diff --git a/Dockerfile b/Dockerfile
index 6511046..0898fc7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
FROM ubuntu:20.04
-RUN apt-get update && \
+RUN apt-get update && \
apt-get install -y wget curl
COPY entrypoint.sh /entrypoint.sh
diff --git a/README.md b/README.md
index 9244691..e2be3af 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,10 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
-
+
+
+
+
### Please find more info in the official website: kics.io
@@ -29,7 +32,11 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
| Variable | Example Value | Description | Type | Required | Default |
| ------------------ | --------------------------------------- | ---------------------------------------------------------------- | ------- | -------- | --------------------------------------------- |
-| path | terraform | path to file or directory to scan | String | Yes | N/A |
+| path | terraform/main.tf,Dockerfile | paths to a file or directories to scan, comma separated list | String | Yes | N/A |
+| ignore_on_exit | results | defines which non-zero exit codes should be ignored (all, results, errors, none) | String | No | none |
+| fail_on | high,medium | comma separated list of which severities returns exit code !=0 | String | No | high,medium,low,info |
+| timeout | 75 | number of seconds the query has to execute before being canceled | String | No | 60 |
+| profiling | CPU | turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM) | String | No | N/A |
| config_path | ./kics.config | path to configuration file | String | No | N/A |
| platform_type | terraform,ansible | case insensitive list of platform types to scan | String | No | All platforms |
| exclude_paths | ./shouldNotScan/*,somefile.txt | exclude paths from scan, supports glob, comma separated list | String | No | N/A |
@@ -38,7 +45,7 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
| exclude_results | 'd4a1fa80-d9d8-450f-87c2-e1f6669c41f8' | exclude results by providing the similarity ID of a result | String | No | N/A |
| output_formats | 'json,sarif' | formats in which the results report will be exported | String | No | json |
| output_path | results.json | file path to store result in json format | String | No | N/A |
-| payload_path | | file path to store source internal representation in JSON format | String | No | N/A |
+| payload_path | /tmp/mypayload.json | file path to store source internal representation in JSON format | String | No | N/A |
| queries | | path to directory with queries (default "./assets/queries") | String | No | ./assets/queries downloaded with the binaries |
| verbose | true | verbose scan | Boolean | No | false |
@@ -51,9 +58,10 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
- uses: actions/checkout@v2
# Scan Iac with kics
- name: run kics Scan
- uses: checkmarx/kics-action@v1.0
+ uses: checkmarx/kics-action@v1.2
with:
- path: 'terraform'
+ # scanning two directories: ./terraform/ ./cfn-templates/ plus a single file
+ path: 'terraform,cfn-templates,my-other-sub-folder/Dockerfile'
output_path: 'results.json'
# Display the results in json format
- name: display kics results
@@ -61,6 +69,67 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
cat results.json
```
+## Workflow failures
+
+By default KICS will fail your workflow on any results found.
+
+### Fail by severity usage example
+
+If want your pipeline just to fail on HIGH and MEDIUM severity results and KICS engine execution errors:
+
+```yaml
+ steps:
+ - uses: actions/checkout@v2
+ - name: run kics Scan
+ uses: checkmarx/kics-action@v1.2
+ with:
+ path: 'terraform,my-other-sub-folder/Dockerfile'
+ fail_on: high,medium
+ output_path: 'results.json'
+ - name: display kics results
+ run: |
+ cat results.json
+```
+
+### Don't fail on results
+
+If you want KICS to ignore the results and return exit status code 0 unless a KICS engine error happens:
+
+```yaml
+ steps:
+ - uses: actions/checkout@v2
+ - name: run kics Scan
+ uses: checkmarx/kics-action@v1.2
+ with:
+ path: 'terraform'
+ ignore_on_exit: results
+ output_path: 'results.json'
+ - name: display kics results
+ run: |
+ cat results.json
+```
+
+
+## Profiling KICS
+
+You can only enable one profiler at a time, CPU or MEM.
+
+> 📝 Please note that execution time may be impacted by enabling performance profiler due to sampling
+
+```yaml
+ steps:
+ - uses: actions/checkout@v2
+ - name: run kics Scan
+ uses: checkmarx/kics-action@v1.2
+ with:
+ path: 'terraform'
+ profiling: MEM
+ output_path: 'results.json'
+ - name: display kics results
+ run: |
+ cat results.json
+```
+
## Example using docker-runner and SARIF report
checkmarx/kics-action@docker-runner branch runs an alpine based linux container (`checkmarx/kics:nightly-alpine`) that doesn't require downloading kics binaries and queries in the `entrypoint.sh`
@@ -106,6 +175,7 @@ jobs:
with:
sarif_file: results-dir/results.sarif
```
+
## Example using docker-runner and a config file
Check [configuration file](https://github.com/Checkmarx/kics/blob/master/docs/configuration-file.md) reference for more options.
diff --git a/action.yml b/action.yml
index b962cd4..4954d4f 100644
--- a/action.yml
+++ b/action.yml
@@ -3,8 +3,20 @@ name: 'KICS Github Action'
description: 'Run KICS scan against IaC projects'
inputs:
path:
- description: 'path to file or directory to scan'
+ description: 'paths to a file or directories to scan, accepts a comma separated list'
required: true
+ ignore_on_exit:
+ description: 'defines which non-zero exit codes should be ignored (all, results, errors, none)'
+ required: false
+ fail_on:
+ description: 'comma separated list of which severities returns exit code !=0'
+ required: false
+ timeout:
+ description: 'number of seconds the query has to execute before being canceled'
+ required: false
+ profiling:
+ description: 'turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM)'
+ required: false
config_path:
description: 'path to configuration file'
required: false
@@ -48,6 +60,10 @@ runs:
image: 'Dockerfile'
args:
- ${{ inputs.path }}
+ - ${{ inputs.ignore_on_exit }}
+ - ${{ inputs.fail_on }}
+ - ${{ inputs.timeout }}
+ - ${{ inputs.profiling }}
- ${{ inputs.config }}
- ${{ inputs.platform_type }}
- ${{ inputs.exclude_paths }}
diff --git a/entrypoint.sh b/entrypoint.sh
index bfb4b11..515316f 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -18,6 +18,10 @@ fi
[[ ! -z "$INPUT_EXCLUDE_CATEGORIES" ]] && EXCLUDE_CATEGORIES_PARAM="--exclude-categories $INPUT_EXCLUDE_CATEGORIES"
[[ ! -z "$INPUT_OUTPUT_FORMATS" ]] && OUTPUT_FORMATS_PARAM="--report-formats $INPUT_OUTPUT_FORMATS"
[[ ! -z "$INPUT_PLATFORM_TYPE" ]] && PLATFORM_TYPE_PARAM="--type $INPUT_PLATFORM_TYPE"
+[[ ! -z "$INPUT_IGNORE_ON_EXIT" ]] && IGNORE_ON_EXIT_PARAM="--ignore_on_exit $INPUT_IGNORE_ON_EXIT"
+[[ ! -z "$INPUT_FAIL_ON" ]] && FAIL_ON_PARAM="--fail_on $INPUT_FAIL_ON"
+[[ ! -z "$INPUT_TIMEOUT" ]] && TIMEOUT_PARAM="--timeout $INPUT_TIMEOUT"
+[[ ! -z "$INPUT_PROFILING" ]] && PROFILING_PARAM="--profiling $INPUT_PROFILING"
[[ ! -z "$INPUT_VERBOSE" ]] && VERBOSE_PARAM="-v"
@@ -38,5 +42,5 @@ wget -q -c "https://github.com/Checkmarx/kics/releases/download/${tag}/kics_${ve
echo "${DATETIME} - INF : current directory - ${PWD}"
echo "${DATETIME} - INF : about to scan directory $INPUT_PATH"
-echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM"
-kics scan --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM
+echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM"
+kics scan --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM
diff --git a/images/logo-helm.png b/images/logo-helm.png
index fb28ed1..a02aa01 100755
Binary files a/images/logo-helm.png and b/images/logo-helm.png differ
diff --git a/images/logo-openapi.png b/images/logo-openapi.png
new file mode 100755
index 0000000..7d0ca40
Binary files /dev/null and b/images/logo-openapi.png differ