This action runs Vorpal
with reviewdog on pull requests to improve code review experience.
Vorpal is an ultra-fast engine, specifically designed to empower developers by enabling them to identify and address security best coding practices early in the development process, known as "shifting left." By catching potential issues at the initial stages, Vorpal helps developers proactively prevent costly security reviews and critical security issues later in the development cycle.
Unlike traditional SAST engines that scan entire projects and analyze complex source code flows, Vorpal focuses on individual files and short code snippets, including AI-generated code. It empowers developers with clear, actionable feedback on detected issues, complete with descriptions and remediation advice, enabling them to quickly enhance the security of their codebases. While Vorpal doesn't delve into specific attack vectors, it emphasizes proactive security measures early in the development process, which not only strengthens code security but also reduces and refines findings in later SAST scans, making them more precise and manageable.
Vorpal currently supports Java
, JavaScript (Node.js)
, C#
, and Python
.
By default, with reporter: github-pr-check an annotation is added to the line:
With reporter: github-pr-review a comment is added to the Pull Request Conversation:
Description: GITHUB_TOKEN.
Required: true
Default: ${{ github.token }}
Description: Specify the source paths to analyze (comma-separated).
Required: true
Description: Specify the folders to ignore on Vorpal scan (comma-separated).
Required: false
Description: Report level for reviewdog [info, warning, error].
Default: error
Description: Reporter of reviewdog command [github-pr-check, github-pr-review].
Default: github-pr-review
Description: Filtering mode for the reviewdog command [added, diff_context, file, nofilter].
Default: added
Description: Exit code for reviewdog when errors are found [true, false].
Default: false
Description: Additional reviewdog flags.
Default: ``
name: vorpal-reviewdog
on: [pull_request]
jobs:
vorpal:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Vorpal with reviewdog
uses: checkmarx/[email protected]
with:
source_path: testdata/samples/FileA.java,testdata/samples/FileB.java
filter_mode: file
github_token: ${{ secrets.github_token }}
reporter: github-pr-check
level: error
fail_on_error: false
In the example bellow we use the tj-action/changed-files with vorpal-reviewdog-github-action so we do not need to specify files in the source_path field.
name: vorpal-reviewdog-changeFiles
on: [pull_request]
jobs:
vorpal:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v44
with:
separator: ','
- name: Vorpal with reviewdog
if: ${{ steps.changed-files.outputs.all_changed_files != '' }}
uses: checkmarx/[email protected]
with:
source_path: "${{ steps.changed-files.outputs.all_changed_files }}"
filter_mode: file
github_token: ${{ secrets.github_token }}
reporter: github-pr-check
level: error
fail_on_error: false
Apache License Version 2.0