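name: "AI-BOM Scan"
description: "Discover and inventory AI/LLM agents, models, and API integrations in your codebase. Generates SBOM-style reports in CycloneDX, SARIF, SPDX, and more."
author: "Trusera"

# Required permissions in calling workflow:
# permissions:
#   security-events: write  # For SARIF upload to GitHub Code Scanning
#   contents: read          # For checkout

branding:
  icon: "shield"
  color: "blue"

inputs:
  path:
    description: "Directory to scan"
    required: false
    default: "."
  format:
    description: "Output format (cyclonedx, sarif, spdx, table, html, markdown, csv)"
    required: false
    default: "table"
  output:
    description: "Output file path (optional — prints to stdout if not set)"
    required: false
    default: ""
  fail-on:
    description: "Fail the pipeline if any component meets or exceeds this severity (critical, high, medium, low)"
    required: false
    default: ""
  scan-level:
    description: "Scanning depth: quick (pattern-matching only), standard (all scanners), deep (standard + AST analysis)"
    required: false
    default: "standard"
  cedar-policy-file:
    description: "Path to a Cedar policy file for policy evaluation (optional)"
    required: false
    default: ""
  cedar-entities-file:
    description: "Path to a Cedar entities file for additional entity context (optional)"
    required: false
    default: ""
  policy-gate:
    description: "Enable Cedar policy gate evaluation (requires cedar-policy-file)"
    required: false
    default: "false"
  fail-on-severity:
    description: "Cedar gate: only fail on violations at or above this severity (critical, high, medium, low)"
    required: false
    default: ""
  ai-bom-version:
    description: "Exact PyPI version of ai-bom to install. Empty installs the latest release; set it to pin the scanner for reproducible, auditable results."
    required: false
    default: ""

runs:
  using: "composite"
  steps:
    - name: Set up Python
      uses: actions/setup-python@v6.2.0
      with:
        python-version: "3.12"
        # NOTE(review): pip caching keys on a dependency file in the checked-out
        # repository; confirm the calling repo provides one or drop the cache.
        cache: "pip"

    - name: Install ai-bom
      shell: bash
      env:
        AI_BOM_VERSION: ${{ inputs.ai-bom-version }}
      # Without a pin this pulls whatever PyPI serves at run time; callers that
      # need reproducible scans should set the ai-bom-version input.
      run: |
        set -euo pipefail
        if [ -n "$AI_BOM_VERSION" ]; then
          pip install "ai-bom==$AI_BOM_VERSION"
        else
          pip install ai-bom
        fi

    - name: Run ai-bom scan
      id: scan
      shell: bash
      # Inputs are passed through env instead of being interpolated into the
      # script with ${{ }}: an expression is expanded before bash runs, so shell
      # metacharacters in an input value would be executed as part of the
      # script. As environment variables they are plain data, and the bash
      # array keeps paths containing spaces as single arguments.
      env:
        INPUT_PATH: ${{ inputs.path }}
        INPUT_FORMAT: ${{ inputs.format }}
        INPUT_OUTPUT: ${{ inputs.output }}
        INPUT_SCAN_LEVEL: ${{ inputs.scan-level }}
        INPUT_FAIL_ON: ${{ inputs.fail-on }}
      run: |
        set -euo pipefail
        # Build the base command
        args=(scan "$INPUT_PATH" --format "$INPUT_FORMAT" --quiet)
        # Output file: an explicit path wins; SARIF otherwise gets a fixed
        # default name that the upload step reads back via sarif_file.
        if [ -n "$INPUT_OUTPUT" ]; then
          args+=(-o "$INPUT_OUTPUT")
        elif [ "$INPUT_FORMAT" = "sarif" ]; then
          args+=(-o ai-bom-results.sarif)
          echo "sarif_file=ai-bom-results.sarif" >> "$GITHUB_OUTPUT"
        fi
        # Scan level
        if [ "$INPUT_SCAN_LEVEL" = "deep" ]; then
          args+=(--deep)
        fi
        # Fail-on severity threshold
        if [ -n "$INPUT_FAIL_ON" ]; then
          args+=(--fail-on "$INPUT_FAIL_ON")
        fi
        echo "Running: ai-bom ${args[*]}"
        ai-bom "${args[@]}"

    - name: Upload SARIF to GitHub Code Scanning
      # Requires `security-events: write` in the calling workflow (see header).
      if: ${{ inputs.format == 'sarif' && (steps.scan.outputs.sarif_file != '' || inputs.output != '') }}
      uses: github/codeql-action/upload-sarif@v4.35.1
      with:
        sarif_file: ${{ steps.scan.outputs.sarif_file || inputs.output }}

    # ── Cedar Policy Gate ───────────────────────────
    - name: Generate JSON for policy evaluation
      id: policy-scan
      if: ${{ inputs.policy-gate == 'true' && inputs.cedar-policy-file != '' }}
      shell: bash
      env:
        INPUT_PATH: ${{ inputs.path }}
        INPUT_SCAN_LEVEL: ${{ inputs.scan-level }}
      run: |
        set -euo pipefail
        echo "Running supplementary JSON scan for Cedar policy evaluation..."
        args=(scan "$INPUT_PATH" --format json --quiet -o ai-bom-policy-results.json)
        if [ "$INPUT_SCAN_LEVEL" = "deep" ]; then
          args+=(--deep)
        fi
        ai-bom "${args[@]}"
        echo "policy_results=ai-bom-policy-results.json" >> "$GITHUB_OUTPUT"

    - name: Evaluate Cedar policy gate
      if: ${{ inputs.policy-gate == 'true' && inputs.cedar-policy-file != '' }}
      shell: bash
      # Same env-passing discipline as the scan step: file paths and severity
      # values never reach the shell as script text.
      env:
        POLICY_RESULTS: ${{ steps.policy-scan.outputs.policy_results }}
        CEDAR_POLICY_FILE: ${{ inputs.cedar-policy-file }}
        CEDAR_ENTITIES_FILE: ${{ inputs.cedar-entities-file }}
        FAIL_ON_SEVERITY: ${{ inputs.fail-on-severity }}
        ACTION_PATH: ${{ github.action_path }}
      run: |
        set -euo pipefail
        echo "Evaluating Cedar policy: $CEDAR_POLICY_FILE"
        gate_args=("$POLICY_RESULTS" "$CEDAR_POLICY_FILE" --annotations)
        # Cedar-specific severity threshold
        if [ -n "$FAIL_ON_SEVERITY" ]; then
          gate_args+=(--fail-on-severity "$FAIL_ON_SEVERITY")
        fi
        # Cedar entities file
        if [ -n "$CEDAR_ENTITIES_FILE" ]; then
          gate_args+=(--entities "$CEDAR_ENTITIES_FILE")
        fi
        # Write violations to the GitHub Actions job summary when one is available
        if [ -n "${GITHUB_STEP_SUMMARY:-}" ]; then
          gate_args+=(--summary "$GITHUB_STEP_SUMMARY")
        fi
        python3 "$ACTION_PATH/scripts/cedar-gate.py" "${gate_args[@]}"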