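# GitHub Action for CryptoDeps
# Analyzes dependencies for quantum-vulnerable cryptographic algorithms
#
# Usage in your workflow:
#   - uses: csnp/qramm-cryptodeps@v1
#     with:
#       path: '.'
#       fail-on: 'vulnerable'
#       format: 'sarif'
#       sarif-file: 'cryptodeps.sarif'
#
# Notes:
#   - The count outputs (vulnerable-count, partial-count, total-crypto) are
#     only populated when format is 'json'; other formats report 0.
#   - Setting sarif-file uploads the report with
#     github/codeql-action/upload-sarif, which needs the calling job to grant
#     `permissions: security-events: write`.
#   - Pin `version` to a release tag when reproducible results matter;
#     'latest' resolves to whatever the Go module proxy serves at run time.
name: 'CryptoDeps'
description: 'Analyze dependencies for quantum-vulnerable cryptographic algorithms'
author: 'CSNP (csnp.org)'
branding:
  icon: 'shield'
  color: 'blue'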
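inputs:
  # Directory or manifest file passed to `cryptodeps analyze`.
  path:
    description: 'Path to analyze (directory or manifest file)'
    required: false
    default: '.'
  # Severity at which the analysis step exits non-zero and fails the job.
  fail-on:
    description: 'Fail threshold: vulnerable, partial, any, none'
    required: false
    default: 'vulnerable'
  # Only 'json' lets the action parse counts into its outputs; every other
  # format is printed to the log and the count outputs are reported as 0.
  format:
    description: 'Output format: table, json, sarif, cbom, markdown'
    required: false
    default: 'table'
  # Forwarded to `go install ...@<version>`. 'latest' is not reproducible:
  # pin a release tag in workflows that need deterministic results.
  version:
    description: 'CryptoDeps version to use (default: latest). Pin a release tag for reproducible runs.'
    required: false
    default: 'latest'
  # When non-empty, a second analysis writes SARIF to this path and uploads
  # it to the Security tab (the calling job needs security-events: write).
  sarif-file:
    description: 'Path to write SARIF output (for GitHub Security tab)'
    required: false
    default: ''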
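# All values come from the `analyze` step. The three counts are parsed from
# the tool's JSON summary and are therefore only meaningful when the
# `format` input is 'json'; for any other format they are 0.
outputs:
  vulnerable-count:
    description: 'Number of quantum-vulnerable dependencies (0 unless format is json)'
    value: ${{ steps.analyze.outputs.vulnerable }}
  partial-count:
    description: 'Number of partial-risk dependencies (0 unless format is json)'
    value: ${{ steps.analyze.outputs.partial }}
  total-crypto:
    description: 'Total dependencies using cryptography (0 unless format is json)'
    value: ${{ steps.analyze.outputs.crypto }}
  # Exit status of `cryptodeps analyze`; the analysis step re-raises it, so a
  # non-zero value also fails the job unless the caller uses continue-on-error.
  exit-code:
    description: 'Exit code (0=clean, 1=vulnerable, 2=error, 3=partial)'
    value: ${{ steps.analyze.outputs.exit_code }}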
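runs:
  using: 'composite'
  steps:
    # NOTE(review): third-party actions are pinned to a major tag, which moves
    # over time; pinning to a full commit SHA gives a stronger supply-chain
    # guarantee.
    - name: Set up Go
      uses: actions/setup-go@v5
      with:
        go-version: '1.22'
        cache: false

    # Action inputs are handed to the scripts through `env:` and read as shell
    # variables instead of being expanded with ${{ }} inside `run:`. A ${{ }}
    # expansion is substituted into the script text before bash parses it, so
    # an input containing shell metacharacters could change the command that
    # runs; an environment variable is only ever data.
    - name: Install CryptoDeps
      shell: bash
      env:
        CRYPTODEPS_VERSION: ${{ inputs.version }}
      run: |
        # An empty version falls back to 'latest', matching the input default.
        go install "github.com/csnp/qramm-cryptodeps/cmd/cryptodeps@${CRYPTODEPS_VERSION:-latest}"

    - name: Run CryptoDeps Analysis
      id: analyze
      shell: bash
      env:
        ANALYZE_PATH: ${{ inputs.path }}
        ANALYZE_FORMAT: ${{ inputs.format }}
        ANALYZE_FAIL_ON: ${{ inputs.fail-on }}
      run: |
        # The composite `bash` shell runs with -e and pipefail; drop errexit so
        # a non-zero analysis status is captured and reported through the
        # outputs instead of aborting before they are written.
        set +e

        # Keep stdout (the report) separate from stderr so JSON parsing below
        # never sees diagnostic text mixed into the document. stderr is
        # replayed to the log afterwards so nothing is lost.
        STDERR_FILE="$RUNNER_TEMP/cryptodeps.stderr"
        OUTPUT=$(cryptodeps analyze "$ANALYZE_PATH" \
          --format "$ANALYZE_FORMAT" \
          --fail-on "$ANALYZE_FAIL_ON" \
          --offline 2>"$STDERR_FILE")
        EXIT_CODE=$?
        printf '%s\n' "$OUTPUT"
        if [ -s "$STDERR_FILE" ]; then
          cat "$STDERR_FILE" >&2
        fi

        # Counts can only be extracted from JSON output; other formats report
        # 0. If jq cannot parse the output (e.g. the tool failed and printed
        # nothing), fall back to 0 rather than writing an empty output value.
        if [ "$ANALYZE_FORMAT" = "json" ]; then
          VULNERABLE=$(printf '%s\n' "$OUTPUT" | jq -r '.summary.quantumVulnerable // 0' 2>/dev/null || echo 0)
          PARTIAL=$(printf '%s\n' "$OUTPUT" | jq -r '.summary.quantumPartial // 0' 2>/dev/null || echo 0)
          CRYPTO=$(printf '%s\n' "$OUTPUT" | jq -r '.summary.withCrypto // 0' 2>/dev/null || echo 0)
        else
          VULNERABLE=0
          PARTIAL=0
          CRYPTO=0
        fi

        {
          echo "vulnerable=${VULNERABLE:-0}"
          echo "partial=${PARTIAL:-0}"
          echo "crypto=${CRYPTO:-0}"
          echo "exit_code=$EXIT_CODE"
        } >> "$GITHUB_OUTPUT"

        # Re-raise the tool's status so `fail-on` actually fails the job.
        exit "$EXIT_CODE"

    # A second run with `--fail-on none`: the threshold has already been
    # applied above, and this step must only produce the report file.
    - name: Generate SARIF Report
      if: inputs.sarif-file != ''
      shell: bash
      env:
        ANALYZE_PATH: ${{ inputs.path }}
        SARIF_FILE: ${{ inputs.sarif-file }}
      run: |
        # Create the parent directory so a path like reports/out.sarif works.
        mkdir -p "$(dirname "$SARIF_FILE")"
        cryptodeps analyze "$ANALYZE_PATH" \
          --format sarif \
          --fail-on none \
          --offline > "$SARIF_FILE"

    # Requires `permissions: security-events: write` on the calling job;
    # without it the upload fails with a permissions error.
    - name: Upload SARIF to GitHub Security
      if: inputs.sarif-file != ''
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: ${{ inputs.sarif-file }}
        category: cryptodeps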