diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..baede35
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,9 @@
+FROM checkmarx/kics:gh-action
+
+COPY ./entrypoint.sh /entrypoint.sh
+
+RUN chmod +x /entrypoint.sh
+
+COPY ./ /app
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/README.md b/README.md
index e88aae9..ccd539b 100644
--- a/README.md
+++ b/README.md
@@ -167,9 +167,9 @@ jobs:
 ### PR Comment Example
-KICS Logo
+KICS Logo
-**KICS version: 1.4.5**
+**KICS version: 1.4.8**
diff --git a/action.yml b/action.yml
index 1619d40..4d60af9 100644
--- a/action.yml
+++ b/action.yml
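Review bot: `FROM checkmarx/kics:gh-action` pins nothing — a floating tag is re-pointed whenever upstream republishes it, so the scanner version this action runs can change under users without any commit here, while the same commit advertises KICS 1.4.8 in the README and removes the previously pinned `docker://checkmarx/kics:v1.4.8-alpine` step from action.yml. Pin to a version tag plus digest (`FROM checkmarx/kics:<version-tag>@sha256:<base-image-digest>`) and bump it deliberately. The `apk add --update nodejs npm`, `npm ci` and `npm run build --if-present` that the entrypoint.sh hunk at `@@ -72,5 +75,15 @@` now executes on every action run are build steps and belong in this Dockerfile, so the Node toolchain and the package-lock.json-resolved dependency tree are fixed when the image is built and the scan step needs no network access to apk or the npm registry; inside an image `--no-cache` replaces `--update` so the index is not left in the layer. `COPY ./ /app` also ships the entire build context (`.git`, any local `node_modules`, `.env` or credential files) into the image unless a `.dockerignore` excludes them — none is visible in this diff.
```dockerfile
FROM checkmarx/kics:<version-tag>@sha256:<base-image-digest>

# … unchanged: entrypoint COPY / chmod …

WORKDIR /app
COPY ./ /app
# Toolchain and dependencies are resolved once at build time, not on every scan.
RUN apk add --no-cache nodejs npm \
 && npm ci \
 && npm run build --if-present

ENTRYPOINT ["/entrypoint.sh"]
```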
@@ -83,53 +83,34 @@ branding:
 icon: "shield"
 color: "green"
 runs:
- using: "composite"
- steps:
- - uses: actions/checkout@v2
- - name: Run KICS Scan
- id: kics_scan
- uses: docker://checkmarx/kics:v1.4.8-alpine
- env:
- INPUT_PATH: ${{ inputs.path }}
- INPUT_FAIL_ON: ${{ inputs.fail_on }}
- INPUT_TIMEOUT: ${{ inputs.timeout }}
- INPUT_PROFILING: ${{ inputs.profiling }}
- INPUT_CONFIG_PATH: ${{ inputs.config }}
- INPUT_PLATFORM_TYPE: ${{ inputs.platform_type }}
- INPUT_EXCLUDE_PATHS: ${{ inputs.exclude_paths }}
- INPUT_EXCLUDE_QUERIES: ${{ inputs.exclude_queries }}
- INPUT_INCLUDE_QUERIES: ${{ inputs.include_queries }}
- INPUT_EXCLUDE_CATEGORIES: ${{ inputs.exclude_categories }}
- INPUT_EXCLUDE_RESULTS: ${{ inputs.exclude_results }}
- INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }}
- INPUT_OUTPUT_PATH: ${{ inputs.output_path }}
- INPUT_PAYLOAD_PATH: ${{ inputs.payload_path }}
- INPUT_QUERIES: ${{ inputs.queries }}
- INPUT_VERBOSE: ${{ inputs.verbose }}
- INPUT_BOM: ${{ inputs.bom }}
- INPUT_IGNORE_ON_EXIT: ${{ inputs.ignore_on_exit }}
- INPUT_DISABLE_SECRETS: ${{ inputs.disable_secrets }}
- INPUT_DISABLE_FULL_DESCRIPTIONS: ${{ inputs.disable_full_descriptions }}
- INPUT_LIBRARIES_PATH: ${{ inputs.libraries_path }}
- INPUT_SECRETS_REGEXES_PATH: ${{ inputs.secrets_regexes_path}}
- with:
- entrypoint: ./entrypoint.sh
- - name: Run KICS PR Comentator
- uses: actions/setup-node@v2
- with:
- node-version: 12.x
- - name: Install dependencies
- shell: bash
- run: npm ci
- - run: |
- sudo chown -R ${USER} ${{ inputs.output_path }}
- npm run build --if-present
- shell: bash
- - run: node dist/index.js
- shell: bash
- env:
- INPUT_TOKEN: ${{ inputs.token }}
- INPUT_OUTPUT_PATH: ${{ inputs.output_path }}
- INPUT_ENABLE_COMMENTS: ${{ inputs.enable_comments }}
- INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }}
- KICS_EXIT_CODE: ${{ steps.kics_scan.outputs.exit_code }}
+ using: "docker"
+ image: Dockerfile
+ env:
+ INPUT_TOKEN: ${{ inputs.token }}
+ INPUT_OUTPUT_PATH: ${{ inputs.output_path }}
+ INPUT_ENABLE_COMMENTS: ${{ inputs.enable_comments }}
+ INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }}
+ WORKSPACE_PATH: $GITHUB_WORKSPACE
+ args:
+ - ${{ inputs.path }}
+ - ${{ inputs.fail_on }}
+ - ${{ inputs.timeout }}
+ - ${{ inputs.profiling }}
+ - ${{ inputs.config }}
+ - ${{ inputs.platform_type }}
+ - ${{ inputs.exclude_paths }}
+ - ${{ inputs.exclude_queries }}
+ - ${{ inputs.include_queries }}
+ - ${{ inputs.exclude_categories }}
+ - ${{ inputs.exclude_results }}
+ - ${{ inputs.output_formats }}
+ - ${{ inputs.output_path }}
+ - ${{ inputs.payload_path }}
+ - ${{ inputs.queries }}
+ - ${{ inputs.verbose }}
+ - ${{ inputs.bom }}
+ - ${{ inputs.ignore_on_exit }}
+ - ${{ inputs.disable_secrets }}
+ - ${{ inputs.disable_full_descriptions }}
+ - ${{ inputs.libraries_path }}
+ - ${{ inputs.secrets_regexes_path}}
diff --git a/entrypoint.sh b/entrypoint.sh
index bc1d07e..c4056db 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -59,8 +59,11 @@ fi
 ############################
 # Check for Output Path #
 ############################
+
+CP_PATH="./results.json"
 if [ ! -z "$INPUT_OUTPUT_PATH" ]; then
 OUTPUT_PATH_PARAM="-o $INPUT_OUTPUT_PATH"
+ CP_PATH=$INPUT_OUTPUT_PATH
 else
 OUTPUT_PATH_PARAM="-o ./"
 fi
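Review bot: `WORKSPACE_PATH: $GITHUB_WORKSPACE` in the new `env:` block is not expanded — action metadata evaluates `${{ }}` expressions only, never shell variables — so the container receives the literal string `$GITHUB_WORKSPACE`; write `WORKSPACE_PATH: ${{ github.workspace }}`, or drop the entry, since the runner already sets `GITHUB_WORKSPACE` inside Docker actions and entrypoint.sh uses that name directly (`cd $GITHUB_WORKSPACE` in its second hunk). The 22 positional `args:` entries make the contract order-sensitive: an unset input becomes an empty positional argument and any reordering silently shifts every later value, whereas the runner already exposes each declared input to a Docker action as `INPUT_<NAME>` — which is what the entrypoint.sh hunks read (`$INPUT_OUTPUT_PATH`, `$INPUT_PATH`). If the entrypoint does not parse positional parameters, the `args:` list and the four explicit `INPUT_*` lines in `env:` are redundant and can be removed; if it does, a comment above `args:` stating that the order must match the entrypoint would help the next editor.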
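Review bot: The default `CP_PATH="./results.json"` assumes the scanner writes a JSON file with that name into `./` (the `-o ./` default in the else branch); if `output_formats` does not include json, or the default file name differs, the later `cp -r "${CP_PATH}" "/app/"` in the next hunk has nothing to copy and the commenter runs without results. Consider checking the path exists before copying (`[ -e "$CP_PATH" ] || { echo "${DATETIME} - ERR : no scan results at $CP_PATH"; exit 1; }`), so a missing results file fails the step instead of producing a comment built on nothing. Style: `[ ! -z "$INPUT_OUTPUT_PATH" ]` reads more directly as `[ -n "$INPUT_OUTPUT_PATH" ]`.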
@@ -72,5 +75,15 @@ cd $GITHUB_WORKSPACE
 echo "${DATETIME} - INF : about to scan directory $INPUT_PATH"
 echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM $BOM_PARAM $INCLUDE_QUERIES_PARAM $DISABLE_SECRETS_PARAM $DISABLE_FULL_DESCRIPTIONS_PARAM $LIBRARIES_PATH_PARAM $SECRETS_REGEXES_PATH_PARAM"
 /app/bin/kics scan --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM $BOM_PARAM $INCLUDE_QUERIES_PARAM $DISABLE_SECRETS_PARAM $DISABLE_FULL_DESCRIPTIONS_PARAM $LIBRARIES_PATH_PARAM $SECRETS_REGEXES_PATH_PARAM
-echo "::set-output name=exit_code::$?"
-exit 0
+
+export KICS_EXIT_CODE=$?
+
+cp -r "${CP_PATH}" "/app/"
+
+cd /app
+
+# install and run nodejs
+apk add --update nodejs npm
+npm ci
+npm run build --if-present
+node dist/index.js
diff --git a/src/commenter.js b/src/commenter.js
index 18e3b06..5a2cfde 100644
--- a/src/commenter.js
+++ b/src/commenter.js
@@ -1,6 +1,6 @@
 const moment = require('moment')
-const kicsLogo = "https://user-images.githubusercontent.com/75368139/136991766-a4e5bc8b-63db-48f7-9384-740e9f15c9f6.png"
+const kicsLogo = "https://user-images.githubusercontent.com/74597872/143567454-f65ad285-00d8-4875-845d-568d2e67d868.png"
 const severityOrder = ["HIGH", "MEDIUM", "LOW", "INFO", "TRACE"];
 const severityIcons = {
 "HIGH": "https://user-images.githubusercontent.com/23239410/92157087-97285600-ee32-11ea-988f-0aca12c4c126.png",
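Review bot: The step's result is now whatever `node dist/index.js` returns — the removed `exit 0` / `::set-output name=exit_code::$?` pair handed the scanner's code to the caller, and `export KICS_EXIT_CODE=$?` only makes it available to the commenter, so a scan that trips `fail_on` fails the job only if dist/index.js exits with `KICS_EXIT_CODE`, which is not visible here. The new steps between scan and comment are also unguarded: unless the script sets `-e` above this hunk (its top is outside the diff), a failed `cp -r "${CP_PATH}" "/app/"` (no results written) or a failed `npm ci` still lets `node dist/index.js` run and comment on stale or missing data; add `|| exit 1` to the `cp` line, or `set -e` right after `export KICS_EXIT_CODE=$?`, and end with `exec node dist/index.js` so node's exit status is passed through unchanged. Note also that `cp -r` flattens the path — with `INPUT_OUTPUT_PATH=a/b` the results land in `/app/b`, while a commenter resolving `INPUT_OUTPUT_PATH` from `/app` would look under `/app/a/b`, if that is how it resolves it. The run-time `apk add --update` / `npm ci` / `npm run build` block is raised at the Dockerfile hunk.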