Release: v0.1.1 (#40)

## What's Changed * security: bump undici from 5.28.3 to 5.28.4 by @dependabot in #28 * Add note field in response of the IaC Validation API by @pankhurisaxena28 in #32 * Update SCAN_FILE_MAX_SIZE_BYTES to 2MB by @pankhurisaxena28 in #33 * Update deps and switch to actions-gen-readme for autodoc by @sethvargo in #34 * Added iac scan information uri by @sanyam803 in #36 * update default scan timeout to 3 minutes by @pankhurisaxena28 in #37 * Update README.md by @pankhurisaxena28 in #38 ## New Contributors * @pankhurisaxena28 made their first contribution in #32 **Full Changelog**: v0.1.0...1874879
google-github-actions · Jun 27, 2024 · e89e82e · e89e82e
1 parent 1874879
commit e89e82e
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -86,7 +86,7 @@ jobs:
 <!-- BEGIN_AUTOGEN_INPUTS -->
 
 -   <a name="organization_id"></a><a href="#user-content-organization_id"><code>organization_id</code></a>: _(Required)_ Google Cloud organization ID for the organization which includes the
-    resources that you want to modify.
+    resources that you want to modify. For example, '1234'.
 
 -   <a name="scan_file_ref"></a><a href="#user-content-scan_file_ref"><code>scan_file_ref</code></a>: _(Required)_ Path to a file, relative to the local workspace, for the IaC file to scan.
     For example:
@@ -97,25 +97,31 @@ jobs:
 
         ./artifacts/tf_plan.json
 
--   <a name="iac_type"></a><a href="#user-content-iac_type"><code>iac_type</code></a>: _(Required, default: `terraform`)_ IaC template type. Currently only `terraform` is supported.
+-   <a name="iac_type"></a><a href="#user-content-iac_type"><code>iac_type</code></a>: _(Required, default: `terraform`)_ The IaC template type. Currently only Terraform is supported.
 
--   <a name="scan_timeout"></a><a href="#user-content-scan_timeout"><code>scan_timeout</code></a>: _(Optional, default: `1m`)_ Maximum time before the scanning stops. This is specified as a time
-    duration value, such as "1m" or "5s". The value must be between "1m" and
-    "10m".
+-   <a name="scan_timeout"></a><a href="#user-content-scan_timeout"><code>scan_timeout</code></a>: _(Optional, default: `3m`)_ The maximum time before the scanning stops. The value must be between "1m"
+    and `10m`.
 
 -   <a name="ignore_violations"></a><a href="#user-content-ignore_violations"><code>ignore_violations</code></a>: _(Optional)_ Whether violations found in IaC file should be ignored when determining
-    the build status. This input does not apply to violations that are related
+    the build status. This input doesn't apply to violations that are related
     to generating SARIF reports and determining the `iac_scan_result`.
 
--   <a name="failure_criteria"></a><a href="#user-content-failure_criteria"><code>failure_criteria</code></a>: _(Optional, default: `Critical:1, High:1, Medium:1, Low:1, Operator:OR`)_ Ffailure criteria that determines the workflow build status. You can set a
-    threshold for the number of critical, high, medium, and low severity
+-   <a name="failure_criteria"></a><a href="#user-content-failure_criteria"><code>failure_criteria</code></a>: _(Optional, default: `Critical:1, High:1, Medium:1, Low:1, Operator:OR`)_ The failure criteria that determines the workflow build status. You can
+    set a threshold for the number of critical, high, medium, and low severity
     issues and use an aggregator (either `and` or `or`) to evaluate the
     criteria.
 
     To determine whether a build has failed, the threshold for each severity
     is evaluated against the count of issues with that severity in the IaC
     scan results and then severity level evaluations are aggregated using
-    `AND` or `OR` to arrive at `failure_criteria` value.
+    `AND` or `OR` to arrive at `failure_criteria` value. You must include an
+    aggregator in the string. The aggregator value is case-sensitive.
+
+    For example, if you set the failure criteria to `HIGH:1,LOW:1,OPERATOR:OR`,
+    the workflow fails if there is 1 or more HIGH severity findings or 1 or
+    more LOW severity findings. If you set the failure criteria to
+    `HIGH:1,LOW:1,OPERATOR:AND`, the workflow fails if there is 1 or more HIGH
+    severity findings and 1 or more LOW severity findings.
 
     If the `failure_criteria` evaluates to `true`, the workflow is marked as
     `FAILED`. Otherwise, the workflow is marked as `SUCCESS`.
@@ -137,12 +143,12 @@ jobs:
 -   `iac_scan_result`: The result of the security scan. One of:
 
     - `passed`: No violations were found or the `failure_criteria` was not
-      satisfied.
+    satisfied.
 
     - `failed`: The `failure_criteria` was satisfied.
 
     - `error`: The action ran into an execution error, generally due to a
-      misconfiguration or invalid credentials.
+    misconfiguration or invalid credentials.
 
 -   `iac_scan_result_sarif_path`: Path for the SARIF report file. This file is only available when
     violations are found in the scan file.

diff --git a/dist/main/index.js b/dist/main/index.js
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@google-github-actions/analyze-code-security-scc",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Provides functionality to scan code for vulnerability during the build step of the project.",
   "main": "dist/main/index.js",
   "scripts": {