-
Notifications
You must be signed in to change notification settings - Fork 1
/
action.yaml
104 lines (97 loc) · 3.72 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
name: "Accuknox IaC"
description: "Run Scan against infrastructure as code."
inputs:
file:
description: 'Specify a file for scanning; cannot be used with directory input. Filter runners by file type, e.g., ".tf" for Terraform.'
required: false
directory:
default: "."
description: "Directory with infrastructure code and/or package manager files to scan"
required: false
compact:
description: "Do not display code blocks in output"
required: false
quiet:
description: "Display only failed checks"
required: false
output_format:
description: "The format of the output. cli, json, junitxml, github_failed_only, or sarif (comma separated)"
required: false
default: "json"
output_file_path:
description: "Path and name for output file, needs to end with a comma for a single output format"
required: false
default: "./results.json"
soft_fail:
description: "Do not return an error code if there are failed checks"
required: false
framework:
description: "Run only on a specific infrastructure, Supported: Kubernetes & Terraform"
required: false
skip_framework:
description: "Skip a specific infrastructure"
required: false
token:
description: "The token for authenticating with the CSPM panel."
required: true
tenant_id:
description: "The ID of the tenant associated with the CSPM panel."
required: true
endpoint:
description: "The URL of the CSPM panel to push the scan results to."
required: true
default: "cspm.demo.accuknox.com"
label:
description: "The label created in AccuKnox SaaS for associating scan results."
required: true
branding:
icon: "shield"
color: "purple"
runs:
using: "composite"
steps:
- name: Run Checkov IaC Scan
id: checkov-scan
uses: docker://ghcr.io/bridgecrewio/checkov:3.2.21
with:
args: |
${INPUT_FILE}
${INPUT_DIRECTORY}
${INPUT_COMPACT}
${INPUT_QUIET}
${INPUT_OUTPUT_FORMAT}
${INPUT_OUTPUT_FILE_PATH}
${INPUT_SOFT_FAIL}
${INPUT_FRAMEWORK}
env:
INPUT_FILE: ${{ inputs.file }}
INPUT_DIRECTORY: ${{ inputs.directory }}
INPUT_COMPACT: ${{ inputs.compact }}
INPUT_QUIET: ${{ inputs.quiet }}
INPUT_OUTPUT_FORMAT: ${{ inputs.output_format }}
INPUT_OUTPUT_FILE_PATH: ${{ inputs.output_file_path }}
INPUT_SOFT_FAIL: ${{ inputs.soft_fail }}
INPUT_FRAMEWORK: ${{ inputs.framework }}
continue-on-error: true
- name: Formatting the results
run: |
jq --arg repoLink "${{ github.server_url }}/${{ github.repository }}" --arg branch "${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref }}" '. += [{"details": {"repo": $repoLink, "branch": $branch}}]' results/results_json.json > temp.json && mv temp.json results.json
shell: bash
- name: Push report to CSPM panel
run: |
curl --location --request POST 'https://${{ inputs.endpoint }}/api/v1/artifact/?tenant_id=${{ inputs.tenant_id }}&data_type=IAC&label_id=${{ inputs.label }}&save_to_s3=false' --header 'Tenant-Id: ${{ inputs.tenant_id }}' --header 'Authorization: Bearer ${{ inputs.token }}' --form 'file=@"results.json"'
shell: bash
- name: Capture Checkov exit code
id: capture-exit-code
run: |
echo "Checkov exit code: ${{ steps.checkov-scan.outcome }}"
if [ "${{ steps.checkov-scan.outcome }}" == "failure" ]; then
echo "checkov_failed=true" >> $GITHUB_ENV
fi
shell: bash
- name: Fail pipeline at the end if Checkov scan failed
if: env.checkov_failed == 'true'
run: |
echo "Checkov scan failed. Exiting with failure."
exit 1
shell: bash