feat: Enable users to take advantage of the SARIF format

Use `csgrep` to save defects in SARIF format and return the file's location in the `sarif` output. Path to SARIF file can be accessed using `${{ steps.<id>.outputs.sarif }}`.
fedora-copr · Jan 30, 2023 · a82c1a8 · a82c1a8
1 parent ca8efb9
commit a82c1a8
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -18,12 +18,34 @@ jobs:
   lint:
     runs-on: ubuntu-latest
 
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
     steps:
       - name: Repository checkout
         uses: actions/checkout@v3
 
-      - name: VCS Diff Lint
+      - id: VCS_Diff_Lint
+        name: VCS Diff Lint
         uses: fedora-copr/vcs-diff-lint-action@v1
+
+      - if: ${{ always() }}
+        name: Upload artifact with detected defects in SARIF format
+        uses: actions/upload-artifact@v3
+        with:
+          name: VCS Diff Lint SARIF
+          path: ${{ steps.VCS_Diff_Lint.outputs.sarif }}
+
+      - if: ${{ always() }}
+        name: Upload SARIF to GitHub using github/codeql-action/upload-sarif
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.VCS_Diff_Lint.outputs.sarif }}
 ```
 
 ## Options
@@ -69,3 +91,11 @@ Turn on debugging info.
 
 * default value: `false`
 * requirements: `optional`
+
+## Outputs
+
+VCS Diff Lint GitHub Action exposes following [outputs](https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs).
+
+### sarif
+
+Relative path to SARIF file containing detected defects.
diff --git a/action.yml b/action.yml
@@ -33,6 +33,10 @@ inputs:
     default: 'false'
     required: false
 
+outputs:
+  sarif:
+    description: 'The SARIF file containing defects'
+
 runs:
   using: docker
   image: docker://quay.io/copr/vcs-diff-lint:latest
diff --git a/container/cmd b/container/cmd
@@ -39,6 +39,17 @@ set_linter_options()
     fi
 }
 
+get_pure_defects()
+{
+    set +e
+    if [[ -z "${linter_options[*]/--log-level=debug}" ]]; then
+        vcs-diff-lint >> defects.log
+    else
+        vcs-diff-lint "${linter_options[@]}" >> defects.log
+    fi
+    set -e
+}
+
 analyze_subdir()
 {
     echo
@@ -49,6 +60,7 @@ analyze_subdir()
         result=false
         return
     }
+    get_pure_defects
     vcs-diff-lint --print-fixed-errors "${linter_options[@]}" || result=false
 }
 
@@ -64,4 +76,12 @@ for subdir in $INPUT_SUBDIRECTORIES; do
     analyze_subdir "$subdir"
 done
 
+csgrep \
+    --strip-path-prefix "./" \
+    --mode=sarif \
+    --set-scan-prop="tool:vcs-diff-lint" \
+    --set-scan-prop="tool-url:https://github.com/fedora-copr/vcs-diff-lint#readme" \
+    "defects.log" > output.sarif
+echo "sarif=output.sarif" >> "${GITHUB_OUTPUT}"
+
 $result