#
# Author: Hari Sekhon
# Date: 2022-02-01 13:56:31 +0000 (Tue, 01 Feb 2022)
#
# vim:ts=2:sts=2:sw=2:et
#
# https://github.com/HariSekhon/GitHub-Actions
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
#
# https://www.linkedin.com/in/HariSekhon
#
# ============================================================================ #
# K i c s
# ============================================================================ #
# https://github.com/Checkmarx/kics/blob/master/docs/integrations_ghactions.md
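---
name: Kics
on:
  push:
    branches:
      - master
      - main
    # 'paths-ignore' is the path filter GitHub Actions recognises; the previous
    # 'ignore-paths' key is not valid and was silently ignored, so README-only
    # pushes still triggered a scan
    paths-ignore:
      - '**/README.md'
  pull_request:
    branches:
      - master
      - main
    paths-ignore:
      - '**/README.md'
  workflow_call:
    # https://github.com/Checkmarx/kics-github-action#inputs
    inputs:
      # directory (or file) to scan, relative to the checkout
      path:
        type: string
        required: false
        default: .
      # https://github.com/Checkmarx/kics/blob/master/docs/configuration-file.md
      # contents of a kics config file, written to kics.config at runtime
      config:
        type: string
        required: false
      queries:
        type: string
        required: false
      fail_on:
        type: string
        required: false
        #default: high,medium
      # forwarded to the action's 'ignore_on_exit' input
      ignore_on:
        type: string
        required: false
        default: results
      # declared as a string, so the default is quoted to match the type
      debug:
        type: string
        required: false
        default: 'false'
  workflow_dispatch:
    # surfaced so the DEBUG expression below (github.event.inputs.debug) can
    # actually be set on a manual run; dispatch inputs arrive as strings
    inputs:
      debug:
        type: boolean
        required: false
        default: false
  schedule:
    - cron: '0 0 * * 1'

# least privilege: 'security-events: write' is what upload-sarif needs,
# everything else read-only
permissions:
  actions: read
  contents: read
  security-events: write

defaults:
  run:
    shell: bash -euxo pipefail {0}

env:
  CONFIG: ${{ inputs.config }}
  CONFIG_FILE: ''
  # 'debug' is a string input, so it must also be compared with the string
  # 'true' - in expressions a string never equals boolean true
  DEBUG: ${{ inputs.debug == true || inputs.debug == 'true' || github.event.inputs.debug == 'true' || '' }}

jobs:
  kics:
    name: Kics Scan
    # github.event.repository.fork isn't available in scheduled workflows
    # can't prevent forks of this repo, because also prevents caller workflows
    #if: github.repository == 'HariSekhon/Github-Actions'
    runs-on: ubuntu-latest
    steps:
      - name: Environment
        run: env | sort

      - uses: actions/checkout@v3
        with:
          submodules: recursive  # requires Git 2.18+ to be installed first

      # inputs are handed to the shell through env vars rather than interpolated
      # with ${{ }} into the script, so their contents are never parsed as shell
      - name: Set environment variable SCAN_PATH
        env:
          INPUT_PATH: ${{ inputs.path }}
        run: echo "SCAN_PATH=${INPUT_PATH:-.}" >> "$GITHUB_ENV"

      - name: Make results dir
        run: mkdir -pv results

      - name: Create Config file
        if: ${{ env.CONFIG }}
        # written with '>' rather than '>>' so a kics.config already present in
        # the checkout cannot be appended to and silently merged with the caller's
        run: |
          printf '%s\n' "$CONFIG" > kics.config
          echo "CONFIG_FILE=kics.config" >> "$GITHUB_ENV"

      # https://github.com/Checkmarx/kics-github-action
      - name: Kics Scan
        # TODO: pin to a release tag or full-length commit SHA (e.g. @<commit-sha>)
        # instead of the mutable 'master' branch, which can change under this
        # workflow at any time
        uses: checkmarx/kics-action@master
        with:
          path: ${{ env.SCAN_PATH }}
          fail_on: ${{ inputs.fail_on }}
          # the caller-facing input is 'ignore_on'; 'inputs.ignore_on_exit' was
          # never declared, so its default of 'results' never reached the action
          ignore_on_exit: ${{ inputs.ignore_on }}
          output_path: results
          output_formats: 'json,sarif'
          # left disabled by the author, so the generated kics.config is not
          # consumed by the scan - confirm the action's behaviour on an empty
          # path before enabling
          #config_path: ${{ env.CONFIG_FILE }}
          queries: ${{ inputs.queries }}

      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results/results.sarif

      # summary stats, available in the Scan output already, use this only for post-processing
      #- name: Display Results
      #  run: jq . < results/results.json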