From feaeeedd7a8726aa7cb94d57f6e886e9be8581f0 Mon Sep 17 00:00:00 2001
From: Michael Seele
Date: Thu, 30 Apr 2026 13:05:30 +0200
Subject: [PATCH] feat: add Aikido full and PR scan actions
Co-authored-by: Copilot
---
 README.md | 4 ++-
 aikido-full-scan/README.md | 21 +++++++++++
 aikido-full-scan/action.yml | 20 +++++++++++
 aikido-pr-scan/README.md | 23 +++++++++++++
 aikido-pr-scan/action.yml | 27 +++++++++++++++
 internal-aikido-full-scan/Dockerfile | 4 +++
 internal-aikido-full-scan/action.yml | 31 +++++++++++++++++
 internal-aikido-full-scan/entrypoint.sh | 2 ++
 internal-aikido-pr-scan/Dockerfile | 4 +++
 internal-aikido-pr-scan/action.yml | 46 +++++++++++++++++++++++++
 internal-aikido-pr-scan/entrypoint.sh | 2 ++
 11 files changed, 183 insertions(+), 1 deletion(-)
 create mode 100644 aikido-full-scan/README.md
 create mode 100644 aikido-full-scan/action.yml
 create mode 100644 aikido-pr-scan/README.md
 create mode 100644 aikido-pr-scan/action.yml
 create mode 100644 internal-aikido-full-scan/Dockerfile
 create mode 100644 internal-aikido-full-scan/action.yml
 create mode 100644 internal-aikido-full-scan/entrypoint.sh
 create mode 100644 internal-aikido-pr-scan/Dockerfile
 create mode 100644 internal-aikido-pr-scan/action.yml
 create mode 100644 internal-aikido-pr-scan/entrypoint.sh
diff --git a/README.md b/README.md
index 0a7e0d0..2a39498 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,8 @@ Shared actions for Forgejo CI/CD pipelines.
 | Action | Description |
 |--------|-------------|
+| [aikido-full-scan](aikido-full-scan) | Aikido full scan |
+| [aikido-pr-scan](aikido-pr-scan) | Aikido PR scan |
 | [aws-configure](aws-configure) | Authenticate with AWS via OIDC |
 | [checkout](checkout) | Action for checking out a repository |
@@ -19,7 +21,7 @@ Where third-party Forgejo/GitHub Actions are used internally, they are pinned to
 Reference actions from your project's workflow:
 ```yaml
-- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/@v1
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/@-v1
 with:
 # see each action's README for inputs
 ```
diff --git a/aikido-full-scan/README.md b/aikido-full-scan/README.md
new file mode 100644
index 0000000..27edbf6
--- /dev/null
+++ b/aikido-full-scan/README.md
@@ -0,0 +1,21 @@
+# aikido-full-scan
+
+Composite wrapper around the Aikido full-release Docker scan. Automatically resolves repository and branch info from the Forgejo context — only the API key needs to be supplied by the caller.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `apikey` | Yes | — | Aikido CI API key |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.forgejo/actions/aikido-full-scan@v1
+  with:
+    apikey: ${{ secrets.AIKIDO_API_KEY }}
+```
+
+## Notes
+
+- Delegates to `actions/internal-aikido-full-scan` with organization, repository name, and branch name resolved automatically from the Forgejo context.
\ No newline at end of file
diff --git a/aikido-full-scan/action.yml b/aikido-full-scan/action.yml
new file mode 100644
index 0000000..b7856be
--- /dev/null
+++ b/aikido-full-scan/action.yml
@@ -0,0 +1,20 @@
+name: Aikido Security Full Scan
+description: >
+  Composite wrapper around the Aikido full-release Docker scan.
+  Automatically resolves repository and branch info from the forgejo context.
+  Only the API key needs to be supplied by the caller.
+
+inputs:
+  apikey:
+    description: Aikido CI API key
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - uses: ./actions/internal-aikido-full-scan
+      with:
+        apikey: ${{ inputs.apikey }}
+        organization: ${{ forgejo.repository_owner }}
+        repository-name: ${{ forgejo.event.repository.name }}
+        branch-name: ${{ forgejo.ref_name }}
diff --git a/aikido-pr-scan/README.md b/aikido-pr-scan/README.md
new file mode 100644
index 0000000..4f6cd31
--- /dev/null
+++ b/aikido-pr-scan/README.md
@@ -0,0 +1,23 @@
+# aikido-pr-scan
+
+Composite wrapper around the Aikido PR Docker scan. Automatically resolves repository, branch, and commit info from the Forgejo context — only the API key needs to be supplied by the caller.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `apikey` | Yes | — | Aikido CI API key |
+| `fail-on` | No | `high` | Minimum severity to fail on: `low`, `medium`, `high`, `critical` |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.forgejo/actions/aikido-pr-scan@v1
+  with:
+    apikey: ${{ secrets.AIKIDO_API_KEY }}
+    fail-on: high
+```
+
+## Notes
+
+- Delegates to `actions/internal-aikido-pr-scan` with organization, repository name, branch name, and base/head commit SHAs resolved automatically from the Forgejo context.
\ No newline at end of file
diff --git a/aikido-pr-scan/action.yml b/aikido-pr-scan/action.yml
new file mode 100644
index 0000000..4dd36c8
--- /dev/null
+++ b/aikido-pr-scan/action.yml
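Review bot: The local reference `uses: ./actions/internal-aikido-full-scan` does not match where this commit places the internal action — the diffstat creates `internal-aikido-full-scan/action.yml` at the repository root with no `actions/` prefix — so the composite step will not resolve as written. A `./`-relative `uses` inside a composite action is also resolved against the workflow's checked-out repository rather than the action's own directory (GitHub Actions semantics, which Forgejo follows as far as I know), so callers in other repositories would need a full `https://…/shared-actions/internal-aikido-full-scan@<ref>` reference or a prior checkout of this repository; the same path issue is in `aikido-pr-scan/action.yml`. Separately, I am not certain the runner exposes a `forgejo` context alias; if it does not, `forgejo.repository_owner`, `forgejo.event.repository.name` and `forgejo.ref_name` evaluate to empty strings and the internal action is invoked with `--repositoryname /`, so this is worth confirming against the `github.*` names that are guaranteed for compatibility. The top-level README hunk in this commit also changes the example ref to `@-v1`, which looks like a typo for `@v1`.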
@@ -0,0 +1,27 @@
+name: Aikido Security PR Scan
+description: >
+  Composite wrapper around the Aikido PR Docker scan.
+  Automatically resolves repository, branch, and commit info from the forgejo context.
+  Only the API key needs to be supplied by the caller.
+
+inputs:
+  apikey:
+    description: Aikido CI API key
+    required: true
+  fail-on:
+    description: 'Minimum severity to fail on: low, medium, high, critical'
+    default: high
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - uses: ./actions/internal-aikido-pr-scan
+      with:
+        apikey: ${{ inputs.apikey }}
+        organization: ${{ forgejo.repository_owner }}
+        repository-name: ${{ forgejo.event.repository.name }}
+        branch-name: ${{ forgejo.head_ref }}
+        base-commit-id: ${{ forgejo.event.pull_request.base.sha }}
+        head-commit-id: ${{ forgejo.event.pull_request.head.sha }}
+        fail-on: ${{ inputs.fail-on }}
diff --git a/internal-aikido-full-scan/Dockerfile b/internal-aikido-full-scan/Dockerfile
new file mode 100644
index 0000000..cf2ffb0
--- /dev/null
+++ b/internal-aikido-full-scan/Dockerfile
@@ -0,0 +1,4 @@
+FROM aikidosecurity/local-scanner:latest
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/internal-aikido-full-scan/action.yml b/internal-aikido-full-scan/action.yml
new file mode 100644
index 0000000..d2241ee
--- /dev/null
+++ b/internal-aikido-full-scan/action.yml
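Review bot: Nothing in this action checks that it is running on a pull_request event, yet `base-commit-id` and `head-commit-id` are taken from `forgejo.event.pull_request.*` and `branch-name` from `forgejo.head_ref`, all of which are empty on push or schedule triggers. The internal action's `required: true` does not catch this, because an input supplied as an empty expression still counts as provided, so the scanner receives `--base-commit-id` with an empty value and whether it fails clearly or silently scans nothing depends on the CLI. A guard step before the `uses:` step, reading the SHAs through `env:` rather than interpolating them into the script body, would fail fast with a message that names this action.
```yaml
  steps:
    - name: Require pull_request context
      shell: bash
      env:
        BASE_SHA: ${{ forgejo.event.pull_request.base.sha }}
        HEAD_SHA: ${{ forgejo.event.pull_request.head.sha }}
      run: |
        if [ -z "$BASE_SHA" ] || [ -z "$HEAD_SHA" ]; then
          echo "aikido-pr-scan must run on a pull_request event (base/head SHA missing)" >&2
          exit 1
        fi
    # … unchanged: the internal-aikido-pr-scan uses step …
```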
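Review bot: `FROM aikidosecurity/local-scanner:latest` is unpinned, so every build of this action pulls whatever the publisher most recently tagged, and that image runs with the Aikido API key and read access to the full checked-out source; pin it to a tag and digest, e.g. `FROM aikidosecurity/local-scanner:<PINNED_TAG>@sha256:<DIGEST>` (placeholders — take the values from the registry), and bump it deliberately, which is also what the README's pinning note for third-party actions would suggest. `COPY --chmod=755 entrypoint.sh /entrypoint.sh` replaces the `COPY` plus `RUN chmod +x` pair and drops a layer (BuildKit). The `internal-aikido-pr-scan/Dockerfile` hunk is byte-identical (same blob `cf2ffb0`, and the two `entrypoint.sh` files share `51235de`) and has the same issues; a single shared image directory would avoid pinning it twice.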
@@ -0,0 +1,31 @@
+name: Aikido Security Release Scan
+description: Run an Aikido local full release scan (scheduled / post-merge)
+
+inputs:
+  apikey:
+    description: Aikido CI API key
+    required: true
+  organization:
+    description: Organization or owner name
+    required: true
+  repository-name:
+    description: Repository name
+    required: true
+  branch-name:
+    description: Branch to scan against
+    default: main
+    required: false
+
+runs:
+  using: docker
+  image: Dockerfile
+  args:
+    - --apikey
+    - ${{ inputs.apikey }}
+    - --repositoryname
+    - ${{ inputs.organization }}/${{ inputs.repository-name }}
+    - --branchname
+    - ${{ inputs.branch-name }}
+    - --force-create-repository-for-branch
+    - --include-dev-deps
+
diff --git a/internal-aikido-full-scan/entrypoint.sh b/internal-aikido-full-scan/entrypoint.sh
new file mode 100644
index 0000000..51235de
--- /dev/null
+++ b/internal-aikido-full-scan/entrypoint.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec aikido-local-scanner scan "${GITHUB_WORKSPACE:-.}" "$@"
diff --git a/internal-aikido-pr-scan/Dockerfile b/internal-aikido-pr-scan/Dockerfile
new file mode 100644
index 0000000..cf2ffb0
--- /dev/null
+++ b/internal-aikido-pr-scan/Dockerfile
@@ -0,0 +1,4 @@
+FROM aikidosecurity/local-scanner:latest
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/internal-aikido-pr-scan/action.yml b/internal-aikido-pr-scan/action.yml
new file mode 100644
index 0000000..6c5e0c4
--- /dev/null
+++ b/internal-aikido-pr-scan/action.yml
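Review bot: The API key is passed on the command line (`- --apikey` followed by `- ${{ inputs.apikey }}` under `args:`), which puts it in the container's argv, readable in process listings on the runner host and in any debug output that echoes the docker invocation; log masking only covers values the runner knows are secrets, and argv is not a log. If the scanner can read the key from an environment variable (not shown here — check the CLI's documentation), set it via `env:` on the `runs:` block and keep `--apikey` out of `args`; the same applies to `internal-aikido-pr-scan/action.yml`. Also, `--force-create-repository-for-branch` together with the wrapper passing `forgejo.ref_name` appears to register every branch this runs on with Aikido, whereas the description says scheduled / post-merge scanning; if the default branch is the intent, the wrapper's README should tell callers to restrict the trigger.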
@@ -0,0 +1,46 @@
+name: Aikido Security PR Scan
+description: Run an Aikido local PR diff scan (detects newly introduced issues)
+
+inputs:
+  apikey:
+    description: Aikido CI API key
+    required: true
+  organization:
+    description: Organization or owner name
+    required: true
+  repository-name:
+    description: Repository name
+    required: true
+  base-commit-id:
+    description: Base commit SHA
+    required: true
+  head-commit-id:
+    description: Head commit SHA
+    required: true
+  branch-name:
+    description: Branch name
+    required: true
+  fail-on:
+    description: 'Minimum severity to fail on: low, medium, high, critical'
+    default: high
+    required: false
+
+runs:
+  using: docker
+  image: Dockerfile
+  args:
+    - --apikey
+    - ${{ inputs.apikey }}
+    - --repositoryname
+    - ${{ inputs.organization }}/${{ inputs.repository-name }}
+    - --branchname
+    - ${{ inputs.branch-name }}
+    - --gating-mode
+    - pr
+    - --fail-on
+    - ${{ inputs.fail-on }}
+    - --base-commit-id
+    - ${{ inputs.base-commit-id }}
+    - --head-commit-id
+    - ${{ inputs.head-commit-id }}
+    - --include-dev-deps
diff --git a/internal-aikido-pr-scan/entrypoint.sh b/internal-aikido-pr-scan/entrypoint.sh
new file mode 100644
index 0000000..51235de
--- /dev/null
+++ b/internal-aikido-pr-scan/entrypoint.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec aikido-local-scanner scan "${GITHUB_WORKSPACE:-.}" "$@"
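Review bot: `fail-on` is forwarded verbatim to `--fail-on` with nothing enforcing the four values the description lists, so a typo in a caller's workflow is at best rejected by the scanner CLI with a message that does not mention the action input, and at worst interpreted in some way the CLI decides. The default `high` is also a gating policy — per the description, `low` and `medium` findings are reported but never fail the PR — and that should be stated in the wrapper's README rather than left implicit. Since the entrypoint only sees the flat `$@` list, a validation such as `case "$FAIL_ON" in low|medium|high|critical) ;; *) echo "fail-on must be low, medium, high or critical" >&2; exit 1;; esac` fits better as a step in the `aikido-pr-scan` composite wrapper than here.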