Update security-checks.yml

olokotoh · Sep 19, 2024 · 3bd1bb4 · 3bd1bb4
1 parent 57bf2f9
commit 3bd1bb4
Showing 1 changed file with 24 additions and 2 deletions.
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
@@ -21,10 +21,19 @@ jobs:
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3  
         with:
-          languages: 'javascript' # Adjust languages as needed
+          languages: 'javascript'
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3 
+        with:
+          output: "./codeql-results.sarif" # Save the SARIF report to the workspace
+
+      - name: Generate Markdown from SARIF
+        run: |
+          echo "# CodeQL Analysis Report" > codeql-report.md
+          echo "## Detected Vulnerabilities" >> codeql-report.md
+          vulnerabilities=$(jq -r '.runs[].results[] | "\n### \(.ruleId)\n**File:** \(.locations[].physicalLocation.artifactLocation.uri)\n**Line:** \(.locations[].physicalLocation.region.startLine)\n**Message:** \(.message.text)"' codeql-results.sarif)
+          echo "$vulnerabilities" >> codeql-report.md
 
   gitleaks-scan:
     name: "Gitleaks Secrets Scan"
@@ -35,14 +44,27 @@ jobs:
 
       - name: Run Gitleaks scan
         uses: gitleaks/gitleaks-action@v2
+        with:
+          args: '--report-format=json --report-path=gitleaks-report.json'
+
+      - name: Convert Gitleaks JSON Report to Markdown
+        run: |
+          echo "# Gitleaks Secrets Report" > gitleaks-report.md
+          echo "## Detected Secrets" >> gitleaks-report.md
+          secrets=$(jq -r '.[] | "\n### \(.Description)\n**File:** \(.File)\n**Line:** \(.StartLine)\n**Secret:** \(.Secret)"' gitleaks-report.json)
+          echo "$secrets" >> gitleaks-report.md
 
   create-issue-on-failure:
     if: ${{ failure() }}
     name: "Create GitHub Issue if Security Check Fails"
     runs-on: ubuntu-latest
     steps:
       - name: Create failure log file
-        run: echo "Security check failed in one of the previous jobs. Please investigate." > failure_log.txt
+        run: |
+          echo "# Security Check Failure" > failure_log.txt
+          echo "One or more security checks failed. Please review the following reports for more details:" >> failure_log.txt
+          cat codeql-report.md >> failure_log.txt || true
+          cat gitleaks-report.md >> failure_log.txt || true
 
       - name: Create GitHub issue on failure
         uses: peter-evans/create-issue-from-file@v4