agent-security-action/action.yml at main · empowered-humanity/agent-security-action · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
name: 'Agent Security Scan'
description: 'Scan for AI agent security vulnerabilities with 190+ detection patterns covering OWASP ASI Top 10, MCP security, and credential exposure'
author: 'Empowered Humanity'

inputs:
  path:
    description: 'Path to scan (relative to repository root)'
    required: false
    default: '.'
  severity:
    description: 'Minimum severity to report (critical, high, medium, low)'
    required: false
    default: 'medium'
  format:
    description: 'Output format (console, json, sarif)'
    required: false
    default: 'sarif'
  fail-on:
    description: 'Fail if findings at or above this severity (critical, high, medium, low)'
    required: false
    default: 'high'
  upload-sarif:
    description: 'Upload SARIF results to GitHub Code Scanning'
    required: false
    default: 'true'
  version:
    description: 'Version of @empowered-humanity/agent-security to use'
    required: false
    default: 'latest'

outputs:
  findings-count:
    description: 'Total number of findings'
    value: ${{ steps.scan.outputs.findings-count }}
  risk-level:
    description: 'Overall risk level (critical, high, moderate, low)'
    value: ${{ steps.scan.outputs.risk-level }}
  sarif-file:
    description: 'Path to SARIF output file (if format is sarif)'
    value: ${{ steps.scan.outputs.sarif-file }}

runs:
  using: 'composite'
  steps:
    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '20'

    - name: Run Agent Security Scan
      id: scan
      shell: bash
      run: |
        SARIF_FILE="${{ runner.temp }}/agent-security-results.sarif"
        SCAN_EXIT=0

        npx --yes @empowered-humanity/agent-security@${{ inputs.version }} scan \
          ${{ inputs.path }} \
          --severity ${{ inputs.severity }} \
          --format ${{ inputs.format }} \
          --fail-on ${{ inputs.fail-on }} \
          --output "$SARIF_FILE" \
          || SCAN_EXIT=$?

        if [ -f "$SARIF_FILE" ]; then
          FINDINGS=$(node -e "
            const fs = require('fs');
            const data = JSON.parse(fs.readFileSync('$SARIF_FILE', 'utf8'));
            console.log(data.runs[0].results.length);
          ")
          echo "findings-count=$FINDINGS" >> $GITHUB_OUTPUT
          echo "sarif-file=$SARIF_FILE" >> $GITHUB_OUTPUT
        else
          echo "findings-count=0" >> $GITHUB_OUTPUT
          echo "sarif-file=" >> $GITHUB_OUTPUT
        fi

        if [ $SCAN_EXIT -ne 0 ]; then
          echo "risk-level=failed" >> $GITHUB_OUTPUT
        else
          echo "risk-level=passed" >> $GITHUB_OUTPUT
        fi

        exit $SCAN_EXIT

    - name: Upload SARIF to GitHub Code Scanning
      if: ${{ inputs.upload-sarif == 'true' && always() && steps.scan.outputs.sarif-file != '' }}
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: ${{ steps.scan.outputs.sarif-file }}
        category: agent-security

branding:
  icon: 'shield'
  color: 'blue'