Github Action Scan executing in incorrect directory
escudev opened this issue
Situation
When I run the GitHub Action scan to execute the Sechub scan (without changes in my configuration files), I notice that the scan is now executing under its own directory instead of the workdir where the code of my app is located.
It seems that the scan is being executed in its own working-directory.
Steps to Reproduce
- Run the GitHub Action scan with Sechub.
- Observe that the scan executes in its own directory instead of the intended workdir.
Debugging showed that the SecHub action creates the zip to analyze with its own code:
2024-10-03 14:06:45 (Z) DEBUG: Loading config file: '/home/runner/actions-runner/_work/mono/mono/generated-sechub.json'
2024-10-03 14:06:45 (Z) DEBUG: appendToSourceCodeZipFile - 1 folders defined: [.]
2024-10-03 14:06:45 (Z) DEBUG: appendToSourceCodeZipFile - 0 files defined: []
2024-10-03 14:06:45 (Z) DEBUG: appendToSourceCodeZipFile - Excludes: [prism bruno certs **/test/** **/node_modules/** **/.gradle/** **/.idea/** **/.vscode/** **/.git/** sechub-false-positives-*.json sechub_report_*.json *.a *.so *.class *.jar *.gif *.jpeg *.jpg *.png .svg *.tar *.xz *.zip]
2024-10-03 14:06:45 (Z) DEBUG: appendToSourceCodeZipFile - SourceCodePatterns: []
2024-10-03 14:06:45 (Z) Zipping folder: . (/home/runner/actions-runner/_work/mono/mono/sechub/github-actions/scan)
2024-10-03 14:06:45 (Z) DEBUG: Adding __data__/reference-data-1/.eslintrc.json
2024-10-03 14:06:45 (Z) DEBUG: Adding __data__/reference-data-1/.gitignore
2024-10-03 14:06:45 (Z) DEBUG: Adding __data__/reference-data-1/.prettierrc.json
2024-10-03 14:06:45 (Z) DEBUG: Adding __data__/reference-data-1/README.adoc
2024-10-03 14:06:45 (Z) DEBUG: Adding __data__/reference-data-1/__test__/client-version-helper.test.ts
2024-10-03 14:06:45 (Z) DEBUG: Adding __data__/reference-data-1/__test__/configuration-builder.test.ts
...
2024-10-03 14:06:45 (Z) DEBUG: Adding __data__/reference-data-1/action.yml
2024-10-03 14:06:45 (Z) DEBUG: Adding __data__/reference-data-1/dist/exec-child.js
2024-10-03 14:06:45 (Z) DEBUG: Adding __data__/reference-data-1/dist/index.js
2024-10-03 14:06:45 (Z) DEBUG: Adding __data__/reference-data-1/jest.config.js
2024-10-03 14:06:45 (Z) DEBUG: "node_modules/.bin/acorn" matches exclude pattern "**/node_modules/**" -> skip
2024-10-03 14:06:45 (Z) DEBUG: "node_modules/.bin/browserslist" matches exclude pattern "**/node_modules/**" -> skip
...
2024-10-03 14:06:46 (Z) DEBUG: Adding __data__/reference-data-1/package-lock.json
2024-10-03 14:06:46 (Z) DEBUG: Adding __data__/reference-data-1/package.json
2024-10-03 14:06:46 (Z) DEBUG: "sourcecode-***.zip" matches exclude pattern "*.zip" -> skip
2024-10-03 14:06:46 (Z) DEBUG: Adding __data__/reference-data-1/src/action-helper.ts
2024-10-03 14:06:46 (Z) DEBUG: Adding __data__/reference-data-1/src/client-download.ts
I have tried running the scan with previous versions of the client, but the same behavior always occurs.
After reviewing this PR, I noticed that you are setting working-directory: ${{ github.workspace }}/sechub/github-actions/scan in the step named "Run SecHub Scan". Could this be related?
Could you please provide support on whether we need to change something in our configuration, or take a look at this issue?
Thank you!
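The log above is the tell: the client resolves the configured folder "." against the step's working directory, so a wrong working-directory silently produces a zip of the action's own sources, and the resulting report gives clean-looking assurance about code that is not the application. A small guard a consumer of the action can run over the client's debug log catches this before the report is trusted. This is an added example, not code from the thread or from the SecHub project; the log excerpt is constructed to mirror the lines quoted above, the expected root is taken from the standard GitHub Actions variable GITHUB_WORKSPACE (falling back to the directory of the loaded config file), and the invariant checked is the one visible in the log, namely that each "Zipping folder: X (Y)" line resolves X against the workspace to Y.

```python
import os
import re

# Constructed excerpt in the format of the debug output quoted in the issue
# (not a real capture); only the lines relevant to the check are kept.
SAMPLE_LOG = """\
2024-10-03 14:06:45 (Z) DEBUG: Loading config file: '/home/runner/actions-runner/_work/mono/mono/generated-sechub.json'
2024-10-03 14:06:45 (Z) DEBUG: appendToSourceCodeZipFile - 1 folders defined: [.]
2024-10-03 14:06:45 (Z) Zipping folder: . (/home/runner/actions-runner/_work/mono/mono/sechub/github-actions/scan)
2024-10-03 14:06:45 (Z) DEBUG: Adding __data__/reference-data-1/action.yml
2024-10-03 14:06:45 (Z) DEBUG: Adding __data__/reference-data-1/dist/index.js
"""

# "Zipping folder: <configured folder> (<resolved absolute path>)"
ZIP_ROOT_RE = re.compile(r"Zipping folder: (?P<folder>\S+) \((?P<resolved>[^)]+)\)")
# "Loading config file: '<absolute path>'"
CONFIG_RE = re.compile(r"Loading config file: '(?P<path>[^']+)'")


def config_dir(log_text):
    """Directory of the config file the client loaded, or None if not logged."""
    m = CONFIG_RE.search(log_text)
    return os.path.dirname(m.group("path")) if m else None


def zip_roots(log_text):
    """(configured folder, resolved absolute path) for every folder zipped."""
    return [(m.group("folder"), m.group("resolved")) for m in ZIP_ROOT_RE.finditer(log_text)]


def check_zip_roots(log_text, workspace):
    """Return a list of problems; empty means every zipped folder resolved
    against the expected workspace, as the configured folder intends."""
    problems = []
    for folder, resolved in zip_roots(log_text):
        expected = os.path.normpath(os.path.join(workspace, folder))
        actual = os.path.normpath(resolved)
        if actual != expected:
            problems.append(
                f"folder {folder!r} resolved to {actual} but should be {expected}"
            )
    if not zip_roots(log_text):
        problems.append("no 'Zipping folder' line found; nothing was zipped")
    return problems


def audit(log_text, workspace=None):
    """Resolve the expected workspace (explicit argument, then GITHUB_WORKSPACE,
    then the loaded config file's directory) and run the check against it."""
    ws = workspace or os.environ.get("GITHUB_WORKSPACE") or config_dir(log_text)
    if ws is None:
        return ["cannot determine expected workspace"]
    return check_zip_roots(log_text, ws)


if __name__ == "__main__":
    # Usage in a CI step: pipe the client's debug log in and fail the job
    # on any finding, so a scan of the wrong tree never yields a green report.
    import sys
    findings = audit(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG)
    for f in findings:
        print("SECHUB ZIP ROOT MISMATCH:", f)
    sys.exit(1 if findings else 0)
```

Comparing the resolved path to the configured folder joined onto the workspace, rather than just checking that the path lies somewhere under the workspace, is what makes the guard catch this case: the action's own directory is inside the repository checkout, so a containment check would have passed it.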
Hello @escudev,
thank you for bringing this issue to our attention. It has been fixed and a new release of the Github Action has been published (https://github.com/mercedes-benz/sechub/releases/tag/v2.2.0-gha).
Kind regards
Rouven