Skip to content
Shellcheck

Feature: Checkmarx Cxflow SAST parser #4351

Sign in to view logs

Feature: Checkmarx Cxflow SAST parser

Feature: Checkmarx Cxflow SAST parser #4351

Workflow file for this run

.github/workflows/shellcheck.yml at 8f430c9
---
name: Shellcheck
on:
pull_request:
env:
SHELLCHECK_REPO: 'koalaman/shellcheck'
SHELLCHECK_VERSION: 'v0.9.0'
SHELLCHECK_SHA: '038fd81de6b7e20cc651571362683853670cdc71'
jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Grab shellcheck
run: |
set -e
SHELLCHECK_TARBALL_URL="https://github.com/${SHELLCHECK_REPO}/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz"
SHELLCHECK_TARBALL_LOC="shellcheck.tar.xz"
curl -L "${SHELLCHECK_TARBALL_URL}" -o "${SHELLCHECK_TARBALL_LOC}"
tarball_sha=$(shasum ${SHELLCHECK_TARBALL_LOC} | awk '{print $1}')
if [ "${tarball_sha}" != "${SHELLCHECK_SHA}" ]; then
echo "Got invalid SHA for shellcheck: ${tarball_sha}"
exit 1
fi
tar -xvf "${SHELLCHECK_TARBALL_LOC}"
cd "shellcheck-${SHELLCHECK_VERSION}" || exit 1
mv shellcheck "${GITHUB_WORKSPACE}/shellcheck"
- name: Run shellcheck
shell: bash
run: |
set -o pipefail
# Make sure we already put the proper shellcheck binary in place
if [ ! -f "./shellcheck" ]; then
echo "shellcheck not found"
exit 1
fi
# Make sure we know what to compare the PR's changes against
if [ -z "${GITHUB_BASE_REF}" ]; then
echo "No base reference supplied"
exit 1
fi
num_findings=0
# Execute shellcheck and add errors based on the output
run_shellcheck() {
local modified_shell_script="${1}"
local findings_file="findings.txt"
# Remove leftover findings file from previous iterations
if [ -f "${findings_file}" ]; then
rm "${findings_file}"
fi
echo "Running shellcheck against ${modified_shell_script}..."
# If shellcheck reported no errors (exited with 0 status code), return
if ./shellcheck -f json -S warning "${modified_shell_script}" | jq -c '.[]' > "${findings_file}"; then
return 0
fi
# Walk each of the individual findings
while IFS= read -r finding; do
num_findings=$((num_findings+1))
line=$(echo "${finding}" | jq '.line')
end_line=$(echo "${finding}" | jq '.endLine')
column=$(echo "${finding}" | jq '.column')
end_column=$(echo "${finding}" | jq '.endColumn')
code=$(echo "${finding}" | jq '.code')
title="SC${code}"
message="$(echo "${finding}" | jq -r '.message') See https://github.com/koalaman/shellcheck/wiki/${title}"
echo "Line: ${line}"
echo "End line: ${end_line}"
echo "Column: ${column}"
echo "End column: ${end_column}"
echo "Title: ${title}"
echo "Message: ${message}"
# Raise an error with the file/line/etc
echo "::error file=${modified_shell_script},line=${line},endLine=${end_line},column=${column},endColumn=${end_column},title=${title}::${message}"
done < ${findings_file}
}
# Find the shell scripts that were created or modified by this PR
find_modified_shell_scripts() {
shell_scripts="shell_scripts.txt"
modified_files="modified_files.txt"
modified_shell_scripts="modified_shell_scripts.txt"
find . -name "*.sh" -or -name "*.bash" | sed 's#^\./##' > "${shell_scripts}"
git diff --name-only "origin/${GITHUB_BASE_REF}" HEAD > "${modified_files}"
if [ ! -s "${shell_scripts}" ] || [ ! -s "${modified_files}" ]; then
echo "No modified shell scripts detected"
exit 0
fi
if ! grep -Fxf "${shell_scripts}" "${modified_files}" > "${modified_shell_scripts}"; then
echo "No modified shell scripts detected"
exit 0
fi
}
git fetch origin "${GITHUB_BASE_REF}" || exit 1
find_modified_shell_scripts
# Loop through the modified shell scripts
while IFS= read -r modified_shell_script; do
run_shellcheck "${modified_shell_script}"
done < ${modified_shell_scripts}
# If shellcheck reported any findings, fail the workflow
if [ ${num_findings} -gt 0 ]; then
echo "shellcheck reported ${num_findings} findings."
exit 1
fi