#!/bin/bash
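exit_with_err() {
  # Print an error message and terminate the whole script with status 1.
  # Arguments: $1 - message (required; the ${1?} expansion aborts if missing)
  # Diagnostics go to stderr so they are not interleaved with scan output on
  # stdout (the original wrote them to stdout).
  local msg="${1?}"
  printf 'ERROR: %s\n' "${msg}" >&2
  exit 1
}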
function run_orca_iac_scan() {
  #######################################
  # Run `orca-cli iac scan` inside the checked-out repository.
  # Globals:   GITHUB_WORKSPACE, GLOBAL_FLAGS, SCAN_FLAGS, GITHUB_OUTPUT (read)
  #            ORCA_EXIT_CODE (written and exported)
  # Outputs:   echoes the command line, then appends exit_code=<n> to
  #            the GITHUB_OUTPUT file
  #######################################
  cd "${GITHUB_WORKSPACE}" || exit_with_err "could not find GITHUB_WORKSPACE: ${GITHUB_WORKSPACE}"
  # NOTE(review): presumably needed because the workspace is owned by a
  # different uid than the container user — confirm against the image.
  git config --global --add safe.directory "$PWD"
  local -a scan_cmd=(orca-cli "${GLOBAL_FLAGS[@]}" iac scan "${SCAN_FLAGS[@]}")
  # Logging the full command line is safe here: the API token is passed via the
  # ORCA_SECURITY_API_TOKEN environment variable, never as a flag.
  echo "Running Orca IaC scan:"
  echo "${scan_cmd[@]}"
  "${scan_cmd[@]}"
  ORCA_EXIT_CODE=$?
  export ORCA_EXIT_CODE
  # Expose the scanner's status to later workflow steps.
  echo "exit_code=${ORCA_EXIT_CODE}" >>"$GITHUB_OUTPUT"
}
function set_global_flags() {
  #######################################
  # Build GLOBAL_FLAGS (orca-cli options placed before the sub-command) from
  # the action's INPUT_* environment variables.
  # Each table entry is kind:flag:variable. "value" flags are emitted with the
  # variable's content whenever it is non-empty; "bool" flags are emitted only
  # when the variable equals the string "true". Order is preserved.
  # Globals:   INPUT_* (read), GLOBAL_FLAGS (written)
  # Returns:   always 0
  #######################################
  GLOBAL_FLAGS=()
  local entry kind flag var
  for entry in \
    'value:--exit-code:INPUT_EXIT_CODE' \
    'bool:--no-color:INPUT_NO_COLOR' \
    'value:--project-key:INPUT_PROJECT_KEY' \
    'bool:--silent:INPUT_SILENT' \
    'value:--config:INPUT_CONFIG' \
    'bool:--disable-err-report:INPUT_DISABLE_ERR_REPORT' \
    'value:--display-name:INPUT_DISPLAY_NAME' \
    'bool:--debug:INPUT_DEBUG' \
    'value:--log-path:INPUT_LOG_PATH'; do
    IFS=: read -r kind flag var <<<"${entry}"
    case "${kind}" in
      value) [[ -n "${!var}" ]] && GLOBAL_FLAGS+=("${flag}" "${!var}") ;;
      bool) [[ "${!var}" == "true" ]] && GLOBAL_FLAGS+=("${flag}") ;;
    esac
  done
  return 0
}
# JSON output must always be produced and written to a file: the annotation
# step (annotate) reads <output dir>/iac.json from it.
function prepare_json_to_file_flags() {
  #######################################
  # Derive the output-related scan flags so that a JSON report lands on disk
  # regardless of what the user asked for.
  # Globals:   INPUT_OUTPUT, INPUT_CONSOLE_OUTPUT, INPUT_FORMAT (read)
  #            OUTPUT_FOR_JSON, CONSOLE_OUTPUT_FOR_JSON, FORMATS_FOR_JSON
  #            (written and exported)
  #######################################
  if [[ -n "${INPUT_OUTPUT}" ]]; then
    # User supplied an output directory; honour their console choice as-is.
    OUTPUT_FOR_JSON="${INPUT_OUTPUT}"
    CONSOLE_OUTPUT_FOR_JSON="${INPUT_CONSOLE_OUTPUT}"
  else
    # No directory given: store results in a default folder and keep printing
    # the requested (or default cli) format to the console.
    OUTPUT_FOR_JSON="orca_results/"
    CONSOLE_OUTPUT_FOR_JSON="${INPUT_FORMAT:-cli}"
  fi
  # Make sure "json" is part of the format list without dropping the default.
  case "${INPUT_FORMAT}" in
    '') FORMATS_FOR_JSON="cli,json" ;;
    *json*) FORMATS_FOR_JSON="${INPUT_FORMAT}" ;;
    *) FORMATS_FOR_JSON="${INPUT_FORMAT},json" ;;
  esac
  # Consumed by set_iac_scan_flags and by the annotation step.
  export OUTPUT_FOR_JSON CONSOLE_OUTPUT_FOR_JSON FORMATS_FOR_JSON
}
function set_iac_scan_flags() {
  #######################################
  # Build SCAN_FLAGS (options for `orca-cli iac scan`) from the INPUT_*
  # environment plus the output variables prepared by prepare_json_to_file_flags.
  # Table entries are kind:flag:variable:
  #   value  -> "<flag> <value>" when the variable is non-empty
  #   bool   -> "<flag>" when the variable equals "true"
  #   joined -> "<flag>=<value>" as a single argument when non-empty
  # Order is preserved.
  # Globals:   INPUT_*, FORMATS_FOR_JSON, OUTPUT_FOR_JSON,
  #            CONSOLE_OUTPUT_FOR_JSON (read); SCAN_FLAGS (written)
  # Returns:   always 0
  #######################################
  SCAN_FLAGS=()
  local entry kind flag var
  for entry in \
    'value:--path:INPUT_PATH' \
    'value:--cloud-provider:INPUT_CLOUD_PROVIDER' \
    'value:--exclude-paths:INPUT_EXCLUDE_PATHS' \
    'value:--platform:INPUT_PLATFORM' \
    'value:--exclude-platform:INPUT_EXCLUDE_PLATFORM' \
    'value:--control-timeout:INPUT_CONTROL_TIMEOUT' \
    'value:--timeout:INPUT_TIMEOUT' \
    'bool:--ignore-failed-exec-controls:INPUT_IGNORE_FAILED_EXEC_CONTROLS' \
    'value:--preview-lines:INPUT_PREVIEW_LINES' \
    'bool:--show-failed-issues-only:INPUT_SHOW_FAILED_ISSUES_ONLY' \
    'value:--format:FORMATS_FOR_JSON' \
    'value:--output:OUTPUT_FOR_JSON' \
    'joined:--console-output:CONSOLE_OUTPUT_FOR_JSON' \
    'value:--custom-controls:INPUT_CUSTOM_CONTROLS' \
    'value:--generate-rego-input:INPUT_GENERATE_REGO_INPUT' \
    'bool:--include-compressed-files:INPUT_INCLUDE_COMPRESSED_FILES' \
    'value:--max-file-size:INPUT_MAX_FILE_SIZE' \
    'value:--terraform-vars-path:INPUT_TERRAFORM_VARS_PATH'; do
    IFS=: read -r kind flag var <<<"${entry}"
    case "${kind}" in
      value) [[ -n "${!var}" ]] && SCAN_FLAGS+=("${flag}" "${!var}") ;;
      bool) [[ "${!var}" == "true" ]] && SCAN_FLAGS+=("${flag}") ;;
      joined) [[ -n "${!var}" ]] && SCAN_FLAGS+=("${flag}=${!var}") ;;
    esac
  done
  return 0
}
function set_env_vars() {
  # Hand the API token to orca-cli through its environment variable rather than
  # a command-line flag, so it never shows up in the echoed command line.
  # Globals:   INPUT_API_TOKEN (read), ORCA_SECURITY_API_TOKEN (exported)
  # Returns:   always 0
  [[ -n "${INPUT_API_TOKEN}" ]] && export ORCA_SECURITY_API_TOKEN="${INPUT_API_TOKEN}"
  return 0
}
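function validate_flags() {
  #######################################
  # Abort unless the required action inputs are present and well-formed.
  # INPUT_PATH must stay inside the checked-out repository: besides rejecting
  # absolute paths, a ".." path segment is now rejected too, since it would let
  # the scan target files outside GITHUB_WORKSPACE, contrary to what the
  # error text promises.
  # Globals:   INPUT_PATH, INPUT_API_TOKEN, INPUT_PROJECT_KEY, INPUT_OUTPUT (read)
  # Returns:   0 when valid; otherwise exit_with_err terminates the script
  #######################################
  [[ -n "${INPUT_PATH}" ]] || exit_with_err "Path must be provided"
  [[ "${INPUT_PATH}" != /* ]] || exit_with_err "Path shouldn't be absolute. Please provide a relative path within the repository. Use '.' to scan the entire repository"
  # Wrap in slashes so only whole ".." segments match, not names like "a..b".
  [[ "/${INPUT_PATH}/" != */../* ]] || exit_with_err "Path shouldn't contain '..' segments. Please provide a relative path within the repository"
  [[ -n "${INPUT_API_TOKEN}" ]] || exit_with_err "api_token must be provided"
  [[ -n "${INPUT_PROJECT_KEY}" ]] || exit_with_err "project_key must be provided"
  # INPUT_OUTPUT is optional; when given it must look like a directory.
  # NOTE(review): the -d test runs before run_orca_iac_scan changes into
  # GITHUB_WORKSPACE, so it is evaluated relative to the entrypoint's initial
  # working directory — confirm that is intended.
  [[ -z "${INPUT_OUTPUT}" ]] || [[ "${INPUT_OUTPUT}" == */ ]] || [[ -d "${INPUT_OUTPUT}" ]] || exit_with_err "Output must be a folder (end with /)"
}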
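annotate() {
  #######################################
  # Turn the JSON scan report into GitHub annotations via the bundled Node tool.
  # Globals:   INPUT_SHOW_ANNOTATIONS, ORCA_EXIT_CODE, OUTPUT_FOR_JSON (read)
  # Returns:   exits with ORCA_EXIT_CODE when annotations are disabled;
  #            otherwise the script's status is that of `node dist/index.js`
  #######################################
  if [ "${INPUT_SHOW_ANNOTATIONS}" == "false" ]; then
    exit "${ORCA_EXIT_CODE}"
  fi
  # Copy the report into the tool's directory; every step is checked so a
  # failure stops here instead of running node against a missing file.
  mkdir -p "/app/${OUTPUT_FOR_JSON}" || exit_with_err "could not create /app/${OUTPUT_FOR_JSON}"
  cp "${OUTPUT_FOR_JSON}/iac.json" "/app/${OUTPUT_FOR_JSON}/" || exit_with_err "error during annotations initiation"
  # The original `cd /app` was unchecked, which would have run npm/node in the
  # repository directory on failure.
  cd /app || exit_with_err "could not change directory to /app"
  # NOTE(review): the annotation tool is built at run time; presumably the image
  # does not ship a prebuilt dist/ — confirm, since prebuilding in the image
  # would keep the build step out of every workflow run.
  npm run build --if-present
  node dist/index.js
}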
function main() {
# Entry point. The steps are order-dependent: validation runs before anything
# is exported, the output variables must exist before the scan flags are
# built, and annotate relies on ORCA_EXIT_CODE set by run_orca_iac_scan.
# Positional arguments are accepted but not used by any step.
validate_flags
set_env_vars
set_global_flags
prepare_json_to_file_flags
set_iac_scan_flags
run_orca_iac_scan
annotate
}
# Run the pipeline; all top-level logic lives in main.
main "$@"