From 31113506bff0e628850f820f4039ccdb81f5d9b3 Mon Sep 17 00:00:00 2001
From: Maksym Shynkarenko <160499295+maksym-shynkarenko@users.noreply.github.com>
Date: Mon, 18 Mar 2024 13:28:43 +0200
Subject: [PATCH] ci(.github/action): add checkov-scan github action (#141)

* ci(.github/action): add checkov scan github action
* ci(.github/action): delete unnecessary step in the checkov-scan github action
* ci(.github/action): delete unnecessary input in the checkov-scan github action
* ci(.github/action): set SHA of checkov-action in the checkov-scans action
---
 .github/actions/checkov-scans-v1/README.md | 34 +++++++++++++++++++++
 .github/actions/checkov-scans-v1/action.yml | 31 +++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 .github/actions/checkov-scans-v1/README.md
 create mode 100644 .github/actions/checkov-scans-v1/action.yml

diff --git a/.github/actions/checkov-scans-v1/README.md b/.github/actions/checkov-scans-v1/README.md
new file mode 100644
index 00000000..b7a249ab
--- /dev/null
+++ b/.github/actions/checkov-scans-v1/README.md
@@ -0,0 +1,34 @@
+# checkov-scans-v1
+
+A GitHub Action to run [Checkov scans](https://github.com/bridgecrewio/checkov-action/tree/v12#readme) and a result will be shown in Prisma Cloud.
+
+## Inputs
+
+| Name | Required | Description | Default |
+| ------------------- | -------- | ----------------------- | ------- |
+| `prisma-access-key` | Yes | Prisma Cloud access key | NA |
+| `prisma-secret-key` | Yes | Prisma Cloud secret key | NA |
+| `prisma-api-url` | Yes | Prisma Cloud API URL | NA |
+
+## Example usage
+
+```yaml
+name: Checkov
+
+on:
+ push:
+ branches:
+ - release
+ - main
+
+jobs:
+ checkov-scan:
+ runs-on: ubuntu-latest
+ timeout-minutes: 2
+ steps:
+ - uses: dequelabs/axe-api-team-public/.github/actions/checkov-scans-v1@main
+ with:
+ prisma-access-key: ${{ secrets.PRISMA_ACCESS_KEY }}
+ prisma-secret-key: ${{ secrets.PRISMA_SECRET_KEY }}
+ prisma-api-url: ${{ secrets.PRISMA_URL }}
+```
diff --git a/.github/actions/checkov-scans-v1/action.yml b/.github/actions/checkov-scans-v1/action.yml
new file mode 100644
index 00000000..ef88d2aa
--- /dev/null
+++ b/.github/actions/checkov-scans-v1/action.yml
@@ -0,0 +1,31 @@
+name: checkov-scans
+description: Checkov scans cloud infrastructure configurations to find misconfigurations before they're deployed and sends a result to Prisma Cloud.
+
+inputs:
+ prisma-access-key:
+ description: Prisma Cloud access key
+ required: true
+ prisma-secret-key:
+ description: Prisma Cloud secret key
+ required: true
+ prisma-api-url:
+ description: Prisma Cloud API URL
+ required: true
+
+runs:
+ using: 'composite'
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
+ - uses: actions/checkout@v4
+ # The checkov scan
+ - name: Run Prisma Cloud
+ id: prisma-cloud
+ uses: bridgecrewio/checkov-action@8b268e1e4d7e52a78ba9d86e2489fb09b8a340c3 # tag=v12.2690.0
+ with:
+ api-key: ${{ inputs.prisma-access-key }}::${{ inputs.prisma-secret-key }}
+ # CLI output to the console and md file
+ output_format: cli
+ framework: sca_package,github_actions,dockerfile,secrets
+ soft_fail_on: LOW
+ env:
+ PRISMA_API_URL: ${{ inputs.prisma-api-url }}
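Review bot: `uses: actions/checkout@v4` is pinned to a mutable tag while the checkov step in the same hunk is pinned to a full commit SHA with a `# tag=` comment, so the action's supply-chain posture is only as strong as its weakest pin; pin checkout the same way, `uses: actions/checkout@<commit-sha-of-v4> # tag=v4`, and keep both SHAs refreshed by the same process. The comment `# CLI output to the console and md file` above `output_format: cli` does not match the value, which selects only the CLI output; either reword it to `# CLI output to the console` or add the intended second format to `output_format` so the comment and the step agree. Since `api-key` is assembled from the two secret inputs as `access::secret`, it is worth stating in the `prisma-access-key` and `prisma-secret-key` descriptions that callers should supply them from `secrets.*` (as the README example does) rather than literals, so the runner's log masking applies to the combined value.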