Merge pull request 'feat: add Aikido full and PR scan actions' (#4) from feature/aikido into main

Reviewed-on: #4 Reviewed-by: Markus.Opahle@schmalz.de <Markus.Opahle@schmalz.de>
2026-04-30 11:24:03 +00:00 · 2026-04-30 11:24:03 +00:00 · dee0fc4bbb
commit dee0fc4bbb
parent af89d0421c fc82729de8
12 changed files with 184 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -6,6 +6,8 @@ Shared actions for Forgejo CI/CD pipelines.

 | Action | Description |
 |--------|-------------|
+| [aikido-full-scan](aikido-full-scan) | Aikido full scan |
+| [aikido-pr-scan](aikido-pr-scan) | Aikido PR scan |
 | [aws-configure](aws-configure) | Authenticate with AWS via OIDC |
 | [checkout](checkout) | Action for checking out a repository |

@ -19,7 +21,7 @@ Where third-party Forgejo/GitHub Actions are used internally, they are pinned to
 Reference actions from your project's workflow:

 ```yaml
- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/<action-name>@v1
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/<action-name>@<action-name>-v1
  with:
    # see each action's README for inputs
 ```
--- a/aikido-full-scan/README.md
+++ b/aikido-full-scan/README.md
@ -0,0 +1,21 @@
+# aikido-full-scan
+
+Composite wrapper around the Aikido full-release Docker scan. Automatically resolves repository and branch info from the Forgejo context — only the API key needs to be supplied by the caller.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `apikey` | Yes | — | Aikido CI API key |
+
+## Usage
+
+```yaml
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/aikido-full-scan@aikido-full-scan-v1
+  with:
+    apikey: ${{ secrets.AIKIDO_API_KEY }}
+```
+
+## Notes
+
+- Delegates to `actions/internal-aikido-full-scan` with organization, repository name, and branch name resolved automatically from the Forgejo context.
--- a/aikido-full-scan/action.yml
+++ b/aikido-full-scan/action.yml
@ -0,0 +1,20 @@
+name: Aikido Security Full Scan
+description: >
+  Composite wrapper around the Aikido full-release Docker scan.
+  Automatically resolves repository and branch info from the forgejo context.
+  Only the API key needs to be supplied by the caller.
+
+inputs:
+  apikey:
+    description: Aikido CI API key
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - uses: ./actions/internal-aikido-full-scan
+      with:
+        apikey: ${{ inputs.apikey }}
+        organization: ${{ forgejo.repository_owner }}
+        repository-name: ${{ forgejo.event.repository.name }}
+        branch-name: ${{ forgejo.ref_name }}
--- a/aikido-pr-scan/README.md
+++ b/aikido-pr-scan/README.md
@ -0,0 +1,23 @@
+# aikido-pr-scan
+
+Composite wrapper around the Aikido PR Docker scan. Automatically resolves repository, branch, and commit info from the Forgejo context — only the API key needs to be supplied by the caller.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `apikey` | Yes | — | Aikido CI API key |
+| `fail-on` | No | `high` | Minimum severity to fail on: `low`, `medium`, `high`, `critical` |
+
+## Usage
+
+```yaml
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/aikido-pr-scan@aikido-pr-scan-v1
+  with:
+    apikey: ${{ secrets.AIKIDO_API_KEY }}
+    fail-on: high
+```
+
+## Notes
+
+- Delegates to `actions/internal-aikido-pr-scan` with organization, repository name, branch name, and base/head commit SHAs resolved automatically from the Forgejo context.
--- a/aikido-pr-scan/action.yml
+++ b/aikido-pr-scan/action.yml
@ -0,0 +1,27 @@
+name: Aikido Security PR Scan
+description: >
+  Composite wrapper around the Aikido PR Docker scan.
+  Automatically resolves repository, branch, and commit info from the forgejo context.
+  Only the API key needs to be supplied by the caller.
+
+inputs:
+  apikey:
+    description: Aikido CI API key
+    required: true
+  fail-on:
+    description: 'Minimum severity to fail on: low, medium, high, critical'
+    default: high
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - uses: ./actions/internal-aikido-pr-scan
+      with:
+        apikey: ${{ inputs.apikey }}
+        organization: ${{ forgejo.repository_owner }}
+        repository-name: ${{ forgejo.event.repository.name }}
+        branch-name: ${{ forgejo.head_ref }}
+        base-commit-id: ${{ forgejo.event.pull_request.base.sha }}
+        head-commit-id: ${{ forgejo.event.pull_request.head.sha }}
+        fail-on: ${{ inputs.fail-on }}
--- a/checkout/README.md
+++ b/checkout/README.md
@ -16,7 +16,7 @@ Composite wrapper around actions/checkout pinned to a specific commit SHA to pre
 ## Usage

 ```yaml
- uses: schmalz/shared-actions/.forgejo/actions/checkout@v1
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/checkout@checkout-v1
 ```

 ## Notes
--- a/internal-aikido-full-scan/Dockerfile
+++ b/internal-aikido-full-scan/Dockerfile
@ -0,0 +1,4 @@
+FROM aikidosecurity/local-scanner:latest
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
--- a/internal-aikido-full-scan/action.yml
+++ b/internal-aikido-full-scan/action.yml
@ -0,0 +1,31 @@
+name: Aikido Security Release Scan
+description: Run an Aikido local full release scan (scheduled / post-merge)
+
+inputs:
+  apikey:
+    description: Aikido CI API key
+    required: true
+  organization:
+    description: Organization or owner name
+    required: true
+  repository-name:
+    description: Repository name
+    required: true
+  branch-name:
+    description: Branch to scan against
+    default: main
+    required: false
+
+runs:
+  using: docker
+  image: Dockerfile
+  args:
+    - --apikey
+    - ${{ inputs.apikey }}
+    - --repositoryname
+    - ${{ inputs.organization }}/${{ inputs.repository-name }}
+    - --branchname
+    - ${{ inputs.branch-name }}
+    - --force-create-repository-for-branch
+    - --include-dev-deps
+
--- a/internal-aikido-full-scan/entrypoint.sh
+++ b/internal-aikido-full-scan/entrypoint.sh
@ -0,0 +1,2 @@
+#!/bin/sh
+exec aikido-local-scanner scan "${GITHUB_WORKSPACE:-.}" "$@"
--- a/internal-aikido-pr-scan/Dockerfile
+++ b/internal-aikido-pr-scan/Dockerfile
@ -0,0 +1,4 @@
+FROM aikidosecurity/local-scanner:latest
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
--- a/internal-aikido-pr-scan/action.yml
+++ b/internal-aikido-pr-scan/action.yml
@ -0,0 +1,46 @@
+name: Aikido Security PR Scan
+description: Run an Aikido local PR diff scan (detects newly introduced issues)
+
+inputs:
+  apikey:
+    description: Aikido CI API key
+    required: true
+  organization:
+    description: Organization or owner name
+    required: true
+  repository-name:
+    description: Repository name
+    required: true
+  base-commit-id:
+    description: Base commit SHA
+    required: true
+  head-commit-id:
+    description: Head commit SHA
+    required: true
+  branch-name:
+    description: Branch name
+    required: true
+  fail-on:
+    description: 'Minimum severity to fail on: low, medium, high, critical'
+    default: high
+    required: false
+
+runs:
+  using: docker
+  image: Dockerfile
+  args:
+    - --apikey
+    - ${{ inputs.apikey }}
+    - --repositoryname
+    - ${{ inputs.organization }}/${{ inputs.repository-name }}
+    - --branchname
+    - ${{ inputs.branch-name }}
+    - --gating-mode
+    - pr
+    - --fail-on
+    - ${{ inputs.fail-on }}
+    - --base-commit-id
+    - ${{ inputs.base-commit-id }}
+    - --head-commit-id
+    - ${{ inputs.head-commit-id }}
+    - --include-dev-deps
--- a/internal-aikido-pr-scan/entrypoint.sh
+++ b/internal-aikido-pr-scan/entrypoint.sh
@ -0,0 +1,2 @@
+#!/bin/sh
+exec aikido-local-scanner scan "${GITHUB_WORKSPACE:-.}" "$@"