feat: Update options with latest enhancements

.github/workflows/ci.yml

@@ -18,8 +18,10 @@ jobs:
         include:
           - repo: spring-projects/spring-petclinic
             sha: 30aab0ae764ad845b5eedd76028756835fec771f
+            java-version: 17
           - repo: WebGoat/WebGoat
             sha: 06c0be257f3ec5b02521368b030018816ac94090
+            java-version: 23
 
     runs-on: ubuntu-latest
     container: buildpack-deps:jammy-scm
@@ -39,10 +41,10 @@ jobs:
           SANITIZED_NAME=$(echo "${{ matrix.repo }}" | tr '/' '_')
           echo "SANITIZED_NAME=${SANITIZED_NAME}" >> $GITHUB_OUTPUT
 
-      - name: Set up JDK 17
+      - name: Set up JDK
         uses: actions/setup-java@v3
         with:
-          java-version: '17'
+          java-version: '${{ matrix.java-version }}'
           distribution: 'temurin'
           server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
           settings-path: ${{ github.workspace }} # location for the settings.xml file
@@ -54,3 +56,4 @@ jobs:
           project-root: project-root
           token: ${{ secrets.SEQRA_GITHUB_TOKEN }}
           artifact-name: ${{ steps.sanitize.outputs.SANITIZED_NAME }}
+          verbosity: 'debug'

CHANGELOG.md

@@ -1,3 +1,6 @@
+## v2.1.0
+### feat: Update options with latest enhancements
+- feat: Update options
 ## v2.0.2
 ### fix: Bump version
 ## v2.0.1

README.md

@@ -84,17 +84,24 @@ jobs:
             upload-sarif: 'false'
 
             # Tag of seqra release
-            seqra-version: 'v2.0.2'
+            seqra-version: 'v2.1.0'
 
-            # Relative path under $GITHUB_WORKSPACE to your rules
-            # By default it is empty, so seqra wil use builtin rules
+            # Paths to custom rules directories (comma-separated)
+            # By default it is empty, so seqra will use builtin rules
             rules-path: 'security/myrules'
 
             # Name of uploaded artifact
             artifact-name: 'sarif'
 
-            #Scan timeout
+            # Log level
+            verbosity: 'info'
+
+            # Scan timeout
             timeout: '15m'
+
+            # Severity levels to report (comma-separated)
+            # Valid values: note, warning, error
+            severity: 'warning,error'
 ```
 
 

action.yml

@@ -1,5 +1,9 @@
-name: "Seqra code analysis"
-description: "Run seqra analysis"
+name: "Seqra security code analysis"
+description: "Security-focused static analyzer for Java and Kotlin"
+
+branding:
+  icon: "target"
+  color: "purple"
 
 inputs:
   project-root:
@@ -10,23 +14,29 @@ inputs:
     default: 'false'
   seqra-version:
     description: 'Tag of seqra release'
-    default: 'v2.0.2'
+    default: 'v2.1.0'
   rules-path:
-    description: 'Relative path under $GITHUB_WORKSPACE to rules. If set rules-repository not used'
-    default: ''
+    description: 'Paths to rules directories (comma-separated)'
+    default: 'builtin'
   token:
     description: 'Token for download rules from private repository'
     required: false
-    default: ${{ github.token }}
+    default: ""
   artifact-name:
     description: 'Name of uploaded artifact'
     default: 'sarif'
+  upload-artifact:
+    description: 'Should seqra-action upload sarif artifact'
+    default: 'true'
   verbosity:
     description: 'Log level'
     default: 'info'
   timeout:
     description: 'Scan timeout'
     default: '15m'
+  severity:
+    description: 'Severity levels to report (comma-separated). Valid values: note, warning, error'
+    default: 'warning,error'
 
 runs:
   using: 'composite'
@@ -41,13 +51,11 @@ runs:
         echo "SEQRA_BIN=$GITHUB_WORKSPACE/$SEQRA_ARTIFACTS/seqra" >> "${GITHUB_OUTPUT}"
         echo "SEQRA_PROJECT=$RUNNER_TEMP/$SEQRA_ARTIFACTS/project" >> "${GITHUB_OUTPUT}"
         echo "SEQRA_SARIF=$RUNNER_TEMP/$SEQRA_ARTIFACTS/seqra.sarif" >> "${GITHUB_OUTPUT}"
-        echo "FLAGS=$FLAGS" >> "${GITHUB_OUTPUT}"
-
-    - name: Copy rules to 
-      if: ${{ inputs.rules-path != '' }}
-      shell: bash
-      run: |
-        cp -R ${{ inputs.rules-path }} ${{ steps.globals.outputs.SEQRA_ARTIFACTS }}/rules
+        TOKEN_FLAG=""
+        if [ -n "${{ inputs.token }}" ]; then
+          TOKEN_FLAG="--github-token ${{ inputs.token }}"
+        fi
+        echo "TOKEN_FLAG=$TOKEN_FLAG" >> "${GITHUB_OUTPUT}"
 
     - name: Download seqra
       uses: robinraju/release-downloader@v1
@@ -57,31 +65,39 @@ runs:
         fileName: 'seqra_linux_amd64.tar.gz'
         out-file-path: ${{ steps.globals.outputs.SEQRA_ARTIFACTS }}
         extract: true
-        token: ${{ inputs.token }}
+        token: ${{ inputs.token || github.token }}
 
     - name: Compile project
       shell: bash
       run: |
-           ${{ steps.globals.outputs.SEQRA_BIN }} --quiet --github-token ${{ inputs.token }} compile \
+           ${{ steps.globals.outputs.SEQRA_BIN }} --quiet ${{ steps.globals.outputs.TOKEN_FLAG }} compile \
              --verbosity ${{ inputs.verbosity }} \
              --output ${{ steps.globals.outputs.SEQRA_PROJECT }} ${{ inputs.project-root }}
 
     - name: Run analysis
       shell: bash
       run: |
-           cmd="${{ steps.globals.outputs.SEQRA_BIN }} --quiet --github-token ${{ inputs.token }} scan"
+           cmd="${{ steps.globals.outputs.SEQRA_BIN }} --quiet ${{ steps.globals.outputs.TOKEN_FLAG }} scan"
 
-           if [ -n "${{ inputs.rules-path }}" ]; then
-             cmd="$cmd --ruleset ${{ steps.globals.outputs.SEQRA_ARTIFACTS }}/rules"
-           fi
+           IFS=',' read -ra RULESETS <<< "${{ inputs.rules-path }}"
+           for ruleset in "${RULESETS[@]}"; do
+             cmd="$cmd --ruleset $ruleset"
+           done
 
            cmd="$cmd --timeout ${{ inputs.timeout }}"
            cmd="$cmd --verbosity ${{ inputs.verbosity }}"
+
+           IFS=',' read -ra SEVERITIES <<< "${{ inputs.severity }}"
+           for sev in "${SEVERITIES[@]}"; do
+             cmd="$cmd --severity $sev"
+           done
+
            cmd="$cmd --output ${{ steps.globals.outputs.SEQRA_SARIF }} ${{ steps.globals.outputs.SEQRA_PROJECT }}"
 
            eval "$cmd"
 
     - name: Upload sarif artifact
+      if: ${{ inputs.upload-artifact == 'true' }}
       uses: actions/upload-artifact@v4
       with:
         name: ${{ inputs.artifact-name }}