diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..47ecbf8
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,25 @@
+# Container image that runs your code
+FROM python:3.9-alpine
+
+# Install required libs
+RUN apk --no-cache add curl; \
+ apk --no-cache add git; \
+ apk --no-cache add bash
+
+# Install CFN Guard
+RUN curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh
+ENV PATH "/root/.guard/bin:${PATH}"
+
+# Install AWS SusScan
+RUN pip3 install git+https://github.com/awslabs/sustainability-scanner.git@v1.0.1
+
+# Uninstall libs
+RUN apk del git; \
+ apk del curl
+
+# Copies your code file from your action repository to the filesystem path `/` of the container
+COPY entrypoint.sh /entrypoint.sh
+RUN ["chmod", "+x", "/entrypoint.sh"]
+
+# Code file to execute when the docker container starts up (`entrypoint.sh`)
+ENTRYPOINT ["/entrypoint.sh"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 7f92204..f6bfb9c 100644
--- a/README.md
+++ b/README.md
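Review bot: `RUN curl … install-guard.sh | sh` executes an installer fetched from the upstream repository's `main` branch at build time with no version pin and no checksum, so the image's contents depend on whatever that URL serves when the action is built, and because no `pipefail` is set a failed download is masked since `sh` reading empty input exits 0. Pin the script to a tagged release and verify a known hash before running it (or fetch it with `ADD --checksum=sha256:<expected-digest> <url>`), and put `SHELL ["/bin/ash", "-o", "pipefail", "-c"]` ahead of the pipe. The later `RUN apk del git; apk del curl` does not shrink the image, since both packages stay in the earlier layer; if they are only build-time helpers, install and remove them in the same `RUN`. The image also never sets `USER`, and `ENV PATH "/root/.guard/bin:${PATH}"` hard-codes the root home and uses the deprecated space-separated `ENV` form; `ENV PATH="/root/.guard/bin:${PATH}"` is the supported syntax.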
@@ -1,11 +1,91 @@
-## My Project
+# AWS Sustainability Scanner GitHub action
-TODO: Fill this README out!
+This GitHub Action runs [AWS Sustainability Scanner](https://github.com/awslabs/sustainability-scanner) against infrastructure-as-code to identify sustainability best practices, generates a report with a score and suggested improvements to apply to your template.
-Be sure to:
+## Usage
-* Change the title in this README
-* Edit your repository description on GitHub
+In your Github worflows, under steps, add the following:
+
+```yml
+name: AWS Sustainability Scanner
+uses: aws-actions/sustainability-scanner@latest
+with:
+
+```
+
+## Inputs
+
+### `file`
+
+Path to the specific file you want to scan.
+
+### `directory`
+
+Path to the directory you want to scan. Every `.yml` and `.yaml` files that this directory contain will be scan.
+
+### `rules_file`
+
+Path to your `.json` file to extend the Susscan rules set.
+
+
+## Example usage
+
+### Simple usage with one specific file
+
+```yml
+name: susscan
+
+# Controls when the workflow will run
+on:
+ # Triggers the workflow on push events but only for the "main" branch
+ push:
+ branches: "main"
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "scan"
+ scan:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
+ - uses: actions/checkout@v3
+
+ # Run AWS Sustainability Scanner against template.yaml
+ - name: AWS Sustainability Scanner
+ uses: aws-actions/sustainability-scanner@latest
+ with:
+ file: 'template.yaml'
+```
+
+### Usage with a directory and custom rules set
+
+```yml
+name: susscan
+
+on:
+ push:
+ branches: "main"
+ workflow_dispatch:
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ # Run AWS Sustainability Scanner against "my-cf-stacks" folder with an additional rules set
+ - name: AWS Sustainability Scanner
+ uses: aws-actions/sustainability-scanner@latest
+ with:
+ directory: 'my-cf-stacks/'
+ rules-file: 'tests/additional-rules.json'
+```
 ## Security
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..760b03a
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,28 @@
+# action.yml
+name: 'AWS Sustainability Scanner GitHub Action'
+author: 'AWS Sustainability'
+description: 'Run AWS Sustainability Scan against infrastructure as code as a pre-packaged GitHub Action.'
+branding:
+ icon: 'cloud'
+ color: 'orange'
+inputs:
+ file:
+ description: 'File with infrastructure code to scan'
+ required: true
+ directory:
+ description: 'Directory with infrastructure code to scan'
+ required: false
+ default: '.'
+ rules_file:
+ description: 'File to extend set of rules to scan'
+ required: false
+outputs:
+ results:
+ description: 'The results from the sustainability scan'
+runs:
+ using: 'docker'
+ image: 'Dockerfile'
+ args:
+ - ${{ inputs.file }}
+ - ${{ inputs.directory }}
+ - ${{ inputs.rules_file }}
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..a848801
--- /dev/null
+++ b/entrypoint.sh
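Review bot: `file` is declared `required: true`, which contradicts the directory-scanning mode that the `directory` default of `'.'` and the README's second example rely on; a workflow that sets only `directory` fails input validation, so it should be `required: false` (entrypoint.sh already branches on `INPUT_FILE` being empty). The `results` output is declared, but nothing in entrypoint.sh as shown in this diff writes it — the script only `echo`es the scan output — so either drop the output or have the entrypoint populate it. The README's second example passes `rules-file:` while the declared input is `rules_file`, so that example is not mapped to `INPUT_RULES_FILE` and the custom rules are silently not applied. The `args` list is only consumed by the non-Actions branch of entrypoint.sh, since under `GITHUB_ACTIONS` the script reads `INPUT_*` variables and ignores `"$@"`; a comment noting that, such as `# args are used only when the image is run outside GitHub Actions`, would save the next reader the detour.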
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Leverage the default env variables as described in:
+# https://docs.github.com/en/actions/reference/environment-variables#default-environment-variables
+if [[ $GITHUB_ACTIONS != "true" ]]
+then
+ susscanner "$@"
+ exit $?
+fi
+
+# If an external set of rules is defined then add it to RULES_FILE var
+if [ -n "$INPUT_RULES_FILE" ] && [ -e "$INPUT_RULES_FILE" ]; then
+ RULES_FILE="--rules-file $INPUT_RULES_FILE"
+fi
+
+# Create an empty array to store file names to scan
+RESOURCES_TO_SCAN=()
+
+# If File Variable exists then scan the specific resource
+if [ -n "$INPUT_FILE" ]; then
+ RESOURCES_TO_SCAN+=("$INPUT_FILE")
+else
+# Otherwise scan directory provided (root by default) to populate the array with all .yml or .yaml files
+ echo "running susscanner on directory: $INPUT_DIRECTORY"
+ for FILE in "$INPUT_DIRECTORY"/*.yaml "$INPUT_DIRECTORY"/*.yml; do
+ RESOURCES_TO_SCAN+=("$FILE")
+ done
+fi
+
+# Build command
+for RESOURCE in $RESOURCES_TO_SCAN; do
+ echo "running susscanner on file: $RESOURCE"
+ echo "susscanner $RESOURCE $RULES_FILE"
+ SUSSCAN_RESULTS=$(susscanner $RESOURCE $RULES_FILE)
+
+ SUSSCAN_EXIT_CODE=$?
+
+ if [ $SUSSCAN_EXIT_CODE -eq 0 ]; then
+ echo "${SUSSCAN_RESULTS}"
+ else
+ echo "Scan failed with exit code $SUSSCAN_EXIT_CODE."
+ exit $SUSSCAN_EXIT_CODE
+ fi
+done
+
+exit $SUSSCAN_EXIT_CODE
\ No newline at end of file
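Review bot: `for RESOURCE in $RESOURCES_TO_SCAN; do` expands the array without `[@]`, which in bash yields only element 0, so directory mode scans just the first matching file and then reports success; it should read `for RESOURCE in "${RESOURCES_TO_SCAN[@]}"; do`. The glob loop above it runs without `shopt -s nullglob`, so a directory containing no `.yaml`/`.yml` files leaves the literal patterns in the array and the scanner is invoked on a path that does not exist; add `shopt -s nullglob` before the `for FILE` line. `SUSSCAN_RESULTS=$(susscanner $RESOURCE $RULES_FILE)` leaves `$RESOURCE` unquoted, so a file name containing spaces or glob characters is split or expanded before it reaches the scanner — `SUSSCAN_RESULTS=$(susscanner "$RESOURCE" $RULES_FILE)` keeps the path intact while still splitting the optional `--rules-file` flag into two words. If the array ends up empty the loop never runs and the trailing `exit $SUSSCAN_EXIT_CODE` expands to a bare `exit`, returning the previous command's status instead of signalling that nothing was scanned.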