zizmor 1.24.1

Static analysis for GitHub Actions
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

//! GitHub workflow command-formatted output.
//!
//! See: <https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions>

use std::io;

use anyhow::Result;

use crate::{Severity, finding::Finding};

impl Severity {
    /// Converts a `Severity` to a GitHub Actions command command.
    fn as_github_command(&self) -> &str {
        // TODO: Does this mapping make sense?
        match self {
            Severity::Informational => "notice",
            Severity::Low => "warning",
            Severity::Medium => "warning",
            Severity::High => "error",
        }
    }
}

impl Finding<'_> {
    fn format_command(&self, sink: &mut impl io::Write) -> Result<()> {
        let primary = self.primary_location();

        // NOTE: We intentionally only use the start line, since our spans
        // sometimes end at EOF and GitHub's annotations don't handle that
        // gracefully.
        let filepath = primary.symbolic.key.sarif_path();
        let start_line = primary.concrete.location.start_point.row + 1;
        let title = self.ident;

        let message = format!(
            "{filename}:{start_line}: {desc}: {annotation}",
            filename = primary.symbolic.key.filename(),
            desc = self.desc,
            annotation = primary.symbolic.annotation,
        );

        writeln!(
            sink,
            "::{} file={filepath},line={start_line},title={title}::{message}",
            self.determinations.severity.as_github_command()
        )?;

        Ok(())
    }
}

pub(crate) fn output(sink: impl io::Write, findings: &[Finding]) -> Result<()> {
    let mut sink = sink;

    for finding in findings {
        finding.format_command(&mut sink)?;
    }

    Ok(())
}