Updates flags for Github Actions to add support for skip-frameworks, skip-cve-package & output-bc-ids #148

Merged
merged 5 commits into from
Oct 26, 2023
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -82,8 +82,11 @@ jobs:
quiet: true # optional: display only failed checks
soft_fail: true # optional: do not return an error code if there are failed checks
framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
skip_framework: terraform # optional: skip a specific infrastructure {cloudformation,terraform,kubernetes,all}
skip_cve_package: CVE_2019_8331 # optional: skip a specific CVE package in SCA scans, can be comma separated list
output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
output_file_path: reports/results.sarif # folder and name of results file
output_bc_ids: true # optional: output Bridgecrew platform IDs instead of checkov IDs
download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
repo_root_for_plan_enrichment: example/ #optional: Directory containing the hcl code used to generate a given terraform plan file. Use together with `file`
var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans.
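Review bot: the `skip_framework` example comment lists `{cloudformation,terraform,kubernetes,all}`, copied from the `framework` line above it; `all` is not a meaningful value to skip (it would exclude every framework), so drop it from the documented set for `skip_framework`. The `skip_cve_package` example `CVE_2019_8331` also uses underscores while the action.yml description for the same input uses the standard hyphenated form `CVE-2018-19788`; pick one format in both places so users know which string the filter actually matches.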
16 changes: 14 additions & 2 deletions action.yml
Expand Up @@ -25,6 +25,9 @@ inputs:
api-key:
description: 'Environment variable name of the Bridgecrew API key from Bridgecrew app'
required: false
output-bc-ids:
description: 'Output Bridgecrew IDs (BC...) instead of Checkov IDs (CKV...)'
required: false
use_enforcement_rules:
description: 'Use the Enforcement rules configured in the platform for hard / soft fail logic. See checkov help text for more details on the nuances of this option.'
required: false
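Review bot: the new input is declared as `output-bc-ids` (hyphen), but the `runs.args` list later in this file references `${{ inputs.output_bc_ids }}` and the README documents `output_bc_ids: true`. An expression for an input that is not declared evaluates to an empty string, so the user's setting never reaches the container. Rename the declaration to `output_bc_ids:` to match the other snake_case inputs (only `api-key` uses a hyphen here), or change the two references to the hyphenated name.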
Expand All @@ -37,6 +40,9 @@ inputs:
framework:
description: 'run only on a specific infrastructure'
required: false
skip_framework:
description: 'skip a specific infrastructure'
required: false
external_checks_dirs:
description: 'comma separated list of external (custom) checks directories'
required: false
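Review bot: the `skip_framework` description 'skip a specific infrastructure' does not say which values are accepted or whether several can be given; the README line for this input hints at a value set, so mirror that here (e.g. 'skip a specific infrastructure framework, one of cloudformation, terraform, kubernetes; comma separated') so the action's own help is self-contained.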
Expand Down Expand Up @@ -104,10 +110,10 @@ inputs:
description: 'Environment variable name for a Bitbucket access token to scan external modules sourced from a private Bitbucket repository'
required: false
bitbucket_app_password:
description: 'Environment variable name for a Bitbucket app password to perform basic auth inorder to scan external modules sourced from a private Bitbucket repository. To be used with bitbucket_usernam'
description: 'Environment variable name for a Bitbucket app password to perform basic auth in order to scan external modules sourced from a private Bitbucket repository. To be used with bitbucket_usernam'
required: false
bitbucket_username:
description: 'Environment variable name for a Bitbucket username to perform basic auth inorder to scan external modules sourced from a private Bitbucket repository. To be used with bitbucket_app_password'
description: 'Environment variable name for a Bitbucket username to perform basic auth in order to scan external modules sourced from a private Bitbucket repository. To be used with bitbucket_app_password'
required: false
repo_root_for_plan_enrichment:
description: 'Directory containing the hcl code used to generate a given plan file. Use with `file`'
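Review bot: since these two description lines are being touched to fix "inorder", also fix the truncated cross-reference `bitbucket_usernam` in the `bitbucket_app_password` description; the input it points to is declared as `bitbucket_username` two lines below.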
Expand All @@ -118,6 +124,9 @@ inputs:
skip_path:
description: 'Path (file or directory) to skip, using regular expression logic, relative to the current working directory. Word boundaries are not implicit; i.e., specifying "dir1" will skip any directory or subdirectory named "dir1". Ignored with -f. (comma separated)'
required: false
skip_cve_package:
description: 'Filter scan to run on all packages except for a specific CVE package identifier, e.g. CVE-2018-19788 (comma separated)'
required: false
outputs:
results:
description: 'The results from the infrastructure scan'
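Review bot: the `skip_cve_package` description says it filters out "a specific CVE package identifier" but the example given is a CVE ID (`CVE-2018-19788`), not a package name; clarify whether the value is a CVE identifier, a package name, or either, since that determines what users should pass and how the comma-separated list is matched.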
Expand All @@ -136,9 +145,11 @@ runs:
- ${{ inputs.compact }}
- ${{ inputs.quiet }}
- ${{ inputs.soft_fail }}
- ${{ inputs.output_bc_ids }}
- ${{ inputs.use_enforcement_rules }}
- ${{ inputs.skip_results_upload }}
- ${{ inputs.framework }}
- ${{ inputs.skip_framework }}
- ${{ inputs.external_checks_dirs }}
- ${{ inputs.external_checks_repos }}
- ${{ inputs.output_format }}
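Review bot: `inputs.output_bc_ids` and `inputs.skip_framework` are inserted in the middle of a positional argument list, which shifts the index of every argument that follows (`use_enforcement_rules`, `skip_results_upload`, `framework`, `external_checks_dirs`, and so on). The script that consumes these positionals is not part of this diff (only README.md and action.yml are changed), so either confirm in the PR that the entrypoint's argument indices were updated in the same change, or append the new inputs at the end of the list to avoid renumbering. Also note the `inputs.output_bc_ids` reference here does not match the `output-bc-ids` name declared under `inputs:` above.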
Expand All @@ -156,6 +167,7 @@ runs:
- ${{ inputs.repo_root_for_plan_enrichment }}
- ${{ inputs.policy_metadata_filter }}
- ${{ inputs.skip_path }}
- ${{ inputs.skip_cve_package }}
- "--user ${{ inputs.container_user }}"
env:
API_KEY_VARIABLE: ${{ inputs.api-key }}