1 parent
7a83076
commit 534caf6
Showing
2 changed files
with
89 additions
and
0 deletions.
@@ -0,0 +1,49 @@ | ||
name: checkov-scans | ||
description: Checkov scans cloud infrastructure configurations to find misconfigurations before they're deployed and sends a result to Prisma Cloud. | ||
|
||
inputs: | ||
output-file-path: | ||
description: output file path of Checkov scans | ||
type: string | ||
required: true | ||
|
||
runs: | ||
using: 'composite' | ||
steps: | ||
# Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it | ||
- uses: actions/checkout@v4 | ||
# Used to name the file from Checkov | ||
- name: Extract package version | ||
id: extract-version | ||
shell: bash | ||
run: echo "::set-output name=version::$(jq -r .version package.json)" | ||
# The checkov scan | ||
- name: Run Prisma Cloud | ||
id: prisma-cloud | ||
uses: bridgecrewio/checkov-action@v12 | ||
with: | ||
api-key: ${{ secrets.PRISMA_ACCESS_KEY }}::${{ secrets.PRISMA_SECRET_KEY }} | ||
# CLI output to the console and md file | ||
output_format: cli | ||
framework: sca_package,github_actions,dockerfile,secrets | ||
soft_fail_on: LOW | ||
output_file_path: ${{ inputs.output-file-path }} | ||
env: | ||
PRISMA_API_URL: ${{ secrets.PRISMA_URL }} | ||
# Rename ${{ inputs.output-file-path }}/results_cli.txt to ${{ inputs.output-file-path }}/checkov_${{ steps.extract-version.outputs.version }}.txt | ||
- name: Rename file | ||
shell: bash | ||
run: mv ${{ inputs.output-file-path }}/results_cli.txt ${{ inputs.output-file-path }}/checkov_${{ steps.extract-version.outputs.version }}.txt | ||
# Create a pull request with the SCA file TODO: needed it? | ||
# - name: Create PR | ||
# uses: peter-evans/create-pull-request@v6 | ||
# with: | ||
# token: ${{ secrets.GITHUB_TOKEN }} | ||
# commit-message: 'docs: Generate a SCA Report' | ||
# branch: auto-generate-sca-report | ||
# base: develop | ||
# title: 'docs: generate a SCA report' | ||
# body: | | ||
# This patch generates a SCA report based on the outputs from Checkov. | ||
# This PR was opened by a robot :robot: :tada: | ||
# add-paths: ${{ inputs.output-file-path }}/checkov_${{ steps.extract-version.outputs.version }}.txt |
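Review bot: The `secrets` context is not available inside a composite action, so `api-key` on the `Run Prisma Cloud` step and `PRISMA_API_URL` in its `env:` expand to empty strings (the key becomes just `::`) and the scan cannot authenticate to Prisma Cloud — the access key, secret key and URL need to be declared under `inputs:` and passed by the calling workflow (`with: prisma-access-key: ${{ secrets.PRISMA_ACCESS_KEY }}` and so on). In the `Extract package version` step, `::set-output` is deprecated and slated for removal; once the runner stops honouring it, `steps.extract-version.outputs.version` is empty and the `mv` target silently becomes `checkov_.txt`, so write `version=...` to `$GITHUB_OUTPUT` instead. Both that version (read from the checked-out `package.json`) and `inputs.output-file-path` are spliced into a `run:` line by `${{ }}` expansion, which is the classic script-injection pattern for anything an outside contributor can influence; pass them through `env:` and quote them in the shell. Pinning `actions/checkout@v4` and `bridgecrewio/checkov-action@v12` to full commit SHAs would also harden the supply chain of an action that is itself consumed via a mutable ref.
```yaml
inputs:
  output-file-path:
    description: output file path of Checkov scans
    required: true
  prisma-access-key:
    description: Prisma Cloud access key (caller passes secrets.PRISMA_ACCESS_KEY)
    required: true
  prisma-secret-key:
    description: Prisma Cloud secret key (caller passes secrets.PRISMA_SECRET_KEY)
    required: true
  prisma-url:
    description: Prisma Cloud API URL (caller passes secrets.PRISMA_URL)
    required: true

# … unchanged: runs.using, checkout step …
    - name: Extract package version
      id: extract-version
      shell: bash
      run: echo "version=$(jq -r .version package.json)" >> "$GITHUB_OUTPUT"
    - name: Run Prisma Cloud
      id: prisma-cloud
      uses: bridgecrewio/checkov-action@v12
      with:
        api-key: ${{ inputs.prisma-access-key }}::${{ inputs.prisma-secret-key }}
        # … unchanged: output_format, framework, soft_fail_on, output_file_path …
      env:
        PRISMA_API_URL: ${{ inputs.prisma-url }}
    - name: Rename file
      shell: bash
      env:
        OUT_DIR: ${{ inputs.output-file-path }}
        PKG_VERSION: ${{ steps.extract-version.outputs.version }}
      run: mv "$OUT_DIR/results_cli.txt" "$OUT_DIR/checkov_${PKG_VERSION}.txt"
```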
@@ -0,0 +1,40 @@ | ||
name: Checkov scan | ||
|
||
on: | ||
push: | ||
branches: | ||
# - release | ||
# - main | ||
- maks-test-gha | ||
schedule: | ||
# Run every day at 2:00 AM | ||
- cron: '0 2 * * *' | ||
|
||
jobs: | ||
checkov-scan-scheduled: | ||
# Will be triggerred if the scheduled event occurs on the develop branch | ||
# if: github.event_name == 'schedule' && github.ref == 'refs/heads/develop' | ||
if: github.event_name == 'schedule' && github.ref == 'refs/heads/maks-test-gha' | ||
permissions: | ||
contents: write # for actions/checkout to fetch code | ||
pull-requests: write # for action to create PR | ||
runs-on: ubuntu-latest | ||
timeout-minutes: 2 | ||
steps: | ||
- uses: dequelabs/axe-api-team-public/.github/actions/checkov-scans-v1@main | ||
with: | ||
output-file-path: sca/ | ||
|
||
checkov-scan-on-push: | ||
# Will be triggerred when there's a push event on the release or main branch | ||
# if: github.event_name == 'push' && (github.ref == 'refs/heads/release' || github.ref == 'refs/heads/main') | ||
if: github.event_name == 'push' && github.ref == 'refs/heads/maks-test-gha' | ||
permissions: | ||
contents: write # for actions/checkout to fetch code | ||
pull-requests: write # for action to create PR | ||
runs-on: ubuntu-latest | ||
timeout-minutes: 2 | ||
steps: | ||
- uses: dequelabs/axe-api-team-public/.github/actions/checkov-scans-v1@main | ||
with: | ||
output-file-path: sca/ |
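Review bot: Both jobs consume the composite action as `dequelabs/axe-api-team-public/.github/actions/checkov-scans-v1@main`, a mutable branch ref, so any push to `main` in that repository changes the code that runs here with `contents: write`; pin it to a full commit SHA (keeping the branch or tag in a trailing comment) and let a dependency bot bump it. The `permissions:` blocks also grant more than the steps use: `actions/checkout` needs only `contents: read`, and the PR-creating step that the `pull-requests: write` comment refers to is commented out inside the action, so `permissions:` with just `contents: read` is sufficient until that step is enabled. The `if:` on `checkov-scan-scheduled` requires `github.ref == 'refs/heads/maks-test-gha'`, but scheduled runs always execute against the repository's default branch, so this job never fires unless that test branch is the default; the `push` branch filter and both `if:` lines still carry the test-branch name, while the commented lines above them indicate `main`/`release`/`develop` are the intended targets.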