GitHub Action
Cloud One Conformity Pipeline Scanner
Pipeline scanner uses Cloud Conformity's Template Scanner to secure your CloudFormation templates before they're deployed.
- Have an Cloud One Conformity account. Sign up for free trial now if it's not already the case!
- A cloud formation template to be scan.
To use the script, specify the following required environment variables:
cc_apikey
(Cloud One Conformity API KEY)cc_region
(Cloud One Conformity account region)templatePath
(Path of the template to be scanned)templatesDirPath
(OPTIONAL. Location of the directory of templates to be scanned, (e.g., templates). This ignores the value of 'templatePath' if supplied.)maxExtreme | maxVeryHigh | maxHigh | maxMedium | maxLow
(Choose one or more of the options and set a number of how many violations are accepted)cc_output_result
(Either true or false, defaults to false. If set to true, it outputs the detected risks, instead of just the amount.)profileId
(OPTIONAL. Provides a profile Id to be used by the scanner.)accountId
(OPTIONAL. Provides an account Id to be used by the scanner.)
PS.: ALWAYS use secrets to expose your credentials!
Add an Action in your .github/workflow
yml file to scan your cloud formation template with Cloud One Conformity.
name: My CI/CD Pipeline
on:
push:
branches:
- main
jobs:
CloudFormation-Scan:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Cloud One Conformity Pipeline Scanner
uses: raphabot/conformity-template-scanner-pipeline@version
env:
cc_apikey: ${{ secrets.apikey }}
maxExtreme: 0
maxVeryHigh: 1
maxHigh: 3
maxMedium: 5
maxLow: 10
cc_region: us-west-2
templatePath: template/infrastructure.yaml
templatesDirPath: templates # This is an example to scan all the templates inside the folder "templates"
cc_output_results: true
To be able to scan your template using a Docker comtainer, follow the example below:
https://hub.docker.com/r/raphabot/conformity-template-scanner-pipeline
docker run -v /home/ec2-user/dynamotest.template:/app/dynamotest.template -e cc_apikey=$MYAPIKEY -e cc_region=$MYREGION -e maxExtreme=0 -e maxVeryHigh=0
-e maxHigh=0 -e maxMedium=0 -e maxLow=0 -e templatePath=infrastructure.yaml -cc_output_results=true felipecosta09/conformity-template-scanner-pipeline:latest
PS.: To be able to scan a local template from a machine or inside a pipeline, the parameter "-v" is required in the docker run command, the example specifies a local file being copied to the container that will scan the Cloud Formation template /home/ec2-user/dynamotest.template:/app/dynamotest.template
, where:
- /home/ec2-user/dynamotest.template - Represent the absolute path of the local Cloud Formation template file to be scanned;
- /app/dynamotest.template - The path where the file will be copied (ONLY CHANGE THE FILE NAME OF THE TEMPLATE);
To run the scanner in the Node CLI, just set the envinronment variables before execute the node script:
cc_apikey=$MYAPIKEY cc_region=$MYREGION maxExtreme=0 maxVeryHigh=0 maxHigh=0 maxMedium=0 maxLow=0 templatePath=infrastructure.yaml cc_output_results=true node scan.js
If you encounter a bug, think of a useful feature, or find something confusing in the docs, please create a new issue!
We ❤️ pull requests. If you'd like to fix a bug, contribute to a feature or just correct a typo, please feel free to do so.
Official support from Trend Micro is not available. Individual contributors may be Trend Micro employees, but are not official support.