Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
shield

GitHub Action

Mondoo Action

v2.1.0

Mondoo Action

shield

Mondoo Action

Mondoo Actions to scan IaC configs, containers, servers, clouds, and Kubernetes

Installation

Copy and paste the following snippet into your .yml file.

 
              
- name: Mondoo Action

              
  uses: mondoohq/[email protected]
Learn more about this action in mondoohq/actions

Choose a version

Mondoo GitHub Action

A set of GitHub Action for using Mondoo to check for vulnerabilities and misconfigurations in your GitHub projects. Actions have been organized into different asset types that Mondoo supports. We currently support the following asset types:

  • AWS - Scan AWS accounts for misconfigurations as a post-provisioning step in your pipeline.
  • Docker Image - Scan Docker images vulnerabilities and misconfigurations before pushing to a container registry.
  • GitHub Organization - Scan a GitHub organization and repositories for security configuration best practices.
  • GitHub Repository - Scan a GitHub repository for security configuration best practices.
  • Kubernetes - Scan Kubernetes Clusters post-deploy for continuous auditing and compliance of the cluster.
  • Kubernetes Manifest - Scan Kubernetes manifests for misconfigurations before applying changes to the cluster.
  • Policy - Publish Mondoo policies to Mondoo Platform using GitHub Actions.
  • Terraform HCL - Scan HashiCorp Terraform HCL code for security misconfigurations.
  • Terraform Plan - Scan HashiCorp Terraform Plan for security misconfigurations.
  • Terraform State - Scan HashiCorp Terraform State output for security misconfigurations.

Service Accounts

All Mondoo GitHub Actions require a service account to authenticate with Mondoo Platform and run policies enabled for your assets in the Policy Hub.

Create Service Account

To create a service account on Mondoo Platform:

  1. Log in to Mondoo Platform
  2. Select the Space you want to integrate with your repository.
  3. Select Settings and then Service Accounts.
  4. Select ADD ACCOUNT.
  5. Select the Base64-encoded checkbox, and then select the GENERATE NEW CREDENTIALS button.
  6. Copy the base64 encoded credentials and then move on to the next section.

Add new GitHub Actions Secrets

  1. Select Settings in your GitHub repository.
  2. Under the Security section select Actions.
  3. Select New repository secret.
  4. Name the secret MONDOO_SERVICE_ACCOUNT and paste the base64 encoded credentials from the previous section into the value input.
  5. Select Add secret.

Examples Workflows

Simple scan of nginx.yml Kubernetes manifest:

name: Mondoo Kubernetes Manifest scan
on:
  push:
    paths:
      - "k8s/*.yaml"
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: mondoohq/actions/[email protected]
        env:
          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
        with:
          path: k8s/manifest.yaml

Simple scan of Terraform files:

name: Mondoo Terraform scan
on:
  push:
    paths:
      - "terraform/main.tf"
jobs:
  steps:
    - uses: actions/checkout@v3

    - uses: mondoohq/actions/[email protected]
      env:
        MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
      with:
        path: terraform

Build a Docker image before pushing to a registry:

name: docker-build-scan-push

on:
  push:

env:
  APP: myapp
  VERSION: 0.1.0

jobs:
  docker-build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to GHCR.io
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Build and export to Docker
        uses: docker/build-push-action@v3
        with:
          context: .
          load: true
          tags: |
            ghcr.io/${{github.repository_owner}}/${{env.APP}}:latest
            ghcr.io/${{github.repository_owner}}/${{env.APP}}:${{env.VERSION}}
          secrets: GIT_AUTH_TOKEN=${{ secrets.GIT_AUTH_TOKEN }}
      - name: Scan Docker Image with Mondoo
        uses: mondoohq/actions/[email protected]
        env:
          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
        with:
          image: ghcr.io/${{github.repository_owner}}/${{env.APP}}:latest
      - name: Build and push
        uses: docker/build-push-action@v3
        with:
          context: .
          tags: |
            ghcr.io/${{github.repository_owner}}/${{env.APP}}:latest
            ghcr.io/${{github.repository_owner}}/${{env.APP}}:${{env.VERSION}}
          push: ${{ github.ref == 'refs/heads/main' }}

      - name: Image Digest
        run: echo ${{ steps.docker_build.outputs.digest }}

Join the community!

Join the Mondoo Community GitHub Discussions to collaborate on policy as code and security automation.

License

Mozilla Public License v2.0