Skip to content

Upload puppet-lint output in SARIF format #33

Open
Open
Upload puppet-lint output in SARIF format#33
@ekohl

Description

@ekohl
ekohl
opened on Aug 22, 2023

You can set up puppet-lint and GHA to upload in SARIF format. The explore workflows suggests the following workflow:

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# Puppet Lint tests Puppet code against the recommended Puppet language style guide.
# https://puppet.com/docs/puppet/7/style_guide.html
# Puppet Lint validates only code style; it does not validate syntax.
# To test syntax, use Puppet's puppet parser validate command.
# More details at https://github.com/puppetlabs/puppet-lint/

name: puppet-lint

on:
  push:
    branches: [ "master" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]
  schedule:
    - cron: '41 13 * * 2'

permissions:
  contents: read

jobs:
  puppet-lint:
    name: Run puppet-lint scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read # for checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Setup Ruby
        uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
        with:
          ruby-version: 2.7
          bundler-cache: true

      - name: Install puppet-lint
        run: gem install puppet-lint

      - name: Run puppet-lint
        run: puppet-lint . --sarif > puppet-lint-results.sarif
        continue-on-error: true

      - name: Upload analysis results to GitHub
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: puppet-lint-results.sarif
          wait-for-processing: true

Obviously we only care about the last 2 steps, but the permissions are also useful.

This may be nicer than annotations because it also shows up in code scans when run on the cron schedule.

Perhaps this is something that belongs in voxpupuli-test, perhaps somewhere in between.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions