Allow input parameter output-format and output report to be used

action.yml

@@ -17,6 +17,10 @@ inputs:
  description: "Set to false to avoid failing based on severity-cutoff. Default is to fail when severity-cutoff is reached (or surpassed)"
  required: false
  default: "true"
+ output-format:
+ description: 'Set the output parameter after successful action execution. Valid choices are "json" and "sarif".'
+ required: false
+ default: "sarif"
  acs-report-enable:
  description: "Generate a SARIF report and set the `sarif` output parameter after successful action execution. This report is compatible with GitHub Automated Code Scanning (ACS), as the artifact to upload for display as a Code Scanning Alert report."
  required: false
@@ -28,6 +32,8 @@ inputs:
 outputs:
  sarif:
  description: "Path to a SARIF report file for the image"
+ report:
+ description: "Path to a JSON report file for the image"
 runs:
  using: "node16"
  main: "dist/index.js"

dist/index.js

@@ -103,12 +103,14 @@ async function run() {
  const source = sourceInput();
  const failBuild = core.getInput("fail-build") || "true";
  const acsReportEnable = core.getInput("acs-report-enable") || "true";
+ const outputFormat = core.getInput("output-format") || "sarif";
  const severityCutoff = core.getInput("severity-cutoff") || "medium";
  const out = await runScan({
  source,
  failBuild,
  acsReportEnable,
  severityCutoff,
+ outputFormat,
  });
  Object.keys(out).map((key) => {
  core.setOutput(key, out[key]);
@@ -118,7 +120,13 @@ async function run() {
  }
 }
 
-async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
+async function runScan({
+ source,
+ failBuild,
+ acsReportEnable,
+ severityCutoff,
+ outputFormat,
+}) {
  const out = {};
 
  const env = {
@@ -139,6 +147,7 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
  }
 
  const SEVERITY_LIST = ["negligible", "low", "medium", "high", "critical"];
+ const FORMAT_LIST = ["sarif", "json"];
  let cmdArgs = [];
 
  if (core.isDebug()) {
@@ -149,10 +158,16 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
 
  acsReportEnable = acsReportEnable.toLowerCase() === "true";
 
+ if (outputFormat !== "sarif" && acsReportEnable) {
+ throw new Error(
+ `Invalid output-format selected. If acs-report-enabled is true (which is the default if it is omitted), the output-format parameter must be sarif or must be omitted`
+ );
+ }
+
  if (acsReportEnable) {
  cmdArgs.push("-o", "sarif");
  } else {
- cmdArgs.push("-o", "json");
+ cmdArgs.push("-o", outputFormat);
  }
 
  if (
@@ -166,6 +181,17 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
  `Invalid severity-cutoff value is set to ${severityCutoff} - please ensure you are choosing either negligible, low, medium, high, or critical`
  );
  }
+ if (
+ !FORMAT_LIST.some(
+ (item) =>
+ typeof outputFormat.toLowerCase() === "string" &&
+ item === outputFormat.toLowerCase()
+ )
+ ) {
+ throw new Error(
+ `Invalid output-format value is set to ${outputFormat} - please ensure you are choosing either json or sarif`
+ );
+ }
 
  core.debug(`Installing grype version ${grypeVersion}`);
  await installGrype(grypeVersion);
@@ -174,6 +200,7 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
  core.debug("Fail Build: " + failBuild);
  core.debug("Severity Cutoff: " + severityCutoff);
  core.debug("ACS Enable: " + acsReportEnable);
+ core.debug("Output Format: " + outputFormat);
 
  core.debug("Creating options for GRYPE analyzer");
 
@@ -225,6 +252,10 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
  const SARIF_FILE = "./results.sarif";
  fs.writeFileSync(SARIF_FILE, cmdOutput);
  out.sarif = SARIF_FILE;
+ } else {
+ const REPORT_FILE = "./results.report";
+ fs.writeFileSync(REPORT_FILE, cmdOutput);
+ out.report = REPORT_FILE;
  }
 
  if (failBuild === true && exitCode > 0) {

index.js

@@ -88,12 +88,14 @@ async function run() {
  const source = sourceInput();
  const failBuild = core.getInput("fail-build") || "true";
  const acsReportEnable = core.getInput("acs-report-enable") || "true";
+ const outputFormat = core.getInput("output-format") || "sarif";
  const severityCutoff = core.getInput("severity-cutoff") || "medium";
  const out = await runScan({
  source,
  failBuild,
  acsReportEnable,
  severityCutoff,
+ outputFormat,
  });
  Object.keys(out).map((key) => {
  core.setOutput(key, out[key]);
@@ -103,7 +105,13 @@ async function run() {
  }
 }
 
-async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
+async function runScan({
+ source,
+ failBuild,
+ acsReportEnable,
+ severityCutoff,
+ outputFormat,
+}) {
  const out = {};
 
  const env = {
@@ -124,6 +132,7 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
  }
 
  const SEVERITY_LIST = ["negligible", "low", "medium", "high", "critical"];
+ const FORMAT_LIST = ["sarif", "json"];
  let cmdArgs = [];
 
  if (core.isDebug()) {
@@ -134,10 +143,16 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
 
  acsReportEnable = acsReportEnable.toLowerCase() === "true";
 
+ if (outputFormat !== "sarif" && acsReportEnable) {
+ throw new Error(
+ `Invalid output-format selected. If acs-report-enabled is true (which is the default if it is omitted), the output-format parameter must be sarif or must be omitted`
+ );
+ }
+
  if (acsReportEnable) {
  cmdArgs.push("-o", "sarif");
  } else {
- cmdArgs.push("-o", "json");
+ cmdArgs.push("-o", outputFormat);
  }
 
  if (
@@ -151,6 +166,17 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
  `Invalid severity-cutoff value is set to ${severityCutoff} - please ensure you are choosing either negligible, low, medium, high, or critical`
  );
  }
+ if (
+ !FORMAT_LIST.some(
+ (item) =>
+ typeof outputFormat.toLowerCase() === "string" &&
+ item === outputFormat.toLowerCase()
+ )
+ ) {
+ throw new Error(
+ `Invalid output-format value is set to ${outputFormat} - please ensure you are choosing either json or sarif`
+ );
+ }
 
  core.debug(`Installing grype version ${grypeVersion}`);
  await installGrype(grypeVersion);
@@ -159,6 +185,7 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
  core.debug("Fail Build: " + failBuild);
  core.debug("Severity Cutoff: " + severityCutoff);
  core.debug("ACS Enable: " + acsReportEnable);
+ core.debug("Output Format: " + outputFormat);
 
  core.debug("Creating options for GRYPE analyzer");
 
@@ -210,6 +237,10 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
  const SARIF_FILE = "./results.sarif";
  fs.writeFileSync(SARIF_FILE, cmdOutput);
  out.sarif = SARIF_FILE;
+ } else {
+ const REPORT_FILE = "./results.report";
+ fs.writeFileSync(REPORT_FILE, cmdOutput);
+ out.report = REPORT_FILE;
  }
 
  if (failBuild === true && exitCode > 0) {

tests/grype_command.test.js

@@ -29,6 +29,7 @@ describe("Grype command", () => {
  debug: "false",
  failBuild: "false",
  acsReportEnable: "true",
+ outputFormat: "sarif",
  severityCutoff: "high",
  version: "0.6.0",
  });
@@ -40,6 +41,7 @@ describe("Grype command", () => {
  source: "asdf",
  failBuild: "false",
  acsReportEnable: "false",
+ outputFormat: "json",
  severityCutoff: "low",
  version: "0.6.0",
  });

tests/sarif_output.test.js

@@ -18,6 +18,7 @@ const testSource = async (source, vulnerabilities) => {
  debug: "false",
  failBuild: "false",
  acsReportEnable: "true",
+ outputFormat: "sarif",
  severityCutoff: "medium",
  });