1 parent
0e11212
commit 574f08c
Showing
4 changed files
with
184 additions
and
5 deletions.
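--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,25 @@
+# Container image that runs your code
+FROM python:3.9-alpine
+
+# Install required libs
+RUN apk --no-cache add curl; \
+apk --no-cache add git; \
+apk --no-cache add bash
+
+# Install CFN Guard
+RUN curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh
+ENV PATH "/root/.guard/bin:${PATH}"
+
+# Install AWS SusScan
+RUN pip3 install git+https://github.com/awslabs/[email protected]
+
+# Uninstall libs
+RUN apk del git; \
+apk del curl
+
+# Copies your code file from your action repository to the filesystem path `/` of the container
+COPY entrypoint.sh /entrypoint.sh
+RUN ["chmod", "+x", "/entrypoint.sh"]
+
+# Code file to execute when the docker container starts up (`entrypoint.sh`)
+ENTRYPOINT ["/entrypoint.sh"]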
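Review bot: The installer pipeline on the `RUN curl … | sh` line runs under plain `/bin/sh -c` without pipefail, so when curl fails (`-f` turns an HTTP error into a non-zero exit and empty output) `sh` reads nothing, exits 0, and the image builds successfully without cfn-guard; the `;`-chained `apk add` and `apk del` steps have the same masking, since only the last command's status decides the layer. Add `SHELL ["/bin/ash", "-o", "pipefail", "-c"]` before that line and join the `apk` commands with `&&`. The script is also fetched from the unpinned `main` branch of the upstream repository, so the build is not reproducible and any change to that script lands in the action unreviewed; pinning the URL to a tagged ref and checking a known checksum of the downloaded file before handing it to `sh` would close that gap. `ENV PATH "/root/.guard/bin:${PATH}"` uses the deprecated space-separated form and should be `ENV PATH="/root/.guard/bin:${PATH}"`. The ref on the `pip3 install git+…` line is mangled in this rendered view, so whether it is pinned to a tag cannot be confirmed from here.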
@@ -0,0 +1,28 @@ | ||
# action.yml | ||
name: 'AWS Sustainability Scanner GitHub Action' | ||
author: 'AWS Sustainability' | ||
description: 'Run AWS Sustainability Scan against infrastructure as code as a pre-packaged GitHub Action.' | ||
branding: | ||
icon: 'cloud' | ||
color: 'orange' | ||
inputs: | ||
file: | ||
description: 'File with infrastructure code to scan' | ||
required: true | ||
directory: | ||
description: 'Directory with infrastructure code to scan' | ||
required: false | ||
default: '.' | ||
rules_file: | ||
description: 'File to extend set of rules to scan' | ||
required: false | ||
outputs: | ||
results: | ||
description: 'The results from the sustainability scan' | ||
runs: | ||
using: 'docker' | ||
image: 'Dockerfile' | ||
args: | ||
- ${{ inputs.file }} | ||
- ${{ inputs.directory }} | ||
- ${{ inputs.rules_file }} |
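Review bot: `outputs.results` is declared under `outputs:`, but nothing in the accompanying `entrypoint.sh` writes a `results` value to the action's output file, so `steps.<id>.outputs.results` will always be empty; either drop the output or have the entrypoint append `results=…` to `$GITHUB_OUTPUT` (multi-line scan output needs the delimiter form). `file` is marked `required: true` while the entrypoint keeps a directory-scan branch for an empty `INPUT_FILE` and `directory` carries `default: '.'`, so the manifest and the script disagree on whether a bare directory scan is supported; `required: false` on `file` would match the script. The three `args` entries are only consumed by the non-Actions branch of the entrypoint via `"$@"`; under Actions the script reads the `INPUT_*` environment variables, so they are inert there. The rendered view has stripped the YAML indentation, so the nesting above is inferred from the keys.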
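--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Leverage the default env variables as described in:
+# https://docs.github.com/en/actions/reference/environment-variables#default-environment-variables
+if [[ $GITHUB_ACTIONS != "true" ]]
+then
+susscanner "$@"
+exit $?
+fi
+
+# If an external set of rules is defined then add it to RULES_FILE var
+if [ -n "$INPUT_RULES_FILE" ] && [ -e "$INPUT_RULES_FILE" ]; then
+RULES_FILE="--rules-file $INPUT_RULES_FILE"
+fi
+
+# Create an empty array to store file names to scan
+RESOURCES_TO_SCAN=()
+
+# If File Variable exists then scan the specific resource
+if [ -n "$INPUT_FILE" ]; then
+RESOURCES_TO_SCAN+=("$INPUT_FILE")
+else
+# Otherwise scan directory provided (root by default) to populate the array with all .yml or .yaml files
+echo "running susscanner on directory: $INPUT_DIRECTORY"
+for FILE in "$INPUT_DIRECTORY"/*.yaml "$INPUT_DIRECTORY"/*.yml; do
+RESOURCES_TO_SCAN+=("$FILE")
+done
+fi
+
+# Build command
+for RESOURCE in $RESOURCES_TO_SCAN; do
+echo "running susscanner on file: $RESOURCE"
+echo "susscanner $RESOURCE $RULES_FILE"
+SUSSCAN_RESULTS=$(susscanner $RESOURCE $RULES_FILE)
+
+SUSSCAN_EXIT_CODE=$?
+
+if [ $SUSSCAN_EXIT_CODE -eq 0 ]; then
+echo "${SUSSCAN_RESULTS}"
+else
+echo "Scan failed with exit code $SUSSCAN_EXIT_CODE."
+exit $SUSSCAN_EXIT_CODE
+fi
+done
+
+exit $SUSSCAN_EXIT_CODE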
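Review bot: The scan loop `for RESOURCE in $RESOURCES_TO_SCAN; do` expands only the first element of the array, so when the directory branch collects several `.yaml`/`.yml` files only one of them is ever scanned; it needs `"${RESOURCES_TO_SCAN[@]}"`. The glob on the `for FILE in "$INPUT_DIRECTORY"/*.yaml …` line runs without `nullglob`, so a directory with no matching files pushes the literal pattern into the array and that string is passed to `susscanner`, and after the loop `exit $SUSSCAN_EXIT_CODE` runs with the variable unset if the loop body never executes. `$RESOURCE $RULES_FILE` is expanded unquoted, which word-splits paths containing spaces; keeping the optional flag in an array and quoting `"$RESOURCE"` avoids that while still expanding to nothing when no rules file was given. The rendered view has dropped the script's indentation, so the lines below are placed by structure rather than column.

```shell
#!/bin/bash
# … unchanged: non-Actions passthrough (`susscanner "$@"`) …

# Keep the optional flag as an array: an empty array expands to nothing, and a
# rules-file path containing spaces stays a single argument.
RULES_FILE=()
if [ -n "$INPUT_RULES_FILE" ] && [ -e "$INPUT_RULES_FILE" ]; then
    RULES_FILE=(--rules-file "$INPUT_RULES_FILE")
fi

RESOURCES_TO_SCAN=()
if [ -n "$INPUT_FILE" ]; then
    RESOURCES_TO_SCAN+=("$INPUT_FILE")
else
    echo "running susscanner on directory: $INPUT_DIRECTORY"
    # Without nullglob an unmatched pattern is added verbatim to the array.
    shopt -s nullglob
    for FILE in "$INPUT_DIRECTORY"/*.yaml "$INPUT_DIRECTORY"/*.yml; do
        RESOURCES_TO_SCAN+=("$FILE")
    done
    shopt -u nullglob
fi

# Fail explicitly instead of falling through to the final exit with no status.
if [ "${#RESOURCES_TO_SCAN[@]}" -eq 0 ]; then
    echo "no .yaml/.yml files found to scan"
    exit 1
fi

for RESOURCE in "${RESOURCES_TO_SCAN[@]}"; do
    echo "running susscanner on file: $RESOURCE"
    SUSSCAN_RESULTS=$(susscanner "$RESOURCE" "${RULES_FILE[@]}")
    SUSSCAN_EXIT_CODE=$?
    # … unchanged: result echo / exit-on-failure handling …
done
```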