|
47 | 47 | exit 1 |
48 | 48 | fi |
49 | 49 |
|
| 50 | + e2e-sarif: |
| 51 | + runs-on: ubuntu-latest |
| 52 | + steps: |
| 53 | + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 |
| 54 | + with: |
| 55 | + fetch-depth: 0 |
| 56 | + |
| 57 | + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 |
| 58 | + with: |
| 59 | + python-version: '3.12' |
| 60 | + |
| 61 | + - name: Install CLI from local repo |
| 62 | + run: | |
| 63 | + python -m pip install --upgrade pip |
| 64 | + pip install . |
| 65 | +
|
| 66 | + - name: Verify --sarif-reachable-only without --reach exits non-zero |
| 67 | + run: | |
| 68 | + if socketcli --sarif-reachable-only --api-token dummy 2>&1; then |
| 69 | + echo "FAIL: Expected non-zero exit" |
| 70 | + exit 1 |
| 71 | + else |
| 72 | + echo "PASS: Exited non-zero as expected" |
| 73 | + fi |
| 74 | +
|
| 75 | + - name: Run Socket CLI scan with --sarif-file |
| 76 | + env: |
| 77 | + SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }} |
| 78 | + run: | |
| 79 | + set -o pipefail |
| 80 | + socketcli \ |
| 81 | + --target-path tests/e2e/fixtures/simple-npm \ |
| 82 | + --sarif-file /tmp/results.sarif \ |
| 83 | + --disable-blocking \ |
| 84 | + 2>&1 | tee /tmp/sarif-output.log |
| 85 | +
|
| 86 | + - name: Verify SARIF file is valid |
| 87 | + run: | |
| 88 | + python3 -c " |
| 89 | + import json, sys |
| 90 | + with open('/tmp/results.sarif') as f: |
| 91 | + data = json.load(f) |
| 92 | + assert data['version'] == '2.1.0', f'Invalid version: {data[\"version\"]}' |
| 93 | + assert '\$schema' in data, 'Missing \$schema' |
| 94 | + count = len(data['runs'][0]['results']) |
| 95 | + print(f'PASS: Valid SARIF 2.1.0 with {count} result(s)') |
| 96 | + " |
| 97 | +
|
50 | 98 | e2e-reachability: |
51 | 99 | runs-on: ubuntu-latest |
52 | 100 | steps: |
@@ -107,3 +155,41 @@ jobs: |
107 | 155 | cat /tmp/reach-output.log |
108 | 156 | exit 1 |
109 | 157 | fi |
| 158 | +
|
| 159 | + - name: Run scan with --sarif-file (all results) |
| 160 | + env: |
| 161 | + SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }} |
| 162 | + run: | |
| 163 | + socketcli \ |
| 164 | + --target-path tests/e2e/fixtures/simple-npm \ |
| 165 | + --reach \ |
| 166 | + --sarif-file /tmp/sarif-all.sarif \ |
| 167 | + --disable-blocking \ |
| 168 | + 2>/dev/null || true |
| 169 | +
|
| 170 | + - name: Run scan with --sarif-file --sarif-reachable-only (filtered results) |
| 171 | + env: |
| 172 | + SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }} |
| 173 | + run: | |
| 174 | + socketcli \ |
| 175 | + --target-path tests/e2e/fixtures/simple-npm \ |
| 176 | + --reach \ |
| 177 | + --sarif-file /tmp/sarif-reachable.sarif \ |
| 178 | + --sarif-reachable-only \ |
| 179 | + --disable-blocking \ |
| 180 | + 2>/dev/null || true |
| 181 | +
|
| 182 | + - name: Verify reachable-only results are a subset of all results |
| 183 | + run: | |
| 184 | + python3 -c " |
| 185 | + import json |
| 186 | + with open('/tmp/sarif-all.sarif') as f: |
| 187 | + all_data = json.load(f) |
| 188 | + with open('/tmp/sarif-reachable.sarif') as f: |
| 189 | + reach_data = json.load(f) |
| 190 | + all_count = len(all_data['runs'][0]['results']) |
| 191 | + reach_count = len(reach_data['runs'][0]['results']) |
| 192 | + print(f'All results: {all_count}, Reachable-only results: {reach_count}') |
| 193 | + assert reach_count <= all_count, f'FAIL: reachable ({reach_count}) > all ({all_count})' |
| 194 | + print('PASS: Reachable-only results is a subset of all results') |
| 195 | + " |
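Review bot: Both new scan steps end in `2>/dev/null || true`, so an authentication failure, an empty `SOCKET_CLI_API_TOKEN` (for example on a run where repository secrets are not exposed), or a crash of `socketcli` is silently accepted, and the job only fails later in the verify step with a FileNotFoundError after the real diagnostic has been discarded. The `e2e-sarif` job earlier in this file runs the same command with `set -o pipefail` and `2>&1 | tee /tmp/sarif-output.log`; these two steps should match it (`set -o pipefail` before the command, and `2>&1 | tee /tmp/sarif-all.log` / `tee /tmp/sarif-reachable.log` in place of `2>/dev/null || true`) so that a failed scan fails the test and the output is kept for debugging — whether `--disable-blocking` alone already keeps the exit code at zero on findings is not visible here and would need confirming. Separately, `assert reach_count <= all_count` only compares sizes, so a filter that returned the wrong findings but fewer of them would still pass; building a set of `(ruleId, location)` keys from each file and asserting `reach_keys <= all_keys` would check the subset property the step name claims. The `e2e-reachability` job begins before this hunk.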