-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci(.github/action): add checkov-scan github action (#141)
* ci(.github/action): add checkov scan github action * ci(.github/action): delete unnecessary step in the checkov-scan github action * ci(.github/action): delete unnecessary input in the checkov-scan github action * ci(.github/action): set SHA of checkov-action in the checkov-scans action
- Loading branch information
1 parent
bade3ff
commit 3111350
Showing
2 changed files
with
65 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| # checkov-scans-v1 | ||
|
|
||
| A GitHub Action to run [Checkov scans](https://github.com/bridgecrewio/checkov-action/tree/v12#readme) and a result will be shown in Prisma Cloud. | ||
|
|
||
| ## Inputs | ||
|
|
||
| | Name | Required | Description | Default | | ||
| | ------------------- | -------- | ----------------------- | ------- | | ||
| | `prisma-access-key` | Yes | Prisma Cloud access key | NA | | ||
| | `prisma-secret-key` | Yes | Prisma Cloud secret key | NA | | ||
| | `prisma-api-url` | Yes | Prisma Cloud API URL | NA | | ||
|
|
||
| ## Example usage | ||
|
|
||
| ```yaml | ||
| name: Checkov | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - release | ||
| - main | ||
|
|
||
| jobs: | ||
| checkov-scan: | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 2 | ||
| steps: | ||
| - uses: dequelabs/axe-api-team-public/.github/actions/checkov-scans-v1@main | ||
| with: | ||
| prisma-access-key: ${{ secrets.PRISMA_ACCESS_KEY }} | ||
| prisma-secret-key: ${{ secrets.PRISMA_SECRET_KEY }} | ||
| prisma-api-url: ${{ secrets.PRISMA_URL }} | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| name: checkov-scans | ||
| description: Checkov scans cloud infrastructure configurations to find misconfigurations before they're deployed and sends a result to Prisma Cloud. | ||
|
|
||
| inputs: | ||
| prisma-access-key: | ||
| description: Prisma Cloud access key | ||
| required: true | ||
| prisma-secret-key: | ||
| description: Prisma Cloud secret key | ||
| required: true | ||
| prisma-api-url: | ||
| description: Prisma Cloud API URL | ||
| required: true | ||
|
|
||
| runs: | ||
| using: 'composite' | ||
| steps: | ||
| # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it | ||
| - uses: actions/checkout@v4 | ||
| # The checkov scan | ||
| - name: Run Prisma Cloud | ||
| id: prisma-cloud | ||
| uses: bridgecrewio/checkov-action@8b268e1e4d7e52a78ba9d86e2489fb09b8a340c3 # tag=v12.2690.0 | ||
| with: | ||
| api-key: ${{ inputs.prisma-access-key }}::${{ inputs.prisma-secret-key }} | ||
| # CLI output to the console and md file | ||
| output_format: cli | ||
| framework: sca_package,github_actions,dockerfile,secrets | ||
| soft_fail_on: LOW | ||
| env: | ||
| PRISMA_API_URL: ${{ inputs.prisma-api-url }} |