Skip to content

raphabot/conformity-template-scanner-pipeline

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

Cloud Conformity Pipeline Scanner

Pipeline scanner uses Cloud Conformity's Template Scanner to secure your CloudFormation templates before they're deployed.

Requirements

Usage

To use the script, specify the following required environment variables:

  • cc_apikey (Cloud One Conformity API KEY)
  • cc_region (Cloud One Conformity account region)
  • templatePath (Path of the template to be scanned)
  • templatesDirPath (OPTIONAL. Location of the directory of templates to be scanned, (e.g., templates). This ignores the value of 'templatePath' if supplied.)
  • maxExtreme | maxVeryHigh | maxHigh | maxMedium | maxLow (Choose one or more of the options and set a number of how many violations are accepted)
  • cc_output_result (Either true or false, defaults to false. If set to true, it outputs the detected risks, instead of just the amount.)
  • profileId (OPTIONAL. Provides a profile Id to be used by the scanner.)
  • accountId (OPTIONAL. Provides an account Id to be used by the scanner.)

PS.: ALWAYS use secrets to expose your credentials!

GitHub Actions Example

Add an Action in your .github/workflow yml file to scan your cloud formation template with Cloud One Conformity.

name: My CI/CD Pipeline

on: 
  push:
    branches: 
      - main
      
jobs:      
    CloudFormation-Scan:
       runs-on: ubuntu-latest
       steps:
          - name: Checkout
            uses: actions/checkout@v2
          - name: Cloud One Conformity Pipeline Scanner
            uses: raphabot/conformity-template-scanner-pipeline@version
            env:
              cc_apikey: ${{ secrets.apikey }}
              maxExtreme: 0
              maxVeryHigh: 1
              maxHigh: 3
              maxMedium: 5
              maxLow: 10
              cc_region: us-west-2
              templatePath: template/infrastructure.yaml
              templatesDirPath: templates # This is an example to scan all the templates inside the folder "templates"
              cc_output_results: true

Docker Container Example

To be able to scan your template using a Docker comtainer, follow the example below:

https://hub.docker.com/r/raphabot/conformity-template-scanner-pipeline

docker run -v /home/ec2-user/dynamotest.template:/app/dynamotest.template -e cc_apikey=$MYAPIKEY -e cc_region=$MYREGION -e maxExtreme=0 -e maxVeryHigh=0
-e maxHigh=0 -e maxMedium=0 -e maxLow=0 -e templatePath=infrastructure.yaml -cc_output_results=true felipecosta09/conformity-template-scanner-pipeline:latest

PS.: To be able to scan a local template from a machine or inside a pipeline, the parameter "-v" is required in the docker run command, the example specifies a local file being copied to the container that will scan the Cloud Formation template /home/ec2-user/dynamotest.template:/app/dynamotest.template, where:

  • /home/ec2-user/dynamotest.template - Represent the absolute path of the local Cloud Formation template file to be scanned;
  • /app/dynamotest.template - The path where the file will be copied (ONLY CHANGE THE FILE NAME OF THE TEMPLATE);

Node CLI Example

To run the scanner in the Node CLI, just set the envinronment variables before execute the node script:

cc_apikey=$MYAPIKEY cc_region=$MYREGION maxExtreme=0 maxVeryHigh=0 maxHigh=0 maxMedium=0 maxLow=0 templatePath=infrastructure.yaml cc_output_results=true node scan.js

Contributing

If you encounter a bug, think of a useful feature, or find something confusing in the docs, please create a new issue!

We ❤️ pull requests. If you'd like to fix a bug, contribute to a feature or just correct a typo, please feel free to do so.

Support

Official support from Trend Micro is not available. Individual contributors may be Trend Micro employees, but are not official support.