prisma-cloud-shiftleft/iac-scan-action
Prisma Cloud IaC Scan Action

Description

A GitHub Action that checks the IaC files present in the repository for security issues using the Prisma Cloud Infrastructure as Code Scan. Results can be delivered as a GitHub Issue, a pull request comment or a pull request check, or viewed as pipeline annotations.

Setup

Step 1: Acquire Prisma Cloud API credentials

To run the scan, the action needs a Prisma Cloud Access Key and Secret Key.

If you do not have a key, refer to Create and Manage Access Keys to acquire one.

Step 2: Create GitHub secrets from the API credentials

Create GitHub Secrets called PRISMA_CLOUD_ACCESS_KEY and PRISMA_CLOUD_SECRET_KEY for the Access Key and Secret Key respectively with the values acquired in Step 1.

Refer to Encrypted secrets for more details on how to setup secrets.

Step 3: Configure Workflow

Configure your workflow based on the following example.

Note: the actions/checkout step is required to run before the scan action, otherwise the action does not have access to the IaC files to be scanned.

name: Prisma Cloud IaC Scan Example
on: [ pull_request ]

jobs:
  prisma_cloud_iac_scan:
    runs-on: ubuntu-latest
    name: Run Prisma Cloud IaC Scan
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Run Scan on IaC files in the repository
        uses: prisma-cloud-shiftleft/iac-scan-action@v1
        id: iac-scan
        with:
          prisma_api_url: 'https://api.prismacloud.io'
          access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
          secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
          asset_name: 'my-asset-name'
          template_type: 'TF'
          template_version: '0.13'
      - name: Upload scan result artifact
        uses: actions/upload-artifact@v2
        if: success() || failure()
        with:
          name: iac_scan_result
          path: ${{ steps.iac-scan.outputs.iac_scan_result_path }}

Configuration Options

Scan options

Config key (requirement or default) and description:

prisma_api_url (Required)
  The Prisma Cloud API URL varies with the region and cluster on which your tenant is deployed. If your tenant is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io, replace app in the hostname with api and enter the result here. Refer to the Prisma Cloud REST API Reference for more details.

access_key (Required)
  Refer to Create and Manage Access Keys to acquire Access and Secret keys. Store the actual value as a GitHub Secret and reference it in the Action as ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}.

secret_key (Required)
  The secret key is shown only once, at Access Key generation; it cannot be retrieved afterwards. Store the actual value as a GitHub Secret and reference it in the Action as ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}.

asset_name (Required)
  A project name or any identifier you want attached to the scan, for example a CI/CD project name or a Git repository name. Eg: my-repo-name

template_type (Required)
  The template type. Valid values are:
  TF for Terraform
  CFT for AWS CloudFormation
  K8S for Kubernetes

template_version
  The Terraform template version. Valid values are 0.11, 0.12 and 0.13. Only used when template_type is TF.

tags
  Prisma Cloud tags, which are distinct from the cloud resource tags you might have included in your IaC templates. Prisma Cloud tags facilitate upcoming Prisma Cloud features such as role-based access control and policy selection. Eg: owner:johndoe,team:creditapp,env:dev

failure_criteria (Default: High:1,Medium:1,Low:1,Operator:or)
  Evaluates the scan results against a failure threshold to produce a passed or failed verdict. Set the violation count for high, medium and low severity and combine the three conditions with the and/or operator. The IaC scan API checks each severity separately: a condition is met when the number of violations at that severity is greater than or equal to the configured value, and the operator is then applied across the three conditions. If the combined criteria are met, the scan is reported as failed and the pipeline step fails.

scan_path (Default: ./)
  Path of the directory containing the IaC files, relative to the repository root.

use_scan_path_when_pr (Default: false)
  Controls which files are scanned in the context of a pull request. When false, only the files changed in the pull request are scanned, which includes changed files outside scan_path and excludes unchanged files inside scan_path. When true, all files in scan_path are scanned whether or not they changed.

upload_scan_path_only (Default: false)
  When true, only the files in scan_path are uploaded for scanning. By default the entire GitHub workspace directory is zipped and uploaded. Enable this if the workspace contains files other than IaC templates; uploading too many files can cause the action to time out.

variables
  Template variables as comma-separated key:value pairs. Eg: k1:v1,k2:v2

variable_files
  Comma-separated list of variable file paths, relative to the repository root. Eg: ./var1.json,./var2.json

create_issue (Default: false)
  When true, an Issue containing the scan report is created. Note: the Issue is only created when the scan fails.

create_pull_request_check (Default: false)
  When true, a Check containing the scan report is created on the Pull Request.

create_pull_request_comment (Default: false)
  When true, a Comment containing the scan report is posted on the Pull Request.

github_token (Default: ${{ github.token }})
  The GitHub token used to create the Issue, Check or Comment; required if any of the create_* options above is turned on. You can supply a token other than the pipeline default GITHUB_TOKEN, eg: ${{ secrets.GITHUB_TOKEN }}. Whichever token is used must have write access to issues, checks or pull requests as appropriate; if your workflow's default token permissions are read-only, grant those scopes explicitly.

result_path (Default: ./prismacloud_iac)
  Path of the directory where result files are written.

ignore_ssl (Default: false)
  Whether the internal API client ignores TLS certificate errors. Useful when running on GitHub Enterprise on-premises. Note that this disables certificate verification for the connection that carries your Prisma Cloud credentials, so leave it off unless the network path is trusted.
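The failure_criteria rule above is easy to misread, in particular how the operator combines the three severity thresholds. The following is an added example that models the documented rule in Python; it is not the action's own code, and it makes two assumptions that the page does not state: the operator is matched case-insensitively, and each threshold must be at least 1 (under the greater-than-or-equal rule a threshold of 0 would always be reached, so the parser rejects it). The violation counts fed to it are constructed for the illustration.

```python
"""Evaluate a Prisma Cloud IaC Scan failure_criteria string against violation counts.

Added example modelling the rule documented for the failure_criteria option;
this is not the iac-scan-action's own implementation.
"""

from dataclasses import dataclass

SEVERITIES = ("High", "Medium", "Low")
OPERATORS = ("and", "or")


@dataclass(frozen=True)
class FailureCriteria:
    thresholds: dict  # severity -> minimum violation count that counts as "met"
    operator: str     # "and" or "or"


def parse_failure_criteria(text: str) -> FailureCriteria:
    """Parse e.g. 'High:1,Medium:1,Low:1,Operator:or' into thresholds and an operator."""
    thresholds = {}
    operator = None
    for part in text.split(","):
        key, sep, value = part.strip().partition(":")
        if not sep:
            raise ValueError(f"malformed entry {part!r}: expected key:value")
        key, value = key.strip(), value.strip()
        if key == "Operator":
            # Assumption: operator is case-insensitive ("or", "OR", "Or" all accepted).
            if value.lower() not in OPERATORS:
                raise ValueError(f"unknown operator {value!r}; expected one of {OPERATORS}")
            operator = value.lower()
        elif key in SEVERITIES:
            if not value.isdigit() or int(value) < 1:
                # Assumption: thresholds must be >= 1. With the documented
                # greater-than-or-equal rule, a threshold of 0 is always reached.
                raise ValueError(f"{key} threshold must be a positive integer, got {value!r}")
            thresholds[key] = int(value)
        else:
            raise ValueError(f"unknown key {key!r}; expected High, Medium, Low or Operator")
    missing = [s for s in SEVERITIES if s not in thresholds]
    if operator is None:
        missing.append("Operator")
    if missing:
        raise ValueError(f"incomplete criteria, missing: {', '.join(missing)}")
    return FailureCriteria(thresholds, operator)


def evaluate(criteria: FailureCriteria, counts: dict) -> str:
    """Return the verdict the iac_scan_result output would carry: 'passed' or 'failed'.

    Each severity is checked separately: its condition is met when the number of
    violations at that severity is greater than or equal to its threshold.
    Operator:or fails the scan if any condition is met; Operator:and requires all three.
    Severities absent from `counts` are treated as zero violations.
    """
    met = [counts.get(sev, 0) >= criteria.thresholds[sev] for sev in SEVERITIES]
    failed = all(met) if criteria.operator == "and" else any(met)
    return "failed" if failed else "passed"


def demo() -> str:
    """Walk through one constructed scan result with a strict 'and' policy."""
    criteria = parse_failure_criteria("High:1,Medium:5,Low:10,Operator:and")
    # Constructed counts: 2 high, 1 medium, 0 low violations.
    counts = {"High": 2, "Medium": 1, "Low": 0}
    # Only the High condition is met (2 >= 1); Medium (1 < 5) and Low (0 < 10) are not,
    # so with Operator:and the verdict is "passed". With Operator:or it would be "failed".
    return evaluate(criteria, counts)


if __name__ == "__main__":
    default = parse_failure_criteria("High:1,Medium:1,Low:1,Operator:or")
    print("default criteria, one low finding:",
          evaluate(default, {"High": 0, "Medium": 0, "Low": 1}))
    print("strict 'and' criteria, constructed counts:", demo())
```

The practical consequence the example makes visible: with the default Operator:or and thresholds of 1, a single finding of any severity fails the pipeline, while Operator:and fails it only when every severity reaches its threshold, which is usually far more permissive than intended. Pick the operator deliberately rather than inheriting the default.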

Scan outputs

Step outputs

Output and description:

iac_scan_result
  Overall result of the scan. One of:
  1. passed - either no issues were found or the failure criteria threshold was not reached
  2. failed - issues were found and the failure criteria threshold was reached
  3. error - a scan execution error occurred, generally due to misconfiguration or invalid templates
iac_scan_result_summary
  Summary describing the result of the scan
iac_scan_result_path
  Path of the directory where result files were written
iac_scan_result_issues_csv_path
  Path of the detailed Issue result CSV file
iac_scan_result_errors_csv_path
  Path of the detailed Error result CSV file
iac_scan_result_sarif_path
  Path of the detailed result SARIF Log file
iac_scan_result_md_path
  Path of the detailed result Markdown file
Files written to workspace

All paths are relative to the workspace root. The base path ./prismacloud_iac is configurable via the result_path option.

File Description
./prismacloud_iac/issues.csv Scan Issue report in CSV format
./prismacloud_iac/errors.csv Scan Error report in CSV format
./prismacloud_iac/result.md Scan report in Markdown format
./prismacloud_iac/result.sarif Scan report in SARIF Log format

SARIF upload

When a scan finds issues, the action always writes the report in SARIF Log format to the workspace (result.sarif under result_path). The example below uploads that file with the upload-sarif action so the findings appear as GitHub code scanning alerts; the if: success() || failure() condition ensures the upload runs even when the scan step fails the job.

name: Prisma Cloud IaC Scan Example
on: [ pull_request ]

jobs:
  prisma_cloud_iac_scan:
    runs-on: ubuntu-latest
    name: Run Prisma Cloud IaC Scan
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Run Scan on CFT files in the repository
        uses: prisma-cloud-shiftleft/iac-scan-action@v1
        id: iac-scan
        with:
          prisma_api_url: 'https://api.prismacloud.io'
          access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
          secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
          asset_name: 'my-asset-name'
          template_type: 'CFT'
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        if: success() || failure()
        with:
          sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }}