Initial commit

Dockerfile

@@ -0,0 +1,6 @@
+FROM composer:latest
+
+COPY entrypoint.sh /entrypoint.sh
+COPY jsonToOutput.php /jsonToOutput.php
+
+ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -0,0 +1,34 @@
+# Composer Audit action
+
+This action run `composer audit` command and print user-friendly summary.
+
+## Inputs
+
+## Outputs
+
+## Example usage
+
+```yaml
+jobs:
+  composer-audit:
+    runs-on: ubuntu-latest
+    name: Composer audit
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+
+      - name: Install PHP with extensions
+        uses: shivammathur/[email protected]
+        with:
+          coverage: "none"
+          php-version: 8.2
+          tools: composer:v2
+
+      - name: "Composer install"
+        uses: "ramsey/[email protected]"
+        with:
+          composer-options: "--prefer-dist"
+
+      - name: Run composer audit
+        uses: alamirault/composer-audit-action@v1
+```

action.yml

@@ -0,0 +1,5 @@
+name: 'Composer Audit'
+description: 'Github Actions for Composer audit'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'

entrypoint.sh

@@ -0,0 +1,10 @@
+#!/bin/sh -l
+
+composer audit --format=json --no-scripts --no-plugins --no-interaction > composer-audit-output.json
+status=$?
+
+cat composer-audit-output.json
+
+php /jsonToOutput.php composer-audit-output.json >> $GITHUB_STEP_SUMMARY
+
+exit $status;

jsonToOutput.php

@@ -0,0 +1,89 @@
+<?php
+
+renderFlavoredMarkdown($argv[1]);
+
+function renderFlavoredMarkdown(string $filename): void
+{
+    $json = file_get_contents($filename);
+    $data = json_decode($json, true);
+
+    echo renderAdvisories($data['advisories']);
+    echo "\n\n";
+    echo renderAbandonedPackages($data['abandoned'] ?? []);
+    echo "\n";
+}
+
+/**
+ * @param array<string, array<array{advisoryId: string, packageName: string, affectedVersions: string, title: string, cve: string, link: string, reportedAt: string}>> $advisories
+ * @return string
+ */
+function renderAdvisories(array $advisories): string
+{
+    $output = <<<MARKDOWN
+## :exclamation: Security vulnerability advisories :exclamation:
+
+MARKDOWN;
+
+    if (empty($advisories)) {
+        $output .= 'No security vulnerability advisories found.';
+        return $output;
+    }
+
+    $output .= <<<MARKDOWN
+| Package | CVE | Affected versions | Reported at |
+| ------- | --- | ----------------- | ----------- |
+MARKDOWN;
+
+    foreach ($advisories as $issues) {
+        foreach ($issues as $issue){
+            $cve = sprintf(
+                '[%s](%s): %s',
+                $issue['cve'],
+                $issue['link'],
+                $issue['title'],
+            );
+
+            $output .= sprintf(
+                "\n| %s | %s | %s | %s |",
+                $issue['packageName'],
+                $cve,
+                $issue['affectedVersions'],
+                DateTime::createFromFormat(DATE_ATOM, $issue['reportedAt'])->format('Y-m-d H:i:s'),
+            );
+        }
+    }
+
+    return $output;
+}
+
+/**
+ * @param array<string, string> $abandonedPackages
+ * @return string
+ */
+function renderAbandonedPackages(array $abandonedPackages): string
+{
+    $output = <<<MARKDOWN
+## :warning: Abandoned :warning:
+
+MARKDOWN;
+
+    if (empty($abandonedPackages)) {
+        $output .= 'No abandoned packages';
+        return $output;
+    }
+
+    $output .= <<<MARKDOWN
+| Abandoned Package | Suggested Replacement |
+| ----------------- | --------------------- |
+MARKDOWN;
+
+    foreach ($abandonedPackages as $abandoned => $replacement) {
+        $output .= sprintf(
+            "\n| %s | %s |",
+            $abandoned,
+            $replacement
+        );
+    }
+
+    return $output;
+}