scanner-inc/validate-detection-rules
GitHub: scanner-inc/validate-detection-rules
Stars: 0 | Forks: 1
# Detection Rule Validator Action
A GitHub Action that validates detection rules by scanning YAML files in a repository using the scanner-cli tool.
## Usage
```yaml
name: Validate Detection Rules
on: [push, pull_request]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: scanner-inc/validate-detection-rules@v0.2.0
        with:
          check_action: "validate_and_run_tests"
          scanner_api_url: "${{ secrets.SCANNER_API_URL }}"
          scanner_api_key: "${{ secrets.SCANNER_API_KEY }}"
```
## Inputs
| Input | Description | Required | Default |
| ----------------- | -------------------------------------------------------------- | -------- | --------------- |
| `check_action` | Action to perform: `validate_only` or `validate_and_run_tests` | No | `validate_only` |
| `scanner_api_url` | The API URL of your Scanner instance | Yes | - |
| `scanner_api_key` | Scanner API key | Yes | - |
| `file` | Detection rule file(s) - comma separated list | No | - |
| `dir` | Directory of detection rule files | No | - |
| `recursive` | Recursively search directory for valid YAML files | No | `true` |
### Check Action Modes
- **`validate_only`** (default): Runs `scanner-cli validate` to check that detection rules are valid YAML and conform to the expected schema.
- **`validate_and_run_tests`**: Runs `scanner-cli run-tests` to validate rules and also execute any embedded tests defined in the detection rules.
If neither `file` nor `dir` is specified, the action will recursively scan the current directory (`.`). We recommend using this behavior by default, as it matches the behavior of Scanner's GitHub sync logic.
See the [Scanner.dev CLI documentation](https://docs.scanner.dev/scanner/using-scanner/beta-features/detection-rules-as-code/cli) for details on obtaining your API URL and key.
## How it works
The action installs the scanner-cli tool and runs either `scanner-cli validate` or `scanner-cli run-tests` (depending on the `check_action` input) with the specified files, directories, and options.
The CLI is run with `--json` in both modes and the structured response is parsed to surface a GitHub annotation on each failing file (and a warning annotation on each file with a non-fatal advisory). For `validate_and_run_tests`, individual failing tests are also surfaced as annotations on the rule's YAML file.
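As an added illustration of the annotation step (this is not the action's own code, and the JSON shape with `files`, `errors`, `warnings` and `tests` fields is an assumption, since this README does not document scanner-cli's `--json` output), the snippet below maps a parsed result to GitHub workflow-command annotations and escapes them so that rule-file content echoed in a CLI message cannot start a second `::` command:

```javascript
// Added example, not part of scanner-inc/validate-detection-rules.
// The result shape is ASSUMED for illustration; scanner-cli's real --json
// schema is not shown on this page.

// Escaping as GitHub expects for workflow commands: a message that came from
// a rule file must not be able to inject a new "::error::" line.
function escapeData(s) {
  return String(s).replace(/%/g, '%25').replace(/\r/g, '%0D').replace(/\n/g, '%0A');
}
function escapeProperty(s) {
  return escapeData(s).replace(/:/g, '%3A').replace(/,/g, '%2C');
}

// One "::error" or "::warning" workflow command, optionally pinned to a line.
function annotation(level, file, message, line) {
  const props = [`file=${escapeProperty(file)}`];
  if (line !== undefined) props.push(`line=${escapeProperty(line)}`);
  return `::${level} ${props.join(',')}::${escapeData(message)}`;
}

// Error annotation per failing file, warning per advisory, and (for
// validate_and_run_tests) an error per failing embedded test.
function buildAnnotations(result) {
  const out = [];
  for (const f of result.files || []) {
    for (const e of f.errors || []) out.push(annotation('error', f.path, e.message, e.line));
    for (const w of f.warnings || []) out.push(annotation('warning', f.path, w.message, w.line));
    for (const t of f.tests || []) {
      if (!t.passed) out.push(annotation('error', f.path, `test "${t.name}" failed: ${t.message}`));
    }
  }
  return out;
}

// Constructed sample result (not real scanner-cli output).
const sampleResult = {
  files: [
    { path: 'rules/ok.yaml', errors: [], warnings: [], tests: [{ name: 'matches', passed: true }] },
    { path: 'rules/bad.yaml',
      errors: [{ line: 7, message: 'unknown field "severty"' }],
      warnings: [{ message: 'no tests defined\n::error::injected' }],
      tests: [{ name: 'fires on login', passed: false, message: 'expected 1 hit, got 0' }] },
  ],
};

for (const line of buildAnnotations(sampleResult)) console.log(line);
```

Note that the injected newline in the sample warning is rendered as `%0A`, so the runner shows it as text inside one annotation rather than executing it as a command.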
## Development
This repo uses Yarn 4 (managed via Corepack).
To prepare a release:
1. Install dependencies: `yarn install`
2. Build the bundled distribution: `yarn build`
3. Commit the `dist/` folder: `git add dist && git commit -m "Build dist"`
4. Tag the release: `git tag v${VERSION} && git push --tags`
The bundled `dist/index.js` contains all dependencies, so users don't need to install anything.
### Regenerating the schema bundle
To regenerate, install [`gh`](https://cli.github.com/) and authenticate it (`gh auth login`), then:
```bash
yarn gen_schema
```