261 changes: 261 additions & 0 deletions .github/workflows/test-action.yml
@@ -0,0 +1,261 @@
name: Test Vulnify Action

on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
workflow_dispatch:

jobs:
test-action:
runs-on: ubuntu-latest
name: Test Vulnify Security Scanner Action

strategy:
matrix:
test-case:
- name: "Basic npm scan"
ecosystem: "npm"
file: "package.json"
fail-on: "critical"
- name: "Python requirements scan"
ecosystem: "pypi"
file: "requirements.txt"
fail-on: "high"
- name: "Auto-detect scan"
ecosystem: ""
file: ""
fail-on: "medium"

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Create test dependency files
run: |
# Create package.json with known vulnerable packages for testing
cat > package.json << 'EOF'
{
"name": "test-project",
"version": "1.0.0",
"dependencies": {
"lodash": "4.17.19",
"axios": "0.21.1",
"express": "4.17.1"
}
}
EOF

# Create requirements.txt with known vulnerable packages
cat > requirements.txt << 'EOF'
django==2.2.0
requests==2.20.0
pillow==6.2.0
EOF

# Create pom.xml for Maven testing
cat > pom.xml << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>test-project</artifactId>
<version>1.0.0</version>
<dependencies>
<dependency>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-core</artifactId>
<version>2.3.20</version>
</dependency>
</dependencies>
</project>
EOF

- name: Test Vulnify Action - ${{ matrix.test-case.name }}
id: vulnify-test
uses: ./
continue-on-error: true
with:
ecosystem: ${{ matrix.test-case.ecosystem }}
file: ${{ matrix.test-case.file }}
fail-on: ${{ matrix.test-case.fail-on }}
output: 'table'
generate-report: true
report-filename: 'test-report-${{ strategy.job-index }}.json'
timeout: '45000'

- name: Display test results
run: |
echo "## Test Results for: ${{ matrix.test-case.name }}"
echo "Vulnerabilities found: ${{ steps.vulnify-test.outputs.vulnerabilities-found }}"
echo "Critical: ${{ steps.vulnify-test.outputs.critical-count }}"
echo "High: ${{ steps.vulnify-test.outputs.high-count }}"
echo "Medium: ${{ steps.vulnify-test.outputs.medium-count }}"
echo "Low: ${{ steps.vulnify-test.outputs.low-count }}"
echo "Scan result: ${{ steps.vulnify-test.outputs.scan-result }}"
echo "Report path: ${{ steps.vulnify-test.outputs.report-path }}"

- name: Verify report generation
run: |
if [ -f "test-report-${{ strategy.job-index }}.json" ]; then
echo "✅ Report file generated successfully"
echo "Report size: $(wc -c < test-report-${{ strategy.job-index }}.json) bytes"
echo "Report preview:"
head -20 "test-report-${{ strategy.job-index }}.json"
else
echo "❌ Report file not found"
ls -la
fi

- name: Upload test reports
uses: actions/upload-artifact@v4
if: always()
with:
name: vulnify-test-reports-${{ strategy.job-index }}
path: |
test-report-*.json
vulnify-report.json
retention-days: 7

test-different-fail-conditions:
runs-on: ubuntu-latest
name: Test Different Fail Conditions

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Create vulnerable package.json
run: |
cat > package.json << 'EOF'
{
"name": "vulnerable-test",
"version": "1.0.0",
"dependencies": {
"lodash": "4.17.19"
}
}
EOF

- name: Test fail-on critical (should pass)
uses: ./
with:
fail-on: 'critical'
output: 'summary'

- name: Test fail-on any (should fail)
uses: ./
continue-on-error: true
with:
fail-on: 'any'
output: 'json'

test-with-api-key:
runs-on: ubuntu-latest
name: Test with API Key
if: github.event_name != 'pull_request' # Only run on push/manual

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Create test package.json
run: |
cat > package.json << 'EOF'
{
"name": "api-key-test",
"version": "1.0.0",
"dependencies": {
"express": "4.17.1"
}
}
EOF

- name: Test with API key
uses: ./
with:
api-key: ${{ secrets.VULNIFY_API_KEY }}
fail-on: 'high'
timeout: '60000'

test-working-directory:
runs-on: ubuntu-latest
name: Test Working Directory

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Create subdirectory with dependencies
run: |
mkdir -p frontend backend

cat > frontend/package.json << 'EOF'
{
"name": "frontend-app",
"version": "1.0.0",
"dependencies": {
"react": "17.0.2",
"lodash": "4.17.19"
}
}
EOF

cat > backend/requirements.txt << 'EOF'
django==2.2.0
requests==2.20.0
EOF

- name: Test frontend scan
uses: ./
with:
working-directory: './frontend'
ecosystem: 'npm'
fail-on: 'critical'

- name: Test backend scan
uses: ./
with:
working-directory: './backend'
ecosystem: 'pypi'
fail-on: 'critical'

integration-test:
runs-on: ubuntu-latest
name: Integration Test with Real Project

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Test on actual CLI project
uses: ./
with:
file: 'package.json'
ecosystem: 'npm'
fail-on: 'critical'
generate-report: true
report-filename: 'cli-security-report.json'

- name: Validate CLI scan results
run: |
if [ -f "cli-security-report.json" ]; then
echo "✅ CLI project scan completed successfully"

# Parse and display key metrics
if command -v jq &> /dev/null; then
echo "Project dependencies scanned: $(jq -r '.results.total_dependencies // .total_dependencies // "unknown"' cli-security-report.json)"
echo "Vulnerabilities found: $(jq -r '.results.vulnerabilities_found // .vulnerabilities_found // "unknown"' cli-security-report.json)"
fi
else
echo "❌ CLI project scan failed"
exit 1
fi

- name: Upload CLI scan report
uses: actions/upload-artifact@v4
with:
name: cli-security-report
path: cli-security-report.json
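Review bot: No top-level `permissions:` block is declared, so every job in this workflow runs with the repository's default GITHUB_TOKEN scope although the steps only check out code and upload artifacts; add `permissions:` / `  contents: read` next to `name:` at the top of the file. The step `Test fail-on any (should fail)` has `continue-on-error: true` but nothing checks that it actually failed, so a regression that makes `fail-on: 'any'` pass would go unnoticed — give the step an id (e.g. `id: fail-any`) and follow it with `- if: steps.fail-any.outcome != 'failure'` / `  run: exit 1`. The `else` branch of `Verify report generation` likewise only echoes `❌ Report file not found` and lists the directory, whereas the integration job's equivalent branch ends with `exit 1`; the matrix job should fail the same way. `actions/checkout@v4` and `actions/upload-artifact@v4` are pinned by mutable tag; for a repository that ships a security scanner, pinning to a full-length commit SHA (with the tag kept in a trailing comment) is the expected supply-chain hardening.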

85 changes: 85 additions & 0 deletions action.yml
@@ -0,0 +1,85 @@
name: 'Vulnify Security Scanner'
description: 'Scan your project dependencies for security vulnerabilities using Vulnify SCA - similar to Snyk CLI'
author: 'Vulnify Team'

branding:
icon: 'shield'
color: 'red'

inputs:
file:
description: 'Path to dependency file (package.json, requirements.txt, etc.)'
required: false
default: ''

ecosystem:
description: 'Force specific ecosystem (npm, pypi, maven, nuget, rubygems, composer, go, cargo)'
required: false
default: ''

output:
description: 'Output format (table, json, summary)'
required: false
default: 'table'

severity:
description: 'Filter by severity level (critical, high, medium, low)'
required: false
default: ''

api-key:
description: 'Vulnify API key for increased rate limits'
required: false
default: ''

timeout:
description: 'Request timeout in milliseconds'
required: false
default: '30000'

fail-on:
description: 'Fail the build on vulnerabilities (critical, high, medium, low, any)'
required: false
default: 'high'

working-directory:
description: 'Working directory to run the scan'
required: false
default: '.'

generate-report:
description: 'Generate JSON report file'
required: false
default: 'true'

report-filename:
description: 'Name of the generated report file'
required: false
default: 'vulnify-report.json'

outputs:
vulnerabilities-found:
description: 'Total number of vulnerabilities found'

critical-count:
description: 'Number of critical vulnerabilities'

high-count:
description: 'Number of high severity vulnerabilities'

medium-count:
description: 'Number of medium severity vulnerabilities'

low-count:
description: 'Number of low severity vulnerabilities'

report-path:
description: 'Path to the generated JSON report'

scan-result:
description: 'Overall scan result (pass/fail)'

runs:
using: 'node20'
main: 'dist/index.js'
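Review bot: The `api-key` input is described only as a way to get 'increased rate limits', with nothing saying the value is a credential; extend the description to `'Vulnify API key for increased rate limits. Supply it via a repository or organization secret (e.g. ${{ secrets.VULNIFY_API_KEY }}), never as a literal.'` so consumers do not paste it into their workflow. Action inputs reach the Node process as environment variables, so the entry point should also register the value with core.setSecret before any logging so it is masked even when a consumer does pass a literal — `dist/index.js` is not in this diff, so that cannot be confirmed here. `runs.main` points at a compiled bundle that cannot be reviewed against `index.js` by eye; consider a CI step that rebuilds and runs `git diff --exit-code dist/` so a stale or tampered bundle is caught. `severity` and `fail-on` both accept severity names but neither description says how they interact (whether `severity` filters the findings before `fail-on` is evaluated); a sentence in each description would remove the ambiguity.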

41 changes: 41 additions & 0 deletions action_package.json
@@ -0,0 +1,41 @@
{
"name": "vulnify-action",
"version": "1.0.0",
"description": "GitHub Action for Vulnify Security Scanner",
"main": "dist/index.js",
"scripts": {
"build": "ncc build index.js -o dist --source-map --license licenses.txt",
"package": "npm run build",
"test": "jest",
"lint": "eslint index.js",
"all": "npm run lint && npm run build && npm test"
},
"repository": {
"type": "git",
"url": "git+https://github.com/vulnify/vulnify-cli.git"
},
"keywords": [
"security",
"vulnerability",
"scanner",
"github-action",
"sca",
"dependencies",
"audit"
],
"author": "Vulnify Team",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.10.1",
"@actions/exec": "^1.1.1",
"@actions/io": "^1.1.3"
},
"devDependencies": {
"@vercel/ncc": "^0.38.1",
"eslint": "^8.57.0",
"jest": "^29.7.0"
},
"engines": {
"node": ">=20"
}
}
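Review bot: This manifest is named `action_package.json`, yet its `build`, `lint` and `test` scripts (`ncc build index.js …`, `eslint index.js`, `jest`) are only reachable through a file npm actually reads, i.e. `package.json`; presumably it is copied or renamed during the action's build because the root `package.json` scanned by the integration job belongs to the CLI, and that step should be documented in the repository README. No lockfile accompanies these `^`-ranged dependencies in this change (the diffstat lists only three files), so `npm run build` can resolve different `@actions/*` and `@vercel/ncc` versions from one build to the next; commit a `package-lock.json` and install with `npm ci` so the shipped `dist/index.js` is reproducible and auditable.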