-
Notifications
You must be signed in to change notification settings - Fork 12
/
action.yml
150 lines (150 loc) · 6.4 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
name: 'Prisma Cloud IaC Scan'
description: 'Scan you IaC templates for security issues'
author: 'Yatindra AP'
branding:
icon: 'shield'
color: 'orange'
runs:
using: 'node12'
main: 'dist/index.js'
inputs:
github_token:
required: false
default: ${{ github.token }}
description: |-
The GitHub Token. Required if any of the 'create*' options are turned on
You can choose to use a different token than the pipeline default `GITHUB_TOKEN`.
Eg: secrets.GITHUB_TOKEN
create_issue:
required: true
default: 'false'
description: |-
If turned on an Issue will be created with the scan report.
Note: Only created on scan failure.
create_pull_request_check:
required: true
default: 'false'
description: If turned on a Check on Pull Request will be created with the scan report
create_pull_request_comment:
required: true
default: 'false'
description: If turned on a Comment on the Pull Request will be created with the scan report
prisma_api_url:
required: true
description: |-
The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed.
The tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io.
Replace 'app' in the URL with 'api' and enter it here.
Refer to the Prisma Cloud REST API Reference (https://api.docs.prismacloud.io/reference#try-the-apis) for more details.
access_key:
required: true
description: |-
The access key enables programmatic access.
If you do not have a key, refer to Create and Manage Access Keys (https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-administrators/create-access-keys.html) to acquire one.
We recommend the actual value to be stored as a GitHub Secret and used here in the Action with secrets.PRISMA_CLOUD_ACCESS_KEY
secret_key:
required: true
description: |-
The secret key is provided to you at the time of Access Key generation.
You cannot view it on the Prisma Cloud web interface.
We recommend the actual value to be stored as a GitHub Secret and used here in the Action with secrets.PRISMA_CLOUD_SECRET_KEY
asset_name:
required: true
description: |-
Can be a project name or any identifier you want to attach to the scan.
Some examples are a CI/CD project name or a Git repository name.
Eg: 'my-repo-name'
tags:
required: false
description: |-
Prisma Cloud tags are different from cloud tags that you might have included in your IaC templates.
Prisma Cloud tags will facilitate use of upcoming Prisma Cloud features like role-based access control and policy selection.
Eg: 'owner:johndoe,team:creditapp,env:dev'
failure_criteria:
required: false
default: 'High:1,Medium:1,Low:1,Operator:or'
description: |-
Enables you to evaluate scan results against set failure criteria to obtain failed or passed verdicts.
You can set the count for high, medium, and low severity issues and use 'and'/'or' operators to refine your criteria.
The IaC scan API checks each severity violation number separately against scan results and applies the operator to each evaluation.
The scan triggers a failure if the number of violations is greater than or equal to the failureCriteria values.
The Pipeline will be set the Failed if the failure criteria matches.
scan_path:
required: false
default: './'
description: |-
Path of the directory containing the IaC files.
The path is relative to the repository root.
use_scan_path_when_pr:
required: false
default: "false"
description: |-
Specifies if files in scan_path should be scanned in context of a PR,
not only changed files. Otherwise, only files changed in context of PR
are scanned, which includes files outside of scan_path and excludes
unchanged files in scan_path. Default is false.
upload_scan_path_only:
required: false
default: "false"
description: |-
Specifies if only files in scan_path should be uploaded to be scanned.
By default the entire GitHub workspace directory is zipped and uploaded.
This option may be necessary if there are other files in the workspace
directory besides IaC template files. Too many files may cause the
action to timeout.
template_type:
required: true
description: |-
Specify the template type.
Valid values are as follows:
'TF' for Terraform
'CFT' for AWS CloudFormation
'K8S' for Kubernetes
template_version:
required: false
description: |-
Specify the template version.
Valid values are: '0.11', '0.12' and '0.13'
Note: Only used for 'TF' templateType.
variables:
required: false
description: |-
Template variables in comma separate key:value pairs.
Eg: 'k1:v1,k2:v2'
variable_files:
required: false
description: |-
Comma separated list of variable file paths.
Paths are relative to the repository root.
Eg: './var1.json,./var2.json'
result_path:
required: false
default: './prismacloud_iac'
description: |-
The directory relative to the workspace where scan result files will be stored
ignore_ssl:
required: false
default: 'false'
description: |-
Should internal API client ignore SSL errors.
Useful when using on GitHub Enterprise On-Prem behind SSL intercepting firewalls.
outputs:
iac_scan_result:
description: |-
Overall result of the scan.
Can be one of:
1. passed - When either no issues were found or the Failure Criteria threshold was not reached
2. failed - When issues were found and the Failure Criteria threshold for was reached
3. error - When there was a scan execution error, generally due to misconfiguration or invalid templates
iac_scan_result_summary:
description: Summary describing the result of the scan
iac_scan_result_path:
description: Path for the directory where result files should be written
iac_scan_result_issues_csv_path:
description: Path for the detailed Issue result CSV file
iac_scan_result_errors_csv_path:
description: Path for the detailed Error result CSV file
iac_scan_result_sarif_path:
description: Path for the detailed result SARIF Log file
iac_scan_result_md_path:
description: Path for the detailed result Markdown file