component-detection/blob/main/docs/detectors/README.md). See [enable-default-off.md](https://github.com/microsoft/component-detection/blob/main/docs/enable-default-off.md) for more details.
|
||||
|
||||
```yaml
|
||||
name: Component Detection
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
|
||||
permissions:
|
||||
id-token: write
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
dependency-submission:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Component detection
|
||||
uses: advanced-security/component-detection-dependency-submission-action@v0.1.1
|
||||
with:
|
||||
# Experimental detectors: Poetry, UvLock, NpmLockfile3, Ivy
|
||||
# Default-off detectors: ConanLock, CondaLock, Dockerfile, Pip, SimplePip, Spdx22, SwiftResolved
|
||||
detectorArgs: Poetry=EnableIfDefaultOff,UvLock=EnableIfDefaultOff,NpmLockfile3=EnableIfDefaultOff,Ivy=EnableIfDefaultOff,ConanLock=EnableIfDefaultOff,CondaLock=EnableIfDefaultOff,Dockerfile=EnableIfDefaultOff,Pip=EnableIfDefaultOff,SimplePip=EnableIfDefaultOff,Spdx22=EnableIfDefaultOff,SwiftResolved=EnableIfDefaultOff
|
||||
```
|
||||
|
||||
### Configuration options
|
||||
|
||||
| Parameter | Description | Example |
|
||||
| --- | --- | --- |
|
||||
filePath | The path to the directory containing the environment files to upload. Defaults to Actions working directory. | `'.'`
|
||||
directoryExclusionList | Filters out specific directories following a minimatch pattern. | `test`
|
||||
detectorArgs | Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is in beta to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. | `Pip=EnableIfDefaultOff`
|
||||
detectorArgs | Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is `Experimental` or `DefaultOff` to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. | `Pip=EnableIfDefaultOff`
|
||||
dockerImagesToScan |Comma separated list of docker image names or hashes to execute container scanning on | ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab |
|
||||
detectorsFilter | A comma separated list with the identifiers of the specific detectors to be used. | `Pip, RustCrateDetector`
|
||||
detectorsCategories | A comma separated list with the categories of components that are going to be scanned. The detectors that are going to run are the ones that belongs to the categories. | `NuGet,Npm`
|
||||
|
||||
@@ -14,7 +14,6 @@ import tar from 'tar'
|
||||
import fs from 'fs'
|
||||
import * as exec from '@actions/exec';
|
||||
import dotenv from 'dotenv'
|
||||
import { Context } from '@actions/github/lib/context'
|
||||
import { unmockedModulePathPatterns } from './jest.config'
|
||||
import path from 'path';
|
||||
dotenv.config();
|
||||
|
||||
+63146
-5211
File diff suppressed because one or more lines are too long
+1
-1
File diff suppressed because one or more lines are too long
Generated
+856
-756
File diff suppressed because it is too large
+7
-7
@@ -26,23 +26,23 @@
|
||||
},
|
||||
"homepage": "https://github.com/advanced-security/component-detection-dependency-submission-action#readme",
|
||||
"dependencies": {
|
||||
"@actions/core": "^2.0.2",
|
||||
"@actions/github": "^7.0.0",
|
||||
"@actions/core": "^3.0.0",
|
||||
"@actions/github": "^9.0.0",
|
||||
"@github/dependency-submission-toolkit": "^2.0.5",
|
||||
"cross-fetch": "^4.1.0",
|
||||
"dotenv": "^17.2.3",
|
||||
"dotenv": "^17.3.1",
|
||||
"fs": "^0.0.1-security",
|
||||
"octokit": "^5.0.5",
|
||||
"tar": "^7.5.6",
|
||||
"tar": "^7.5.10",
|
||||
"yaml": "^2.8.2"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@babel/preset-env": "^7.28.6",
|
||||
"@babel/preset-env": "^7.29.0",
|
||||
"@babel/preset-typescript": "^7.28.5",
|
||||
"@eslint/js": "^9.39.2",
|
||||
"@eslint/js": "^10.0.1",
|
||||
"@types/jest": "^30.0.0",
|
||||
"@vercel/ncc": "^0.38.4",
|
||||
"eslint": "^9.39.2",
|
||||
"eslint": "^10.0.2",
|
||||
"jest": "^30.2.0",
|
||||
"jest-transform-stub": "^2.0.0",
|
||||
"ts-jest": "^29.4.6"
|
||||
|
||||
Generated
+13
-13
@@ -15,7 +15,7 @@
|
||||
"cross-fetch": "^3.1.5",
|
||||
"dotenv": "^16.0.3",
|
||||
"fs": "^0.0.1-security",
|
||||
"tar": "^7.5.4",
|
||||
"tar": "^7.5.8",
|
||||
"yaml": "^2.2.2"
|
||||
},
|
||||
"devDependencies": {
|
||||
@@ -3716,9 +3716,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/minimatch": {
|
||||
"version": "3.1.2",
|
||||
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
|
||||
"integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
|
||||
"version": "3.1.5",
|
||||
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
|
||||
"integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"brace-expansion": "^1.1.7"
|
||||
@@ -4368,9 +4368,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/tar": {
|
||||
"version": "7.5.4",
|
||||
"resolved": "https://registry.npmjs.org/tar/-/tar-7.5.4.tgz",
|
||||
"integrity": "sha512-AN04xbWGrSTDmVwlI4/GTlIIwMFk/XEv7uL8aa57zuvRy6s4hdBed+lVq2fAZ89XDa7Us3ANXcE3Tvqvja1kTA==",
|
||||
"version": "7.5.8",
|
||||
"resolved": "https://registry.npmjs.org/tar/-/tar-7.5.8.tgz",
|
||||
"integrity": "sha512-SYkBtK99u0yXa+IWL0JRzzcl7RxNpvX/U08Z+8DKnysfno7M+uExnTZH8K+VGgShf2qFPKtbNr9QBl8n7WBP6Q==",
|
||||
"dependencies": {
|
||||
"@isaacs/fs-minipass": "^4.0.0",
|
||||
"chownr": "^3.0.0",
|
||||
@@ -7633,9 +7633,9 @@
|
||||
"dev": true
|
||||
},
|
||||
"minimatch": {
|
||||
"version": "3.1.2",
|
||||
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
|
||||
"integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
|
||||
"version": "3.1.5",
|
||||
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
|
||||
"integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
|
||||
"dev": true,
|
||||
"requires": {
|
||||
"brace-expansion": "^1.1.7"
|
||||
@@ -8091,9 +8091,9 @@
|
||||
"dev": true
|
||||
},
|
||||
"tar": {
|
||||
"version": "7.5.4",
|
||||
"resolved": "https://registry.npmjs.org/tar/-/tar-7.5.4.tgz",
|
||||
"integrity": "sha512-AN04xbWGrSTDmVwlI4/GTlIIwMFk/XEv7uL8aa57zuvRy6s4hdBed+lVq2fAZ89XDa7Us3ANXcE3Tvqvja1kTA==",
|
||||
"version": "7.5.8",
|
||||
"resolved": "https://registry.npmjs.org/tar/-/tar-7.5.8.tgz",
|
||||
"integrity": "sha512-SYkBtK99u0yXa+IWL0JRzzcl7RxNpvX/U08Z+8DKnysfno7M+uExnTZH8K+VGgShf2qFPKtbNr9QBl8n7WBP6Q==",
|
||||
"requires": {
|
||||
"@isaacs/fs-minipass": "^4.0.0",
|
||||
"chownr": "^3.0.0",
|
||||
|
||||
+1
-1
@@ -31,7 +31,7 @@
|
||||
"cross-fetch": "^3.1.5",
|
||||
"dotenv": "^16.0.3",
|
||||
"fs": "^0.0.1-security",
|
||||
"tar": "^7.5.4",
|
||||
"tar": "^7.5.8",
|
||||
"yaml": "^2.2.2"
|
||||
},
|
||||
"devDependencies": {
|
||||
|
||||
+3
-2
@@ -1,7 +1,8 @@
|
||||
{
|
||||
"compilerOptions": {
|
||||
"target": "es6", /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */
|
||||
"module": "commonjs", /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */
|
||||
"target": "ES2022", /* Specify ECMAScript target version */
|
||||
"module": "ES2022", /* Specify module code generation */
|
||||
"moduleResolution": "node", /* Specify module resolution strategy: 'node' or 'classic'. */
|
||||
"outDir": "./dist", /* Redirect output structure to the directory. */
|
||||
"rootDir": "./", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
|
||||
"strict": true, /* Enable all strict type-checking options. */
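Review bot: `"module": "ES2022"` on the new side is paired with `"moduleResolution": "node"`, which is TypeScript's legacy node10 resolver and does not honor package.json `exports` maps, so ESM-only entry points of newer dependencies may fail to resolve or silently resolve to their CommonJS builds. The package.json hunk lists `@vercel/ncc`, which suggests the output is bundled; in that case `"moduleResolution": "bundler"` is the matching setting, and `node16`/`nodenext` if the emitted code is ever run unbundled. The hunk's +3/-2 count means one added line is not distinguishable from context here, so confirm against the full file whether `moduleResolution` was itself changed. The compilerOptions object continues past this hunk.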
|
||||
|
||||