noseyparker icon indicating copy to clipboard operation
noseyparker copied to clipboard

Published 20 hours ago verified publisher icon praetorian-inc

Add a Nosey Parker GitHub Action

Open bradlarsen opened this issue 2 years ago • 5 comments

Truffle Hog has a GitHub Action: https://github.com/marketplace/actions/trufflehog-oss GitLeaks has a GitHub Action: https://github.com/gitleaks/gitleaks-action

Why not Nosey Parker?

bradlarsen avatar Feb 09 '23 19:02 bradlarsen

Another GitHub Action that uses SARIF to share its findings: https://github.com/redhat-plumbers-in-action/differential-shellcheck

bradlarsen avatar Mar 01 '23 13:03 bradlarsen

Hey @bradlarsen

I've created https://github.com/bpsizemore/noseyparker-action - we have just started integrating it into our private CI/CD flows. I'm happy to work with the Praetorian team to make any improvements or changes that make sense. I've tried to make it as flexible as possible and create a straightforward way to use custom rulesets to reduce noise.

bpsizemore avatar Mar 04 '24 02:03 bpsizemore

@bpsizemore That's great! Thanks for the pointer; I will take a closer look at what you've built.

Is this GitHub integration something you have any interest in incorporating upstream, or would you like to maintain it separately?

bradlarsen avatar Mar 04 '24 20:03 bradlarsen

Happy to incorporate it upstream if you guys want to move it into the noseyparker repo or into a separate Praetorian repo.

The docs on Github recommend keeping actions in a separate repository for readability and maintenance and if you want to publish it to the actions marketplace I believe you must have only one action per repository. I had toyed around with the idea of a "scan_local_repo" "scan_github_user" etc but if you wanted to build out more then you'd need to have a different repository per.

If you're developing an action for other people to use, we recommend keeping the action in its own repository instead of bundling it with other application code. This allows you to version, track, and release the action just like any other software.

Storing an action in its own repository makes it easier for the GitHub community to discover the action, narrows the scope of the code base for developers fixing issues and extending the action, and decouples the action's versioning from the versioning of other application code.

https://docs.github.com/en/actions/creating-actions/about-custom-actions#choosing-a-location-for-your-action

bpsizemore avatar Mar 04 '24 21:03 bpsizemore

@bpsizemore thanks for the pointer about GitHub Actions constraints — I wasn't aware of those restrictions.

Longer-term I am interested in making a GitHub Actions such as what you've written an official part of Nosey Parker. But no rush on that, as I'm currently backlogged with some other work.

bradlarsen avatar Mar 22 '24 15:03 bradlarsen