feat: converting to javascript action
Signed-off-by: Rogério Peixoto <rogerio.peixoto@checkmarx.com>
7
.github/workflows/test_action.yaml
@ -1,6 +1,7 @@
|
|||||||
name: Test KICS action
|
name: Test KICS action
|
||||||
|
|
||||||
on:
|
on:
|
||||||
|
workflow_dispatch:
|
||||||
pull_request:
|
pull_request:
|
||||||
types: [opened]
|
types: [opened]
|
||||||
|
|
||||||
@ -12,4 +13,8 @@ jobs:
|
|||||||
- name: Test KICS action
|
- name: Test KICS action
|
||||||
uses: ./
|
uses: ./
|
||||||
with:
|
with:
|
||||||
path: positive.tf
|
path: test/samples/positive1.tf,test/samples/positive2.tf
|
||||||
|
token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
timeout: 60
|
||||||
|
verbose: true
|
||||||
|
enable_comments: true
|
||||||
|
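Review bot: The `workflow_dispatch` trigger together with `enable_comments: true` exercises the new comment path on a run that has no pull request in the event payload; main.js then passes an empty `prNumber` to the commenter, so a manual run is expected to end in an Octokit error rather than a scan verdict. Consider gating comments on `${{ github.event_name == 'pull_request' }}` or dropping `workflow_dispatch` from this test workflow. Posting a PR comment with `secrets.GITHUB_TOKEN` also requires `pull-requests: write`; the job header lies outside the hunk, so confirm a `permissions:` block grants it, since the repository default token may be read-only.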
@ -47,7 +47,7 @@ inputs:
|
|||||||
description: "formats in which the results report will be exported (json, sarif)"
|
description: "formats in which the results report will be exported (json, sarif)"
|
||||||
required: false
|
required: false
|
||||||
output_path:
|
output_path:
|
||||||
description: "file path to store results report (json, sarif)"
|
description: "directory to store results report"
|
||||||
required: false
|
required: false
|
||||||
payload_path:
|
payload_path:
|
||||||
description: "file path to store source internal representation in JSON format"
|
description: "file path to store source internal representation in JSON format"
|
||||||
|
3
deps.txt
@ -1,3 +0,0 @@
|
|||||||
"@fohlen/github-release-downloader": "^1.0.0",
|
|
||||||
"decompress": "^4.2.1",
|
|
||||||
"decompress-targz": "^4.1.1",
|
|
145
dist/index.js
@ -17804,7 +17804,6 @@ function wrappy (fn, cb) {
|
|||||||
/***/ 3571:
|
/***/ 3571:
|
||||||
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
|
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
|
||||||
|
|
||||||
const fs = __nccwpck_require__(5747);
|
|
||||||
const moment = __nccwpck_require__(9623)
|
const moment = __nccwpck_require__(9623)
|
||||||
|
|
||||||
const kicsLogo = "https://user-images.githubusercontent.com/75368139/136991766-a4e5bc8b-63db-48f7-9384-740e9f15c9f6.png"
|
const kicsLogo = "https://user-images.githubusercontent.com/75368139/136991766-a4e5bc8b-63db-48f7-9384-740e9f15c9f6.png"
|
||||||
@ -17817,13 +17816,6 @@ const severityIcons = {
|
|||||||
"TRACE": "https://user-images.githubusercontent.com/23239410/92157090-97c0ec80-ee32-11ea-9b2e-aa6b32b03d54.png"
|
"TRACE": "https://user-images.githubusercontent.com/23239410/92157090-97c0ec80-ee32-11ea-9b2e-aa6b32b03d54.png"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
function readJSON(filename) {
|
|
||||||
const rawdata = fs.readFileSync(filename);
|
|
||||||
const parsedJSON = JSON.parse(rawdata.toString());
|
|
||||||
return parsedJSON;
|
|
||||||
}
|
|
||||||
|
|
||||||
function createComment(results) {
|
function createComment(results) {
|
||||||
let message = "\n";
|
let message = "\n";
|
||||||
|
|
||||||
@ -17855,12 +17847,8 @@ function createComment(results) {
|
|||||||
return message;
|
return message;
|
||||||
}
|
}
|
||||||
|
|
||||||
async function postPRComment(repo, prNumber) {
|
async function postPRComment(results, repo, prNumber, octokit) {
|
||||||
const githubToken = core.getInput("token");
|
|
||||||
const octokit = github.getOctokit(githubToken);
|
|
||||||
const results = readJSON("results.json");
|
|
||||||
const message = createComment(results);
|
const message = createComment(results);
|
||||||
console.log(message);
|
|
||||||
|
|
||||||
const { data: comments } = await octokit.rest.issues.listComments({
|
const { data: comments } = await octokit.rest.issues.listComments({
|
||||||
...repo,
|
...repo,
|
||||||
@ -17893,6 +17881,7 @@ module.exports = {
|
|||||||
postPRComment
|
postPRComment
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
/***/ }),
|
/***/ }),
|
||||||
|
|
||||||
/***/ 1430:
|
/***/ 1430:
|
||||||
@ -17992,19 +17981,20 @@ module.exports = {
|
|||||||
installKICS
|
installKICS
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/***/ }),
|
/***/ }),
|
||||||
|
|
||||||
/***/ 3157:
|
/***/ 3157:
|
||||||
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
|
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
|
||||||
|
|
||||||
const exec = __nccwpck_require__(1514);
|
const exec = __nccwpck_require__(1514);
|
||||||
|
|
||||||
const core = __nccwpck_require__(2186);
|
const core = __nccwpck_require__(2186);
|
||||||
|
const filepath = __nccwpck_require__(5622);
|
||||||
|
|
||||||
const kicsBinary = 'kics';
|
const kicsBinary = 'kics';
|
||||||
|
|
||||||
const kicsInput = {
|
const kicsInput = {
|
||||||
path: { value_type: "string", flag: '--path', value: core.getInput('path') },
|
path: { value_type: "list", flag: '--path', value: core.getInput('path') },
|
||||||
ignore_on_exit: { value_type: "list", flag: '--ignore-on-exit', value: core.getInput('ignore_on_exit') },
|
ignore_on_exit: { value_type: "list", flag: '--ignore-on-exit', value: core.getInput('ignore_on_exit') },
|
||||||
fail_on: { value_type: "list", flag: '--fail-on', value: core.getInput('fail_on') },
|
fail_on: { value_type: "list", flag: '--fail-on', value: core.getInput('fail_on') },
|
||||||
timeout: { value_type: "int", flag: '--timeout', value: core.getInput('timeout') },
|
timeout: { value_type: "int", flag: '--timeout', value: core.getInput('timeout') },
|
||||||
@ -18028,9 +18018,11 @@ const kicsInput = {
|
|||||||
};
|
};
|
||||||
|
|
||||||
async function scanWithKICS(enableComments) {
|
async function scanWithKICS(enableComments) {
|
||||||
|
let resultsFile;
|
||||||
|
|
||||||
if (!kicsInput.path.value) {
|
if (!kicsInput.path.value) {
|
||||||
core.error('Path to scan is not set');
|
core.error('Path to scan is not set');
|
||||||
throw new Error('Path to scan is not set');
|
core.setFailed('Path to scan is not set');
|
||||||
}
|
}
|
||||||
let cmdArgs = [];
|
let cmdArgs = [];
|
||||||
for (let input in kicsInput) {
|
for (let input in kicsInput) {
|
||||||
@ -18041,29 +18033,56 @@ async function scanWithKICS(enableComments) {
|
|||||||
}
|
}
|
||||||
} else if (kicsInput[input].value_type === 'list') {
|
} else if (kicsInput[input].value_type === 'list') {
|
||||||
if (kicsInput[input].value) {
|
if (kicsInput[input].value) {
|
||||||
cmdArgs.push(kicsInput[input].flag);
|
if (kicsInput[input].value.indexOf(',') > -1) {
|
||||||
cmdArgs.push(kicsInput[input].value);
|
kicsInput[input].value.split(',').forEach(value => {
|
||||||
|
cmdArgs.push(kicsInput[input].flag);
|
||||||
|
cmdArgs.push(value);
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
cmdArgs.push(kicsInput[input].flag);
|
||||||
|
cmdArgs.push(kicsInput[input].value);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} else if (kicsInput[input].value_type === 'bool') {
|
} else if (kicsInput[input].value_type === 'bool') {
|
||||||
if (kicsInput[input].value) {
|
if (kicsInput[input].value) {
|
||||||
cmdArgs.push(kicsInput[input].flag);
|
cmdArgs.push(kicsInput[input].flag);
|
||||||
}
|
}
|
||||||
|
} else if (kicsInput[input].value_type === 'int') {
|
||||||
|
if (kicsInput[input].value) {
|
||||||
|
cmdArgs.push(kicsInput[input].flag);
|
||||||
|
cmdArgs.push(kicsInput[input].value);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// making sure results.json is always created when PR comments are enabled
|
||||||
if (enableComments) {
|
if (enableComments) {
|
||||||
if (!cmdArgs.find(arg => arg == '--output-path')) {
|
if (!cmdArgs.find(arg => arg == '--output-path')) {
|
||||||
cmdArgs.push('--output-path');
|
cmdArgs.push('--output-path');
|
||||||
cmdArgs.push('./');
|
cmdArgs.push('./');
|
||||||
|
resultsFile = './results.json';
|
||||||
|
} else {
|
||||||
|
const outputFormats = core.getInput('output_formats');
|
||||||
|
if (!outputFormats.toLowerCase().indexOf('json')) {
|
||||||
|
cmdArgs.push('--output-formats');
|
||||||
|
cmdArgs.push('json');
|
||||||
|
}
|
||||||
|
let resultsDir = core.getInput('output_path');
|
||||||
|
resultsFile = filepath.join(resultsDir, '/results.json');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
exitCode = await exec.exec(`${kicsBinary} scan --no-progress ${cmdArgs.join(" ")}`, [], { ignoreReturnCode: true });
|
||||||
return await exec.exec(`${kicsBinary} scan --no-progress ${cmdArgs.join(" ")}`)
|
return {
|
||||||
|
statusCode: exitCode,
|
||||||
|
resultsFile: resultsFile
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = {
|
module.exports = {
|
||||||
scanWithKICS
|
scanWithKICS
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
/***/ }),
|
/***/ }),
|
||||||
|
|
||||||
/***/ 2877:
|
/***/ 2877:
|
||||||
@ -18282,27 +18301,96 @@ var __webpack_exports__ = {};
|
|||||||
const install = __nccwpck_require__(1430);
|
const install = __nccwpck_require__(1430);
|
||||||
const commenter = __nccwpck_require__(3571);
|
const commenter = __nccwpck_require__(3571);
|
||||||
const scanner = __nccwpck_require__(3157);
|
const scanner = __nccwpck_require__(3157);
|
||||||
|
|
||||||
const core = __nccwpck_require__(2186);
|
const core = __nccwpck_require__(2186);
|
||||||
const github = __nccwpck_require__(5438);
|
const github = __nccwpck_require__(5438);
|
||||||
|
|
||||||
|
const fs = __nccwpck_require__(5747);
|
||||||
|
|
||||||
const actionInputs = {
|
const actionInputs = {
|
||||||
kics_version: { value: core.getInput('kics_version') },
|
kics_version: { value: core.getInput('kics_version') },
|
||||||
enable_comments: { value: core.getInput('enable_comments') },
|
enable_comments: { value: core.getInput('enable_comments') },
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const exitStatus = {
|
||||||
|
results: {
|
||||||
|
codes: {
|
||||||
|
HIGH: 50,
|
||||||
|
MEDIUM: 40,
|
||||||
|
LOW: 30,
|
||||||
|
INFO: 20,
|
||||||
|
},
|
||||||
|
isResultExitStatus: function (exitCode) {
|
||||||
|
for (const key in this.codes) {
|
||||||
|
if (this.codes[key] === exitCode) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function setWorkflowStatus(statusCode) {
|
||||||
|
console.log(`KICS scan status code: ${statusCode}`);
|
||||||
|
|
||||||
|
const ignoreOnExit = core.getInput('ignore_on_exit');
|
||||||
|
|
||||||
|
if (ignoreOnExit.toLowerCase() === 'all') {
|
||||||
|
console.log(`ignore_on_exit=all :: Ignoring exit code ${statusCode}`);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ignoreOnExit.toLowerCase() === 'results') {
|
||||||
|
if (exitStatus.results.isResultExitStatus(statusCode)) {
|
||||||
|
console.log(`ignore_on_exit=results :: Ignoring exit code ${statusCode}`);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (ignoreOnExit.toLowerCase() === 'errors') {
|
||||||
|
if (!exitStatus.results.isResultExitStatus(statusCode)) {
|
||||||
|
console.log(`ignore_on_exit=errors :: Ignoring exit code ${statusCode}`);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
core.setFailed(`KICS scan failed with exit code ${statusCode}`);
|
||||||
|
}
|
||||||
|
|
||||||
|
function readJSON(filename) {
|
||||||
|
const rawdata = fs.readFileSync(filename);
|
||||||
|
const parsedJSON = JSON.parse(rawdata.toString());
|
||||||
|
return parsedJSON;
|
||||||
|
}
|
||||||
|
|
||||||
async function main() {
|
async function main() {
|
||||||
console.log("Running KICS action...");
|
console.log("Running KICS action...");
|
||||||
try {
|
try {
|
||||||
|
const githubToken = core.getInput("token");
|
||||||
|
const octokit = github.getOctokit(githubToken);
|
||||||
let enableComments = actionInputs.enable_comments.value.toLocaleLowerCase() === "true";
|
let enableComments = actionInputs.enable_comments.value.toLocaleLowerCase() === "true";
|
||||||
const context = github.context;
|
let context = {};
|
||||||
const repository = context.repo;
|
let repo = '';
|
||||||
console.log(context);
|
let prNumber = '';
|
||||||
const pullRequestNumber = context.payload.pull_request.number;
|
|
||||||
await install.installKICS();
|
if (github.context) {
|
||||||
await scanner.scanWithKICS(enableComments);
|
context = github.context;
|
||||||
if (enableComments) {
|
if (context.repo) {
|
||||||
await commenter.commentOnPullRequest(repository, pullRequestNumber);
|
repo = context.repo;
|
||||||
|
}
|
||||||
|
if (context.payload && context.payload.pull_request) {
|
||||||
|
prNumber = context.payload.pull_request.number;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
await install.installKICS();
|
||||||
|
const scanResults = await scanner.scanWithKICS(enableComments);
|
||||||
|
if (enableComments) {
|
||||||
|
let parsedResults = readJSON(scanResults.resultsFile);
|
||||||
|
await commenter.postPRComment(parsedResults, repo, prNumber, octokit);
|
||||||
|
}
|
||||||
|
|
||||||
|
setWorkflowStatus(scanResults.statusCode);
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
console.error(e);
|
console.error(e);
|
||||||
core.setFailed(e.message);
|
core.setFailed(e.message);
|
||||||
@ -18310,6 +18398,7 @@ async function main() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
main();
|
main();
|
||||||
|
|
||||||
})();
|
})();
|
||||||
|
|
||||||
module.exports = __webpack_exports__;
|
module.exports = __webpack_exports__;
|
||||||
|
@ -1,38 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
DATETIME=$(date '+%H:%M')
|
|
||||||
|
|
||||||
if [ -z "$INPUT_PATH" ]
|
|
||||||
then
|
|
||||||
echo "${DATETIME} - ERR input path can't be empty"
|
|
||||||
exit 1
|
|
||||||
else
|
|
||||||
INPUT_PARAM="-p $INPUT_PATH"
|
|
||||||
fi
|
|
||||||
|
|
||||||
[[ -n "$INPUT_OUTPUT_PATH" ]] && OUTPUT_PATH_PARAM="-o $INPUT_OUTPUT_PATH"
|
|
||||||
[[ -n "$INPUT_PAYLOAD_PATH" ]] && PAYLOAD_PATH_PARAM="-d $INPUT_PAYLOAD_PATH"
|
|
||||||
[[ -n "$INPUT_CONFIG_PATH" ]] && CONFIG_PATH_PARAM="--config $INPUT_CONFIG_PATH"
|
|
||||||
[[ -n "$INPUT_EXCLUDE_PATHS" ]] && EXCLUDE_PATHS_PARAM="-e $INPUT_EXCLUDE_PATHS"
|
|
||||||
[[ -n "$INPUT_EXCLUDE_RESULTS" ]] && EXCLUDE_RESULTS_PARAM="-x $INPUT_EXCLUDE_RESULTS"
|
|
||||||
[[ -n "$INPUT_EXCLUDE_QUERIES" ]] && EXCLUDE_QUERIES_PARAM="--exclude-queries $INPUT_EXCLUDE_QUERIES"
|
|
||||||
[[ -n "$INPUT_EXCLUDE_CATEGORIES" ]] && EXCLUDE_CATEGORIES_PARAM="--exclude-categories $INPUT_EXCLUDE_CATEGORIES"
|
|
||||||
[[ -n "$INPUT_OUTPUT_FORMATS" ]] && OUTPUT_FORMATS_PARAM="--report-formats $INPUT_OUTPUT_FORMATS"
|
|
||||||
[[ -n "$INPUT_PLATFORM_TYPE" ]] && PLATFORM_TYPE_PARAM="--type $INPUT_PLATFORM_TYPE"
|
|
||||||
[[ -n "$INPUT_IGNORE_ON_EXIT" ]] && IGNORE_ON_EXIT_PARAM="--ignore-on-exit $INPUT_IGNORE_ON_EXIT"
|
|
||||||
[[ -n "$INPUT_FAIL_ON" ]] && FAIL_ON_PARAM="--fail-on $INPUT_FAIL_ON"
|
|
||||||
[[ -n "$INPUT_TIMEOUT" ]] && TIMEOUT_PARAM="--timeout $INPUT_TIMEOUT"
|
|
||||||
[[ -n "$INPUT_PROFILING" ]] && PROFILING_PARAM="--profiling $INPUT_PROFILING"
|
|
||||||
|
|
||||||
[[ -n "$INPUT_VERBOSE" ]] && VERBOSE_PARAM="-v"
|
|
||||||
|
|
||||||
if [ -n "$INPUT_QUERIES" ]
|
|
||||||
then
|
|
||||||
QUERIES_PARAM="-q $INPUT_QUERIES"
|
|
||||||
else
|
|
||||||
QUERIES_PARAM="-q /app/bin/assets/queries"
|
|
||||||
fi
|
|
||||||
|
|
||||||
cd "$GITHUB_WORKSPACE" || exit 1
|
|
||||||
echo "${DATETIME} - INF : about to scan directory $INPUT_PATH"
|
|
||||||
echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM"
|
|
||||||
/app/bin/kics scan --no-progress "$INPUT_PARAM" "$OUTPUT_PATH_PARAM" "$OUTPUT_FORMATS_PARAM" "$PLATFORM_TYPE_PARAM" "$PAYLOAD_PATH_PARAM" "$CONFIG_PATH_PARAM" "$EXCLUDE_PATHS_PARAM" "$EXCLUDE_CATEGORIES_PARAM" "$EXCLUDE_RESULTS_PARAM" "$EXCLUDE_QUERIES_PARAM" "$QUERIES_PARAM" "$VERBOSE_PARAM" "$IGNORE_ON_EXIT_PARAM" "$FAIL_ON_PARAM" "$TIMEOUT_PARAM" "$PROFILING_PARAM"
|
|
2
package-lock.json
@ -539,4 +539,4 @@
|
|||||||
"integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8="
|
"integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8="
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
27008
results.json
File diff suppressed because it is too large
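Review bot: results.json (27008 lines) looks like scanner output rather than source: when `output_path` is unset the new scanner passes `--output-path ./` and expects `./results.json` in the workspace root, so a local run of the action would produce exactly this file. If it is not an intentional fixture, drop it from the commit and add `results.json` to .gitignore so future scans of the repository are not committed by accident.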
@ -1,4 +1,3 @@
|
|||||||
const fs = require("fs");
|
|
||||||
const moment = require('moment')
|
const moment = require('moment')
|
||||||
|
|
||||||
const kicsLogo = "https://user-images.githubusercontent.com/75368139/136991766-a4e5bc8b-63db-48f7-9384-740e9f15c9f6.png"
|
const kicsLogo = "https://user-images.githubusercontent.com/75368139/136991766-a4e5bc8b-63db-48f7-9384-740e9f15c9f6.png"
|
||||||
@ -11,13 +10,6 @@ const severityIcons = {
|
|||||||
"TRACE": "https://user-images.githubusercontent.com/23239410/92157090-97c0ec80-ee32-11ea-9b2e-aa6b32b03d54.png"
|
"TRACE": "https://user-images.githubusercontent.com/23239410/92157090-97c0ec80-ee32-11ea-9b2e-aa6b32b03d54.png"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
function readJSON(filename) {
|
|
||||||
const rawdata = fs.readFileSync(filename);
|
|
||||||
const parsedJSON = JSON.parse(rawdata.toString());
|
|
||||||
return parsedJSON;
|
|
||||||
}
|
|
||||||
|
|
||||||
function createComment(results) {
|
function createComment(results) {
|
||||||
let message = "\n";
|
let message = "\n";
|
||||||
|
|
||||||
@ -49,12 +41,8 @@ function createComment(results) {
|
|||||||
return message;
|
return message;
|
||||||
}
|
}
|
||||||
|
|
||||||
async function postPRComment(repo, prNumber) {
|
async function postPRComment(results, repo, prNumber, octokit) {
|
||||||
const githubToken = core.getInput("token");
|
|
||||||
const octokit = github.getOctokit(githubToken);
|
|
||||||
const results = readJSON("results.json");
|
|
||||||
const message = createComment(results);
|
const message = createComment(results);
|
||||||
console.log(message);
|
|
||||||
|
|
||||||
const { data: comments } = await octokit.rest.issues.listComments({
|
const { data: comments } = await octokit.rest.issues.listComments({
|
||||||
...repo,
|
...repo,
|
||||||
@ -85,4 +73,4 @@ async function postPRComment(repo, prNumber) {
|
|||||||
|
|
||||||
module.exports = {
|
module.exports = {
|
||||||
postPRComment
|
postPRComment
|
||||||
};
|
};
|
||||||
|
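Review bot: postPRComment trusts its new `prNumber` parameter, but main.js passes the default `''` whenever the event payload has no `pull_request` (for example a `workflow_dispatch` run with enable_comments=true), so the `listComments` call presumably fails with an Octokit validation error instead of a clear message. Add a guard before the first API call, e.g. `if (!prNumber) { console.log('No pull request number in context; skipping PR comment'); return; }`. The remainder of postPRComment (the create/update calls) lies outside the hunk.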
@ -90,4 +90,4 @@ async function installKICS(kicsVersion) {
|
|||||||
|
|
||||||
module.exports = {
|
module.exports = {
|
||||||
installKICS
|
installKICS
|
||||||
}
|
}
|
||||||
|
87
src/main.js
@ -1,31 +1,100 @@
|
|||||||
const install = require("./install");
|
const install = require("./install");
|
||||||
const commenter = require("./commenter");
|
const commenter = require("./commenter");
|
||||||
const scanner = require("./scanner");
|
const scanner = require("./scanner");
|
||||||
|
|
||||||
const core = require("@actions/core");
|
const core = require("@actions/core");
|
||||||
const github = require("@actions/github");
|
const github = require("@actions/github");
|
||||||
|
|
||||||
|
const fs = require("fs");
|
||||||
|
|
||||||
const actionInputs = {
|
const actionInputs = {
|
||||||
kics_version: { value: core.getInput('kics_version') },
|
kics_version: { value: core.getInput('kics_version') },
|
||||||
enable_comments: { value: core.getInput('enable_comments') },
|
enable_comments: { value: core.getInput('enable_comments') },
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const exitStatus = {
|
||||||
|
results: {
|
||||||
|
codes: {
|
||||||
|
HIGH: 50,
|
||||||
|
MEDIUM: 40,
|
||||||
|
LOW: 30,
|
||||||
|
INFO: 20,
|
||||||
|
},
|
||||||
|
isResultExitStatus: function (exitCode) {
|
||||||
|
for (const key in this.codes) {
|
||||||
|
if (this.codes[key] === exitCode) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function setWorkflowStatus(statusCode) {
|
||||||
|
console.log(`KICS scan status code: ${statusCode}`);
|
||||||
|
|
||||||
|
const ignoreOnExit = core.getInput('ignore_on_exit');
|
||||||
|
|
||||||
|
if (ignoreOnExit.toLowerCase() === 'all') {
|
||||||
|
console.log(`ignore_on_exit=all :: Ignoring exit code ${statusCode}`);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ignoreOnExit.toLowerCase() === 'results') {
|
||||||
|
if (exitStatus.results.isResultExitStatus(statusCode)) {
|
||||||
|
console.log(`ignore_on_exit=results :: Ignoring exit code ${statusCode}`);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (ignoreOnExit.toLowerCase() === 'errors') {
|
||||||
|
if (!exitStatus.results.isResultExitStatus(statusCode)) {
|
||||||
|
console.log(`ignore_on_exit=errors :: Ignoring exit code ${statusCode}`);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
core.setFailed(`KICS scan failed with exit code ${statusCode}`);
|
||||||
|
}
|
||||||
|
|
||||||
|
function readJSON(filename) {
|
||||||
|
const rawdata = fs.readFileSync(filename);
|
||||||
|
const parsedJSON = JSON.parse(rawdata.toString());
|
||||||
|
return parsedJSON;
|
||||||
|
}
|
||||||
|
|
||||||
async function main() {
|
async function main() {
|
||||||
console.log("Running KICS action...");
|
console.log("Running KICS action...");
|
||||||
try {
|
try {
|
||||||
|
const githubToken = core.getInput("token");
|
||||||
|
const octokit = github.getOctokit(githubToken);
|
||||||
let enableComments = actionInputs.enable_comments.value.toLocaleLowerCase() === "true";
|
let enableComments = actionInputs.enable_comments.value.toLocaleLowerCase() === "true";
|
||||||
const context = github.context;
|
let context = {};
|
||||||
const repository = context.repo;
|
let repo = '';
|
||||||
console.log(context);
|
let prNumber = '';
|
||||||
const pullRequestNumber = context.payload.pull_request.number;
|
|
||||||
await install.installKICS();
|
if (github.context) {
|
||||||
await scanner.scanWithKICS(enableComments);
|
context = github.context;
|
||||||
if (enableComments) {
|
if (context.repo) {
|
||||||
await commenter.commentOnPullRequest(repository, pullRequestNumber);
|
repo = context.repo;
|
||||||
|
}
|
||||||
|
if (context.payload && context.payload.pull_request) {
|
||||||
|
prNumber = context.payload.pull_request.number;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
await install.installKICS();
|
||||||
|
const scanResults = await scanner.scanWithKICS(enableComments);
|
||||||
|
if (enableComments) {
|
||||||
|
let parsedResults = readJSON(scanResults.resultsFile);
|
||||||
|
await commenter.postPRComment(parsedResults, repo, prNumber, octokit);
|
||||||
|
}
|
||||||
|
|
||||||
|
setWorkflowStatus(scanResults.statusCode);
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
console.error(e);
|
console.error(e);
|
||||||
core.setFailed(e.message);
|
core.setFailed(e.message);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
main();
|
main();
|
||||||
|
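Review bot: setWorkflowStatus marks the run failed even when KICS exits 0: none of the three ignore_on_exit branches matches a zero exit code (0 is not in `exitStatus.results.codes`), so with ignore_on_exit unset, `results` or `errors`, a clean scan falls through to `core.setFailed(...)`. Add `if (statusCode === 0) return;` directly after the status log line. Separately, `github.getOctokit(githubToken)` now runs unconditionally before the scan; if the `token` input is empty I believe `@actions/github` throws on a missing auth token, so creating the client only inside `if (enableComments)` keeps comment-less runs working. Note also that an exception from postPRComment skips setWorkflowStatus, so the scan verdict would be hidden behind the comment error.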
@ -1,11 +1,11 @@
|
|||||||
const exec = require('@actions/exec');
|
const exec = require('@actions/exec');
|
||||||
|
|
||||||
const core = require("@actions/core");
|
const core = require("@actions/core");
|
||||||
|
const filepath = require('path');
|
||||||
|
|
||||||
const kicsBinary = 'kics';
|
const kicsBinary = 'kics';
|
||||||
|
|
||||||
const kicsInput = {
|
const kicsInput = {
|
||||||
path: { value_type: "string", flag: '--path', value: core.getInput('path') },
|
path: { value_type: "list", flag: '--path', value: core.getInput('path') },
|
||||||
ignore_on_exit: { value_type: "list", flag: '--ignore-on-exit', value: core.getInput('ignore_on_exit') },
|
ignore_on_exit: { value_type: "list", flag: '--ignore-on-exit', value: core.getInput('ignore_on_exit') },
|
||||||
fail_on: { value_type: "list", flag: '--fail-on', value: core.getInput('fail_on') },
|
fail_on: { value_type: "list", flag: '--fail-on', value: core.getInput('fail_on') },
|
||||||
timeout: { value_type: "int", flag: '--timeout', value: core.getInput('timeout') },
|
timeout: { value_type: "int", flag: '--timeout', value: core.getInput('timeout') },
|
||||||
@ -29,9 +29,11 @@ const kicsInput = {
|
|||||||
};
|
};
|
||||||
|
|
||||||
async function scanWithKICS(enableComments) {
|
async function scanWithKICS(enableComments) {
|
||||||
|
let resultsFile;
|
||||||
|
|
||||||
if (!kicsInput.path.value) {
|
if (!kicsInput.path.value) {
|
||||||
core.error('Path to scan is not set');
|
core.error('Path to scan is not set');
|
||||||
throw new Error('Path to scan is not set');
|
core.setFailed('Path to scan is not set');
|
||||||
}
|
}
|
||||||
let cmdArgs = [];
|
let cmdArgs = [];
|
||||||
for (let input in kicsInput) {
|
for (let input in kicsInput) {
|
||||||
@ -42,25 +44,51 @@ async function scanWithKICS(enableComments) {
|
|||||||
}
|
}
|
||||||
} else if (kicsInput[input].value_type === 'list') {
|
} else if (kicsInput[input].value_type === 'list') {
|
||||||
if (kicsInput[input].value) {
|
if (kicsInput[input].value) {
|
||||||
cmdArgs.push(kicsInput[input].flag);
|
if (kicsInput[input].value.indexOf(',') > -1) {
|
||||||
cmdArgs.push(kicsInput[input].value);
|
kicsInput[input].value.split(',').forEach(value => {
|
||||||
|
cmdArgs.push(kicsInput[input].flag);
|
||||||
|
cmdArgs.push(value);
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
cmdArgs.push(kicsInput[input].flag);
|
||||||
|
cmdArgs.push(kicsInput[input].value);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} else if (kicsInput[input].value_type === 'bool') {
|
} else if (kicsInput[input].value_type === 'bool') {
|
||||||
if (kicsInput[input].value) {
|
if (kicsInput[input].value) {
|
||||||
cmdArgs.push(kicsInput[input].flag);
|
cmdArgs.push(kicsInput[input].flag);
|
||||||
}
|
}
|
||||||
|
} else if (kicsInput[input].value_type === 'int') {
|
||||||
|
if (kicsInput[input].value) {
|
||||||
|
cmdArgs.push(kicsInput[input].flag);
|
||||||
|
cmdArgs.push(kicsInput[input].value);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// making sure results.json is always created when PR comments are enabled
|
||||||
if (enableComments) {
|
if (enableComments) {
|
||||||
if (!cmdArgs.find(arg => arg == '--output-path')) {
|
if (!cmdArgs.find(arg => arg == '--output-path')) {
|
||||||
cmdArgs.push('--output-path');
|
cmdArgs.push('--output-path');
|
||||||
cmdArgs.push('./');
|
cmdArgs.push('./');
|
||||||
|
resultsFile = './results.json';
|
||||||
|
} else {
|
||||||
|
const outputFormats = core.getInput('output_formats');
|
||||||
|
if (!outputFormats.toLowerCase().indexOf('json')) {
|
||||||
|
cmdArgs.push('--output-formats');
|
||||||
|
cmdArgs.push('json');
|
||||||
|
}
|
||||||
|
let resultsDir = core.getInput('output_path');
|
||||||
|
resultsFile = filepath.join(resultsDir, '/results.json');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
exitCode = await exec.exec(`${kicsBinary} scan --no-progress ${cmdArgs.join(" ")}`, [], { ignoreReturnCode: true });
|
||||||
return await exec.exec(`${kicsBinary} scan --no-progress ${cmdArgs.join(" ")}`)
|
return {
|
||||||
|
statusCode: exitCode,
|
||||||
|
resultsFile: resultsFile
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = {
|
module.exports = {
|
||||||
scanWithKICS
|
scanWithKICS
|
||||||
};
|
};
|
||||||
|
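Review bot: The json-format check in the new `else` branch is inverted: `!outputFormats.toLowerCase().indexOf('json')` is true only when the string starts with `json` (indexOf returns 0), so `--output-formats json` is appended exactly when it is already first and never when it is missing, leaving `resultsFile` pointing at a file KICS did not write; use `if (!outputFormats.toLowerCase().includes('json'))`. Two more issues in the same hunk: `exitCode` is assigned without `const`/`let`, which creates an implicit global (a ReferenceError under strict mode), and the replaced `throw` for a missing path now only calls `core.setFailed` and then proceeds to launch the scan without `--path`, so keep a `return` or `throw` after it. Since cmdArgs is already an array, `exec.exec(kicsBinary, ['scan', '--no-progress', ...cmdArgs], { ignoreReturnCode: true })` avoids re-tokenising the joined string and keeps values containing spaces intact. scanWithKICS starts in the previous hunk.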
13
test/samples/positive2.tf
@ -0,0 +1,13 @@
|
|||||||
|
resource "azurerm_resource_group" "positive1" {
|
||||||
|
name = "resourceGroup1"
|
||||||
|
location = "West US"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "azurerm_container_registry" "positive2" {
|
||||||
|
name = "containerRegistry1"
|
||||||
|
resource_group_name = azurerm_resource_group.rg.name
|
||||||
|
location = azurerm_resource_group.rg.location
|
||||||
|
sku = "Premium"
|
||||||
|
admin_enabled = true
|
||||||
|
georeplication_locations = ["East US", "West Europe"]
|
||||||
|
}
|
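Review bot: The registry references `azurerm_resource_group.rg` on the `resource_group_name` and `location` lines, but the only resource group declared in the file is named `positive1`, so the sample is not valid Terraform on its own. KICS will still scan it, but if the fixture is meant to be self-consistent either rename the group to `rg` or change both references to `azurerm_resource_group.positive1`.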