diff --git a/.github/workflows/test_action.yaml b/.github/workflows/test_action.yaml index a6a76a5..db46112 100644 --- a/.github/workflows/test_action.yaml +++ b/.github/workflows/test_action.yaml @@ -16,10 +16,9 @@ jobs: path: test/samples/positive1.tf,test/samples/positive2.tf token: ${{ secrets.GITHUB_TOKEN }} timeout: 60 - verbose: true - output_path: myoutput/ + # output_path: myoutput/ output_formats: sarif - ignore_on_exit: errors + ignore_on_exit: results enable_comments: true - run: ls -la && ls -la myoutput if: always() diff --git a/action.yml b/action.yml index e406694..4cb1bb4 100644 --- a/action.yml +++ b/action.yml @@ -2,10 +2,9 @@ name: "KICS Github Action" description: "Run KICS scan against IaC projects" inputs: - kics_version: - required: false - default: "latest" - description: "KICS version to use (defaults to latest)" + token: + required: true + description: "Github token" enable_comments: required: false default: false diff --git a/dist/index.js b/dist/index.js index 1beb159..e882335 100644 --- a/dist/index.js +++ b/dist/index.js @@ -18017,14 +18017,15 @@ const kicsInput = { bom: { value_type: "bool", flag: '--bom', value: core.getInput('bom') }, }; -async function scanWithKICS(enableComments) { - let resultsFile; - - if (!kicsInput.path.value) { - core.error('Path to scan is not set'); - core.setFailed('Path to scan is not set'); +function addJSONReportFormat(cmdArgs) { + const outputFormats = core.getInput('output_formats'); + if (outputFormats.toLowerCase().indexOf('json') == -1) { + cmdArgs.push('--report-formats'); + cmdArgs.push('json'); } - let cmdArgs = []; +} + +function addKICSCmdArgs(cmdArgs) { for (let input in kicsInput) { if (kicsInput[input].value_type === 'string') { if (kicsInput[input].value) { 
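Review bot: The context step `- run: ls -la && ls -la myoutput` still lists `myoutput`, but the new side comments out `output_path: myoutput/`, so nothing creates that directory any more and `ls -la myoutput` exits non-zero, failing the job even though the step carries `if: always()` (that only decides whether the step runs, not whether its failure counts). Change it to `- run: ls -la`, or restore the `output_path` input if this workflow is meant to exercise a custom output directory. Commented-out configuration should be deleted rather than kept; if `output_path` is deliberately left unset to cover the default-path branch, say so with `# output_path intentionally unset: exercises the default ./results.json path`. Note also that `ignore_on_exit: results` means findings in the positive samples no longer fail this workflow, which is presumably intended for a run against positive samples but is worth stating in a comment.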
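Review bot: Removing the `kics_version` input takes away the only way for a workflow to pin the scanner version; the installer (`install.installKICS()` is called from main.js but defined outside this diff) presumably now always resolves "latest", which makes scan results non-reproducible between runs and means a broken or tampered KICS release reaches every consumer the moment it is published. Keep the input (restore the `kics_version` block with `default: "latest"`) and have the installer honour it, or at least record the removal as a breaking change, since workflows that still pass `kics_version` will get an unexpected-input warning. The new required `token` input also has no default and says nothing about what it is for; `default: ${{ github.token }}` with `required: false` matches how the test workflow supplies it, and the description should say it is used to post PR comments when `enable_comments` is true.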
@@ -18054,27 +18055,34 @@ async function scanWithKICS(enableComments) { } } } +} + +async function scanWithKICS(enableComments) { + let resultsJSONFile; + + if (!kicsInput.path.value) { + core.error('Path to scan is not set'); + core.setFailed('Path to scan is not set'); + } + let cmdArgs = []; + addKICSCmdArgs(cmdArgs); // making sure results.json is always created when PR comments are enabled if (enableComments) { if (!cmdArgs.find(arg => arg == '--output-path')) { cmdArgs.push('--output-path'); cmdArgs.push('./'); - resultsFile = './results.json'; + resultsJSONFile = './results.json'; } else { - const outputFormats = core.getInput('output_formats'); - if (outputFormats.toLowerCase().indexOf('json') == -1) { - cmdArgs.push('--report-formats'); - cmdArgs.push('json'); - } let resultsDir = core.getInput('output_path'); - resultsFile = filepath.join(resultsDir, '/results.json'); + resultsJSONFile = filepath.join(resultsDir, '/results.json'); } + addJSONReportFormat(cmdArgs); } exitCode = await exec.exec(`${kicsBinary} scan --no-progress ${cmdArgs.join(" ")}`, [], { ignoreReturnCode: true }); return { statusCode: exitCode, - resultsFile: resultsFile + resultsJSONFile: resultsJSONFile }; } @@ -18082,7 +18090,6 @@ module.exports = { scanWithKICS }; - /***/ }), /***/ 2877: @@ -18304,6 +18311,7 @@ const scanner = __nccwpck_require__(3157); const core = __nccwpck_require__(2186); const github = __nccwpck_require__(5438); +const io = __nccwpck_require__(7436); const fs = __nccwpck_require__(5747); @@ -18367,6 +18375,13 @@ function readJSON(filename) { return parsedJSON; } +function cleanupOutput(resultsJSONFile) { + const outputFormats = core.getInput('output_formats'); + if (!outputFormats.toLowerCase().includes('json') || core.getInput('output_path') === '') { + io.rmRF(resultsJSONFile); + } +} + async function main() { console.log("Running KICS action..."); try { 
@@ -18390,10 +18405,11 @@ async function main() { await install.installKICS(); const scanResults = await scanner.scanWithKICS(enableComments); if (enableComments) { - let parsedResults = readJSON(scanResults.resultsFile); + let parsedResults = readJSON(scanResults.resultsJSONFile); await commenter.postPRComment(parsedResults, repo, prNumber, octokit); } + cleanupOutput(scanResults.resultsJSONFile); setWorkflowStatus(scanResults.statusCode); } catch (e) { console.error(e); diff --git a/package-lock.json b/package-lock.json index cabb309..f26433e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -12,6 +12,7 @@ "@actions/core": "^1.6.0", "@actions/exec": "^1.1.0", "@actions/github": "^5.0.0", + "@actions/io": "^1.1.1", "@actions/tool-cache": "^1.7.1", "moment": "^2.29.1" }, @@ -539,4 +540,4 @@ "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=" } } -} \ No newline at end of file +} diff --git a/package.json b/package.json index 7a3b060..3d7a4e1 100644 --- a/package.json +++ b/package.json @@ -22,6 +22,7 @@ "@actions/core": "^1.6.0", "@actions/exec": "^1.1.0", "@actions/github": "^5.0.0", + "@actions/io": "^1.1.1", "@actions/tool-cache": "^1.7.1", "moment": "^2.29.1" }, @@ -29,4 +30,4 @@ "@vercel/ncc": "^0.31.1", "prettier": "^2.4.1" } -} \ No newline at end of file +} diff --git a/src/main.js b/src/main.js index 3325aa3..df9d715 100644 --- a/src/main.js +++ b/src/main.js @@ -4,14 +4,10 @@ const scanner = require("./scanner"); const core = require("@actions/core"); const github = require("@actions/github"); +const io = require("@actions/io"); const fs = require("fs"); -const actionInputs = { - kics_version: { value: core.getInput('kics_version') }, - enable_comments: { value: core.getInput('enable_comments') }, -} - const exitStatus = { results: { codes: { 
@@ -67,12 +63,19 @@ function readJSON(filename) { return parsedJSON; } +function cleanupOutput(resultsJSONFile) { + const outputFormats = core.getInput('output_formats'); + if (!outputFormats.toLowerCase().includes('json') || core.getInput('output_path') === '') { + io.rmRF(resultsJSONFile); + } +} + async function main() { console.log("Running KICS action..."); try { const githubToken = core.getInput("token"); const octokit = github.getOctokit(githubToken); - let enableComments = actionInputs.enable_comments.value.toLocaleLowerCase() === "true"; + let enableComments = core.getInput('enable_comments').toLocaleLowerCase() === "true"; let context = {}; let repo = ''; let prNumber = ''; @@ -90,10 +93,11 @@ async function main() { await install.installKICS(); const scanResults = await scanner.scanWithKICS(enableComments); if (enableComments) { - let parsedResults = readJSON(scanResults.resultsFile); + let parsedResults = readJSON(scanResults.resultsJSONFile); await commenter.postPRComment(parsedResults, repo, prNumber, octokit); } + cleanupOutput(scanResults.resultsJSONFile); setWorkflowStatus(scanResults.statusCode); } catch (e) { console.error(e); diff --git a/src/scanner.js b/src/scanner.js index 1446cb3..c2293cd 100644 --- a/src/scanner.js +++ b/src/scanner.js @@ -28,14 +28,15 @@ const kicsInput = { bom: { value_type: "bool", flag: '--bom', value: core.getInput('bom') }, }; -async function scanWithKICS(enableComments) { - let resultsFile; - - if (!kicsInput.path.value) { - core.error('Path to scan is not set'); - core.setFailed('Path to scan is not set'); +function addJSONReportFormat(cmdArgs) { + const outputFormats = core.getInput('output_formats'); + if (outputFormats.toLowerCase().indexOf('json') == -1) { + cmdArgs.push('--report-formats'); + cmdArgs.push('json'); } - let cmdArgs = []; +} + +function addKICSCmdArgs(cmdArgs) { for (let input in kicsInput) { if (kicsInput[input].value_type === 'string') { if (kicsInput[input].value) { 
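Review bot: `io.rmRF(resultsJSONFile)` in the new `cleanupOutput` returns a promise that is neither awaited nor returned, so the deletion races with `setWorkflowStatus` at the call site in `main` (next hunk) and any failure — for example an undefined path, which is what `scanWithKICS` yields when comments are disabled — becomes an unhandled rejection instead of a caught error. Make the helper async and await the removal: `async function cleanupOutput(resultsJSONFile) {` … `await io.rmRF(resultsJSONFile);`, and have the caller `await` it. A one-line header such as `// Removes the results.json the action created only for PR commenting, unless the user asked for JSON output in their own output_path` would also document why the two conditions are combined with `||`. `main` starts in this hunk and its body continues past it.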
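Review bot: `cleanupOutput(scanResults.resultsJSONFile)` is reached even when `enableComments` is false, yet `scanWithKICS` (src/scanner.js in this diff) only assigns `resultsJSONFile` inside its `if (enableComments)` branch, so on the non-comment path `io.rmRF(undefined)` is invoked and presumably rejects with an invalid-argument error that nothing catches, because the call is not awaited. Guard and await it: `if (scanResults.resultsJSONFile) { await cleanupOutput(scanResults.resultsJSONFile); }`. The enclosing `try` in `main` starts before this hunk and its `catch` ends after it.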
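Review bot: The new `addJSONReportFormat` tests for JSON with `outputFormats.toLowerCase().indexOf('json') == -1`, while the sibling `cleanupOutput` in src/main.js expresses the same predicate as `!outputFormats.toLowerCase().includes('json')`; use the `includes` form here too (`if (!outputFormats.toLowerCase().includes('json')) {`) so the two stay obviously in sync, and prefer `===`/`!==` throughout. If the `kicsInput` loop has already pushed the user's own `--report-formats`, this helper appends a second one, and whether KICS merges repeated flags or keeps only the last is not visible here, so it deserves a hedged comment such as `// KICS is assumed to accept repeated --report-formats; JSON is added on top of the user's formats — TODO verify`. `addKICSCmdArgs` starts in this hunk and its loop body continues past it.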
@@ -65,30 +66,37 @@ async function scanWithKICS(enableComments) { } } } +} + +async function scanWithKICS(enableComments) { + let resultsJSONFile; + + if (!kicsInput.path.value) { + core.error('Path to scan is not set'); + core.setFailed('Path to scan is not set'); + } + let cmdArgs = []; + addKICSCmdArgs(cmdArgs); // making sure results.json is always created when PR comments are enabled if (enableComments) { if (!cmdArgs.find(arg => arg == '--output-path')) { cmdArgs.push('--output-path'); cmdArgs.push('./'); - resultsFile = './results.json'; + resultsJSONFile = './results.json'; } else { - const outputFormats = core.getInput('output_formats'); - if (outputFormats.toLowerCase().indexOf('json') == -1) { - cmdArgs.push('--report-formats'); - cmdArgs.push('json'); - } let resultsDir = core.getInput('output_path'); - resultsFile = filepath.join(resultsDir, '/results.json'); + resultsJSONFile = filepath.join(resultsDir, '/results.json'); } + addJSONReportFormat(cmdArgs); } exitCode = await exec.exec(`${kicsBinary} scan --no-progress ${cmdArgs.join(" ")}`, [], { ignoreReturnCode: true }); return { statusCode: exitCode, - resultsFile: resultsFile + resultsJSONFile: resultsJSONFile }; } module.exports = { scanWithKICS -}; +}; \ No newline at end of file
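Review bot: In the moved `if (!kicsInput.path.value)` check, `core.setFailed('Path to scan is not set')` does not stop the function, so the code still builds `cmdArgs` and runs `kics scan --no-progress` with no path, and the caller then sees whatever exit code that produces. Return right after the setFailed call, e.g. `return { statusCode: 1, resultsJSONFile: undefined };` (using whichever code `setWorkflowStatus` in main.js expects, which is outside this diff). Two smaller points on the same lines: `resultsJSONFile` stays undefined whenever `enableComments` is false yet is returned to `main`, which should be stated in a JSDoc `@returns` on `scanWithKICS`, and `cmdArgs.find(arg => arg == '--output-path')` is simpler and stricter as `cmdArgs.includes('--output-path')`. The command is still assembled by string-joining `cmdArgs` into the first argument of `exec.exec`, so an input value containing a space or quote is re-split by @actions/exec's command-line tokenizer; passing the array as the second argument, `exec.exec(kicsBinary, ['scan', '--no-progress', ...cmdArgs], …)`, avoids that, though that line is unchanged by this commit.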