isnad-scan-action/action.yml at main · counterspec/isnad-scan-action · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
name: 'ISNAD Scan'
description: 'Security scanner for AI agent skills - detect dangerous patterns before they reach production'
author: 'ISNAD Protocol'
branding:
  icon: 'shield'
  color: 'green'

inputs:
  path:
    description: 'Path to scan (default: current directory)'
    required: false
    default: '.'
  fail-on:
    description: 'Fail the check on this trust level or worse (WARN, DANGER, or never)'
    required: false
    default: 'DANGER'
  verbose:
    description: 'Show verbose output'
    required: false
    default: 'false'
  version:
    description: 'isnad-scan version to install (default: latest)'
    required: false
    default: ''

outputs:
  trust-level:
    description: 'Trust level result (SAFE, WARN, DANGER)'
  findings-count:
    description: 'Number of findings'
  report:
    description: 'Full scan report'

runs:
  using: 'composite'
  steps:
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: '3.11'

    - name: Install isnad-scan
      shell: bash
      run: |
        VERSION="${{ inputs.version }}"
        if [ -n "$VERSION" ]; then
          pip install "isnad-scan==$VERSION"
        else
          pip install isnad-scan
        fi

    - name: Run scan
      id: scan
      shell: bash
      run: |
        set +e

        VERBOSE_FLAG=""
        if [ "${{ inputs.verbose }}" = "true" ]; then
          VERBOSE_FLAG="-v"
        fi

        SCAN_PATH="${{ inputs.path }}"
        OUTPUT=$(isnad-scan "$SCAN_PATH" $VERBOSE_FLAG 2>&1)
        EXIT_CODE=$?

        echo "$OUTPUT"

        # Parse trust level
        if echo "$OUTPUT" | grep -q "DANGER"; then
          TRUST_LEVEL="DANGER"
        elif echo "$OUTPUT" | grep -q "WARN"; then
          TRUST_LEVEL="WARN"
        else
          TRUST_LEVEL="SAFE"
        fi

        # Count findings
        FINDINGS=$(echo "$OUTPUT" | grep -c "^\[" || echo "0")

        echo "trust-level=$TRUST_LEVEL" >> $GITHUB_OUTPUT
        echo "findings-count=$FINDINGS" >> $GITHUB_OUTPUT

        # Save report for output
        echo "report<<EOF" >> $GITHUB_OUTPUT
        echo "$OUTPUT" >> $GITHUB_OUTPUT
        echo "EOF" >> $GITHUB_OUTPUT

        # Determine if we should fail
        FAIL_ON="${{ inputs.fail-on }}"
        SHOULD_FAIL=0

        if [ "$FAIL_ON" = "WARN" ] && [ "$TRUST_LEVEL" != "SAFE" ]; then
          SHOULD_FAIL=1
        elif [ "$FAIL_ON" = "DANGER" ] && [ "$TRUST_LEVEL" = "DANGER" ]; then
          SHOULD_FAIL=1
        fi

        if [ $SHOULD_FAIL -eq 1 ]; then
          echo "::error::ISNAD Scan failed with trust level: $TRUST_LEVEL"
          exit 1
        fi