diff --git a/.github/actions/checkov-scans-v1/action.yml b/.github/actions/checkov-scans-v1/action.yml
new file mode 100644
index 00000000..9b677061
--- /dev/null
+++ b/.github/actions/checkov-scans-v1/action.yml
@@ -0,0 +1,49 @@
+name: checkov-scans
+description: Checkov scans cloud infrastructure configurations to find misconfigurations before they're deployed and sends a result to Prisma Cloud.
+
+inputs:
+ output-file-path:
+ description: output file path of Checkov scans
+ type: string
+ required: true
+
+runs:
+ using: 'composite'
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
+ - uses: actions/checkout@v4
+ # Used to name the file from Checkov
+ - name: Extract package version
+ id: extract-version
+ shell: bash
+ run: echo "::set-output name=version::$(jq -r .version package.json)"
+ # The checkov scan
+ - name: Run Prisma Cloud
+ id: prisma-cloud
+ uses: bridgecrewio/checkov-action@v12
+ with:
+ api-key: ${{ secrets.PRISMA_ACCESS_KEY }}::${{ secrets.PRISMA_SECRET_KEY }}
+ # CLI output to the console and md file
+ output_format: cli
+ framework: sca_package,github_actions,dockerfile,secrets
+ soft_fail_on: LOW
+ output_file_path: ${{ inputs.output-file-path }}
+ env:
+ PRISMA_API_URL: ${{ secrets.PRISMA_URL }}
+ # Rename ${{ inputs.output-file-path }}/results_cli.txt to ${{ inputs.output-file-path }}/checkov_${{ steps.extract-version.outputs.version }}.txt
+ - name: Rename file
+ shell: bash
+ run: mv ${{ inputs.output-file-path }}/results_cli.txt ${{ inputs.output-file-path }}/checkov_${{ steps.extract-version.outputs.version }}.txt
+ # Create a pull request with the SCA file TODO: needed it?
+# - name: Create PR
+# uses: peter-evans/create-pull-request@v6
+# with:
+# token: ${{ secrets.GITHUB_TOKEN }}
+# commit-message: 'docs: Generate a SCA Report'
+# branch: auto-generate-sca-report
+# base: develop
+# title: 'docs: generate a SCA report'
+# body: |
+# This patch generates a SCA report based on the outputs from Checkov.
+# This PR was opened by a robot :robot: :tada:
+# add-paths: ${{ inputs.output-file-path }}/checkov_${{ steps.extract-version.outputs.version }}.txt
diff --git a/.github/workflows/checkov-scan.yml b/.github/workflows/checkov-scan.yml
new file mode 100644
index 00000000..338fdeca
--- /dev/null
+++ b/.github/workflows/checkov-scan.yml
@@ -0,0 +1,40 @@
+name: Checkov scan
+
+on:
+ push:
+ branches:
+# - release
+# - main
+ - maks-test-gha
+ schedule:
+ # Run every day at 2:00 AM
+ - cron: '0 2 * * *'
+
+jobs:
+ checkov-scan-scheduled:
+ # Will be triggerred if the scheduled event occurs on the develop branch
+# if: github.event_name == 'schedule' && github.ref == 'refs/heads/develop'
+ if: github.event_name == 'schedule' && github.ref == 'refs/heads/maks-test-gha'
+ permissions:
+ contents: write # for actions/checkout to fetch code
+ pull-requests: write # for action to create PR
+ runs-on: ubuntu-latest
+ timeout-minutes: 2
+ steps:
+ - uses: dequelabs/axe-api-team-public/.github/actions/checkov-scans-v1@main
+ with:
+ output-file-path: sca/
+
+ checkov-scan-on-push:
+ # Will be triggerred when there's a push event on the release or main branch
+# if: github.event_name == 'push' && (github.ref == 'refs/heads/release' || github.ref == 'refs/heads/main')
+ if: github.event_name == 'push' && github.ref == 'refs/heads/maks-test-gha'
+ permissions:
+ contents: write # for actions/checkout to fetch code
+ pull-requests: write # for action to create PR
+ runs-on: ubuntu-latest
+ timeout-minutes: 2
+ steps:
+ - uses: dequelabs/axe-api-team-public/.github/actions/checkov-scans-v1@main
+ with:
+ output-file-path: sca/
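Review bot: Both jobs grant `contents: write` and `pull-requests: write`, but nothing they run needs write scope: checkout and the scan only read the repository, and the Create PR step that the comments refer to is commented out in the action this commit adds, so the token's write permissions are unused and should be reduced to `contents: read` (drop `pull-requests` entirely) until a PR step actually exists. The `checkov-scan-scheduled` job's condition `github.ref == 'refs/heads/maks-test-gha'` looks effectively dead, since schedule events run against the default branch; together with the commented-out `develop`/`release`/`main` conditions and the `maks-test-gha` push filter, this reads as test-branch wiring that should be reverted before merge. `dequelabs/axe-api-team-public/.github/actions/checkov-scans-v1@main` is a mutable branch ref used by both jobs, so every run picks up whatever is on that branch at the time; pinning to a tag or full commit SHA makes the scan's supply chain reproducible. `timeout-minutes: 2` may also be tight for a `sca_package` scan on a repository of any size, which is worth confirming against an actual run before relying on the schedule.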