diff --git a/README.md b/README.md
index e0be223..30d0482 100644
--- a/README.md
+++ b/README.md
@@ -4,25 +4,27 @@ - [About Accuknox](https://www.accuknox.com/) +| Input Values | Description | Optional/Required | Default Values | +| ---------------- | ------------------------------------------------------------------------------------------------------------------------- | ----------------- | ------------------------ | +| file | Specify a file for scanning; cannot be used with directory input. Filter runners by file type, e.g., '.tf' for Terraform. | Optional | - | +| directory | Directory with infrastructure code and/or package manager files to scan | Optional | `.` | +| compact | Do not display code blocks in output | Optional | - | +| quiet | Display only failed checks | Optional | - | +| output_format | The format of the output. Options: cli, json, junitxml, github_failed_only, or sarif (comma-separated) | Optional | `json` | +| output_file_path | Path and name for the output file, needs to end with a comma for a single output format | Optional | ./results.json | +| soft_fail | Do not return an error code if there are failed checks | Optional | - | +| framework | Run only on a specific infrastructure, values can be Kubernetes or Terraform. | Optional(🚧) | - | +| skip_framework | Skip a specific infrastructure | Optional(🚧) | - | +| baseline | Path to a baseline file to compare. Report will include only failed checks that are not in the baseline | Optional | `baseline` | +| token | The token for authenticating with the CSPM panel | Required | - | +| tenant_id | The ID of the tenant associated with the CSPM panel | Required | - | +| endpoint | The URL of the CSPM panel to push the scan results to | Optional | `cspm.demo.accuknox.com` | +| label | The label created in AccuKnox SaaS for associating scan results. | Required | - | -| Input Values | Description | Optional/Required | Default Values | -|--------------|-------------|-------------------|----------------| -| file | Specify a file for scanning; cannot be used with directory input. 
Filter runners by file type, e.g., '.tf' for Terraform. | Optional | - | -| directory | Directory with infrastructure code and/or package manager files to scan | Optional | `.` | -| compact | Do not display code blocks in output | Optional | - | -| quiet | Display only failed checks | Optional | - | -| output_format | The format of the output. Options: cli, json, junitxml, github_failed_only, or sarif (comma-separated) | Optional | `json` | -| output_file_path | Path and name for the output file, needs to end with a comma for a single output format | Optional | ./results.json | -| soft_fail | Do not return an error code if there are failed checks | Optional | - | -| framework | Run only on a specific infrastructure, values can be Kubernetes or Terraform. | Optional(🚧) | - | -| skip_framework | Skip a specific infrastructure | Optional(🚧) | - | -| baseline | Path to a baseline file to compare. Report will include only failed checks that are not in the baseline | Optional | `baseline` | -| token | The token for authenticating with the CSPM panel | Required | - | -| tenant_id | The ID of the tenant associated with the CSPM panel | Required | - | -| endpoint | The URL of the CSPM panel to push the scan results to | Optional | `cspm.demo.accuknox.com` | ## Usage -Steps for using Install-action in a workflow yaml file +Steps for using Install-action in a workflow yaml file + - Checkout into the repo using checkout action. - Utilize the accuknox/iac-scan-action repository with version tag v0.0.1. 
@@ -32,42 +34,39 @@ Navigate to Tokens within the Settings section in the sidebar: ![1](https://github.com/udit-uniyal/iac-scan-action/assets/115368361/e3916e08-ab5c-46da-8504-d47778f7d6a8) -Click on Create Token: +Click on Create Token: After clicking on 'Create Token,' the Tenant ID will be visible. ![2](https://github.com/udit-uniyal/iac-scan-action/assets/115368361/b49e25dd-fca0-458e-84d3-48de152ef57d) - Click on Generate: ![3](https://github.com/udit-uniyal/iac-scan-action/assets/115368361/11a2b277-649d-4ef7-b51f-861e8b947b59) - ### workflow steps: ```yaml - - name: Run IaC scan - uses: accuknox/iac-scan-action@v0.0.1 - with: - file: #Optional - directory: #Optional - compact: #Optional - quiet: #Optional - output_format: #Optional - output_file_path: #Optional - framework: #Optional - skip_framework: #Optional - soft_fail: #Optional - endpoint: #Optional - baseline: #Optional - token: - tenant_id: +- name: Run IaC scan + uses: accuknox/iac-scan-action@v0.0.1 + with: + file: #Optional + directory: #Optional + compact: #Optional + quiet: #Optional + output_format: #Optional + output_file_path: #Optional + framework: #Optional + skip_framework: #Optional + soft_fail: #Optional + endpoint: #Optional + baseline: #Optional + token: #Required + tenant_id: #Required + label: #Required ``` - -## Sample Configuration +## Sample Configuration ```yaml - name: AccuKnox IaC Scan Workflow on: @@ -84,22 +83,22 @@ jobs: steps: - name: Checkout code uses: actions/checkout@main - + - name: Run IaC scan uses: accuknox/iac-scan-action@v0.0.1 with: - file: - directory: - compact: + file: + directory: + compact: quiet: - output_format: + output_format: output_file_path: - framework: - skip_framework: + framework: + skip_framework: soft_fail: endpoint: - baseline: + baseline: token: ${{ secrets.TOKEN }} tenant_id: ${{ secrets.TENANT_ID }} - + label: ${{ secrets.LABEL }} ``` diff --git a/action.yaml b/action.yaml index 146a02e..9988efc 100644 --- a/action.yaml +++ b/action.yaml 
@@ -12,7 +12,7 @@ inputs: description: "Do not display code blocks in output" required: false quiet: - description: "display only failed checks" + description: "Display only failed checks" required: false output_format: description: "The format of the output. cli, json, junitxml, github_failed_only, or sarif (comma separated)" @@ -23,10 +23,10 @@ inputs: required: false default: "./results.json" soft_fail: - description: "do not return an error code if there are failed checks" + description: "Do not return an error code if there are failed checks" required: false framework: - description: "Run only on a specific infrastructure, Supported: Kuberenetes & Terraform" + description: "Run only on a specific infrastructure, Supported: Kubernetes & Terraform" required: false skip_framework: description: "Skip a specific infrastructure" @@ -41,6 +41,9 @@ inputs: description: "The URL of the CSPM panel to push the scan results to." required: true default: "cspm.demo.accuknox.com" + label: + description: "The label created in AccuKnox SaaS for associating scan results." + required: true branding: icon: "shield" 
@@ -72,12 +75,30 @@ runs: INPUT_SOFT_FAIL: ${{ inputs.soft_fail }} INPUT_FRAMEWORK: ${{ inputs.framework }} - - name: Formating the results + continue-on-error: true + + - name: Formatting the results run: | jq --arg repoLink "${{ github.server_url }}/${{ github.repository }}" --arg branch "${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref }}" '. += [{"details": {"repo": $repoLink, "branch": $branch}}]' results/results_json.json > temp.json && mv temp.json results.json shell: bash - name: Push report to CSPM panel run: | - curl --location --request POST 'https://${{ inputs.endpoint }}/api/v1/artifact/?tenant_id=${{ inputs.tenant_id }}&data_type=IAC&save_to_s3=false' --header 'Tenant-Id: ${{ inputs.tenant_id }}' --header 'Authorization: Bearer ${{ inputs.token }}' --form 'file=@"results.json"' + curl --location --request POST 'https://${{ inputs.endpoint }}/api/v1/artifact/?tenant_id=${{ inputs.tenant_id }}&data_type=IAC&label_id=${{ inputs.label }}&save_to_s3=false' --header 'Tenant-Id: ${{ inputs.tenant_id }}' --header 'Authorization: Bearer ${{ inputs.token }}' --form 'file=@"results.json"' + shell: bash + + - name: Capture Checkov exit code + id: capture-exit-code + run: | + echo "Checkov exit code: ${{ steps.checkov-scan.outcome }}" + if [ "${{ steps.checkov-scan.outcome }}" == "failure" ]; then + echo "checkov_failed=true" >> $GITHUB_ENV + fi + shell: bash + + - name: Fail pipeline at the end if Checkov scan failed + if: env.checkov_failed == 'true' + run: | + echo "Checkov scan failed. Exiting with failure." + exit 1 shell: bash
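Review bot: The rewritten curl line in "Push report to CSPM panel" splices `${{ inputs.label }}` (and, as before, `inputs.endpoint`, `inputs.tenant_id` and `inputs.token`) straight into the shell script, so each expression is expanded into the command text before bash parses it and a value containing a single quote or other shell metacharacters changes the command rather than the URL. The usual mitigation is to pass the inputs through the step's `env:` and reference them as double-quoted shell variables, as below; the label is also not URL-encoded, so a value containing `&` or `#` would silently alter or truncate the query. Separately, `curl` runs without `--fail`, so an HTTP 4xx/5xx from the panel (rejected token, unknown tenant or label) leaves the step green, and the later `exit 1` only reflects the Checkov outcome. The `checkov-scan` step whose `id` the capture step reads, and the enclosing `runs:` block, start outside the hunk, and I could not confirm from the hunk alone that a value written to `$GITHUB_ENV` is visible to a composite step's `if: env.checkov_failed == 'true'` — worth confirming in a test run.
```yaml
- name: Push report to CSPM panel
  env:
    CSPM_ENDPOINT: ${{ inputs.endpoint }}
    CSPM_TENANT_ID: ${{ inputs.tenant_id }}
    CSPM_LABEL: ${{ inputs.label }}
    CSPM_TOKEN: ${{ inputs.token }}
  run: |
    curl --fail --location --request POST \
      "https://${CSPM_ENDPOINT}/api/v1/artifact/?tenant_id=${CSPM_TENANT_ID}&data_type=IAC&label_id=${CSPM_LABEL}&save_to_s3=false" \
      --header "Tenant-Id: ${CSPM_TENANT_ID}" \
      --header "Authorization: Bearer ${CSPM_TOKEN}" \
      --form 'file=@"results.json"'
  # … unchanged: shell: bash …
```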