Google Git
Sign in
apache / infrastructure-gha-workflow-scanner

Apache infrastructure

Mirrored from https://github.com/apache/infrastructure-gha-workflow-scanner.git
Clone this repo:

Branches

  1. 9609e85 Merge pull request #16 from apache/sebbASF-patch-1 by Gavin McDonald · 2 days ago main
  2. bc9e0a8 Update test_workflow_deleteme.yml by dfoulks1 · 7 days ago
  3. 4fb1176 Update test_workflow_deleteme.yml by dfoulks1 · 7 days ago
  4. cc8a9f6 Update test_workflow_deleteme.yml by dfoulks1 · 7 days ago
  5. b29c79a Update test_workflow_deleteme.yml by dfoulks1 · 7 days ago

ASF GitHub Actions Workflow Scanner

Setting up

pipenv install

REQUIRES: a Read-Only GitHub token

Copy the gha-workflow-scanner.example file to gha-workflow-scanner.yaml Edit gha-workflow-scanner.yaml Optionally, use a different file with these values and pass it to scanner.py with -c/--config.

Testing

This product uses pytest. Ensure that checks run after modification. e.g.: pytest tests/checks.py

will test the configured checks.

Starting

pipenv run python3 ./scanner.py

Logging

The policy scanner logs to logs/gha_scanner.log by default.

Description

When started as a service, the scanner will check GitHub Actions Workflows for compliance with our policy checks. If a workflow in the scanned repository is found to be non-compliant, an email will be sent to the owning PMC and infrastructure.