Allow for additional 'mapi run' arguments (#257)

* Allow for additional 'mapi run' arguments * Additional arguments may now be passed to `mapi run` by setting the `run-args` `inputs` variable. Each argument must be separated by a new line (`\n`). * snake-case the input arg * Rename archive steps These better reflect what is being archived * More archive step naming improvements Co-authored-by: Sheldon Warkentin <[email protected]>
ForAllSecure · Jan 26, 2022 · dff9115 · dff9115
1 parent a0b264f
commit dff9115
Show file tree

Hide file tree

Showing 8 changed files with 52 additions and 16 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -25,8 +25,17 @@ jobs:
           api-url: https://demo-api.mayhem4api.forallsecure.com/api/v3
           api-spec: https://demo-api.mayhem4api.forallsecure.com/api/v3/openapi.json
           html-report: mapi.html
-      - name: Archive code coverage results
+          run-args: |
+            --warnaserror
+            --junit
+            junit.xml
+      - name: Archive HTML report
         uses: actions/upload-artifact@v2
         with:
           name: mapi-report
           path: mapi.html
+      - name: Archive JUnit results
+        uses: actions/upload-artifact@v2
+        with:
+          name: mapi-junit
+          path: junit.xml
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -34,8 +34,17 @@ jobs:
           api-url: https://demo-api.mayhem4api.forallsecure.com/api/v3
           api-spec: https://demo-api.mayhem4api.forallsecure.com/api/v3/openapi.json
           html-report: mapi.html
-      - name: Archive code coverage results
+          run-args: |
+            --warnaserror
+            --junit
+            junit.xml
+      - name: Archive HTML report
         uses: actions/upload-artifact@v2
         with:
           name: mapi-report
           path: mapi.html
+      - name: Archive JUnit results
+        uses: actions/upload-artifact@v2
+        with:
+          name: mapi-junit
+          path: junit.xml
diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 [![Mayhem for API](https://mayhem4api.forallsecure.com/downloads/img/mapi-logo-full-color.svg)](http://mayhem4api.forallsecure.com/signup)
 
 A GitHub Action for using Mayhem for API to check for reliability,
-performance and security issues in your APIs. 
+performance and security issues in your APIs.
 
 ## About Mayhem for API
 
@@ -14,7 +14,7 @@ production.
 🧑‍💻 For Developers, by developers: The engineers building
 software are the best equipped to fix bugs, including security bugs. As
 engineers ourselves, we're building tools that we wish existed to make
-our job easier! 
+our job easier!
 
 🤖 Simple to Automate in CI: Tests belong in CI, running on every commit
 and PRs. We make it easy, and provide results right in your PRs where
@@ -35,9 +35,9 @@ Want to try it? [Sign up for free](http://mayhem4api.forallsecure.com/signup) to
         mapi organization service-account create <your-org> <service-account-name>
       ```
 
-    c. Add your service account token with name `MAPI_TOKEN` on your repository's GitHub page at   
+    c. Add your service account token with name `MAPI_TOKEN` on your repository's GitHub page at
        `Settings` → `Secrets` → `New repository secret`
-   
+
 2. Create a file in _your_ GitHub repository at:
 ```
     .github/workflows/ForAllSecure-Mayhem-for-API.yml
@@ -79,12 +79,13 @@ The action accepts the follow inputs:
 
 | Required | Input Name | Type | Description | Default
 | --- | --- | --- | --- | ---
-| ✔️ | `mapi-token` | string | Mayhem for API service account token | 
-| ✔️ | `api-url` | string | URL to your running API. *Example:* http://localhost:8000/api/v1 | 
-| ✔️ | `api-spec` | string | Path or URL to your Swagger spec, OpenAPI spec, or Postman collection.| 
-|   | `duration` | number | Duration of scan, in seconds | 60 
-|   | `html-report` | string | Path to the generated SARIF report | 
-|   | `sarif-report` | string | Path to the generated HTML report | 
+| ✔️ | `mapi-token` | string | Mayhem for API service account token |
+| ✔️ | `api-url` | string | URL to your running API. *Example:* http://localhost:8000/api/v1 |
+| ✔️ | `api-spec` | string | Path or URL to your Swagger spec, OpenAPI spec, or Postman collection.|
+|   | `duration` | number | Duration of scan, in seconds | 60
+|   | `html-report` | string | Path to the generated SARIF report |
+|   | `sarif-report` | string | Path to the generated HTML report |
+|   | `run-args` | string | Additional arguments to provide to the `mapi run` command. |
 
 ### Continuing on error
 
@@ -111,6 +112,14 @@ jobs:
         mapi-token: ${{ secrets.MAPI_TOKEN }}
         api-url: http://localhost:8000 # <- update this
         api-spec: your-openapi-spec-or-postman-collection.json
+        # Additional 'mapi run' arguments
+        run-args:|
+          # Do not fuzz the '/logout' endpoint
+          --ignore-endpoint
+          /logout
+          # Treat all warnings as errors
+          --warnaserror
+
 ```
 
 # Reports

diff --git a/action.yml b/action.yml
@@ -13,7 +13,7 @@ inputs:
     required: true
   duration:
     description: Scan duration
-    default: 60
+    default: 60sec
   sarif-report:
     description: SARIF output path. You can upload ot to GitHub using the 'github/codeql-action/upload-sarif@v1' action
   html-report:
@@ -22,6 +22,8 @@ inputs:
     description: --experimental-rewrite-plugin option value
   experimental-classify-plugin:
     description: --experimental-classify-plugin option value
+  run-args:
+    description: A list of additional arguments (separated by '\n') to include in the call to 'mapi run'. Run 'mapi run --help' for a complete list of arguments.
 runs:
   using: 'node12'
   main: 'dist/index.js'

diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/main.ts b/src/main.ts
@@ -69,6 +69,7 @@ async function run(): Promise<void> {
     const experimentalClassifyPlugin: string | undefined = core.getInput(
       'experimental-classify-plugin'
     )
+    const runArgs: string[] = core.getMultilineInput('run-args')
 
     // Auto-generate target name
     const repo = process.env['GITHUB_REPOSITORY']
@@ -93,6 +94,8 @@ async function run(): Promise<void> {
     if (experimentalClassifyPlugin) {
       args.push('--experimental-classify-plugin', experimentalClassifyPlugin)
     }
+    args.push(...runArgs)
+
     core.debug(args.join(' '))
 
     process.env['MAPI_TOKEN'] = mapiToken

diff --git a/workflow.yml b/workflow.yml
@@ -49,11 +49,13 @@ jobs:
         continue-on-error: true
         with:
           mapi-token: ${{ secrets.MAPI_TOKEN }}
-          api-url: "http://localhost:8080" # <- update this
+          api-url: "http://localhost:8080"               # <- update this
           api-spec: "http://localhost:8080/openapi.json" # <- update this
-          duration: 60
+          duration: 60sec
           sarif-report: mapi.sarif
           html-report: mapi.html
+          run-args: |                                   # <- Additional run args
+          #  # --warnaserror                             #    split by \n
 
       # Archive HTML report
       - name: Archive Mayhem for API report