Provide a webhook/HTTP callback for results?

[woodruffw]

This was just a random thought I had: some users might want to integrate the results of this action's workflow run(s) into other alerting systems, like a Slack channel.

Supporting every possible integration would be tedious, so we could instead allow a user to specify a URL that the action would perform an HTTP POST to if one or more vulnerabilities were found. For example:

with:
  webhook: https://some.custom.domain.example.com/pip-audit

Not sure if this is a good idea or not, but wanted to record it.

[felixogg-britned]

It's a great idea, but I am mostly looking to just commit the results to a file in the same github action execution, so it gets tracked as a repo file. I could not work out how to send output in markdown format to a local file.

[woodruffw]

You can currently use outputs.internal-be-careful-ouput for that. That may or may not be idea for your case, however, since that output is the human-readable column format and not JSON.

See:

gh-action-pip-audit/action.yml

Lines 53 to 56 in 1220774

	outputs:
	internal-be-careful-output:
	description: "the column-formatted output from pip-audit, wrapped as base64"
	value: "${{ steps.pip-audit.outputs.output }}"

#4 is a related issue for providing machine-readable outputs.

[felixogg-britned]

Learned a lot of new things trying to tend to this one. I copied the code I managed to blend this into below for anyone like myself who is less familiar with GitHub Actions configuration.

    - id: gen-cve-output
      uses: pypa/gh-action-pip-audit@v1.1.0
      with:
        inputs: $GITHUB_WORKSPACE/tmp/requirements.txt

    # Store results of the run to $GITHUB_WORKSPACE/security_scans.md
    - name: store_to_markdown
      run: |
        echo "storing to file: ${{ steps.gen-cve-output.outputs.internal-be-careful-output }}"
        echo ${{ steps.gen-cve-output.outputs.internal-be-careful-output }} > $GITHUB_WORKSPACE/security_scans.md
        echo "saved."

    - name: create_pr
      uses: peter-evans/create-pull-request@v7
      with:
        commit-message: "Pip-audit found issues"
        branch-suffix: timestamp
        branch: pip-audit-issues
        title: "Pip-audit found CVE security issues 🚨"

So,

1. thanks!
2. furthermore, the output generated is plain empty string in case of no issues. I would have liked a way to output the literal output I also get from running pip-audit on the command line, which is more explicit "There is no security risk known now." It would be great if you can take that on as feedback.