diff --git a/script.sh b/script.sh
index 7973d99..2bc0f27 100755
--- a/script.sh
+++ b/script.sh
@@ -69,8 +69,9 @@ echo '::group:: Running tfsec with reviewdog 🐶 ...'
 set +Eeuo pipefail
 
 # shellcheck disable=SC2086
- "${TFSEC_PATH}/tfsec" --format=checkstyle ${INPUT_TFSEC_FLAGS:-} . \
- | "${REVIEWDOG_PATH}/reviewdog" -f=checkstyle \
+ "${TFSEC_PATH}/tfsec" --format=json ${INPUT_TFSEC_FLAGS:-} . \
+ | jq -r -f "${GITHUB_ACTION_PATH}/to-rdjson.jq" \
+ | "${REVIEWDOG_PATH}/reviewdog" -f=rdjson \
 -name="tfsec" \
 -reporter="${INPUT_REPORTER}" \
 -level="${INPUT_LEVEL}" \
@@ -78,7 +79,7 @@ echo '::group:: Running tfsec with reviewdog 🐶 ...'
 -filter-mode="${INPUT_FILTER_MODE}" \
 ${INPUT_FLAGS}
 
- tfsec_return="${PIPESTATUS[0]}" reviewdog_return="${PIPESTATUS[1]}" exit_code=$?
+ tfsec_return="${PIPESTATUS[0]}" reviewdog_return="${PIPESTATUS[2]}" exit_code=$?
 echo "::set-output name=tfsec-return-code::${tfsec_return}"
 echo "::set-output name=reviewdog-return-code::${reviewdog_return}"
 echo '::endgroup::'
diff --git a/to-rdjson.jq b/to-rdjson.jq
new file mode 100644
index 0000000..df18334
--- /dev/null
+++ b/to-rdjson.jq
@@ -0,0 +1,32 @@
+# Convert TFsec JSON output to Reviewdog Diagnostic Format (rdjson)
+# https://github.com/reviewdog/reviewdog/blob/f577bd4b56e5973796eb375b4205e89bce214bd9/proto/rdf/reviewdog.proto
+{
+  source: {
+    name: "tfsec",
+    url: "https://github.com/aquasecurity/tfsec"
+  },
+  diagnostics: .results | map({
+    message: .description,
+    code: {
+      value: .rule_id,
+      url: .links[0],
+    } ,
+    location: {
+      path: .location.filename,
+      range: {
+        start: {
+          line: .location.start_line,
+        },
+      }
+    },
+    severity: (if .severity | startswith("HIGH") then
+      "ERROR"
+    elif .severity | startswith("MEDIUM") then
+      "WARNING"
+    elif .severity | startswith("LOW") then
+      "INFO"
+    else
+      null
+    end),
+  })
+}
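Review bot: The new jq stage's exit status is never examined: `set +Eeuo pipefail` is in effect above the pipeline, so `exit_code=$?` reflects only reviewdog, and the capture line in the second script.sh hunk reads `PIPESTATUS[0]` and `PIPESTATUS[2]` but skips `PIPESTATUS[1]`. A missing `jq` binary, an unset `GITHUB_ACTION_PATH` (the `-u` check is off at that point too) or tfsec output that is not valid JSON would feed reviewdog an empty stream, and the step could finish green having reported no findings. Capture it alongside the others, `jq_return="${PIPESTATUS[1]}"`, and treat a non-zero value as a failure of the step, e.g. `[ "${jq_return}" -eq 0 ] || { echo "::error::to-rdjson.jq failed (exit ${jq_return})"; exit 1; }`. A `command -v jq >/dev/null` check before the pipeline in the first hunk would also make the new dependency explicit rather than relying on the runner image.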
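Review bot: `diagnostics: .results | map({` assumes `.results` is always an array; if tfsec emits `"results": null` for a clean scan (I believe it does, but confirm against the version pinned here), `map` aborts with "Cannot iterate over null" and the step fails exactly when there is nothing to report. Guarding with `diagnostics: (.results // []) | map({` keeps the filter total. The severity branch has the same shape of problem: `startswith` errors on a null `.severity`, and any value outside HIGH/MEDIUM/LOW — tfsec also uses CRITICAL in recent releases, if I recall correctly — falls through to `null`, which reviewdog treats as unknown severity and may drop under a `-level` filter; consider `(.severity // "") | ascii_upcase` as the input and mapping CRITICAL to "ERROR" explicitly, with a comment noting that the fallback is intentional for anything else.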