From e0b72e037f99b5952dd6b4f0c9ab68bad277ca09 Mon Sep 17 00:00:00 2001 From: Jeremy Dubreil Date: Thu, 11 Jun 2026 07:54:17 +0000 Subject: [PATCH] chore(COD-7131): remove the constant enableScaRunning --- src/index.ts | 85 +++++++++++++++++----------------------------------- src/util.ts | 30 ++++++++----------- 2 files changed, 40 insertions(+), 75 deletions(-) diff --git a/src/index.ts b/src/index.ts index 5a06cdb9..defff7fa 100644 --- a/src/index.ts +++ b/src/index.ts @@ -17,9 +17,6 @@ import { generateCacheKey, } from './util' -// Set to false to disable SCA globally -const enableScaRunning = true - async function runAnalysis() { const target = getInput('target') @@ -61,7 +58,7 @@ async function runAnalysis() { let cacheHit = false let cacheKey: string | undefined if (targetScan === 'old') { - cacheKey = await generateCacheKey(enableIacRunning, enableScaRunning, targetScan, modifiedFiles) + cacheKey = await generateCacheKey(enableIacRunning, targetScan, modifiedFiles) if (cacheKey) { const restored = await cache.restoreCache([resultsPath], cacheKey) if (restored) { @@ -76,23 +73,11 @@ async function runAnalysis() { } if (!cacheHit) { - let success = await runCodesec( - 'scan', - enableIacRunning, - enableScaRunning, - resultsPath, - targetScan, - modifiedFiles - ) + let success = await runCodesec('scan', enableIacRunning, resultsPath, targetScan, modifiedFiles) if (success && targetScan !== 'new') { // Save the analysis results when not scanning the PR source branch if (!cacheKey) { - cacheKey = await generateCacheKey( - enableIacRunning, - enableScaRunning, - targetScan, - modifiedFiles - ) + cacheKey = await generateCacheKey(enableIacRunning, targetScan, modifiedFiles) } if (cacheKey) { try { 
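Review bot: In the third hunk (`@@ -76`), `success` is declared with `let` but is never reassigned within the hunk, so the rewritten call should be `const success = await runCodesec('scan', enableIacRunning, resultsPath, targetScan, modifiedFiles)`. If a reassignment exists further down in runAnalysis, which starts and ends outside this hunk, keep `let` and ignore this.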
@@ -106,14 +91,12 @@ async function runAnalysis() { } else { // Cache restored — rename files to match current targetScan if needed const possibleNames = ['old', 'scan'] - if (enableScaRunning) { - const scaDir = path.join(resultsPath, 'sca') - for (const name of possibleNames) { - const existing = path.join(scaDir, `sca-${name}.sarif`) - if (existsSync(existing) && name !== targetScan) { - renameSync(existing, path.join(scaDir, `sca-${targetScan}.sarif`)) - break - } + const scaDir = path.join(resultsPath, 'sca') + for (const name of possibleNames) { + const existing = path.join(scaDir, `sca-${name}.sarif`) + if (existsSync(existing) && name !== targetScan) { + renameSync(existing, path.join(scaDir, `sca-${targetScan}.sarif`)) + break } } if (enableIacRunning) { 
@@ -129,21 +112,19 @@ async function runAnalysis() { } // Upload SCA SARIF from the returned results path - if (enableScaRunning) { - const scaSarifFile = path.join(resultsPath, 'sca', `sca-${targetScan}.sarif`) - if (existsSync(scaSarifFile)) { - info(`Found SCA SARIF file to upload: ${scaSarifFile}`) - toUpload.push(scaSarifFile) - - // Copy SARIF to code-scanning-path for backward compatibility - const codeScanningPath = getInput('code-scanning-path') - if (codeScanningPath) { - info(`Copying SARIF to code-scanning-path: ${codeScanningPath}`) - copyFileSync(scaSarifFile, codeScanningPath) - } - } else { - info(`SCA SARIF file not found at: ${scaSarifFile}`) + const scaSarifFile = path.join(resultsPath, 'sca', `sca-${targetScan}.sarif`) + if (existsSync(scaSarifFile)) { + info(`Found SCA SARIF file to upload: ${scaSarifFile}`) + toUpload.push(scaSarifFile) + + // Copy SARIF to code-scanning-path for backward compatibility + const codeScanningPath = getInput('code-scanning-path') + if (codeScanningPath) { + info(`Copying SARIF to code-scanning-path: ${codeScanningPath}`) + copyFileSync(scaSarifFile, codeScanningPath) } + } else { + info(`SCA SARIF file not found at: ${scaSarifFile}`) } // Upload IAC JSON from the returned results path 
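Review bot: The now-unconditional `copyFileSync(scaSarifFile, codeScanningPath)` throws when the parent directory of the `code-scanning-path` input does not exist, and no handling is visible in this hunk, so a misconfigured path aborts the step after the SARIF was already found and queued in `toUpload`. Either create the destination first with `mkdirSync(path.dirname(codeScanningPath), { recursive: true })` (mkdirSync is already used in this file) or wrap the copy in a try/catch that logs and continues, since the comment describes it as a backward-compatibility extra rather than the primary upload. The enclosing runAnalysis body begins and ends outside the hunk.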
@@ -173,34 +154,22 @@ async function displayResults() { const artifactNew = await downloadArtifact('results-new') // Create local scan-results directory for compare - if (enableScaRunning) { - mkdirSync('scan-results/sca', { recursive: true }) - } + mkdirSync('scan-results/sca', { recursive: true }) if (enableIacRunning) { mkdirSync('scan-results/iac', { recursive: true }) } // Check and copy files for each scanner type - const scaAvailable = - enableScaRunning && (await prepareScannerFiles('sca', artifactOld, artifactNew)) - const iacAvailable = - enableIacRunning && (await prepareScannerFiles('iac', artifactOld, artifactNew)) - - // Need at least one scanner to compare - if (!scaAvailable && !iacAvailable) { - info('No scanner files available for comparison. Nothing to compare.') - setOutput('display-completed', true) + if (!(await prepareScannerFiles('sca', artifactOld, artifactNew))) { + error('SCA files not found. Cannot perform compare.') return } + const iacAvailable = + enableIacRunning && (await prepareScannerFiles('iac', artifactOld, artifactNew)) // Run codesec compare mode with available scanners const resultsPath = path.join(process.cwd(), 'scan-results') - await runCodesec( - 'compare', - enableIacRunning && iacAvailable, - enableScaRunning && scaAvailable, - resultsPath - ) + await runCodesec('compare', enableIacRunning && iacAvailable, resultsPath) // Read comparison output - check all possible outputs const outputs = [ diff --git a/src/util.ts b/src/util.ts index b6ef0f15..50d48c07 100644 --- a/src/util.ts +++ b/src/util.ts 
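Review bot: The new early return after `prepareScannerFiles('sca', artifactOld, artifactNew)` fails no longer sets `setOutput('display-completed', true)`, which the removed branch did, and `error()` from @actions/core only emits an annotation without failing the step, so the job can finish green with neither a comparison nor the output that downstream steps may gate on. Either restore `setOutput('display-completed', true)` before the `return`, or switch to `setFailed('SCA files not found. Cannot perform compare.')` if missing SCA results are meant to be a hard failure. The `error` import from '@actions/core' is outside this hunk and should be confirmed to exist. displayResults begins before the hunk and continues past it.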
@@ -143,13 +143,12 @@ export async function getModifiedFiles(): Promise { // 3. action='compare' -> compares new/old results, generates diff markdown for PR comment // // Parameters: -// - runIac/runSca: which scanners to enable (default false - enable when ready to test) +// - runIac: whether to enable the IaC scanner // - scanTarget: 'new', 'old', or 'scan' depending on mode // - computeCacheKey: if true, runs GENERATE_CACHE_KEY mode instead of scanning export async function runCodesec( action: string, runIac: boolean = false, - runSca: boolean = false, reportsDir: string, scanTarget?: string, modifiedFiles?: string, @@ -191,7 +190,7 @@ export async function runCodesec( '-e', `LW_API_SECRET=${lwApiSecret}`, '-e', - `RUN_SCA=${runSca}`, + `RUN_SCA=true`, '-e', `RUN_IAC=${runIac}`, '-e', @@ -224,17 +223,15 @@ export async function runCodesec( } // Copy results out of container to temp dir - if (runSca) { - const scaDir = path.join(reportsDir, 'sca') - mkdirSync(scaDir, { recursive: true }) - await callCommand( - 'docker', - 'container', - 'cp', - `${containerName}:/tmp/scan-results/sca/sca-${scanTarget || 'scan'}.sarif`, - path.join(scaDir, `sca-${scanTarget || 'scan'}.sarif`) - ) - } + const scaDir = path.join(reportsDir, 'sca') + mkdirSync(scaDir, { recursive: true }) + await callCommand( + 'docker', + 'container', + 'cp', + `${containerName}:/tmp/scan-results/sca/sca-${scanTarget || 'scan'}.sarif`, + path.join(scaDir, `sca-${scanTarget || 'scan'}.sarif`) + ) if (runIac) { const iacDir = path.join(reportsDir, 'iac') @@ -285,7 +282,7 @@ export async function runCodesec( '-e', `LW_API_SECRET=${lwApiSecret}`, '-e', - `RUN_SCA=${runSca}`, + `RUN_SCA=true`, '-e', `RUN_IAC=${runIac}`, 'lacework/codesec:latest', 
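Review bot: In the rewritten `runCodesec` signature, `runIac: boolean = false` is still followed by the required `reportsDir: string`, so the default is only reachable by passing `undefined` explicitly, and every caller in this patch passes the flag positionally; the updated header comment no longer mentions a default, which now describes the call sites better than the code does. Drop the default, `runIac: boolean,`, or move it behind the required parameters so that the signature and the comment agree. runCodesec's body continues well past this hunk.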
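Review bot: The `RUN_SCA=true` entry in the `@@ -191` hunk (and again in the `@@ -285` hunk) is a template literal with no interpolation left over from the removed `${runSca}`, so it should become the plain string `'RUN_SCA=true'` to match the neighbouring `'-e'` entries. Since SCA is now always on, a one-line comment at the first occurrence such as `// SCA is always enabled; only IaC is switchable` would explain why the flag is hard-coded in both docker invocations. Both hunks are fragments of the runCodesec body, which begins and ends outside them.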
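Review bot: In the `@@ -224` hunk the `docker container cp` block now runs unconditionally, and the file name `sca-${scanTarget || 'scan'}.sarif` is built twice in the same call; hoisting it into a local such as `const sarifName = 'sca-' + (scanTarget || 'scan') + '.sarif'` and using it for both the container path and `path.join(scaDir, sarifName)` keeps the two from drifting apart. Note that `||` also maps an empty-string scanTarget to 'scan'; if that is intended a short comment saying so would help, otherwise `??` is the narrower choice. The enclosing runCodesec body begins and ends outside the hunk.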
@@ -331,14 +328,13 @@ export function readMarkdownFile(filePath: string): string { export async function generateCacheKey( runIac: boolean, - runSca: boolean, scanTarget?: string, modifiedFiles?: string ): Promise { const reportsDir = path.join(os.tmpdir(), `codesec-cache-${Date.now()}`) try { - await runCodesec('scan', runIac, runSca, reportsDir, scanTarget, modifiedFiles, true) + await runCodesec('scan', runIac, reportsDir, scanTarget, modifiedFiles, true) } catch (e) { info(`Cache key generation failed: ${(e as Error).message}`) return undefined