Apache infrastructure

ASF GitHub Actions Workflow Scanner

Setting up

pipenv install

REQUIRES: a Read-Only GitHub token

  1. Copy the gha-workflow-scanner.example file to gha-workflow-scanner.yaml
  2. Edit gha-workflow-scanner.yaml
  3. Optionally, use a different file with these values and pass it to scanner.py with -c/--config.

Testing

This product uses pytest. Ensure that checks run after modification, e.g.:

pytest tests/checks.py

will test the configured checks.

Starting

pipenv run python3 ./scanner.py

Logging

The policy scanner logs to logs/gha_scanner.log by default.

Description

When started as a service, the scanner will check GitHub Actions Workflows for compliance with our policy checks. If a workflow in the scanned repository is found to be non-compliant, an email will be sent to the owning PMC and infrastructure.
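
To illustrate the kind of policy check described above, here is an added example; it is not code from this repository. The rule itself (third-party actions must be pinned to a full commit SHA), the TRUSTED_OWNERS allow-list, the function names and the sample workflow are all assumptions made for the illustration.

```python
import re

# Hypothetical policy rule for illustration: every third-party `uses:`
# reference must be pinned to a full 40-character commit SHA.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TRUSTED_OWNERS = {"actions", "github", "apache"}  # assumed allow-list


def check_pinned_actions(workflow_text):
    """Return a list of (line_number, reference, reason) findings."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images are not checked here
        action, _, version = ref.partition("@")
        owner = action.split("/", 1)[0].lower()
        if owner in TRUSTED_OWNERS:
            continue
        if not version:
            findings.append((lineno, ref, "no version given"))
        elif not SHA_RE.match(version):
            findings.append((lineno, ref, "not pinned to a commit SHA"))
    return findings


def is_compliant(workflow_text):
    """A workflow is compliant when the check produces no findings."""
    return not check_pinned_actions(workflow_text)


# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@v2
      - uses: example-org/deploy@0123456789abcdef0123456789abcdef01234567
      - name: local
        uses: ./.github/actions/lint
"""

if __name__ == "__main__":
    for lineno, ref, reason in check_pinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

A tag such as v2 can be moved to a different commit by the action's owner, which is why this example check accepts only a full SHA for owners outside the allow-list.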