initial commit

.envrc

@@ -0,0 +1,2 @@
+use flake
+dotenv_if_exists .env

.github/workflows/ci.yml

@@ -0,0 +1,48 @@
+name: "CI"
+on:
+  pull_request:
+  push:
+  create:
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: cachix/install-nix-action@v20
+      with:
+        github_access_token: ${{ secrets.GITHUB_TOKEN }}
+        extra_nix_config: |
+          system-features = nixos-test benchmark big-parallel kvm
+    - uses: docker/setup-buildx-action@v2
+    - run: nix build -L
+    - run: nix build -L '.#packages.x86_64-linux.wgithub-action-scan-image'
+    - run: nix flake check
+  publish:
+    needs: tests
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: cachix/install-nix-action@v20
+      with:
+        github_access_token: ${{ secrets.GITHUB_TOKEN }}
+        extra_nix_config: |
+          system-features = nixos-test benchmark big-parallel kvm
+    - uses: docker/setup-buildx-action@v2
+    - name: Extract tag name
+      shell: bash
+      run: echo "##[set-output name=tag;]$(echo ${GITHUB_REF##*/})"
+      id: extract_tag
+    - run: nix build -L '.#packages.x86_64-linux.github-action-scan-image'
+    - run: docker load -i result
+    - name: Log in to the Container registry
+      uses: docker/login-action@v2
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - run: docker tag blackheaven/haskell-security-action ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.extract_tag.outputs.tag }}
+    - run: docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.extract_tag.outputs.tag }}

.gitignore

@@ -0,0 +1,30 @@
+##### Haskell
+dist
+dist-*
+cabal-dev
+*.o
+*.hi
+*.hie
+*.chi
+*.chs.h
+*.dyn_o
+*.dyn_hi
+.hpc
+.hsenv
+.cabal-sandbox/
+cabal.sandbox.config
+*.prof
+*.aux
+*.hp
+*.eventlog
+.stack-work/
+cabal.project.local
+cabal.project.local~
+.HTF/
+.ghc.environment.*
+build
+bin-*
+
+result
+.direnv
+.env

CONTRIBUTING.md

@@ -0,0 +1,53 @@
+# Contributing
+
+Every feedback is welcome!
+
+Do not hesitate to:
+
+- Report bugs
+- Open discussions around the current state of the code
+- Request new features
+- Submit fixes/improvments
+
+everything happen through Github, use Issues/Pull requests features.
+
+See the [Github Flow](https://guides.github.com/introduction/flow/index.html).
+
+## Pull requests
+
+The best way to have a pull requested accepted is to:
+
+1. Fork the repo and create your branch from `master`
+2. If you've added code that should be tested, add tests
+3. If you've changed APIs, update the documentation
+4. Ensure the test suite passes
+5. Make sure your code lints ---------------------------------
+6. Issue that pull request!
+
+## Any contributions you make will be under the ISC Software License
+In short, when you submit code changes, your submissions are understood to be under the same [ISC License](http://choosealicense.com/licenses/isc/) that covers the project. 
+eel free to contact the maintainers if that's a concern.
+
+## Report bugs using Github's issues
+We use GitHub issues to track public bugs. Report a bug by opening a new issue it's that easy!
+
+## Write bug reports with detail, background, and sample code
+[This is an example](http://stackoverflow.com/q/12488905/180626) of a bug report I wrote, and I think it's not a bad model. Here's [another example from Craig Hockenberry](http://www.openradar.me/11905408), an app developer whom I greatly respect.
+
+**Great Bug Reports** tend to have:
+
+- A quick summary and/or background
+- Steps to reproduce
+  - Be specific!
+  - Give sample code if you can. [My stackoverflow question](http://stackoverflow.com/q/12488905/180626) includes sample code that *anyone* with a base R setup can run to reproduce what I was seeing
+- What you expected would happen
+- What actually happens
+- Notes (possibly including why you think this might be happening, or stuff you tried that didn't work)
+
+People *love* thorough bug reports. I'm not even kidding.
+
+## Use a Consistent Coding Style
+Try to mimic the codebase style and run [`ormolu`](https://github.com/tweag/ormolu) on each commit.
+
+## License
+By contributing, you agree that your contributions will be licensed under its ISC License.

LICENSE

@@ -0,0 +1,15 @@
+ISC License
+
+Copyright (c) 2024 Gautier DI FOLCO
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.

README.md

@@ -0,0 +1,34 @@
+# haskell-security-action
+
+Scan for vulnerabilities and create advisories on GitHub.
+
+## Usage
+
+```yaml
+name: security scan
+
+name: Scan for vulnerabilities
+on:
+  # Scan for each push event on your protected branch
+  # push:
+    # branches: [ "main" ]
+  # Scan for pull requests
+  # pull_request:
+    # branches: [ "main" ]
+  # Schedule a daily scan at midnight
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  haskell-security:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Haskell Security Action
+        uses: blackheaven/haskell-security-action
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+```

action.yaml

@@ -0,0 +1,47 @@
+name: Scan code security advisories
+description: Scan Haskell code for possible security advisories.
+
+inputs:
+  path:
+    description: Path of file or directory that will be scanned.
+    required: false
+    default: .
+  token:
+    description: Access token to fetch the repository and write the code scanning results from github-action-scan to GitHub code scanning.
+    required: false
+    default: ${{ github.token }}
+  repository:
+    description: The name of the repository without the .git extension. The name is not case sensitive.
+    required: false
+    default: ${{ github.repository }}
+  ref:
+    description: The full Git reference, formatted as refs/heads/<branch name>, refs/tags/<tag>, refs/pull/<number>/merge, or refs/pull/<number>/head.
+    required: false
+    default: ${{ github.ref }}
+  commitSha:
+    description: The SHA of the commit to which the analysis you are uploading relates.
+    required: false
+    default: ${{ github.sha }}
+
+outputs:
+  sarif-id:
+    description: The ID of the uploaded SARIF file.
+    value: ${{ steps.upload-sarif.outputs.sarif-id }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Run Haskell Security Action"
+      run: |
+        docker run --rm \
+          -v ${{ inputs.path }}:/repository \
+          ghcr.io/blackheaven/haskell-security-action:latest \
+          --token ${{ inputs.token }} \
+          --owner-repository ${{ inputs.repository }} \
+          --ref ${{ inputs.ref }} \
+          --commit-sha ${{ inputs.commitSha }}
+      shell: bash
+
+branding:
+  icon: 'search'
+  color: 'purple'