KICS GitHub Action now pulls KICS from Docker image

Updated KICS to pull from Docker image checkmarx/kics:gh-action for better version control

Signed-off-by: João Reigota <joao.reigota@checkmarx.com>

Dockerfile

@@ -0,0 +1,9 @@
+FROM checkmarx/kics:gh-action
+
+COPY ./entrypoint.sh /entrypoint.sh
+
+RUN chmod +x /entrypoint.sh
+
+COPY ./ /app
+
+ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -167,9 +167,9 @@ jobs:
 ### PR Comment Example
 
 
-<img alt="KICS Logo" src="https://user-images.githubusercontent.com/75368139/136991766-a4e5bc8b-63db-48f7-9384-740e9f15c9f6.png" width="150">
+<img alt="KICS Logo" src="https://user-images.githubusercontent.com/74597872/143567454-f65ad285-00d8-4875-845d-568d2e67d868.png" width="150">
 
-**KICS version: 1.4.5**
+**KICS version: 1.4.8**
 
 <table>
 <tr></tr>

action.yml

@@ -83,53 +83,34 @@ branding:
   icon: "shield"
   color: "green"
 runs:
-  using: "composite"
+  using: "docker"
-  steps:
+  image: Dockerfile
-    - uses: actions/checkout@v2
+  env:
-    - name: Run KICS Scan
+    INPUT_TOKEN: ${{ inputs.token }}
-      id: kics_scan
+    INPUT_OUTPUT_PATH: ${{ inputs.output_path }}
-      uses: docker://checkmarx/kics:v1.4.8-alpine
+    INPUT_ENABLE_COMMENTS: ${{ inputs.enable_comments }}
-      env:
+    INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }}
-        INPUT_PATH: ${{ inputs.path }}
+    WORKSPACE_PATH: $GITHUB_WORKSPACE
-        INPUT_FAIL_ON: ${{ inputs.fail_on }}
+  args:
-        INPUT_TIMEOUT: ${{ inputs.timeout }}
+    - ${{ inputs.path }}
-        INPUT_PROFILING: ${{ inputs.profiling }}
+    - ${{ inputs.fail_on }}
-        INPUT_CONFIG_PATH: ${{ inputs.config }}
+    - ${{ inputs.timeout }}
-        INPUT_PLATFORM_TYPE: ${{ inputs.platform_type }}
+    - ${{ inputs.profiling }}
-        INPUT_EXCLUDE_PATHS: ${{ inputs.exclude_paths }}
+    - ${{ inputs.config }}
-        INPUT_EXCLUDE_QUERIES: ${{ inputs.exclude_queries }}
+    - ${{ inputs.platform_type }}
-        INPUT_INCLUDE_QUERIES: ${{ inputs.include_queries }}
+    - ${{ inputs.exclude_paths }}
-        INPUT_EXCLUDE_CATEGORIES: ${{ inputs.exclude_categories }}
+    - ${{ inputs.exclude_queries }}
-        INPUT_EXCLUDE_RESULTS: ${{ inputs.exclude_results }}
+    - ${{ inputs.include_queries }}
-        INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }}
+    - ${{ inputs.exclude_categories }}
-        INPUT_OUTPUT_PATH: ${{ inputs.output_path }}
+    - ${{ inputs.exclude_results }}
-        INPUT_PAYLOAD_PATH: ${{ inputs.payload_path }}
+    - ${{ inputs.output_formats }}
-        INPUT_QUERIES: ${{ inputs.queries }}
+    - ${{ inputs.output_path }}
-        INPUT_VERBOSE: ${{ inputs.verbose }}
+    - ${{ inputs.payload_path }}
-        INPUT_BOM: ${{ inputs.bom }}
+    - ${{ inputs.queries }}
-        INPUT_IGNORE_ON_EXIT: ${{ inputs.ignore_on_exit }}
+    - ${{ inputs.verbose }}
-        INPUT_DISABLE_SECRETS: ${{ inputs.disable_secrets }}
+    - ${{ inputs.bom }}
-        INPUT_DISABLE_FULL_DESCRIPTIONS: ${{ inputs.disable_full_descriptions }}
+    - ${{ inputs.ignore_on_exit }}
-        INPUT_LIBRARIES_PATH: ${{ inputs.libraries_path }}
+    - ${{ inputs.disable_secrets }}
-        INPUT_SECRETS_REGEXES_PATH: ${{ inputs.secrets_regexes_path}}
+    - ${{ inputs.disable_full_descriptions }}
-      with:
+    - ${{ inputs.libraries_path }}
-        entrypoint: ./entrypoint.sh
+    - ${{ inputs.secrets_regexes_path}}
-    - name: Run KICS PR Comentator
-      uses: actions/setup-node@v2
-      with:
-        node-version: 12.x
-    - name: Install dependencies
-      shell: bash
-      run: npm ci
-    - run: |
-        sudo chown -R ${USER} ${{ inputs.output_path }}
-        npm run build --if-present
-      shell: bash
-    - run: node dist/index.js
-      shell: bash
-      env:
-        INPUT_TOKEN: ${{ inputs.token }}
-        INPUT_OUTPUT_PATH: ${{ inputs.output_path }}
-        INPUT_ENABLE_COMMENTS: ${{ inputs.enable_comments }}
-        INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }}
-        KICS_EXIT_CODE: ${{ steps.kics_scan.outputs.exit_code }}

entrypoint.sh

@@ -59,8 +59,11 @@ fi
 ############################
 # Check for Output Path    #
 ############################
+
+CP_PATH="./results.json"
 if [ ! -z "$INPUT_OUTPUT_PATH" ]; then
     OUTPUT_PATH_PARAM="-o $INPUT_OUTPUT_PATH"
+    CP_PATH=$INPUT_OUTPUT_PATH
 else
     OUTPUT_PATH_PARAM="-o ./"
 fi
@@ -72,5 +75,15 @@ cd $GITHUB_WORKSPACE
 echo "${DATETIME} - INF : about to scan directory $INPUT_PATH"
 echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM $BOM_PARAM $INCLUDE_QUERIES_PARAM $DISABLE_SECRETS_PARAM $DISABLE_FULL_DESCRIPTIONS_PARAM $LIBRARIES_PATH_PARAM $SECRETS_REGEXES_PATH_PARAM"
 /app/bin/kics scan --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM $BOM_PARAM $INCLUDE_QUERIES_PARAM $DISABLE_SECRETS_PARAM $DISABLE_FULL_DESCRIPTIONS_PARAM $LIBRARIES_PATH_PARAM $SECRETS_REGEXES_PATH_PARAM
-echo "::set-output name=exit_code::$?"
+
-exit 0
+export KICS_EXIT_CODE=$?
+
+cp -r "${CP_PATH}" "/app/"
+
+cd /app
+
+# install and run nodejs
+apk add --update nodejs npm
+npm ci
+npm run build --if-present
+node dist/index.js

src/commenter.js

@@ -1,6 +1,6 @@
 const moment = require('moment')
 
-const kicsLogo = "https://user-images.githubusercontent.com/75368139/136991766-a4e5bc8b-63db-48f7-9384-740e9f15c9f6.png"
+const kicsLogo = "https://user-images.githubusercontent.com/74597872/143567454-f65ad285-00d8-4875-845d-568d2e67d868.png"
 const severityOrder = ["HIGH", "MEDIUM", "LOW", "INFO", "TRACE"];
 const severityIcons = {
     "HIGH": "https://user-images.githubusercontent.com/23239410/92157087-97285600-ee32-11ea-988f-0aca12c4c126.png",