HPCE/kics-github-action
0
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

panel with two tables side by side + docs

Browse Source
This commit is contained in:
Rogério Peixoto
2021-10-18 12:34:52 +01:00
parent 9b8f2723f8
commit add321edd5
3 changed files with 87 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
README.md
View File

@ -32,22 +32,31 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
| Variable | Example Value   | Description   | Type | Required | Default | | Variable | Example Value   | Description   | Type | Required | Default |
| ------------------ | --------------------------------------- | ---------------------------------------------------------------- | ------- | -------- | --------------------------------------------- | | ------------------ | --------------------------------------- | ---------------------------------------------------------------- | ------- | -------- | --------------------------------------------- |
| enable_comment | true | Enable pull request report comments | Boolean | No | false |
| path | terraform/main.tf,Dockerfile | paths to a file or directories to scan, comma separated list | String | Yes | N/A | | path | terraform/main.tf,Dockerfile | paths to a file or directories to scan, comma separated list | String | Yes | N/A |
| ignore_on_exit | results | defines which non-zero exit codes should be ignored (all, results, errors, none) | String | No | none | | ignore_on_exit | results | defines which non-zero exit codes should be ignored (all, results, errors, none) | String | No | none |
| fail_on | high,medium | comma separated list of which severities returns exit code !=0 | String | No | high,medium,low,info | | fail_on | high,medium | comma separated list of which severities returns exit code !=0 | String | No | high,medium,low,info |
| timeout | 75 | number of seconds the query has to execute before being canceled | String | No | 60 | | timeout | 75 | number of seconds the query has to execute before being canceled | String | No | 60 |
| profiling | CPU | turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM) | String | No | N/A | | profiling | CPU | turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM) | String | No | N/A |
| config_path | ./kics.config | path to configuration file | String | No | N/A | | config_path | ./kics.config | path to configuration file | String | No | N/A |
| platform_type | terraform,ansible | case insensitive list of platform types to scan | String | No | All platforms | | platform_type | terraform,ansible | case insensitive list of platform types to scan | String | No | All platforms |
| exclude_paths | ./shouldNotScan/*,somefile.txt | exclude paths from scan, supports glob, comma separated list | String | No | N/A | | exclude_paths | ./shouldNotScan/*,somefile.txt | exclude paths from scan, supports glob, comma separated list | String | No | N/A |
| exclude_queries | a227ec01-f97a-4084-91a4-47b350c1db54 | exclude queries by providing the query ID, comma separated list | String | No | N/A | | exclude_queries | a227ec01-f97a-4084-91a4-47b350c1db54 | exclude queries by providing the query ID, comma separated list | String | No | N/A |
| exclude_categories | 'Observability,Networking and Firewall' | exclude categories by providing its name, comma separated list | String | No | N/A | | exclude_categories | 'Observability,Networking and Firewall' | exclude categories by providing its name, comma separated list | String | No | N/A |
| exclude_results | 'd4a1fa80-d9d8-450f-87c2-e1f6669c41f8' | exclude results by providing the similarity ID of a result | String | No | N/A | | exclude_results | 'd4a1fa80-d9d8-450f-87c2-e1f6669c41f8' | exclude results by providing the similarity ID of a result | String | No | N/A |
| include_queries | a227ec01-f97a-4084-91a4-47b350c1db54 | include only specified list of queries to the scan, cannot be provided with query exclusion flags | String | No | N/A |
| output_formats | 'json,sarif' | formats in which the results report will be exported | String | No | json | | output_formats | 'json,sarif' | formats in which the results report will be exported | String | No | json |
| output_path | results.json | file path to store result in json format | String | No | N/A | | output_path | results.json | file path to store result in json format | String | No | N/A |
| payload_path | /tmp/mypayload.json | file path to store source internal representation in JSON format | String | No | N/A | | payload_path | /tmp/mypayload.json | file path to store source internal representation in JSON format | String | No | N/A |
| queries | | path to directory with queries (default "./assets/queries") | String | No | ./assets/queries downloaded with the binaries | | queries | | path to directory with queries (default "./assets/queries") | String | No | ./assets/queries downloaded with the binaries |
| verbose | true | verbose scan | Boolean | No | false | | verbose | true | verbose scan | Boolean | No | false |
| type | Ansible,Dockerfile | case insensitive comma-separated list of platform types to scan (Ansible, AzureResourceManager, CloudFormation, Dockerfile, Kubernetes, OpenAPI, Terraform) | String | No | all types |
| bom | true | include bill of materials (BoM) in results.json output | Boolean | No | false |
| disable_full_descriptions | false | disable request for full descriptions and use default vulnerability descriptions | Boolean | false |
| disable_secrets | false | disable secrets detection | Boolean | false |
| secrets_regexes_path| ./mydir/secrets-config.json | path to custom secrets regex rules configuration file | String | No | N/A |
| libraries_path | ./myLibsDir | path to directory with Rego libraries | String | No | N/A |
## Simple usage example ## Simple usage example
@ -58,7 +67,7 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
- uses: actions/checkout@v2 - uses: actions/checkout@v2
# Scan Iac with kics # Scan Iac with kics
- name: run kics Scan - name: run kics Scan
uses: checkmarx/kics-action@v1.2 uses: checkmarx/kics-action@v1.3
with: with:
# scanning two directories: ./terraform/ ./cfn-templates/ plus a single file # scanning two directories: ./terraform/ ./cfn-templates/ plus a single file
path: 'terraform,cfn-templates,my-other-sub-folder/Dockerfile' path: 'terraform,cfn-templates,my-other-sub-folder/Dockerfile'
@ -81,7 +90,7 @@ If want your pipeline just to fail on HIGH and MEDIUM severity results and KICS
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: run kics Scan - name: run kics Scan
uses: checkmarx/kics-action@v1.2 uses: checkmarx/kics-action@v1.3
with: with:
path: 'terraform,my-other-sub-folder/Dockerfile' path: 'terraform,my-other-sub-folder/Dockerfile'
fail_on: high,medium fail_on: high,medium
@ -99,7 +108,7 @@ If you want KICS to ignore the results and return exit status code 0 unless a KI
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: run kics Scan - name: run kics Scan
uses: checkmarx/kics-action@v1.2 uses: checkmarx/kics-action@v1.3
with: with:
path: 'terraform' path: 'terraform'
ignore_on_exit: results ignore_on_exit: results
@ -120,7 +129,7 @@ You can only enable one profiler at a time, CPU or MEM.
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: run kics Scan - name: run kics Scan
uses: checkmarx/kics-action@v1.2 uses: checkmarx/kics-action@v1.3
with: with:
path: 'terraform' path: 'terraform'
profiling: MEM profiling: MEM
@ -151,7 +160,7 @@ jobs:
# make sure results dir is created # make sure results dir is created
run: mkdir -p results-dir run: mkdir -p results-dir
- name: Run KICS Scan with SARIF result - name: Run KICS Scan with SARIF result
uses: checkmarx/kics-action@v1.2 uses: checkmarx/kics-action@v1.3
with: with:
path: 'terraform' path: 'terraform'
# when provided with a directory on output_path # when provided with a directory on output_path
@ -226,6 +235,64 @@ jobs:
sarif_file: results-dir/results.sarif sarif_file: results-dir/results.sarif
``` ```
## Enabling Pull Request Comment
`GITHUB_TOKEN` enables this github action to access github API and post comments in a pull request:
```yaml
name: Test KICS action PR comment
on:
pull_request:
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: run kics Scan
uses: checkmarx/kics-action@v1.3
with:
path: test/samples/positive1.tf,test/samples/positive2.tf
token: ${{ secrets.GITHUB_TOKEN }}
output_path: myResults/
ignore_on_exit: results
enable_comments: true
```
### Example Pull Request Comment
<img alt="KICS Logo" src="https://user-images.githubusercontent.com/75368139/136991766-a4e5bc8b-63db-48f7-9384-740e9f15c9f6.png" width="150">
**KICS version: 1.4.5**
<table>
<tr></tr>
<tr><td>
| | Category | Results |
| --- |--- | --- |
| ![HIGH](https://user-images.githubusercontent.com/23239410/92157087-97285600-ee32-11ea-988f-0aca12c4c126.png) |HIGH | 3 |
| ![MEDIUM](https://user-images.githubusercontent.com/23239410/92157093-98598300-ee32-11ea-83d7-af52251a011b.png) |MEDIUM | 2 |
| ![LOW](https://user-images.githubusercontent.com/23239410/92157091-98598300-ee32-11ea-8498-19bd7d62019b.png) |LOW | 0 |
| ![INFO](https://user-images.githubusercontent.com/23239410/92157090-97c0ec80-ee32-11ea-9b2e-aa6b32b03d54.png) |INFO | 0 |
| ![TRACE](https://user-images.githubusercontent.com/23239410/92157090-97c0ec80-ee32-11ea-9b2e-aa6b32b03d54.png) |TRACE | 0 |
| ![TOTAL](https://user-images.githubusercontent.com/23239410/92157090-97c0ec80-ee32-11ea-9b2e-aa6b32b03d54.png) | TOTAL | 5 |
</td><td>
| Metric | Values |
| --- | --- |
| Files scanned | 2 |
| Files parsed | 2 |
| Files failed to scan | 0 |
| Total queries | 821 |
| Queries failed to execute | 0 |
| Execution time | 13s |
</td></tr> </table>
## How To Contribute ## How To Contribute
We welcome [issues](https://github.com/checkmarx/kics-github-action/issues) to and [pull requests](https://github.com/checkmarx/kics-github-action/pulls) against this repository! We welcome [issues](https://github.com/checkmarx/kics-github-action/issues) to and [pull requests](https://github.com/checkmarx/kics-github-action/pulls) against this repository!

9
action.yml
View File

@ -3,12 +3,13 @@ name: "KICS Github Action"
description: "Run KICS scan against IaC projects" description: "Run KICS scan against IaC projects"
inputs: inputs:
token: token:
required: true description: "The GITHUB_TOKEN for the current workflow run"
description: "Github token" required: false
default: ${{github.token}}
enable_comments: enable_comments:
required: false required: false
default: false default: false
description: "Enable pull request reprot comments" description: "Enable pull request report comments"
path: path:
description: "paths to a file or directories to scan, accepts a comma separated list" description: "paths to a file or directories to scan, accepts a comma separated list"
required: true required: true
@ -58,7 +59,7 @@ inputs:
description: "path to secrets regex rules configuration file" description: "path to secrets regex rules configuration file"
required: false required: false
libraries_path: libraries_path:
description: "path to directory with libraries" description: "path to directory with Rego libraries"
required: false required: false
disable_full_descriptions: disable_full_descriptions:
description: "disable request for full descriptions and use default vulnerability descriptions" description: "disable request for full descriptions and use default vulnerability descriptions"

15
src/commenter.js
View File

@ -13,9 +13,11 @@ const severityIcons = {
function createComment(results) { function createComment(results) {
let message = "![kics-logo](" + kicsLogo + ")\n"; let message = "![kics-logo](" + kicsLogo + ")\n";
message += "---"; message += "<table>";
message += "<tr></tr>";
message += "<tr><td>";
message += `\n**KICS version: ${results['kics_version']}**\n` message += `\n**KICS version: ${results['kics_version']}**\n`
message += "\n**Total Results: " + results['total_counter'] + "**\n\n";
message += "| | Category | Results |\n"; message += "| | Category | Results |\n";
message += "| --- |--- | --- |\n"; message += "| --- |--- | --- |\n";
let severityCounters = results['severity_counters'] let severityCounters = results['severity_counters']
@ -24,8 +26,9 @@ function createComment(results) {
message += "| ![" + severity + "](" + severityIcons[severity] + ") |" + severity.toUpperCase() + " | " + severityCounters[severity.toUpperCase()] + " |\n"; message += "| ![" + severity + "](" + severityIcons[severity] + ") |" + severity.toUpperCase() + " | " + severityCounters[severity.toUpperCase()] + " |\n";
} }
} }
message += `| ![TOTAL](https://user-images.githubusercontent.com/23239410/92157090-97c0ec80-ee32-11ea-9b2e-aa6b32b03d54.png) | TOTAL | ${results['total_counter']} |`;
message += "</td><td>";
message += "\n**Scan Metrics**\n\n";
message += "| Metric | Values |\n"; message += "| Metric | Values |\n";
message += "| --- | --- |\n"; message += "| --- | --- |\n";
message += "| Files scanned | " + results['files_scanned'] + "\n"; message += "| Files scanned | " + results['files_scanned'] + "\n";
@ -33,10 +36,8 @@ function createComment(results) {
message += "| Files failed to scan | " + results['files_failed_to_scan'] + "\n"; message += "| Files failed to scan | " + results['files_failed_to_scan'] + "\n";
message += "| Total queries | " + results['queries_total'] + "\n"; message += "| Total queries | " + results['queries_total'] + "\n";
message += "| Queries failed to execute | " + results['queries_failed_to_execute'] + "\n"; message += "| Queries failed to execute | " + results['queries_failed_to_execute'] + "\n";
message += "| Execution time | " + moment(results['end']).diff(moment(results['start']), 'seconds') + "s\n";
let executionTime = moment(results['end']).diff(moment(results['start']), 'seconds'); message += "</td></tr></table>";
message += "| Execution time | " + executionTime + "s\n";
return message; return message;
} }