From 724a9206e0f81fc0ba7c34d537e97abeabf30e65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rog=C3=A9rio=20Peixoto?= Date: Mon, 15 Mar 2021 23:10:21 +0000 Subject: [PATCH] adding new parameters --- .github/workflows/publish.yml | 2 +- README.md | 29 ++++++++++++++++++----------- action.yml | 32 ++++++++++++++++++++++++++++++-- entrypoint.sh | 12 ++++++++++-- 4 files changed, 59 insertions(+), 16 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f0435ba..1dafeb3 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -4,7 +4,7 @@ name: Publish kics GitHub Action on: push: tags: - - 'v*' + - 'v*' jobs: publish: diff --git a/README.md b/README.md index f418490..020096a 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ [![Latest Release](https://img.shields.io/github/v/release/checkmarx/kics-github-action)](https://github.com/checkmarx/kics-github-action/releases) [![Open Issues](https://img.shields.io/github/issues-raw/checkmarx/kics-github-action)](https://github.com/checkmarx/kics-github-action/issues) -## Integrate KICS into your GitHub workflows, using KICS Github Action to make your IaC more secure +## Integrate KICS into your GitHub workflows, using KICS Github Action to make your IaC more secure **KICS** (pronounced as 'kick-s') or **Kicscan** is an open source solution for static code analysis of Infrastructure as Code. 
@@ -21,16 +21,23 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj ## Inputs -| Variable | Example Value  | Description   | Type | Required | Default | -| ------------- | ------------- | ------------- |------------- | ------------- | ------------- | -| path | terraform | path to file or directory to scan | String | Yes | N/A -| output_path | results.json | file path to store result in json format | String | No | N/A -| payload_path | | file path to store source internal representation in JSON format | String | No | N/A -| queries | | path to directory with queries (default "./assets/queries") | String | No | ./assets/queries downloaded with the binaries -| verbose | true | verbose scan | Boolean | No | false | +| Variable | Example Value   | Description   | Type | Required | Default | +| ------------------ | --------------------------------------- | ---------------------------------------------------------------- | ------- | -------- | --------------------------------------------- | +| path | terraform | path to file or directory to scan | String | Yes | N/A | +| config | ./kics.config | path to configuration file | String | No | N/A | +| platform_type | terraform,ansible | case insensitive list of platform types to scan | String | No | All platforms | +| exclude_paths | ./shouldNotScan/*,somefile.txt | exclude paths from scan, supports glob, comma separated list | String | No | N/A | +| exclude_queries | a227ec01-f97a-4084-91a4-47b350c1db54 | exclude queries by providing the query ID, comma separated list | String | No | N/A | +| exclude_categories | 'Observability,Networking and Firewall' | exclude categories by providing its name, comma separated list | String | No | N/A | +| exclude_results | 'd4a1fa80-d9d8-450f-87c2-e1f6669c41f8' | exclude results by providing the similarity ID of a result | String | No | N/A | +| output_formats | 'json,sarif' | formats in which the results report will be exported | String | No | json | +| 
output_path | results.json | file path to store result in json format | String | No | N/A | +| payload_path | | file path to store source internal representation in JSON format | String | No | N/A | +| queries | | path to directory with queries (default "./assets/queries") | String | No | ./assets/queries downloaded with the binaries | +| verbose | true | verbose scan | Boolean | No | false | ## Example usage - +**** ``` # Steps represent a sequence of tasks that will be executed as part of the job steps: @@ -42,12 +49,12 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj with: path: 'terraform' output_path: 'results.json' - # Display the results in json format + # Display the results in json format - name: display kics results run: | cat results.json ``` - + ## How To Contribute diff --git a/action.yml b/action.yml index c014bc6..fb8f778 100644 --- a/action.yml +++ b/action.yml 
@@ -5,8 +5,29 @@ inputs: path: description: 'path to file or directory to scan' required: true + config: + description: 'path to configuration file' + required: false + platform_type: + description: 'case insensitive list of platform types to scan' + required: false + exclude_paths: + description: "exclude paths from scan, supports glob, quoted comma separated string example: './shouldNotScan/*,somefile.txt'" + required: false + exclude_queries: + description: exclude queries by providing the query ID + required: false + exclude_categories: + description: exclude categories by providing its name, can be provided multiple times or as a comma separated string + required: false + exclude_results: + description: "exclude results by providing the similarity ID of a result" + required: false + output_formats: + description: "formats in which the results report will be exported (json, sarif)" + required: false output_path: - description: 'file path to store result in json format' + description: 'file path to store results report (json, sarif)' required: false payload_path: description: 'file path to store source internal representation in JSON format' @@ -27,7 +48,14 @@ runs: image: 'Dockerfile' args: - ${{ inputs.path }} + - ${{ inputs.config }} + - ${{ inputs.platform_type }} + - ${{ inputs.exclude_paths }} + - ${{ inputs.exclude_queries }} + - ${{ inputs.exclude_categories }} + - ${{ inputs.exclude_results }} + - ${{ inputs.output_formats }} - ${{ inputs.output_path }} - ${{ inputs.payload_path }} - ${{ inputs.queries }} - - ${{ inputs.versbose }} + - ${{ inputs.verbose }} diff --git a/entrypoint.sh b/entrypoint.sh index a11c61b..f0738bd 100644 --- a/entrypoint.sh +++ b/entrypoint.sh 
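Review bot: The `exclude_categories` description says the value "can be provided multiple times", which a `with:` input cannot do — an action input is a single string, so only the comma-separated form is reachable here, and `exclude_queries` drops the comma-separated form that the README table documents for it. Make the two descriptions say what the action actually accepts: `description: 'exclude queries by providing the query ID, comma separated list'` and `description: 'exclude categories by providing its name, comma separated list'`. The `exclude_paths` description embeds example quotes (`'./shouldNotScan/*,somefile.txt'`); since YAML strips quoting before the value reaches the container, it would help to state that the quotes are YAML quoting, not part of the value. `output_formats` lists `(json, sarif)` but declares no `default:`, while the README advertises `json` as the default — either add `default: 'json'` or note that the default comes from the kics binary.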
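Review bot: The `args:` list duplicates every input as a positional argument, but the visible entrypoint.sh reads the same values from `INPUT_*` environment variables, so unless the script consumes `$@` somewhere outside the shown hunks this list is dead and only creates a second place to keep in sync (the typo just fixed here, `inputs.versbose`, is the kind of drift it invites). If the positional args are not used, consider dropping them and relying on the `INPUT_*` variables alone; otherwise add a comment above `args:` such as `# positional args are informational; entrypoint.sh reads INPUT_* env vars` so the next maintainer knows which path is authoritative.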
@@ -11,6 +11,14 @@ fi [[ ! -z "$INPUT_OUTPUT_PATH" ]] && OUTPUT_PATH_PARAM="-o $INPUT_OUTPUT_PATH" [[ ! -z "$INPUT_PAYLOAD_PATH" ]] && PAYLOAD_PATH_PARAM="-d $INPUT_PAYLOAD_PATH" +[[ ! -z "$INPUT_CONFIG_PATH" ]] && CONFIG_PATH_PARAM="--config $INPUT_CONFIG_PATH" +[[ ! -z "$INPUT_EXCLUDE_PATHS" ]] && EXCLUDE_PATHS_PARAM="-e $INPUT_EXCLUDE_PATHS" +[[ ! -z "$INPUT_EXCLUDE_RESULTS" ]] && EXCLUDE_RESULTS_PARAM="-x $INPUT_EXCLUDE_RESULTS" +[[ ! -z "$INPUT_EXCLUDE_QUERIES" ]] && EXCLUDE_QUERIES_PARAM="--exclude-queries $INPUT_EXCLUDE_QUERIES" +[[ ! -z "$INPUT_EXCLUDE_CATEGORIES" ]] && EXCLUDE_CATEGORIES_PARAM="--exclude-categories $INPUT_EXCLUDE_CATEGORIES" +[[ ! -z "$INPUT_OUTPUT_FORMATS" ]] && OUTPUT_FORMATS_PARAM="--report-formats $INPUT_OUTPUT_FORMATS" +[[ ! -z "$INPUT_PLATFORM_TYPE" ]] && PLATFORM_TYPE_PARAM="--type $INPUT_PLATFORM_TYPE" + [[ ! -z "$INPUT_VERBOSE" ]] && VERBOSE_PARAM="-v" if [ ! -z "$INPUT_QUERIES" ] @@ -30,5 +38,5 @@ wget -q -c "https://github.com/Checkmarx/kics/releases/download/${tag}/kics_${ve echo "${DATETIME} - INF : current directory - ${PWD}" echo "${DATETIME} - INF : about to scan directory $INPUT_PATH" -echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $PAYLOAD_PATH_PARAM $QUERIES_PARAM $VERBOSE_PARAM" -kics $INPUT_PARAM $OUTPUT_PATH_PARAM $PAYLOAD_PATH_PARAM $QUERIES_PARAM $VERBOSE_PARAM \ No newline at end of file +echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM" +kics --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM
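Review bot: The new `--config` line reads `$INPUT_CONFIG_PATH`, but the input declared in action.yml is named `config`, and GitHub exposes `with:` inputs as `INPUT_<UPPERCASED_NAME>` (the neighbouring `output_path` → `INPUT_OUTPUT_PATH` follows that rule), so the config input is silently ignored; change the line to `[[ ! -z "$INPUT_CONFIG" ]] && CONFIG_PATH_PARAM="--config $INPUT_CONFIG"`. Each `*_PARAM` string also embeds the raw input unquoted, which means a value such as the README's own example `Networking and Firewall` will later be split into separate words when the string is expanded; see the note on the final invocation for the array-based fix. A minor style point: `[[ -n "$VAR" ]]` is the idiomatic spelling of `[[ ! -z "$VAR" ]]`.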
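Review bot: The `kics --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM …` line expands every `*_PARAM` variable unquoted, so each value is word-split and pathname-expanded by the shell: `exclude_paths: ./shouldNotScan/*` is globbed against the working directory before kics sees it, and an `exclude_categories` value containing spaces (`Networking and Firewall`) becomes extra positional arguments, which at best changes what is scanned and at worst lets a workflow-controlled input inject additional kics flags. Build the argument list as a bash array and expand it with `"${KICS_ARGS[@]}"` so each input stays one argument; `$INPUT_PARAM` is set outside the visible hunks and is left as is below. The `echo` on the line above should also log the same command it runs — it currently omits `--no-progress`.
```shell
KICS_ARGS=()
[[ -n "$INPUT_EXCLUDE_PATHS" ]] && KICS_ARGS+=(-e "$INPUT_EXCLUDE_PATHS")
[[ -n "$INPUT_EXCLUDE_CATEGORIES" ]] && KICS_ARGS+=(--exclude-categories "$INPUT_EXCLUDE_CATEGORIES")
# … same pattern for the remaining INPUT_* values (output path, formats, type, payload, config, results, queries, verbose) …
# … unchanged: queries handling and kics binary download …
echo "${DATETIME} - INF : kics command kics --no-progress $INPUT_PARAM ${KICS_ARGS[*]}"
kics --no-progress $INPUT_PARAM "${KICS_ARGS[@]}"
```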