Merge pull request #30 from AikidoSec/feat/expose-scan-result-url

Expose scan result URL

Author: willem-delbare

.github/workflows/test.yaml

@@ -1,16 +1,20 @@
 name: Test action
 on:
   pull_request:
-  push:
     branches:
-      - main
+        - '*'
 
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+
       - name: Test action on current repository
+        id: scan
         uses: ./
         with:
           secret-key: ${{ secrets.AIKIDO_SECRET_KEY }}
+          minimum-severity: 'MEDIUM'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          post-scan-status-comment: true

README.md

@@ -30,6 +30,8 @@ jobs:
             fail-on-iac-scan: false
             minimum-severity: 'CRITICAL'
             timeout-seconds: 180
+            post-scan-status-comment: true
+            github-token: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 The action has 3 possible outcomes: 
@@ -46,6 +48,9 @@ Optional fields:
 - `fail-on-dependency-scan`: Determines wether Aikido should block on new dependency issues (CVEs).
 - `fail-on-sast-scan`: Determines wether Aikido should block on new SAST issues. This is available in all [paid plans](https://www.aikido.dev/pricing).
 - `fail-on-iac-scan`: Determines wether Aikido should block on new Infrastructure as Code issues. This is available in all [paid plans](https://www.aikido.dev/pricing).
+- `post-scan-status-comment`: Let Aikido post a comment on the PR (when in PR context) with the latest scan status and a link to the scan results.
+- `github-token`: Optional. If the default `${{ secrets.GITHUB_TOKEN }}` environment token does not have write capabilities, Aikido needs a PAT with specific permissions to read and write comments in a PR.
+
 
 ## Contributing
 

action.yaml

@@ -29,12 +29,22 @@ inputs:
     description: 'Provide a number of seconds the action will wait for scans to complete.'
     required: false
     default: "120"
+  post-scan-status-comment:
+    description: 'Let Aikido post a comment on the PR with a summary of the status, this comment will be updated for each scan.'
+    required: false
+    default: "false"
+  github-token:
+    description: 'A token that the action can use to post the status comment, this can be the default GITHUB_TOKEN from the environment with permissions to list and post comments, or a custom PAT.'
+    required: false
+    default: ""
 outputs:
   outcome:
     description: |
       'The outcome of the scan. This will return `SUCCESS` in case we managed to do a scan and no new critical issues were found.\n
       When we did not get results back in time, within 2 minutes, we will return a `TIMEOUT` status but not let the action fail. 
       In case we did detect a new critical issue, the action will fail and outcome will be `FAILED`'
+  scanResultUrl:
+    description: 'A link to the scan results in Aikido.'
 runs:
   using: 'node16'
   main: 'dist/index.js'