Merge pull request #5 from rogeriopeixotocx/master
Adding new KICS parameters master
2
.github/workflows/publish.yml
vendored
2
.github/workflows/publish.yml
vendored
@ -4,7 +4,7 @@ name: Publish kics GitHub Action
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- 'v*'
|
||||
- 'v*'
|
||||
|
||||
jobs:
|
||||
publish:
|
||||
|
29
README.md
29
README.md
@ -4,7 +4,7 @@
|
||||
[](https://github.com/checkmarx/kics-github-action/releases)
|
||||
[](https://github.com/checkmarx/kics-github-action/issues)
|
||||
|
||||
## Integrate KICS into your GitHub workflows, using KICS Github Action to make your IaC more secure
|
||||
## Integrate KICS into your GitHub workflows, using KICS Github Action to make your IaC more secure
|
||||
|
||||
**KICS** (pronounced as 'kick-s') or **Kicscan** is an open source solution for static code analysis of Infrastructure as Code.
|
||||
|
||||
@ -21,16 +21,23 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
|
||||
|
||||
## Inputs
|
||||
|
||||
| Variable | Example Value | Description | Type | Required | Default |
|
||||
| ------------- | ------------- | ------------- |------------- | ------------- | ------------- |
|
||||
| path | terraform | path to file or directory to scan | String | Yes | N/A
|
||||
| output_path | results.json | file path to store result in json format | String | No | N/A
|
||||
| payload_path | | file path to store source internal representation in JSON format | String | No | N/A
|
||||
| queries | | path to directory with queries (default "./assets/queries") | String | No | ./assets/queries downloaded with the binaries
|
||||
| verbose | true | verbose scan | Boolean | No | false |
|
||||
| Variable | Example Value | Description | Type | Required | Default |
|
||||
| ------------------ | --------------------------------------- | ---------------------------------------------------------------- | ------- | -------- | --------------------------------------------- |
|
||||
| path | terraform | path to file or directory to scan | String | Yes | N/A |
|
||||
| config | ./kics.config | path to configuration file | String | No | N/A |
|
||||
| platform_type | terraform,ansible | case insensitive list of platform types to scan | String | No | All platforms |
|
||||
| exclude_paths | ./shouldNotScan/*,somefile.txt | exclude paths from scan, supports glob, comma separated list | String | No | N/A |
|
||||
| exclude_queries | a227ec01-f97a-4084-91a4-47b350c1db54 | exclude queries by providing the query ID, comma separated list | String | No | N/A |
|
||||
| exclude_categories | 'Observability,Networking and Firewall' | exclude categories by providing its name, comma separated list | String | No | N/A |
|
||||
| exclude_results | 'd4a1fa80-d9d8-450f-87c2-e1f6669c41f8' | exclude results by providing the similarity ID of a result | String | No | N/A |
|
||||
| output_formats | 'json,sarif' | formats in which the results report will be exported | String | No | json |
|
||||
| output_path | results.json | file path to store result in json format | String | No | N/A |
|
||||
| payload_path | | file path to store source internal representation in JSON format | String | No | N/A |
|
||||
| queries | | path to directory with queries (default "./assets/queries") | String | No | ./assets/queries downloaded with the binaries |
|
||||
| verbose | true | verbose scan | Boolean | No | false |
|
||||
|
||||
## Example usage
|
||||
|
||||
****
|
||||
```
|
||||
# Steps represent a sequence of tasks that will be executed as part of the job
|
||||
steps:
|
||||
@ -42,12 +49,12 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
|
||||
with:
|
||||
path: 'terraform'
|
||||
output_path: 'results.json'
|
||||
# Display the results in json format
|
||||
# Display the results in json format
|
||||
- name: display kics results
|
||||
run: |
|
||||
cat results.json
|
||||
```
|
||||
|
||||
|
||||
|
||||
## How To Contribute
|
||||
|
||||
|
32
action.yml
32
action.yml
@ -5,8 +5,29 @@ inputs:
|
||||
path:
|
||||
description: 'path to file or directory to scan'
|
||||
required: true
|
||||
config:
|
||||
description: 'path to configuration file'
|
||||
required: false
|
||||
platform_type:
|
||||
description: 'case insensitive list of platform types to scan'
|
||||
required: false
|
||||
exclude_paths:
|
||||
description: "exclude paths from scan, supports glob, quoted comma separated string example: './shouldNotScan/*,somefile.txt'"
|
||||
required: false
|
||||
exclude_queries:
|
||||
description: exclude queries by providing the query ID
|
||||
required: false
|
||||
exclude_categories:
|
||||
description: exclude categories by providing its name, can be provided multiple times or as a comma separated string
|
||||
required: false
|
||||
exclude_results:
|
||||
description: "exclude results by providing the similarity ID of a result"
|
||||
required: false
|
||||
output_formats:
|
||||
description: "formats in which the results report will be exported (json, sarif)"
|
||||
required: false
|
||||
output_path:
|
||||
description: 'file path to store result in json format'
|
||||
description: 'file path to store results report (json, sarif)'
|
||||
required: false
|
||||
payload_path:
|
||||
description: 'file path to store source internal representation in JSON format'
|
||||
@ -27,7 +48,14 @@ runs:
|
||||
image: 'Dockerfile'
|
||||
args:
|
||||
- ${{ inputs.path }}
|
||||
- ${{ inputs.config }}
|
||||
- ${{ inputs.platform_type }}
|
||||
- ${{ inputs.exclude_paths }}
|
||||
- ${{ inputs.exclude_queries }}
|
||||
- ${{ inputs.exclude_categories }}
|
||||
- ${{ inputs.exclude_results }}
|
||||
- ${{ inputs.output_formats }}
|
||||
- ${{ inputs.output_path }}
|
||||
- ${{ inputs.payload_path }}
|
||||
- ${{ inputs.queries }}
|
||||
- ${{ inputs.versbose }}
|
||||
- ${{ inputs.verbose }}
|
||||
|
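Review bot: Each new `- ${{ inputs.… }}` line in the `args:` list hands the raw value to the container as a positional argument, yet the entrypoint change in this same commit reads the `INPUT_*` environment variables, so the list looks like dead weight that also adds one stray positional argument per populated input. If the entrypoint does not consume `$@` (its head is outside this view), a comment such as `# values are consumed from INPUT_* env vars by the entrypoint; args kept only for compatibility` or dropping the list would avoid the confusion. The `exclude_paths` description asks for a "quoted comma separated string", but any quotes that survive YAML parsing reach kics literally as part of the path, so the wording should say the value is a plain comma-separated list and leave quoting to YAML, as the README example `./shouldNotScan/*,somefile.txt` does. The `runs:` mapping begins outside the second hunk.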
@ -11,6 +11,14 @@ fi
|
||||
|
||||
[[ ! -z "$INPUT_OUTPUT_PATH" ]] && OUTPUT_PATH_PARAM="-o $INPUT_OUTPUT_PATH"
|
||||
[[ ! -z "$INPUT_PAYLOAD_PATH" ]] && PAYLOAD_PATH_PARAM="-d $INPUT_PAYLOAD_PATH"
|
||||
[[ ! -z "$INPUT_CONFIG_PATH" ]] && CONFIG_PATH_PARAM="--config $INPUT_CONFIG_PATH"
|
||||
[[ ! -z "$INPUT_EXCLUDE_PATHS" ]] && EXCLUDE_PATHS_PARAM="-e $INPUT_EXCLUDE_PATHS"
|
||||
[[ ! -z "$INPUT_EXCLUDE_RESULTS" ]] && EXCLUDE_RESULTS_PARAM="-x $INPUT_EXCLUDE_RESULTS"
|
||||
[[ ! -z "$INPUT_EXCLUDE_QUERIES" ]] && EXCLUDE_QUERIES_PARAM="--exclude-queries $INPUT_EXCLUDE_QUERIES"
|
||||
[[ ! -z "$INPUT_EXCLUDE_CATEGORIES" ]] && EXCLUDE_CATEGORIES_PARAM="--exclude-categories $INPUT_EXCLUDE_CATEGORIES"
|
||||
[[ ! -z "$INPUT_OUTPUT_FORMATS" ]] && OUTPUT_FORMATS_PARAM="--report-formats $INPUT_OUTPUT_FORMATS"
|
||||
[[ ! -z "$INPUT_PLATFORM_TYPE" ]] && PLATFORM_TYPE_PARAM="--type $INPUT_PLATFORM_TYPE"
|
||||
|
||||
[[ ! -z "$INPUT_VERBOSE" ]] && VERBOSE_PARAM="-v"
|
||||
|
||||
if [ ! -z "$INPUT_QUERIES" ]
|
||||
@ -30,5 +38,5 @@ wget -q -c "https://github.com/Checkmarx/kics/releases/download/${tag}/kics_${ve
|
||||
|
||||
echo "${DATETIME} - INF : current directory - ${PWD}"
|
||||
echo "${DATETIME} - INF : about to scan directory $INPUT_PATH"
|
||||
echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $PAYLOAD_PATH_PARAM $QUERIES_PARAM $VERBOSE_PARAM"
|
||||
kics $INPUT_PARAM $OUTPUT_PATH_PARAM $PAYLOAD_PATH_PARAM $QUERIES_PARAM $VERBOSE_PARAM
|
||||
echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM"
|
||||
kics --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM
|
||||
|
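Review bot: The new `*_PARAM` variables are expanded unquoted on the `kics --no-progress …` line, so the shell word-splits and pathname-expands the values before kics sees them: the documented example `exclude_categories: 'Observability,Networking and Firewall'` becomes `--exclude-categories Observability,Networking and Firewall` with `and` and `Firewall` as extra positional arguments, and `exclude_paths: ./shouldNotScan/*` is expanded against the checkout instead of reaching kics as a glob. Collecting the options in a bash array and expanding it as `"${KICS_ARGS[@]}"` passes each value as exactly one argument whatever it contains. The sketch below also reads `INPUT_CONFIG`, which is the variable GitHub derives from the `config` input declared in action.yml, since the `--config` line currently tests `INPUT_CONFIG_PATH` and so never forwards the configuration file. `$INPUT_PARAM` and `$QUERIES_PARAM` are built outside this hunk and are left as they are.
```shell
KICS_ARGS=()
[[ -n "$INPUT_OUTPUT_PATH" ]]        && KICS_ARGS+=(-o "$INPUT_OUTPUT_PATH")
[[ -n "$INPUT_PAYLOAD_PATH" ]]       && KICS_ARGS+=(-d "$INPUT_PAYLOAD_PATH")
[[ -n "$INPUT_CONFIG" ]]             && KICS_ARGS+=(--config "$INPUT_CONFIG")
[[ -n "$INPUT_EXCLUDE_PATHS" ]]      && KICS_ARGS+=(-e "$INPUT_EXCLUDE_PATHS")
[[ -n "$INPUT_EXCLUDE_RESULTS" ]]    && KICS_ARGS+=(-x "$INPUT_EXCLUDE_RESULTS")
[[ -n "$INPUT_EXCLUDE_QUERIES" ]]    && KICS_ARGS+=(--exclude-queries "$INPUT_EXCLUDE_QUERIES")
[[ -n "$INPUT_EXCLUDE_CATEGORIES" ]] && KICS_ARGS+=(--exclude-categories "$INPUT_EXCLUDE_CATEGORIES")
[[ -n "$INPUT_OUTPUT_FORMATS" ]]     && KICS_ARGS+=(--report-formats "$INPUT_OUTPUT_FORMATS")
[[ -n "$INPUT_PLATFORM_TYPE" ]]      && KICS_ARGS+=(--type "$INPUT_PLATFORM_TYPE")
[[ -n "$INPUT_VERBOSE" ]]            && KICS_ARGS+=(-v)
# … unchanged: INPUT_QUERIES handling, binary download, directory log lines …
echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $QUERIES_PARAM ${KICS_ARGS[*]}"
kics --no-progress $INPUT_PARAM $QUERIES_PARAM "${KICS_ARGS[@]}"
```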