chore(ci): configurable failure mode for semgrep (#55)

* chore(ci): configurable failure mode for semgrep

chore(ci): document action outcome for linters

* Fix semgrep error msg text

.github/workflows/semgrep.yml

@@ -34,4 +34,5 @@ jobs:
         with:
           additional_config: '--config p/rust'
           codeql_upload: false
+          fail_on_findings: true
 

code-check-actions/lua-lint/README.md

@@ -6,12 +6,6 @@ This action analyzes all changed lua files using [lunarmodules/luacheck](https:/
 
 This action looks for any `cli` arguments and a deafult `.luacheckrc` config to derive the final configuaration as mentioned in [docs](https://luacheck.readthedocs.io/en/stable/cli.html#command-line-options)
 
-## User tracking
-
-Currently, these repos are using this action:
-
-[]
-
 ## Inputs
 
 ```yaml
@@ -24,8 +18,9 @@ additional_args:
 ## Outputs
 - Depending on the event, refer [publishing](https://github.com/EnricoMi/publish-unit-test-result-action#publishing-test-results)
 
-## Action status
+## Action Output
 - Always exit with 0 even when there are warnings / errors and be non-blocking
+- The failure mode of build is not configurable based on shared action outcome
 
 ## Example usage
 

code-check-actions/rust-lint/README.md

@@ -17,9 +17,15 @@ manifest_dir:
 ```
 
 ## Outputs:
-- Push: Commit check summary
-- PR: Github check Summary and PR annotations
 
+- All Clippy Findings are reported as `Warnings` on the github check `Rust Clippy Report`
+
+- On Push: Commit check summary
+- On PR: Github check Summary and PR annotations
+
+## Action Output
+- Report findings as warnings and be non-blocking
+- The failure mode of build is not configurable based on shared action outcome
 
 ## Detailed example
 

security-actions/semgrep/README.md

@@ -4,6 +4,15 @@ This action uses Semgrep CI command to scan all supported platforms on a specifi
 
 The action runs the following:
 - Self detects config rules from semgrep registry
+- Applies any additional arguments / configuration rules passed to semgrep
+- Provides a optional input to fail downstream builds based on semgrep findings
+
+## Action Output
+- Report Semgrep Finding Summary as Console output
+- Report Findings 
+  - Private repositories: workflow artifact file
+  - Public repositories: Github Security tab 
+- The failure mode of build is configurable based on shared action outcome
 ## Detailed example
 
 ```yaml

security-actions/semgrep/action.yml

@@ -14,15 +14,24 @@ inputs:
     options:
     - 'true'
     - 'false'
+  fail_on_findings:
+    description: 'Fail build / job on semgrep findings/errors'
+    required: false
+    default: false
+    type: choice
+    options:
+    - 'true'
+    - 'false'
 runs:
   using: 'composite'
   steps:
 
     - name: SAST Scan
       uses: docker://returntocorp/semgrep
+      id: semgrep
       continue-on-error: true
       with:
-        args: "semgrep ci --config auto --sarif -o semgrep_${{github.sha}}.sarif --suppress-errors --no-autofix ${{ inputs.additional_config }}"
+        args: "semgrep ci --config auto --sarif -o semgrep_${{github.sha}}.sarif --no-autofix ${{ inputs.additional_config }}"
 
     # Upload grype cve reports
     - name: Upload Semgrep SARIF to Workflow
@@ -44,7 +53,9 @@ runs:
         # Used to differentiate multiple results for one commit
         category: sast_semgrep
 
-    # - name: Print SAST results - SARIF
-    #   shell: bash
-    #   run: |
-    #     cat semgrep_${{github.sha}}.sarif
+    - name: Fail on findings
+      if: ${{ always() && inputs.fail_on_findings == 'true' && steps.semgrep.outcome == 'failure' }}
+      shell: bash
+      run: |
+        echo "::error::Semgrep has detected findings. For findings, check workflow artifact: semgrep_sast.zip / Github Security analysis"
+        exit 1