feat: add audit-report input for SARIF report generation#14

Merged
danielmeppiel merged 4 commits into
mainfrom
feat/audit-report
Mar 17, 2026
Conversation

@danielmeppiel

Collaborator

Summary

Related to microsoft/apm#329

Adds audit-report input and audit-report-path output to the APM action, enabling SARIF audit report generation for GitHub Code Scanning integration.

Changes

action.yml

  • New audit-report input: set to true for default path (apm-audit.sarif), or provide a custom file path
  • New audit-report-path output: path to the generated SARIF report

src/runner.ts

  • New runAuditReport() helper that runs apm audit -f sarif -o <path> after install/unpack
  • Called in both install flow and bundle-restore flow
  • Uses ignoreReturnCode: true — audit exit codes (1=critical, 2=warning) are informational, not action failures
  • Emits core.warning() for critical findings and when APM is unavailable in restore mode

README.md

  • Documented new input/output
  • Added Code Scanning usage example

Usage

- uses: microsoft/apm-action@v1
  id: apm
  with:
    audit-report: true
- uses: github/codeql-action/upload-sarif@v3
  if: always() && steps.apm.outputs.audit-report-path
  with:
    sarif_file: ${{ steps.apm.outputs.audit-report-path }}
    category: apm-audit

Depends on

Requires apm audit --format sarif --output support in apm-cli (microsoft/apm#330).

Tests

42 tests passing (4 new: default path resolution, custom path, critical findings warning, no-op when empty).

- Add audit-report input (true for default path, or custom path)
- Add audit-report-path output for downstream SARIF upload
- Run apm audit -f sarif after install and bundle restore
- Emit core.warning() for critical findings and apm-unavailable fallback
- Update README with usage example

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 16, 2026 22:26

Copilot AI left a comment

Contributor

Pull request overview

Adds an audit-report input to the APM GitHub Action that generates SARIF audit reports via apm audit, with output path exposed for upload to GitHub Code Scanning.

Changes:

  • New audit-report input (accepts true or custom path) and audit-report-path output in action.yml
  • New runAuditReport() helper in src/runner.ts that runs apm audit -f sarif -o <path> after install/unpack, with graceful handling of exit codes and missing APM
  • Documentation and tests for the new feature

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.

Per-file summary:
  action.yml: Adds audit-report input and audit-report-path output
  src/runner.ts: Adds audit report path resolution and runAuditReport() helper
  src/tests/runner.test.ts: 4 new tests covering default path, custom path, critical findings, and no-op
  dist/index.js: Compiled bundle reflecting source changes
  README.md: Documents new input/output with Code Scanning usage example

danielmeppiel and others added 3 commits March 16, 2026 23:57
Write a collapsible markdown summary to $GITHUB_STEP_SUMMARY when
audit-report is enabled. The summary is best-effort and wrapped in a
<details> section so it stays collapsed in the Actions UI.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add core.debug, core.summary, and exec.getExecOutput mocks to
runner.test.ts — runAuditReport() uses these and their absence
caused 3 test failures (core.debug is not a function).

Also add tsconfig.test.json to include test files in TypeScript
compilation and suppress ESM-related TS diagnostics in jest.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Type jest.fn() for summary.write mock to avoid strict-mode
'never' inference — mockResolvedValue needs explicit return type.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
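The runAuditReport() behaviour described in the PR summary (default-path resolution for audit-report: true, ignoreReturnCode semantics for the 1=critical / 2=warning exit codes, core.warning() on critical findings and when APM is unavailable in restore mode) together with the collapsible <details> step summary from the follow-up commit, as an added TypeScript example. This is not the action's own src/runner.ts: the real code uses @actions/exec and @actions/core, which are replaced here by a hypothetical injected AuditDeps interface (exec, warning, setOutput) so the module runs offline, and exec is modelled as synchronous purely for illustration.

```typescript
// Added example modelling the audit-report flow described in this PR.
// It is NOT the action's own src/runner.ts. The real action uses
// @actions/exec and @actions/core; here those are replaced by the
// hypothetical, injected AuditDeps callbacks so the module runs offline.

export const DEFAULT_REPORT_PATH = "apm-audit.sarif";

export type AuditOutcome = "skipped" | "unavailable" | "clean" | "warning" | "critical" | "unexpected";

export interface AuditResult {
  outcome: AuditOutcome;
  reportPath: string | null;
  exitCode: number | null;
}

// Hypothetical dependency shape. `exec` stands in for exec.exec(...) called
// with ignoreReturnCode: true, i.e. it reports the exit code and never throws.
export interface AuditDeps {
  apmAvailable: boolean;
  exec: (cmd: string, args: string[]) => number;
  warning: (message: string) => void;
  setOutput: (key: string, value: string) => void;
}

// Resolve the audit-report input: "true" -> default path, "false"/empty -> off,
// anything else is treated as a custom file path.
export function resolveAuditReportPath(input: string | undefined): string | null {
  const value = (input ?? "").trim();
  const lowered = value.toLowerCase();
  if (value === "" || lowered === "false") return null;
  if (lowered === "true") return DEFAULT_REPORT_PATH;
  return value;
}

export function runAuditReport(input: string | undefined, deps: AuditDeps): AuditResult {
  const reportPath = resolveAuditReportPath(input);
  if (reportPath === null) {
    return { outcome: "skipped", reportPath: null, exitCode: null };
  }
  // Restore mode may run without apm on PATH: warn, do not fail the job.
  if (!deps.apmAvailable) {
    deps.warning("audit-report requested but apm is not available; no SARIF report generated");
    return { outcome: "unavailable", reportPath: null, exitCode: null };
  }
  const exitCode = deps.exec("apm", ["audit", "-f", "sarif", "-o", reportPath]);
  // The path is published regardless of findings so a later upload-sarif step can pick it up.
  deps.setOutput("audit-report-path", reportPath);
  switch (exitCode) {
    case 0:
      return { outcome: "clean", reportPath, exitCode };
    case 1: // critical findings: surface them as an annotation, not a failure
      deps.warning(`apm audit reported critical findings; see ${reportPath}`);
      return { outcome: "critical", reportPath, exitCode };
    case 2: // warning-level findings are recorded in the SARIF file only
      return { outcome: "warning", reportPath, exitCode };
    default:
      deps.warning(`apm audit exited with unexpected code ${exitCode}`);
      return { outcome: "unexpected", reportPath, exitCode };
  }
}

// Collapsible markdown for $GITHUB_STEP_SUMMARY (the <details> block the
// follow-up commit describes); the caller appends it to the summary file.
export function renderStepSummary(result: AuditResult): string {
  if (result.outcome === "skipped") return "";
  const status = result.reportPath === null
    ? "APM unavailable, no report generated"
    : `${result.outcome} (exit code ${result.exitCode}), report: ${result.reportPath}`;
  return [
    "<details>",
    "<summary>APM audit report</summary>",
    "",
    status,
    "",
    "</details>",
  ].join("\n");
}

// Recording test double so the flow can be exercised without a runner.
export function makeRecordingDeps(apmAvailable: boolean, exitCode: number) {
  const warnings: string[] = [];
  const outputs: Record<string, string> = {};
  const commands: string[] = [];
  const deps: AuditDeps = {
    apmAvailable,
    exec: (cmd, args) => { commands.push([cmd, ...args].join(" ")); return exitCode; },
    warning: (message) => { warnings.push(message); },
    setOutput: (key, value) => { outputs[key] = value; },
  };
  return { deps, warnings, outputs, commands };
}
```

The key design point the PR relies on is that the audit step never throws: the exit code is mapped to an outcome and at most a warning annotation, while the output path is set on every run so the `if: always() && steps.apm.outputs.audit-report-path` condition in the README usage example still picks up the SARIF file when findings exist.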
@danielmeppiel danielmeppiel merged commit 6a17a7c into main Mar 17, 2026
11 checks passed