-
Notifications
You must be signed in to change notification settings - Fork 29
/
action.yml
166 lines (163 loc) · 7.14 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
name: 'Bridgecrew Github Action'
author: 'Bridgecrew.io'
description: 'Find and fix security and compliance issues in infrastructure as code, open source packages, container images, and CI/CD configurations using Bridgecrew Action'
inputs:
file:
description: 'File with infrastructure code or packages to scan'
required: false
directory:
description: 'directory with infrastructure code to scan'
default: '.'
required: false
check:
description: 'Run scan only on a specific check identifier (comma separated)'
required: false
skip_check:
description: 'Run scan on all checks but a specific check identifier (comma separated)'
required: false
compact:
description: 'Do not display code blocks in output'
required: false
quiet:
description: 'display only failed checks'
required: false
api-key:
description: 'Environment variable name of the Bridgecrew API key from Bridgecrew app'
required: false
use_enforcement_rules:
description: 'Use the Enforcement rules configured in the platform for hard / soft fail logic. See checkov help text for more details on the nuances of this option.'
required: false
skip_results_upload:
description: 'Do not upload scan results to the platform to view in the console. Results are only available locally. If you use the --support flag, logs will still get uploaded.'
required: false
enable_secrets_scan_all_files:
description: 'Scan all files for secrets'
required: false
soft_fail:
description: 'do not return an error code if there are failed checks'
required: false
framework:
description: 'run only on a specific infrastructure'
required: false
external_checks_dirs:
description: 'comma separated list of external (custom) checks directories'
required: false
external_checks_repos:
description: 'comma separated list of external (custom) checks repositories'
required: false
output_format:
description: 'The format of the output. cli, json, junitxml, github_failed_only, or sarif'
required: false
default: 'sarif'
output_file_path:
description: Path and name for output file.
required: false
download_external_modules:
description: 'download external terraform modules from public git repositories and terraform registry:true, false'
required: false
log_level:
description: 'log level'
required: false
default: 'WARNING'
config_file:
description: 'checkov configuration file'
required: false
baseline:
description: 'Path to a .checkov.baseline file to compare. Report will include only failed checks that are not in the baseline'
required: false
soft_fail_on:
description: 'Do not return an error code only for specific check identifiers (comma separated)'
required: false
hard_fail_on:
description: 'Return an error code only for specific check identifiers (comma separated)'
required: false
container_user:
default: 0
description: 'Set the username or UID used and optionally the groupname or GID for the action to run under'
required: false
docker_image:
description: 'Name of the docker image with the tags. Only works with an API and Dockerfile path'
required: false
dockerfile_path:
description: 'Path to the Dockerfile of the scanned docker image'
required: false
var_file:
description: 'Variable files to load in addition to the default files. Currently only supported for source Terraform (.tf file), and Helm chart scans. Requires using --directory, not --file.'
required: false
github_pat:
description: 'Environment variable name for a Github personal access token for scanning external modules sourced from private repositories'
required: false
tfc_token:
description: 'Environment variable name for a Terraform Cloud token for scanning external modules sourced from private registries'
required: false
vcs_base_url:
description: 'Environment variable name for the base url of a self hosted VCS with external modules. To be used with vcs_username and vcs_token'
required: false
vcs_username:
description: 'Environment variable name for the username for basic auth against a self hosted VCS with external modules. To be used with vcs_base_url and vcs_token'
required: false
vcs_token:
description: 'Environment variable name for the password (personal access token) for basic auth against a self hosted VCS with external modules. To be used with vcs_base_url and vcs_username'
required: false
bitbucket_token:
description: 'Environment variable name for a Bitbucket access token to scan external modules sourced from a private Bitbucket repository'
required: false
bitbucket_app_password:
description: 'Environment variable name for a Bitbucket app password to perform basic auth inorder to scan external modules sourced from a private Bitbucket repository. To be used with bitbucket_usernam'
required: false
bitbucket_username:
description: 'Environment variable name for a Bitbucket username to perform basic auth inorder to scan external modules sourced from a private Bitbucket repository. To be used with bitbucket_app_password'
required: false
repo_root_for_plan_enrichment:
description: 'Directory containing the hcl code used to generate a given plan file. Use with `file`'
required: false
policy_metadata_filter:
description: 'comma separated key:value string to filter policies based on Prisma Cloud policy metadata. See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for information on allowed filters. Format: policy.label=test,cloud.type=aws'
required: false
outputs:
results:
description: 'The results from the scan'
branding:
icon: 'shield'
color: 'purple'
runs:
using: 'docker'
image: 'docker://bridgecrew/bridgecrew:3.1.20'
args:
- ${{ inputs.file }}
- ${{ inputs.directory }}
- ${{ inputs.check }}
- ${{ inputs.skip_check }}
- ${{ inputs.compact }}
- ${{ inputs.quiet }}
- ${{ inputs.soft_fail }}
- ${{ inputs.use_enforcement_rules }}
- ${{ inputs.skip_results_upload }}
- ${{ inputs.enable_secrets_scan_all_files }}
- ${{ inputs.framework }}
- ${{ inputs.external_checks_dirs }}
- ${{ inputs.external_checks_repos }}
- ${{ inputs.output_format }}
- ${{ inputs.output_file_path }}
- ${{ inputs.download_external_modules }}
- ${{ inputs.log_level }}
- ${{ inputs.config_file }}
- ${{ inputs.baseline }}
- ${{ inputs.hard_fail_on }}
- ${{ inputs.soft_fail_on }}
- ${{ inputs.docker_image }}
- ${{ inputs.dockerfile_path }}
- ${{ inputs.var_file }}
- ${{ inputs.repo_root_for_plan_enrichment }}
- ${{ inputs.policy_metadata_filter }}
- "--user ${{ inputs.container_user }}"
env:
API_KEY_VARIABLE: ${{ inputs.api-key }}
GITHUB_PAT: ${{ inputs.github_pat }}
TFC_TOKEN: ${{ inputs.tfc_token }}
VCS_USERNAME: ${{ inputs.vcs_username }}
VCS_BASE_URL: ${{ inputs.vcs_base_url }}
VCS_TOKEN: ${{ inputs.vcs_token }}
BITBUCKET_TOKEN: ${{ inputs.bitbucket_token }}
BITBUCKET_USERNAME: ${{ inputs.bitbucket_username }}
BITBUCKET_APP_PASSWORD: ${{ inputs.bitbucket_app_password }}