Fix #19 - enable security analysis

psalm · Nov 17, 2020 · 0b419a6 · 0b419a6
1 parent 863ed13
commit 0b419a6
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -20,6 +20,8 @@ jobs:
 
 ```
 
+## Specify Psalm version
+
 You can also specify a version (after 3.14.2).
 
 ```diff
@@ -28,12 +30,45 @@ You can also specify a version (after 3.14.2).
 +        uses: docker://vimeo/psalm-github-actions:3.14.2
 ```
 
-Specify `REQUIRE_DEV=true` to install dev dependencies and `CHECK_PLATFORM_REQUIREMENTS=false` in order to ignore platform requirements.
+## Use Security Analysis
+
+Psalm supports [Security Analysis](https://psalm.dev/docs/security_analysis/). You can use this config to show security analysis reports:
+
+```diff
+       - name: Psalm
+         uses: docker://vimeo/psalm-github-actions
++        with:
++          security_analysis: true
+```
+
+### Send security output to GitHub Security tab
+
+GitHub also allows you to [send security issues to a separate part of the site](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning) that can be restricted to members of your team.
+
+Use the following config:
+
+```diff
+       - name: Psalm
+         uses: docker://vimeo/psalm-github-actions
++        with:
++          security_analysis: true
++          report_file: results.sarif
++      - name: Upload Security Analysis results to GitHub
++        uses: github/codeql-action/upload-sarif@v1
++        with:
++          sarif_file: results.sarif
+```
+
+## Customising Composer
+
+Specify `composer_require_dev: true` to install dev dependencies and `composer_ignore_platform_reqs: true` in order to ignore platform requirements.
+
+These are both set to false by default.
 
 ```diff
        - name: Psalm
          uses: docker://vimeo/psalm-github-actions
-+        env:
-+          REQUIRE_DEV: "true"
-+          CHECK_PLATFORM_REQUIREMENTS: "false"
++        with:
++          composer_require_dev: true
++          composer_ignore_platform_reqs: true
 ```
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -2,19 +2,29 @@
 set -e
 
 IGNORE_PLATFORM_REQS=""
-if [ "$CHECK_PLATFORM_REQUIREMENTS" = "false" ]; then
+if [ "$CHECK_PLATFORM_REQUIREMENTS" = "false" ] || [ "$INPUT_COMPOSER_CHECK_PLATFORM_REQUIREMENTS" = "false" ]; then
     IGNORE_PLATFORM_REQS="--ignore-platform-reqs"
 fi
 
 NO_DEV="--no-dev"
-if [ "$REQUIRE_DEV" = "true" ]; then
+if [ "$REQUIRE_DEV" = "true" ] || [ "$INPUT_COMPOSER_REQUIRE_DEV" = "true"  ]; then
     NO_DEV=""
 fi
 
+TAINT_ANALYSIS=""
+if [ "$INPUT_SECURITY_ANALYSIS" = "true" ]; then
+    TAINT_ANALYSIS="--taint-analysis"
+fi
+
+REPORT=""
+if [ ! -z "$INPUT_REPORT_FILE" ]; then
+    REPORT="--report=$INPUT_REPORT_FILE"
+fi
+
 COMPOSER_COMMAND="composer install --no-scripts --no-progress $NO_DEV $IGNORE_PLATFORM_REQS"
 echo "::group::$COMPOSER_COMMAND"
 $COMPOSER_COMMAND
 echo "::endgroup::"
 
 /composer/vendor/bin/psalm --version
-/composer/vendor/bin/psalm --output-format=github $*
+/composer/vendor/bin/psalm --output-format=github $TAINT_ANALYSIS $REPORT $*