@@ -6,13 +6,17 @@ inputs:
66 description : " Whether to also run 'snyk monitor'"
77 required : false
88 default : " false"
9- projectPrefix :
10- description : " Project prefix for Snyk dashboard and SARIF naming (e.g., 'strimzi')"
9+ scanName :
10+ description : " Name used for SARIF file naming, upload category, and tool display name (e.g., 'strimzi')"
1111 required : true
1212 uploadToCodeScanning :
1313 description : " Whether to upload SARIF results to GitHub Code Scanning"
1414 required : false
1515 default : " true"
16+ exclude :
17+ description : " Comma-separated list of directories to exclude from scanning (e.g., 'mockkube,test')"
18+ required : false
19+ default : " "
1620
1721runs :
1822 using : " composite"
@@ -24,38 +28,46 @@ runs:
2428 shell : bash
2529 continue-on-error : true
2630 run : |
31+ EXCLUDE_FLAG=""
32+ if [ -n "${{ inputs.exclude }}" ]; then
33+ EXCLUDE_FLAG="--exclude=${{ inputs.exclude }}"
34+ fi
2735 snyk test \
2836 --all-projects \
29- --sarif-file-output=snyk-maven-${{ inputs.projectPrefix }}.sarif \
37+ $EXCLUDE_FLAG \
38+ --sarif-file-output=snyk-maven-${{ inputs.scanName }}.sarif \
3039 --json-file-output=snyk-results.json
3140
3241 # This is used to set severity score to 0.0 for those results that has empty value for it.
3342 # Empty value is not supported by GitHub Code Scanning page
43+ # It also set tool.driver.name to distinguish between different tools within UI
3444 - name : Sanitize SARIF security-severity values
3545 shell : bash
3646 run : |
37- SARIF_FILE="snyk-maven-${{ inputs.projectPrefix }}.sarif"
47+ SARIF_FILE="snyk-maven-${{ inputs.scanName }}.sarif"
3848 if [ -f "$SARIF_FILE" ]; then
39- jq '(.runs[].tool.driver.rules[]?.properties."security-severity") |=
40- if . == null or . == "undefined" or (tostring | test("^[0-9]") | not) then "0.0"
41- else .
42- end' "$SARIF_FILE" > "${SARIF_FILE}.tmp" && mv "${SARIF_FILE}.tmp" "$SARIF_FILE"
49+ jq --arg name "Snyk Maven (${{ inputs.scanName }})" '
50+ (.runs[].tool.driver.name) = $name |
51+ (.runs[].tool.driver.rules[]?.properties."security-severity") |=
52+ if . == null or . == "undefined" or (tostring | test("^[0-9]") | not) then "0.0"
53+ else .
54+ end' "$SARIF_FILE" > "${SARIF_FILE}.tmp" && mv "${SARIF_FILE}.tmp" "$SARIF_FILE"
4355 fi
4456
4557 - name : Upload SARIF to GitHub Code Scanning
4658 uses : github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
4759 if : ${{ always() && inputs.uploadToCodeScanning == 'true' }}
4860 with :
49- sarif_file : snyk-maven-${{ inputs.projectPrefix }}.sarif
50- category : snyk-maven-${{ inputs.projectPrefix }}
61+ sarif_file : snyk-maven-${{ inputs.scanName }}.sarif
62+ category : snyk-maven-${{ inputs.scanName }}
5163 wait-for-processing : true
5264
5365 - name : Upload SARIF as workflow artifact
5466 uses : actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
5567 if : always()
5668 with :
57- name : snyk-maven-${{ inputs.projectPrefix }}.sarif
58- path : snyk-maven-${{ inputs.projectPrefix }}.sarif
69+ name : snyk-maven-${{ inputs.scanName }}.sarif
70+ path : snyk-maven-${{ inputs.scanName }}.sarif
5971 retention-days : 30
6072
6173 # Monitor command is used for upload snapshot of the scan to Snyk App where Snyk will do daily scans and can generate reports
6476 shell : bash
6577 continue-on-error : true
6678 run : |
67- snyk monitor --all-projects --target-reference="${GITHUB_REF_NAME}"
79+ EXCLUDE_FLAG=""
80+ if [ -n "${{ inputs.exclude }}" ]; then
81+ EXCLUDE_FLAG="--exclude=${{ inputs.exclude }}"
82+ fi
83+ snyk monitor --all-projects $EXCLUDE_FLAG --target-reference="${GITHUB_REF_NAME}"
0 commit comments