Skip to content

Commit

Permalink
Updated the logic to fail the pipeline with exit code 1 in the end af…
Browse files Browse the repository at this point in the history
…ter sending the results to accuknox saas when soft fail is false. & updated the readme file
  • Loading branch information
udit-uniyal committed Sep 25, 2024
1 parent 1d3862d commit fc81037
Show file tree
Hide file tree
Showing 2 changed files with 72 additions and 52 deletions.
93 changes: 46 additions & 47 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,25 +4,27 @@

- [About Accuknox](https://www.accuknox.com/)

| Input Values | Description | Optional/Required | Default Values |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------- | ----------------- | ------------------------ |
| file | Specify a file for scanning; cannot be used with directory input. Filter runners by file type, e.g., '.tf' for Terraform. | Optional | - |
| directory | Directory with infrastructure code and/or package manager files to scan | Optional | `.` |
| compact | Do not display code blocks in output | Optional | - |
| quiet | Display only failed checks | Optional | - |
| output_format | The format of the output. Options: cli, json, junitxml, github_failed_only, or sarif (comma-separated) | Optional | `json` |
| output_file_path | Path and name for the output file, needs to end with a comma for a single output format | Optional | ./results.json |
| soft_fail | Do not return an error code if there are failed checks | Optional | - |
| framework | Run only on a specific infrastructure, values can be Kubernetes or Terraform. | Optional(🚧) | - |
| skip_framework | Skip a specific infrastructure | Optional(🚧) | - |
| baseline | Path to a baseline file to compare. Report will include only failed checks that are not in the baseline | Optional | `baseline` |
| token | The token for authenticating with the CSPM panel | Required | - |
| tenant_id | The ID of the tenant associated with the CSPM panel | Required | - |
| endpoint | The URL of the CSPM panel to push the scan results to | Optional | `cspm.demo.accuknox.com` |
| label | The label created in AccuKnox SaaS for associating scan results. | Required | - |

| Input Values | Description | Optional/Required | Default Values |
|--------------|-------------|-------------------|----------------|
| file | Specify a file for scanning; cannot be used with directory input. Filter runners by file type, e.g., '.tf' for Terraform. | Optional | - |
| directory | Directory with infrastructure code and/or package manager files to scan | Optional | `.` |
| compact | Do not display code blocks in output | Optional | - |
| quiet | Display only failed checks | Optional | - |
| output_format | The format of the output. Options: cli, json, junitxml, github_failed_only, or sarif (comma-separated) | Optional | `json` |
| output_file_path | Path and name for the output file, needs to end with a comma for a single output format | Optional | ./results.json |
| soft_fail | Do not return an error code if there are failed checks | Optional | - |
| framework | Run only on a specific infrastructure, values can be Kubernetes or Terraform. | Optional(🚧) | - |
| skip_framework | Skip a specific infrastructure | Optional(🚧) | - |
| baseline | Path to a baseline file to compare. Report will include only failed checks that are not in the baseline | Optional | `baseline` |
| token | The token for authenticating with the CSPM panel | Required | - |
| tenant_id | The ID of the tenant associated with the CSPM panel | Required | - |
| endpoint | The URL of the CSPM panel to push the scan results to | Optional | `cspm.demo.accuknox.com` |
## Usage

Steps for using Install-action in a workflow yaml file
Steps for using Install-action in a workflow yaml file

- Checkout into the repo using checkout action.
- Utilize the accuknox/iac-scan-action repository with version tag v0.0.1.

Expand All @@ -32,42 +34,39 @@ Navigate to Tokens within the Settings section in the sidebar:

![1](https://github.com/udit-uniyal/iac-scan-action/assets/115368361/e3916e08-ab5c-46da-8504-d47778f7d6a8)

Click on Create Token:
Click on Create Token:
After clicking on 'Create Token,' the Tenant ID will be visible.
![2](https://github.com/udit-uniyal/iac-scan-action/assets/115368361/b49e25dd-fca0-458e-84d3-48de152ef57d)


Click on Generate:

![3](https://github.com/udit-uniyal/iac-scan-action/assets/115368361/11a2b277-649d-4ef7-b51f-861e8b947b59)


### workflow steps:

```yaml
- name: Run IaC scan
uses: accuknox/[email protected]
with:
file: #Optional
directory: #Optional
compact: #Optional
quiet: #Optional
output_format: #Optional
output_file_path: #Optional
framework: #Optional
skip_framework: #Optional
soft_fail: #Optional
endpoint: #Optional
baseline: #Optional
token:
tenant_id:
- name: Run IaC scan
uses: accuknox/[email protected]
with:
file: #Optional
directory: #Optional
compact: #Optional
quiet: #Optional
output_format: #Optional
output_file_path: #Optional
framework: #Optional
skip_framework: #Optional
soft_fail: #Optional
endpoint: #Optional
baseline: #Optional
token: #Required
tenant_id: #Required
label: #Required
```
## Sample Configuration
## Sample Configuration
```yaml

name: AccuKnox IaC Scan Workflow

on:
Expand All @@ -84,22 +83,22 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@main

- name: Run IaC scan
uses: accuknox/[email protected]
with:
file:
directory:
compact:
file:
directory:
compact:
quiet:
output_format:
output_format:
output_file_path:
framework:
skip_framework:
framework:
skip_framework:
soft_fail:
endpoint:
baseline:
baseline:
token: ${{ secrets.TOKEN }}
tenant_id: ${{ secrets.TENANT_ID }}

label: ${{ secrets.LABEL }}
```
31 changes: 26 additions & 5 deletions action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ inputs:
description: "Do not display code blocks in output"
required: false
quiet:
description: "display only failed checks"
description: "Display only failed checks"
required: false
output_format:
description: "The format of the output. cli, json, junitxml, github_failed_only, or sarif (comma separated)"
Expand All @@ -23,10 +23,10 @@ inputs:
required: false
default: "./results.json"
soft_fail:
description: "do not return an error code if there are failed checks"
description: "Do not return an error code if there are failed checks"
required: false
framework:
description: "Run only on a specific infrastructure, Supported: Kuberenetes & Terraform"
description: "Run only on a specific infrastructure, Supported: Kubernetes & Terraform"
required: false
skip_framework:
description: "Skip a specific infrastructure"
Expand All @@ -41,6 +41,9 @@ inputs:
description: "The URL of the CSPM panel to push the scan results to."
required: true
default: "cspm.demo.accuknox.com"
label:
description: "The label created in AccuKnox SaaS for associating scan results."
required: true

branding:
icon: "shield"
Expand Down Expand Up @@ -72,12 +75,30 @@ runs:
INPUT_SOFT_FAIL: ${{ inputs.soft_fail }}
INPUT_FRAMEWORK: ${{ inputs.framework }}

- name: Formating the results
continue-on-error: true

- name: Formatting the results
run: |
jq --arg repoLink "${{ github.server_url }}/${{ github.repository }}" --arg branch "${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref }}" '. += [{"details": {"repo": $repoLink, "branch": $branch}}]' results/results_json.json > temp.json && mv temp.json results.json
shell: bash

- name: Push report to CSPM panel
run: |
curl --location --request POST 'https://${{ inputs.endpoint }}/api/v1/artifact/?tenant_id=${{ inputs.tenant_id }}&data_type=IAC&save_to_s3=false' --header 'Tenant-Id: ${{ inputs.tenant_id }}' --header 'Authorization: Bearer ${{ inputs.token }}' --form 'file=@"results.json"'
curl --location --request POST 'https://${{ inputs.endpoint }}/api/v1/artifact/?tenant_id=${{ inputs.tenant_id }}&data_type=IAC&label_id=${{ inputs.label }}&save_to_s3=false' --header 'Tenant-Id: ${{ inputs.tenant_id }}' --header 'Authorization: Bearer ${{ inputs.token }}' --form 'file=@"results.json"'
shell: bash

- name: Capture Checkov exit code
id: capture-exit-code
run: |
echo "Checkov exit code: ${{ steps.checkov-scan.outcome }}"
if [ "${{ steps.checkov-scan.outcome }}" == "failure" ]; then
echo "checkov_failed=true" >> $GITHUB_ENV
fi
shell: bash

- name: Fail pipeline at the end if Checkov scan failed
if: env.checkov_failed == 'true'
run: |
echo "Checkov scan failed. Exiting with failure."
exit 1
shell: bash

0 comments on commit fc81037

Please sign in to comment.