-
Notifications
You must be signed in to change notification settings - Fork 106
Expand file tree
/
Copy pathbroken-access-control-full-scan.yml
More file actions
94 lines (79 loc) · 3.04 KB
/
Copy pathbroken-access-control-full-scan.yml
File metadata and controls
94 lines (79 loc) · 3.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
name: Broken Access Control Full Scan
on:
workflow_dispatch:
inputs:
target_paths:
description: Space-delimited tracked paths to scan for Python BAC patterns.
required: false
default: application scripts
fail_on_findings:
description: Fail the workflow when findings are detected. Keep false for baseline/advisory runs.
required: true
type: boolean
default: false
run_self_tests:
description: Run the BAC checker regression tests before the audit.
required: true
type: boolean
default: true
jobs:
broken-access-control-full-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Run Broken Access Control guardrail self-test
if: inputs.run_self_tests
run: |
python functional_tests/test_broken_access_control_guardrails_checker.py
- name: Collect tracked Python files
id: python-files
env:
TARGET_PATHS: ${{ inputs.target_paths }}
run: |
set -euo pipefail
: > bac-python-files.txt
for target_path in $TARGET_PATHS; do
git ls-files "$target_path" | grep -E '\.py$' >> bac-python-files.txt || true
done
sort -u bac-python-files.txt -o bac-python-files.txt
file_count=$(wc -l < bac-python-files.txt | tr -d ' ')
echo "file_count=$file_count" >> "$GITHUB_OUTPUT"
if [[ "$file_count" == "0" ]]; then
echo "No tracked Python files found for target paths: $TARGET_PATHS"
exit 0
fi
echo "Collected $file_count Python file(s) for BAC full scan."
- name: Run Broken Access Control full scan
id: bac-scan
if: steps.python-files.outputs.file_count != '0'
env:
FAIL_ON_FINDINGS: ${{ inputs.fail_on_findings }}
run: |
set +e
mapfile -t python_files < bac-python-files.txt
python scripts/check_broken_access_control.py --full-file "${python_files[@]}" 2>&1 | tee broken-access-control-full-scan-report.txt
checker_status=${PIPESTATUS[0]}
echo "checker_status=$checker_status" >> "$GITHUB_OUTPUT"
if [[ "$checker_status" -ne 0 ]]; then
echo "Broken Access Control full scan found findings. Review broken-access-control-full-scan-report.txt."
if [[ "$FAIL_ON_FINDINGS" == "true" ]]; then
exit "$checker_status"
fi
fi
exit 0
- name: Upload Broken Access Control full scan report
if: always() && steps.python-files.outputs.file_count != '0'
uses: actions/upload-artifact@v4
with:
name: broken-access-control-full-scan-report
path: |
bac-python-files.txt
broken-access-control-full-scan-report.txt
if-no-files-found: ignore