Merge pull request #5 from mobb-dev/fix-mobb-url

Fix mobb url

Author: antonychiu2

README.md

@@ -2,25 +2,32 @@
 
 ## Overview
 
-This action is used alongside the native CodeQL Code Scanning feature to monitor for the completion of a CodeQL scan within a Pull Request. Once the code scanning is complete, the analysis results (.sarif files) are downloaded and provided to Mobb to generate auto-remediation fixes. 
+This action is used alongside the native CodeQL Code Scanning feature to monitor for the completion of a CodeQL scan within a Pull Request or on commits. Once the code scanning is complete, the analysis results (.sarif files) are downloaded and provided to Mobb to generate auto-remediation fixes.
+
+## Supported Triggers
+
+This action supports two types of CodeQL scans:
+
+1. **Pull Request Scans**: Triggered when CodeQL runs on pull requests
+2. **Commit Scans**: Triggered when CodeQL runs on push events to branches
 
 ## Example usage
 
 Create a file under the path `.github/workflow/mobb.yml`. 
 
-A sample content of the workflow file: 
+### For Pull Requests and Commits (Recommended)
 
 ```yaml
 name: Mobb fix from CodeQL reports
 on:
   workflow_run:
-    workflows: ["CodeQL"] # This workflow is triggered when the name specified here is triggered. In CodeQL Default Code Scanning Setup, this name is "CodeQL", if you are using CodeQL Advanced Setup, you may need to change this if you have a different workflow name. 
+    workflows: ["CodeQL"] # This workflow is triggered when the name specified here is triggered. In CodeQL Default Code Scanning Setup, this name is "CodeQL", if you are using CodeQL Advanced Setup, you may need to change this if you have a different workflow name.
     types:
       - completed
 jobs:
   handle_codeql_scan:
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' && (contains(github.event.workflow_run.head_branch, 'refs/pull') || github.event.workflow_run.event == 'pull_request') }}
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     permissions:
       pull-requests: write
       security-events: write
@@ -30,9 +37,37 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      - name: Dump github.event
-        run: cat $GITHUB_EVENT_PATH
+      - uses: mobb-dev/codeql-mobb-fixer-action@v1.1
+        with:
+          mobb-api-token: ${{ secrets.MOBB_API_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          # Optional: specify organization and project
+          # organization-id: "your-org-id"
+          # mobb-project-name: "Your Project Name"
+```
 
+### For Pull Requests Only (Legacy)
+
+```yaml
+name: Mobb fix from CodeQL reports
+on:
+  workflow_run:
+    workflows: ["CodeQL"] 
+    types:
+      - completed
+jobs:
+  handle_codeql_scan:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' && (contains(github.event.workflow_run.head_branch, 'refs/pull') || github.event.workflow_run.event == 'pull_request') }}
+    permissions:
+      pull-requests: write
+      security-events: write
+      statuses: write
+      contents: write
+      issues: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
       - uses: mobb-dev/codeql-mobb-fixer-action@v1.1
         with:
           mobb-api-token: ${{ secrets.MOBB_API_TOKEN }}
@@ -49,15 +84,35 @@ jobs:
 
 **Optional** The Mobb Project Name. If unspecified, it will go to "My First Project". 
 
+## `organization-id`
+
+**Optional** The Mobb Organization ID. If specified, the analysis will be associated with the specified organization.
+
 ## `github-token`
 
 **Required** The GitHub api token to use with the action. Usually available as `${{ secrets.GITHUB_TOKEN }}`.
 
 ## Results
-The fixes are presented in 2 formats: 
-1. **Selected fixes in the pull request comments** - The fixes presented here only contain a subset of all available fixes that are only  relevant to the context of the current pull request based on what has been changed in the diff.
+
+The fixes are presented differently depending on the trigger type:
+
+### For Pull Requests
+The fixes are presented in 2 formats:
+1. **Selected fixes in the pull request comments** - The fixes presented here only contain a subset of all available fixes that are only relevant to the context of the current pull request based on what has been changed in the diff.
 2. **Full fix report** - A full fix analysis report is available via the "Mobb Fix Report Link" in the status section. The fix report here contains all fixes relevant to the entire repository.
 
+### For Commits
+For commit-triggered scans, the full fix report URL is available in the action output. Since there's no pull request context, the fixes include all vulnerabilities found in the scanned commit.
+
+## Behavior Differences
+
+| Feature | Pull Request Scans | Commit Scans |
+|---------|-------------------|--------------|
+| PR Comments | ✅ Yes | ❌ No |
+| Status Checks | ✅ Yes | ❌ No |
+| Fix Report URL | ✅ Yes (in status + output) | ✅ Yes (in output only) |
+| Scope | PR diff context | Full repository |
+
 ### Fixes shown in the PR comments 
 ![image](https://github.com/mobb-dev/codeql-mobb-fixer-action/assets/5158535/46161a99-4010-4ef1-90be-a06860f755a9)
 

action.yml

@@ -1,5 +1,5 @@
 name: "codeql-mobb-fixer-action"
-description: "Mobb automatic vulnerability fixer action for GitHub CodeQL analysis"
+description: "Mobb automatic vulnerability fixer action for GitHub CodeQL analysis on pull requests and commits"
 branding:
   icon: aperture
   color: blue
@@ -10,6 +10,9 @@ inputs:
   mobb-project-name:
     description: "Mobb Project Name"
     required: false
+  organization-id:
+    description: "Mobb Organization ID"
+    required: false
   github-token:
     description: "GitHub token"
     required: true
@@ -46,30 +49,70 @@ runs:
         echo "triggering_event=$triggering_event"
         echo "head_branch=$head_branch"
 
+        # Initialize variables
+        PR_NUMBER=""
+        GITHUB_HEAD_REF=""
+        IS_COMMIT_RUN=false
+
         if [[ "$triggering_event" == "pull_request" ]]; then
           echo "Triggering event is a pull request, extracting PR Number from github.event.pull_request.number"
           PR_NUMBER=$(jq -r '.workflow_run.pull_requests[0].number' "$GITHUB_EVENT_PATH")
-
-
           echo PR_NUMBER: $PR_NUMBER
+          
+          #Getting the head-ref for PR
+          GITHUB_HEAD_REF=$(curl --header 'authorization: Bearer ${{ inputs.github-token }}' -s ${{github.event.workflow_run.repository.url}}/pulls/${PR_NUMBER} | jq -r '.head.ref')
+          echo GITHUB_HEAD_REF: $GITHUB_HEAD_REF
+          
         elif [[ "$triggering_event" == "dynamic" && $head_branch == refs/pull/* ]]; then
           # Extract the PR number from the head_branch
           echo "Triggering event is a dynamic event, head_branch also contains */pull/* field, extracting PR Number from github.event.workflow_run.head_branch"
           PR_NUMBER=$(echo $head_branch | cut --delimiter='/' --fields=3 )
           echo PR_NUMBER: $PR_NUMBER
+          
+          #Getting the head-ref for PR
+          GITHUB_HEAD_REF=$(curl --header 'authorization: Bearer ${{ inputs.github-token }}' -s ${{github.event.workflow_run.repository.url}}/pulls/${PR_NUMBER} | jq -r '.head.ref')
+          echo GITHUB_HEAD_REF: $GITHUB_HEAD_REF
+          
+        elif [[ "$triggering_event" == "push" ]]; then
+          echo "Triggering event is a push/commit, using commit SHA and branch"
+          IS_COMMIT_RUN=true
+          PR_NUMBER=""
+          
+          # For push events, use the head_branch directly
+          if [[ "$head_branch" == refs/heads/* ]]; then
+            GITHUB_HEAD_REF=$(echo $head_branch | sed 's/refs\/heads\///')
+          else
+            GITHUB_HEAD_REF=$head_branch
+          fi
+          echo GITHUB_HEAD_REF: $GITHUB_HEAD_REF
+          
         else
-          echo "Error: Unable to determine PR number from the triggering event. Please check if the triggering event is a PR."
-          exit 1
+          echo "Warning: Triggering event '$triggering_event' is not explicitly handled. Attempting to proceed as commit run."
+          IS_COMMIT_RUN=true
+          PR_NUMBER=""
+          
+          # For other events, try to extract branch from head_branch
+          if [[ "$head_branch" == refs/heads/* ]]; then
+            GITHUB_HEAD_REF=$(echo $head_branch | sed 's/refs\/heads\///')
+          else
+            GITHUB_HEAD_REF=$head_branch
+          fi
+          echo GITHUB_HEAD_REF: $GITHUB_HEAD_REF
         fi
 
-        #Getting the pr-number
-        echo PR_NUMBER: $PR_NUMBER
+        #Setting outputs
         echo "pr-number=$PR_NUMBER" >> $GITHUB_OUTPUT
-        
-        #Getting the head-ref
-        GITHUB_HEAD_REF=$(curl --header 'authorization: Bearer ${{ inputs.github-token }}' -s ${{github.event.workflow_run.repository.url}}/pulls/${PR_NUMBER} | jq -r '.head.ref')
-        echo GITHUB_HEAD_REF: $GITHUB_HEAD_REF
         echo "github-head-ref=$GITHUB_HEAD_REF" >> $GITHUB_OUTPUT
+        echo "is-commit-run=$IS_COMMIT_RUN" >> $GITHUB_OUTPUT
+        
+        # Log the run type for clarity
+        if [[ "$IS_COMMIT_RUN" == "true" ]]; then
+          echo "🔨 Running Mobb analysis for COMMIT on branch: $GITHUB_HEAD_REF"
+          echo "📝 Commit SHA: $head_sha"
+        else
+          echo "🔀 Running Mobb analysis for PULL REQUEST #$PR_NUMBER"
+          echo "📝 Branch: $GITHUB_HEAD_REF, SHA: $head_sha"
+        fi
 
       shell: bash -l {0}
 
@@ -79,8 +122,9 @@ runs:
         ref: ${{ steps.env.outputs.github-head-ref }}
 
 
-    # Displays status in the PR that this action is in 'pending' status
+    # Displays status in the PR that this action is in 'pending' status (PR only)
     - uses: guibranco/github-status-action-v2@v1.1.13
+      if: steps.env.outputs.is-commit-run != 'true'
       with:
         authToken: ${{ inputs.github-token }}
         context: "Mobb Fix Analysis"
@@ -98,16 +142,28 @@ runs:
         URL=$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/code-scanning/analyses
         echo "analyses list URL=$URL"
         response=$(curl -H "Authorization: Bearer ${{ inputs.github-token }}" $URL)
-        echo length of code-scanning analyses list=$#{response}
+        echo length of code-scanning analyses list=${#response}
         echo "analyses list: $response"
-        # Extract all CodeQL Analyses IDs that has a matching ^refs/pull/ to the PR Number
-        echo "Extract all CodeQL Analyses IDs that has a matching ^refs/pull/ to the PR Number"
-        ids=$(echo "$response" | jq -r --arg pr "${{ steps.env.outputs.pr-number }}" '.[] | select(.ref | test("^refs/pull/" + $pr + "/")) | .id')
-
+        
+        # Different filtering logic based on whether this is a PR or commit run
+        if [[ "${{ steps.env.outputs.is-commit-run }}" == "true" ]]; then
+          echo "Filtering CodeQL analyses for commit run - matching SHA: ${{steps.env.outputs.head-sha}}"
+          # For commit runs, filter by commit SHA
+          ids=$(echo "$response" | jq -r --arg sha "${{steps.env.outputs.head-sha}}" '.[] | select((.commit_sha == $sha) and (.tool.name == "CodeQL")) | .id')
+        else
+          echo "Filtering CodeQL analyses for PR run - matching refs/pull/${{ steps.env.outputs.pr-number }}/"
+          # For PR runs, filter by PR ref pattern
+          ids=$(echo "$response" | jq -r --arg pr "${{ steps.env.outputs.pr-number }}" '.[] | select((.ref | test("^refs/pull/" + $pr + "/")) and (.tool.name == "CodeQL")) | .id')
+        fi
+  
         echo "Matching analyses ids=$ids"
 
         if [ -z "$ids" ]; then
-          echo "Error: No matching IDs found for the given head SHA ${{steps.env.outputs.head-sha}}." >&2
+          if [[ "${{ steps.env.outputs.is-commit-run }}" == "true" ]]; then
+            echo "Error: No matching CodeQL analyses found for commit SHA ${{steps.env.outputs.head-sha}}." >&2
+          else
+            echo "Error: No matching CodeQL analyses found for PR ${{ steps.env.outputs.pr-number }}." >&2
+          fi
           exit 1
         fi
 
@@ -160,21 +216,38 @@ runs:
         GITHUB_SHA=${{steps.env.outputs.head-sha}}
         PR_NUMBER=${{ steps.env.outputs.pr-number }}
         GITHUB_HEAD_REF=${{ steps.env.outputs.github-head-ref }}
-        
+        IS_COMMIT_RUN=${{ steps.env.outputs.is-commit-run }}
         
         echo "github.event.workflow_run.head_branch = "${{github.event.workflow_run.head_branch}}
         echo REPO: $REPO
         echo GITHUB_HEAD_REF: $GITHUB_HEAD_REF
         echo GITHUB_SHA: $GITHUB_SHA
         echo PR_NUMBER: $PR_NUMBER
-        MobbExecString="npx --yes mobbdev@latest review  -r $REPO --ref $GITHUB_HEAD_REF --ch $GITHUB_SHA --api-key ${{ inputs.mobb-api-token }} -f sarif_output.json  --pr $PR_NUMBER --github-token ${{ inputs.github-token }} --scanner $SCANNER"
+        echo IS_COMMIT_RUN: $IS_COMMIT_RUN
+        
+        # Build the Mobb command based on run type
+        if [[ "$IS_COMMIT_RUN" != "true" && -n "$PR_NUMBER" ]]; then
+          echo "Building PR review command for PR #$PR_NUMBER"
+          # For PR runs, use 'review' command with --scanner and --pr parameters
+          MobbExecString="npx --yes mobbdev@latest review -r $REPO --ref $GITHUB_HEAD_REF --ch $GITHUB_SHA --api-key ${{ inputs.mobb-api-token }} -f sarif_output.json --github-token ${{ inputs.github-token }} --scanner $SCANNER --pr $PR_NUMBER"
+        else
+          echo "Building commit analyze command - no PR parameters"
+          # For commit runs, use 'analyze' command without --scanner and --pr parameters
+          MobbExecString="npx --yes mobbdev@latest analyze -r $REPO --ref $GITHUB_HEAD_REF --api-key ${{ inputs.mobb-api-token }} -f sarif_output.json --ci"
+        fi
         
         # Check if mobb-project-name exists and append it
         if [ -n "${{ inputs.mobb-project-name }}" ]; then
           echo "mobb-project-name specified: ${{ inputs.mobb-project-name }}"
           MobbExecString+=" --mobb-project-name \"${{ inputs.mobb-project-name }}\""
         fi
         
+        # Check if organization-id exists and append it
+        if [ -n "${{ inputs.organization-id }}" ]; then
+          echo "organization-id specified: ${{ inputs.organization-id }}"
+          MobbExecString+=" --organization-id \"${{ inputs.organization-id }}\""
+        fi
+        
         # Output the final command string for debugging
         echo "Mobb Command: $MobbExecString"
         OUT=$(eval $MobbExecString)
@@ -185,17 +258,19 @@ runs:
           exit $RETVAL
         fi
         
-        # Process the output
+        # Process the output - extract just the URL from any surrounding status messages
         OUT=$(echo $OUT | tr '\n' ' ')
-        echo "fix-report-url=$OUT" >> $GITHUB_OUTPUT
-        echo "Mobb URL: $OUT"
+        MOBB_URL=$(echo "$OUT" | grep -oE 'https://[^ ]+' | head -1)
+        echo "fix-report-url=$MOBB_URL" >> $GITHUB_OUTPUT
+        echo "Mobb URL: $MOBB_URL"
 
       shell: bash -l {0}
       env:
         PR_CONTEXT: ${{ toJson(github.event.workflow_run.pull_requests) }}
 
-    # Publish the Mobb fix report link in the PR
+    # Publish the Mobb fix report link in the PR (PR only)
     - uses: guibranco/github-status-action-v2@v1.1.13
+      if: steps.env.outputs.is-commit-run != 'true'
       with:
         authToken: ${{ inputs.github-token }}
         context: "Mobb Fix Report Link"
@@ -205,21 +280,21 @@ runs:
         description: "Click \"Details\" to access the full fix analysis report" 
 
 
-    # Displays status in the PR that this action is in 'complete' status
+    # Displays status in the PR that this action is in 'complete' status (PR only)
     - uses: guibranco/github-status-action-v2@v1.1.13
-      if: success()
+      if: success() && steps.env.outputs.is-commit-run != 'true'
       with:
         authToken: ${{ inputs.github-token }}
         context: "Mobb Fix Analysis"
         state: "success"
         target_url: ${{ steps.env.outputs.action-run-path }}
         sha: ${{steps.env.outputs.head-sha}}
-        description: "Mobb fix analysis completed. See comment in the PR for results" 
+        description: "Mobb fix analysis completed. See comment in the PR for results"
 
 
-    # Displays status in the PR that this action is in 'failure' status
+    # Displays status in the PR that this action is in 'failure' status (PR only)
     - uses: guibranco/github-status-action-v2@v1.1.13
-      if: failure()
+      if: failure() && steps.env.outputs.is-commit-run != 'true'
       with:
         authToken: ${{ inputs.github-token }}
         context: "Mobb Fix Analysis"