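# Poutine scan of this repository's CI/CD configuration.
# Runs on manual dispatch or when called from another workflow; the caller may
# pass a ref to scan. Findings are uploaded to code scanning as SARIF and the
# job is failed when any error-level result is present.
name: 'Sec: Poutine Scan'

on:
  workflow_dispatch:
  workflow_call:
    inputs:
      ref:
        description: GitHub ref to scan.
        required: false
        type: string
        default: ''

# Least privilege for the whole workflow: read the tree, write code-scanning
# results. A workflow_call caller must grant at least these.
permissions:
  contents: read
  security-events: write

jobs:
  poutine_scan:
    name: Poutine Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Empty when triggered by workflow_dispatch (the workflow_call default
          # is ''); the action then checks out the triggering ref.
          ref: ${{ inputs.ref }}

      - name: Run Poutine Security Scanner
        uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2

      # Upload BEFORE the failing gate below. Previously the upload step came
      # after `exit 1`, so the runs with the findings that matter most never
      # reached code scanning.
      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
        if: github.repository == 'n8n-io/n8n'
        with:
          sarif_file: results.sarif

      - name: Fail on error-level findings
        run: |
          set -euo pipefail
          # A missing report must fail the gate; without this check a failed
          # or silent scanner step would read as "no findings".
          if [ ! -f results.sarif ]; then
            echo "::error::results.sarif not found; the scanner step produced no report"
            exit 1
          fi
          # `.results[]?` tolerates runs without a results array instead of
          # aborting jq (which the old `2>&1` redirect hid as "no findings").
          # NOTE(review): results that omit `level` will not match this
          # filter — confirm poutine always sets a per-result level.
          if jq -e '.runs[].results[]? | select(.level == "error")' results.sarif > /dev/null; then
            echo "::error::Poutine found error-level security findings:"
            jq -r '.runs[].results[]? | select(.level == "error") | " - \(.ruleId): \(.message.text)"' results.sarif
            exit 1
          fi
          echo "No error-level findings detected"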