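# Dependency vulnerability audit for an R package, using oysteR (which queries
# Sonatype OSS Index).
#
# Triggers: pushes to main, non-draft pull requests against main, manual
# dispatch, and reuse from another workflow (workflow_call). Two scans run:
# one over DESCRIPTION (Depends/Imports/Suggests) and one over renv.lock when
# that file exists.
#
# Notes for maintainers:
#   - A scan *error* (e.g. the scanner or its API failing) is caught and logged
#     but does not fail the job (fail-open). A green run whose log contains
#     "Caught an error!" means "not scanned", not "no vulnerabilities".
#   - `allow-failure` defaults to false, so by default findings are only
#     reported and never block a merge. Callers that want the audit to gate
#     merges must pass `allow-failure: true`.
name: Audit Dependencies 🕵️♀️

on:
  push:
    branches:
      - main
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
    branches:
      - main
  workflow_dispatch:
  workflow_call:
    inputs:
      package-subdirectory:
        description: Subdirectory in the repository, where the R package is located.
        required: false
        type: string
        default: "."
      allow-failure:
        description: Allow workflow to fail if one or more vulnerabilities are found.
        required: false
        type: boolean
        default: false

# Least privilege: the job only checks out the repository and calls an external
# scanner; it never writes to the repository, issues or packages. When invoked
# via workflow_call this can only narrow, never widen, the caller's permissions.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    container:
      # NOTE(review): a mutable `latest` tag means the toolchain (R, oysteR)
      # can change underneath this workflow without any commit here. Pinning
      # to an image digest (`image@sha256:...`) makes runs reproducible.
      image: ghcr.io/insightsengineering/rstudio:latest
    name: oysteR scan 🦪
    # Skip when the pushed commit message carries "[skip audit]", and never
    # run on draft PRs. On pull_request/workflow_dispatch events `commits` is
    # absent, so the first clause is true there; on non-PR events
    # `pull_request` is null, which GitHub's expression engine compares equal
    # to false, so the second clause is true there.
    # NOTE(review): `commits[0]` is the first commit in the push payload, not
    # necessarily HEAD; for multi-commit pushes `github.event.head_commit`
    # may be what is intended — confirm before changing.
    if: >
      !contains(github.event.commits[0].message, '[skip audit]')
      && github.event.pull_request.draft == false
    steps:
      - name: Checkout repo 🛎
        # NOTE(review): prefer pinning third-party actions to a full commit
        # SHA (with the tag in a trailing comment) rather than a mutable
        # major-version tag, so the action code cannot change silently.
        uses: actions/checkout@v3

      - name: Normalize inputs 🛠️
        id: normalizer
        # The input is handed to the script through `env:` rather than being
        # interpolated into the script text with `${{ }}`, so its value is
        # never parsed by the shell.
        env:
          ALLOW_FAILURE_INPUT: ${{ inputs.allow-failure }}
        run: |
          # `inputs.allow-failure` is empty unless the workflow was invoked via
          # workflow_call; normalise to the documented default of "false".
          ALLOW_FAILURE="${ALLOW_FAILURE_INPUT:-false}"
          echo "allow-failure=$ALLOW_FAILURE" >> "$GITHUB_ENV"
        shell: bash

      - name: Run oysteR scan on dependencies 🔍
        env:
          ALLOW_FAILURE: ${{ env.allow-failure }}
        run: |
          # Read the normalised flag from the environment instead of
          # interpolating `${{ env.allow-failure }}` into the R source.
          allow_failure <- identical(Sys.getenv("ALLOW_FAILURE"), "true")
          tryCatch(
            expr = {
              # Audit every package listed in DESCRIPTION, Suggests included.
              dependencies_scan <- oysteR::audit_description(
                dir = ".",
                fields = c("Depends", "Imports", "Suggests"),
                verbose = TRUE
              )
              print(as.data.frame(
                dependencies_scan[c(
                  "package",
                  "version",
                  "vulnerabilities",
                  "no_of_vulnerabilities"
                )]
              ))
              Sys.sleep(1)
              deps_with_vulnerabilities <- subset(dependencies_scan, no_of_vulnerabilities > 0)
              if (nrow(deps_with_vulnerabilities) > 0) {
                message("❗ Vulnerabilities found in the following dependencies:")
                # One package name per line; passing the data.frame column to
                # message() would print a deparsed vector instead of the names.
                message(paste(deps_with_vulnerabilities$package, collapse = "\n"))
                # Only gate the job when the caller opted in via allow-failure.
                if (allow_failure) quit(status = 1)
              }
            },
            error = function(e) {
              # Fail-open by design: a scanner/API error is reported but does
              # not fail the job. Check the log before trusting a green run.
              message('🚨 Caught an error!')
              print(e)
            }
          )
        shell: Rscript {0}
        working-directory: ${{ inputs.package-subdirectory }}

      - name: Run oysteR scan on renv.lock 🔒
        env:
          ALLOW_FAILURE: ${{ env.allow-failure }}
        # NOTE(review): unlike the DESCRIPTION scan, this step has no
        # `working-directory`, so it looks for renv.lock at the repository
        # root rather than in `package-subdirectory`. Presumably intentional
        # (lockfiles usually live at the root) — confirm for monorepo callers.
        run: |
          allow_failure <- identical(Sys.getenv("ALLOW_FAILURE"), "true")
          tryCatch(
            expr = {
              if (file.exists("renv.lock")) {
                renv_lock_scan <- oysteR::audit_renv_lock(dir = ".", verbose = TRUE)
                print(as.data.frame(
                  renv_lock_scan[c(
                    "package",
                    "version",
                    "vulnerabilities",
                    "no_of_vulnerabilities"
                  )]
                ))
                Sys.sleep(1)
                deps_with_vulnerabilities <- subset(renv_lock_scan, no_of_vulnerabilities > 0)
                if (nrow(deps_with_vulnerabilities) > 0) {
                  message("❗ Vulnerabilities found in the following dependencies:")
                  # One package name per line (see the DESCRIPTION scan above).
                  message(paste(deps_with_vulnerabilities$package, collapse = "\n"))
                  if (allow_failure) quit(status = 1)
                }
              } else {
                print("No renv.lock file, not scanning.")
              }
            },
            error = function(e) {
              # Fail-open by design; see the DESCRIPTION scan step.
              message('🚨 Caught an error!')
              print(e)
            }
          )
        shell: Rscript {0}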