Merge pull request #58 from slashben/adding-compliance-threshold

support for complianceThreshold
kubescape · Jan 9, 2024 · cb0c547 · cb0c547
2 parents 1dd909c + 9194bdb
commit cb0c547
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/.github/workflows/example-scan-image.yaml b/.github/workflows/example-scan-image.yaml
@@ -12,7 +12,7 @@ jobs:
     - uses: kubescape/github-action@main
       continue-on-error: true
       with:
-        image: quay.io/kubescape/kubescape
+        image: quay.io/kubescape/kubescape:v3.0.3
         format: sarif
         outputFile: results.sarif
         # severityThreshold: "critical"

diff --git a/action.yml b/action.yml
@@ -6,6 +6,11 @@ inputs:
       Failure threshold is the percent above which the command fails and
       returns exit code 1 (default 0 i.e, action fails if any control fails)
     required: false
+  complianceThreshold:
+    description: |
+      Compliance threshold is the percent bellow which the command fails and
+      returns exit code 1 (example: if set to 100 the command will fail if any control fails)
+    required: false
   severityThreshold:
     description: |
       Severity threshold is the severity of a failed control at or above which

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -20,10 +20,16 @@ set -e
 export KS_CLIENT="github_actions"
 
 if [ -n "${INPUT_FRAMEWORKS}" ] && [ -n "${INPUT_CONTROLS}" ]; then
-  echo "Framework and Control are specified. Please specify either one of them or neither"
+  echo "Framework and Control are specified. Please specify either one of them"
   exit 1
 fi
 
+if [ -z "${INPUT_FRAMEWORKS}" ] && [ -z "${INPUT_CONTROLS}" ] && [ -z "${INPUT_IMAGE}" ]; then
+  echo "Neither Framework, Control nor image are specified. Please specify one of them"
+  exit 1
+fi
+
+
 if [ -n "${INPUT_FRAMEWORKS}" ] && [ -n "${INPUT_IMAGE}" ] || [ -n "${INPUT_CONTROLS}" ] && [ -n "${INPUT_IMAGE}" ] ; then
   errmsg="Image and Framework / Control are specified. Kubescape does not support scanning both at the moment."
   errmsg="${errmsg} Please specify either one of them or neither."
@@ -99,7 +105,13 @@ account_opt=$([ -n "${INPUT_ACCOUNT}" ] && echo --account "${INPUT_ACCOUNT}" ||
 artifacts_path="/home/ks/.kubescape"
 artifacts_opt=$([ -n "${INPUT_ACCOUNT}" ] && echo "" || echo --use-artifacts-from "${artifacts_path}")
 
+if [ -n "${INPUT_FAILEDTHRESHOLD}" ] && [ -n "${INPUT_COMPLIANCETHRESHOLD}" ]; then
+  echo "Both failedThreshold and complianceThreshold are specified. Please specify either one of them or neither"
+  exit 1
+fi
+
 fail_threshold_opt=$([ -n "${INPUT_FAILEDTHRESHOLD}" ] && echo --fail-threshold "${INPUT_FAILEDTHRESHOLD}" || echo "")
+compliance_threshold_opt=$([ -n "${INPUT_COMPLIANCETHRESHOLD}" ] && echo --compliance-threshold "${INPUT_COMPLIANCETHRESHOLD}" || echo "")
 
 # When a user requests to fix files, the action should not fail because the
 # results exceed severity. This is subject to change in the future.
@@ -146,7 +158,7 @@ if [ -n "${INPUT_IMAGE}" ]; then
 fi
 
 # TODO: include artifacts_opt once https://github.com/kubescape/kubescape/issues/1040 is resolved
-scan_command="kubescape scan ${image_subcmd} ${frameworks_cmd} ${controls_cmd} ${scan_input} ${account_opt} ${fail_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions} ${controls_config}"
+scan_command="kubescape scan ${image_subcmd} ${frameworks_cmd} ${controls_cmd} ${scan_input} ${account_opt} ${fail_threshold_opt} ${compliance_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions} ${controls_config}"
 
 echo "${scan_command}"
 eval "${scan_command}"