action.yml
# Composite GitHub Action wrapping the pqc-lint scanner.
# It scans paths relative to the repository root but never checks the
# repository out itself, so callers must run actions/checkout first.
name: "PQC Lint"
description: "Scan code for classical (quantum-vulnerable) cryptography and suggest PQC replacements"
author: "Dyber PQC"

# Marketplace listing appearance (icon is a Feather icon name).
branding:
  icon: shield
  color: blue

inputs:
  # Every input is optional. With the defaults the whole checkout is scanned,
  # output uses the 'github' format, and high or critical findings fail the run.
  # Action inputs are always strings, so defaults are quoted as strings.
  path:
    description: 'Directory or file path to scan (relative to repo root)'
    default: '.'
    required: false
  fail-on:
    description: 'Minimum severity that causes the action to fail. One of: low, medium, high, critical'
    default: 'high'
    required: false
  format:
    description: 'Output format: text, json, sarif, github'
    default: 'github'
    required: false
  output-file:
    description: 'Optional file path to write formatted output to'
    default: ''
    required: false
  exclude:
    description: 'Comma-separated glob patterns to exclude from scan'
    # Dependency and build-artifact trees; the value is quoted so YAML does not
    # read the leading `*` as an alias reference.
    default: '**/node_modules/**,**/.git/**,**/dist/**,**/build/**,**/.venv/**,**/venv/**'
    required: false
  languages:
    description: 'Comma-separated list of languages to scan (python,javascript,go,rust,java,c). Empty = auto-detect all.'
    default: ''
    required: false
  upload-sarif:
    description: 'Upload SARIF results to GitHub code scanning (requires security-events: write permission)'
    # String 'false' on purpose: the upload step gates on the literal 'true'.
    default: 'false'
    required: false

outputs:
  # Every value is forwarded verbatim from the `scan` step. Counts arrive as
  # strings (all step outputs are), so consumers should convert before comparing.
  total-findings:
    value: ${{ steps.scan.outputs.total-findings }}
    description: 'Total number of findings'
  critical:
    value: ${{ steps.scan.outputs.critical }}
    description: 'Number of critical findings'
  high:
    value: ${{ steps.scan.outputs.high }}
    description: 'Number of high findings'
  medium:
    value: ${{ steps.scan.outputs.medium }}
    description: 'Number of medium findings'
  low:
    value: ${{ steps.scan.outputs.low }}
    description: 'Number of low findings'
  sarif-path:
    value: ${{ steps.scan.outputs.sarif-path }}
    description: 'Path to the SARIF file (if generated)'

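runs:
  using: 'composite'
  steps:
    # NOTE(review): both third-party actions below are referenced by mutable
    # major-version tags (@v5, @v3). For supply-chain hardening pin them to a
    # full commit SHA (keep the tag in a trailing comment) and let
    # Dependabot/Renovate bump the SHA.
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: '3.11'
        # Deliberately no `cache: 'pip'`: setup-python keys its pip cache on a
        # requirements.txt/pyproject.toml found in the *caller's* checkout and
        # errors when none exists, which a reusable action cannot assume. The
        # single pinned install below gains little from a cache anyway.

    - name: Install pqc-lint
      shell: bash
      # `shell: bash` in a composite action already runs with -e and pipefail.
      run: |
        python -m pip install --upgrade pip
        # Exact-version pin from PyPI. If that fails (no network, index outage)
        # the copy at the action's own checkout path is installed instead; the
        # warning annotation makes that drift visible in the run, since the
        # scanner version actually executed may then differ from 0.1.0.
        # NOTE(review): this pins by version only, not by artifact hash; a
        # hash-pinned requirements file installed with --require-hashes would
        # close the remaining package-substitution window.
        python -m pip install "pqc-lint==0.1.0" \
          || {
            echo "::warning::pqc-lint==0.1.0 could not be installed from the package index; installing from the action checkout instead"
            python -m pip install "${{ github.action_path }}"
          }

    - name: Run pqc-lint scan
      id: scan
      shell: bash
      # Inputs reach the scanner as environment variables rather than being
      # interpolated into the script, so a caller-controlled value (e.g. a
      # crafted `exclude` pattern) cannot inject shell commands.
      env:
        PQC_LINT_PATH: ${{ inputs.path }}
        PQC_LINT_FAIL_ON: ${{ inputs.fail-on }}
        PQC_LINT_FORMAT: ${{ inputs.format }}
        PQC_LINT_OUTPUT: ${{ inputs.output-file }}
        PQC_LINT_EXCLUDE: ${{ inputs.exclude }}
        PQC_LINT_LANGUAGES: ${{ inputs.languages }}
        # NOTE(review): presumably consumed by action_runner for API calls or
        # annotations; what it may do is bounded by the caller's `permissions:`
        # block. Confirm the runner needs it at all (least privilege) and drop
        # it if not.
        GITHUB_TOKEN: ${{ github.token }}
      # NOTE(review): `inputs.upload-sarif` is not forwarded to the runner; the
      # upload step below depends on the runner emitting a non-empty
      # `sarif-path` output on its own. With the default format 'github',
      # confirm a SARIF file is still written, otherwise the upload is silently
      # skipped by its `if:` condition.
      run: |
        python -m pqc_lint.action_runner

    - name: Upload SARIF to GitHub code scanning
      if: inputs.upload-sarif == 'true' && steps.scan.outputs.sarif-path != ''
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: ${{ steps.scan.outputs.sarif-path }}
      # The scan step's own exit status is the pass/fail gate; an upload
      # failure (missing `security-events: write`, code scanning disabled) does
      # not fail the job. Trade-off: a dropped upload is visible only in the
      # step log, so check it when findings fail to appear in code scanning.
      continue-on-error: true
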
| 94 | |