feat(githubaction): adapt for use as a github action (#65)

Uses the existing docker container The 'scan-url' GitHub workflow argument is explicitly mapped to the SCAN_URL environment variable already expected&handled by the docker container. This enables the Dockerfile to remain agnostic to the fact that it is running as a Github action, rather than depending on the 'INPUT_' GitHub Action variable naming.
lirantal · Feb 3, 2020 · b2355a3 · b2355a3
1 parent d0c8cfe
commit b2355a3
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -71,6 +71,23 @@ docker run --rm -e SCAN_URL="https://www.google.com/" lirantal/is-website-vulner
 
 :warning: A modern version of Chrome is assumed to be available when using `is-website-vulnerable`. It may not be safe to assume that this is satisfied automatically on some CI services. For example, [additional configuration](https://docs.travis-ci.com/user/chrome#selecting-a-chrome-version) is necessary for [Travis CI](https://travis-ci.com/).
 
+# Github Action
+Create .github/workflows/is-website-vulnerable.yml with the url that you want scanned:
+
+```
+name: Test site for publicly known js vulnerabilities
+
+on: push
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Test for public javascript library vulnerabilities 
+        uses: lirantal/is-website-vulnerable@master
+        with:
+          scan-url: "https://yoursite.com"
+```
+
 # Install
 
 You can install globally via:

diff --git a/action.yml b/action.yml
@@ -0,0 +1,11 @@
+name: 'Is Website vulnerable'
+description: 'Scans a url for public javascript library vulnerabilities'
+inputs:
+  scan-url:
+    description: 'Website url to scan'
+    required: true
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  env:
+    SCAN_URL: ${{ inputs.scan-url }}
diff --git a/bin/is-website-vulnerable.js b/bin/is-website-vulnerable.js
@@ -59,6 +59,10 @@ function getLighthouseOptions() {
       : new RenderConsole(results, argv.jsLib)
     renderer.print()
 
+    if (audit.hasVulnerabilities(results)) {
+      process.exit(2)
+    }
+
     process.exit(0)
   } catch (error) {
     console.error(`\nError: ${error.message}\n`)

diff --git a/src/Audit.js b/src/Audit.js
@@ -23,6 +23,20 @@ module.exports = class Audit {
     }
   }
 
+  hasVulnerabilities(scanResult) {
+    const vulnerableAudit = scanResult.lhr.audits['no-vulnerable-libraries']
+
+    if (
+      vulnerableAudit.details &&
+      vulnerableAudit.details.items &&
+      vulnerableAudit.details.items.length > 0
+    ) {
+      return true
+    }
+
+    return false
+  }
+
   async scanUrl(url, options = { lighthouseOpts: {}, chromeOpts: {} }, progress = false) {
     const optflags = options.lighthouseOpts
     const chromePath = (options.chromeOpts || {}).chromePath