Supply Chain Security Scanner
Supply Chain Security Scanner - Reusable Workflow
Runs the supply-chain scanner via the argus Python CLI. Equivalent to: python -m argus scan supply-chain
For GHES users: Use the composite action directly instead of this workflow. See: examples/github-enterprise/all-scanners.yml
uses: huntridge-labs/argus/.github/workflows/scanner-supply-chain.yml@1.8.1
Triggers
- Manual dispatch
- Reusable (called by other workflows)
Permissions
| Scope | Access |
|---|---|
contents |
read |
security-events |
write |
actions |
read |
pull-requests |
write |
Inputs
| Input | Description | Required | Default |
|---|---|---|---|
post_pr_comment |
Whether to post PR comments boolean | No | True |
enable_code_security |
Whether GitHub Code Security is enabled for this repository boolean | No | False |
scan_path |
Path to scan for GitHub Actions workflows and actions string | No | . |
fail_on_severity |
Fail if findings at or above this severity. Options: none, low, medium, high. string | No | none |
persona |
Zizmor audit strictness: regular (default), pedantic, or auditor string | No | regular |
zizmor_config |
Path to zizmor configuration file string | No | โ |
Jobs
supply-chain-scan โ Supply Chain Security Scan
Runs on: ubuntu-latest ยท Timeout: 15 minutes ยท Continue on error: Yes
Steps:
- Checkout repository โ
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 - Set up Python โ
actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 - Install Argus โ
huntridge-labs/argus/.github/actions/setup-argus@1.8.1 - Run scan
- Upload artifacts โ
actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a - Upload SARIF โ
github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a - Comment PR with results โ
huntridge-labs/argus/.github/actions/comment-pr@1.8.1