Diogo Gaspar edited this page Mar 2, 2025 · 4 revisions

dirty-waters-action

Welcome to the dirty-waters-action wiki!

Here you'll find the resources you need in order to run the action in your project and find smells in its software supply chain.

You can find it in the GitHub Actions Marketplace as well!

Getting started

This repository includes an example workflow, which can serve as a basis for what you may include in your own repo.

Example Workflow
name: Dirty Waters Analysis

on:
  pull_request:
  push:
    branches:
      - main
      - master
    paths:
      # Include the one(s) relevant for your use case
      - "**/package.json"
      - "**/package-lock.json"
      - "**/yarn.lock"
      - "**/pnpm-lock.yaml"
      - "**/pom.xml"
  workflow_dispatch:
    inputs:
      ignore_cache:
        description: "Ignore the repository cache for this run"
        required: false
        default: "false"

permissions: read-all

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write

    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Run Static Dirty Waters analysis
        id: static-analysis
        uses: chains-project/dirty-waters-action@91ab1fc990743b6fe522158dc808358d9f225e0a
        with:
          # example args, change as needed
          github_token: ${{ secrets.GITHUB_TOKEN }}
          package_manager: npm # Change this according to your project
          allow_pr_comment: true # Optional: comments on PRs if high severity issues are found
          comment_on_commit: false # Optional: comments on commits (if not PR/if above is false) if high severity issues are found
          gradual_report: false
          ignore_cache: ${{ github.event.inputs.ignore_cache }}

Let's break down each of its components.

When to run the workflow

By default, the workflow runs on commits made in pull requests; it can also be run manually (workflow_dispatch), and on pushes to the main and master branches whenever any of the listed dependency manifest or lock files change.

Caching

dirty-waters requires a lot of GitHub API calls and further processing, which makes standalone runs take quite a bit of time. As such, the first time you run the action, it'll take some time! However, under the hood, the action uses caching, so subsequent runs should be fast.

Tool Inputs

The action receives quite a few input parameters for the tool to run, which are listed in this project's README.
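The example workflow above pins both actions to full commit SHAs and restricts the default token to read-all. The following check, added here as an illustration and not part of the action or this wiki, scans a workflow file for those two properties; it uses only the standard library and works on the YAML text directly, so the sample workflow embedded in it is a constructed, trimmed copy of the one above.

```python
import re

# Constructed sample: the relevant lines of the example workflow from this page.
SAMPLE_WORKFLOW = """\
permissions: read-all

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          persist-credentials: false
      - uses: chains-project/dirty-waters-action@91ab1fc990743b6fe522158dc808358d9f225e0a
"""

USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return every `uses:` reference that is not pinned to a full 40-hex commit SHA.

    Tag or branch references (e.g. actions/checkout@v4) are mutable and can be
    repointed upstream; a commit SHA is not. Local (./path) and docker:// actions
    are skipped because the SHA rule does not apply to them."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append(ref)
    return findings


def top_level_permissions_read_only(workflow_text):
    """True if the top-level `permissions:` block grants no write scope.

    Accepts the read-all shorthand, an empty mapping, or a mapping with no
    `: write` entries. A missing block returns False, since the repository's
    default token permissions may then grant write access."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        match = re.match(r"^permissions:[ \t]*(.*?)[ \t]*$", line)
        if not match:
            continue
        value = match.group(1)
        if value:
            return value in ("read-all", "{}")
        for nxt in lines[i + 1:]:          # mapping form: scan the indented entries
            if not nxt.startswith(" "):
                break
            if re.search(r":\s*write\b", nxt):
                return False
        return True
    return False
```

Job-level `permissions:` blocks (like the `pull-requests: write` the analyze job needs for PR comments) are intentionally not counted against the top-level default.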

Questions & Feedback

If you have any questions regarding the action, feel free to contact us by e-mail or by opening a GitHub Issue.

We also provide a form where you can give more detailed feedback on the tool's usage!
