
fixing yarn.lock? maybe? #24




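# Scans the files touched by a pull request with the in-repo scanner
# (scanner/ module) and reports the result as a PR comment, an artifact
# and the job status.
#
# Trust model: the workflow runs on pull_request_target, i.e. in the
# context of the BASE repository with a write-capable GITHUB_TOKEN.
# Everything that is executed (pip requirements, scanner/) therefore comes
# from the trusted base checkout only; the PR head is checked out into a
# separate directory and is treated purely as data to be scanned.
# Consequence: a PR that modifies scanner/ itself is scanned by the base
# version of the scanner, not by its own changes.
name: OWASP PR Scanner

# yamllint disable-line rule:truthy
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      # Directory holding the untrusted PR checkout; nothing under it is run.
      PR_DIR: pr
    steps:
      # Trusted code: default ref under pull_request_target is the base branch.
      # TODO(review): pin third-party actions to a full commit SHA
      # (e.g. actions/checkout@<commit-sha>) instead of a mutable tag.
      - name: Checkout trusted base
        uses: actions/checkout@v4

      # Untrusted data: the PR head, in its own directory. The token is not
      # persisted into that tree's .git config. fetch-depth 0 is required so
      # base.sha is available for the diff below.
      - name: Checkout PR HEAD (untrusted, data only)
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          path: ${{ env.PR_DIR }}
          fetch-depth: 0
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      # Requirements are read from the trusted base checkout (cwd), never from
      # the PR copy under $PR_DIR.
      - name: Install deps
        run: |
          python -m pip install -U pip
          if [ -f scanner/requirements.txt ]; then
            pip install -r scanner/requirements.txt
          elif [ -f requirements.txt ]; then
            pip install -r requirements.txt
          fi

      - name: Determine changed files for this PR
        id: diff
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          RAW="$(git -C "$PR_DIR" diff --name-only "$BASE_SHA" "$HEAD_SHA" || true)"
          APP_CHANGED="$(echo "$RAW" \
            | grep -E '\.(js|jsx|ts|tsx|py|java|go|rb|php|html|css|md|conf|yml|yaml|json)$' \
            || true)"
          # Fall back to scanning the whole PR tree when no app file changed.
          if [ -z "$APP_CHANGED" ]; then
            APP_CHANGED="$(git -C "$PR_DIR" ls-files)"
          fi
          # File names are PR-controlled: a fixed "EOF" delimiter could be
          # terminated early by a file named EOF and the remainder would be
          # parsed as further outputs. Use a per-run random delimiter.
          DELIM="ghadelim_$(openssl rand -hex 16)"
          {
            echo "changed_files<<$DELIM"
            echo "$APP_CHANGED"
            echo "$DELIM"
          } >> "$GITHUB_OUTPUT"

      - name: Run OWASP scanner
        id: owasp
        env:
          # Passed through env rather than ${{ }} inside the script: the file
          # list is attacker-influenced, and expression expansion would splice
          # it into the shell source before bash parses it.
          CHANGED_FILES: ${{ steps.diff.outputs.changed_files }}
        run: |
          if [ -z "$CHANGED_FILES" ]; then
            echo "Nothing to scan." | tee owasp-results.txt
            echo "vulnerabilities_found=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # scanner/ is resolved from the trusted base checkout (cwd).
          if [ ! -d "scanner" ]; then
            echo "::error::Scanner module not found (scanner/)."
            exit 1
          fi
          : > owasp-results.txt
          EXIT=0
          while IFS= read -r file; do
            [ -z "$file" ] && continue
            # Defensive: never follow a path that leaves the PR checkout.
            case "$file" in /*|../*|*/../*) continue ;; esac
            echo "### File: $file" >> owasp-results.txt
            echo '```' >> owasp-results.txt
            # Trusted scanner code, untrusted file contents as its input.
            python -m scanner.main "$PR_DIR/$file" >> owasp-results.txt 2>&1 || EXIT=1
            echo '```' >> owasp-results.txt
            echo "" >> owasp-results.txt
          done <<< "$CHANGED_FILES"
          if [ "$EXIT" -ne 0 ]; then
            echo "vulnerabilities_found=true" >> "$GITHUB_OUTPUT"
          else
            echo "vulnerabilities_found=false" >> "$GITHUB_OUTPUT"
          fi

      # The comment body goes to a file consumed via body-path. Scanner output
      # is PR-influenced, so routing it through GITHUB_ENV (a line-oriented
      # KEY=VALUE file read with a fixed heredoc delimiter) would let a crafted
      # line define arbitrary environment variables for later steps.
      - name: Create PR comment body
        if: always()
        env:
          VULNS: ${{ steps.owasp.outputs.vulnerabilities_found }}
        run: |
          RESULTS="$(cat owasp-results.txt 2>/dev/null || echo "No results.")"
          {
            echo '## 🔒 OWASP Scanner Results'
            echo ''
            if [ "$VULNS" = "true" ]; then
              echo 'Vulnerabilities were detected:'
            else
              echo 'No vulnerabilities detected.'
            fi
            echo ''
            # owasp-results.txt already fences each file's output; wrapping it
            # in a second ``` fence would nest fences and break the Markdown.
            echo "$RESULTS"
            echo ''
            if [ "$VULNS" = "true" ]; then
              echo '⛔ Please address these before merging.'
            else
              echo '✅ Good to go.'
            fi
          } > comment-body.md

      - name: Comment PR
        uses: peter-evans/create-or-update-comment@v4
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body-path: comment-body.md

      - name: Upload scan artifact
        uses: actions/upload-artifact@v4
        with:
          name: owasp-scan-results
          path: owasp-results.txt
          retention-days: 5

      # Blocking the merge only works if branch protection requires this job;
      # the step itself just fails the run.
      - name: Fail if vulnerabilities found
        if: steps.owasp.outputs.vulnerabilities_found == 'true'
        run: |
          echo "::error::❌ Vulnerabilities detected! Merge blocked."
          exit 1

      - name: Safe to merge
        if: steps.owasp.outputs.vulnerabilities_found == 'false'
        run: |
          echo "✅ No vulnerabilities found. Safe to merge."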