support KICS 1.3.0 use docker-runner as default

Dockerfile

@@ -1,10 +1,7 @@
-FROM ubuntu:20.04
-
-RUN  apt-get update && \
-     apt-get install -y wget curl
-
-COPY entrypoint.sh /entrypoint.sh
-
-RUN chmod +x /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
+FROM checkmarx/kics:nightly-alpine
+
+COPY entrypoint.sh /entrypoint.sh
+
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -130,12 +130,11 @@ You can only enable one profiler at a time, CPU or MEM.
         cat results.json
 ```
 
-## Example using docker-runner and SARIF report
+## Uploading SARIF report
 
-checkmarx/kics-action@docker-runner branch runs an alpine based linux container (`checkmarx/kics:nightly-alpine`) that doesn't require downloading kics binaries and queries in the `entrypoint.sh`
 
 ```yaml
-name: scan with KICS docker-runner
+name: scan with KICS and upload SARIF
 
 on:
   pull_request:
@@ -152,7 +151,7 @@ jobs:
         # make sure results dir is created
         run: mkdir -p results-dir
       - name: Run KICS Scan with SARIF result
-        uses: checkmarx/kics-action@docker-runner
+        uses: checkmarx/kics-action@v1.2
         with:
           path: 'terraform'
           # when provided with a directory on output_path
@@ -176,7 +175,7 @@ jobs:
           sarif_file: results-dir/results.sarif
 ```
 
-## Example using docker-runner and a config file
+## Using configuration file
 
 Check [configuration file](https://github.com/Checkmarx/kics/blob/master/docs/configuration-file.md) reference for more options.
 
@@ -217,7 +216,7 @@ jobs:
           }
           EOF
       - name: Run KICS Scan using config
-        uses: checkmarx/kics-action@docker-runner
+        uses: checkmarx/kics-action@v1.2
         with:
           path: 'terraform'
           config_path: ./kics.config

action.yml

@@ -1,77 +1,77 @@
-# action.yml
-name: 'KICS Github Action'
-description: 'Run KICS scan against IaC projects'
-inputs:
-  path:
-    description: 'paths to a file or directories to scan, accepts a comma separated list'
-    required: true
-  ignore_on_exit:
-    description: 'defines which non-zero exit codes should be ignored (all, results, errors, none)'
-    required: false
-  fail_on:
-    description: 'comma separated list of which severities returns exit code !=0'
-    required: false
-  timeout:
-    description: 'number of seconds the query has to execute before being canceled'
-    required: false
-  profiling:
-    description: 'turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM)'
-    required: false
-  config_path:
-    description: 'path to configuration file'
-    required: false
-  platform_type:
-    description: 'case insensitive list of platform types to scan'
-    required: false
-  exclude_paths:
-    description: "exclude paths from scan, supports glob, quoted comma separated string example: './shouldNotScan/*,somefile.txt'"
-    required: false
-  exclude_queries:
-    description: exclude queries by providing the query ID
-    required: false
-  exclude_categories:
-    description: exclude categories by providing its name, can be provided multiple times or as a comma separated string
-    required: false
-  exclude_results:
-    description: "exclude results by providing the similarity ID of a result"
-    required: false
-  output_formats:
-    description: "formats in which the results report will be exported (json, sarif)"
-    required: false
-  output_path:
-    description: 'file path to store results report (json, sarif)'
-    required: false
-  payload_path:
-    description: 'file path to store source internal representation in JSON format'
-    required: false
-  queries:
-    description: 'path to directory with queries (default "./assets/queries")'
-    required: false
-  verbose:
-    description: 'verbose scan'
-outputs:
-  results:
-    description: 'the result of KICS scan'
-branding:
-  icon: 'shield'
-  color: 'green'
-runs:
-  using: 'docker'
-  image: 'Dockerfile'
-  args:
-    - ${{ inputs.path }}
-    - ${{ inputs.ignore_on_exit }}
-    - ${{ inputs.fail_on }}
-    - ${{ inputs.timeout }}
-    - ${{ inputs.profiling }}
-    - ${{ inputs.config }}
-    - ${{ inputs.platform_type }}
-    - ${{ inputs.exclude_paths }}
-    - ${{ inputs.exclude_queries }}
-    - ${{ inputs.exclude_categories }}
-    - ${{ inputs.exclude_results }}
-    - ${{ inputs.output_formats }}
-    - ${{ inputs.output_path }}
-    - ${{ inputs.payload_path }}
-    - ${{ inputs.queries }}
-    - ${{ inputs.verbose }}
+# action.yml
+name: 'KICS Github Action'
+description: 'Run KICS scan against IaC projects'
+inputs:
+  path:
+    description: 'paths to a file or directories to scan, accepts a comma separated list'
+    required: true
+  ignore_on_exit:
+    description: 'defines which non-zero exit codes should be ignored (all, results, errors, none)'
+    required: false
+  fail_on:
+    description: 'comma separated list of which severities returns exit code !=0'
+    required: false
+  timeout:
+    description: 'number of seconds the query has to execute before being canceled'
+    required: false
+  profiling:
+    description: 'turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM)'
+    required: false
+  config_path:
+    description: 'path to configuration file'
+    required: false
+  platform_type:
+    description: 'case insensitive list of platform types to scan'
+    required: false
+  exclude_paths:
+    description: "exclude paths from scan, supports glob, quoted comma separated string example: './shouldNotScan/*,somefile.txt'"
+    required: false
+  exclude_queries:
+    description: exclude queries by providing the query ID
+    required: false
+  exclude_categories:
+    description: exclude categories by providing its name, can be provided multiple times or as a comma separated string
+    required: false
+  exclude_results:
+    description: "exclude results by providing the similarity ID of a result"
+    required: false
+  output_formats:
+    description: "formats in which the results report will be exported (json, sarif)"
+    required: false
+  output_path:
+    description: 'file path to store results report (json, sarif)'
+    required: false
+  payload_path:
+    description: 'file path to store source internal representation in JSON format'
+    required: false
+  queries:
+    description: 'path to directory with queries (default "./assets/queries")'
+    required: false
+  verbose:
+    description: 'verbose scan'
+outputs:
+  results:
+    description: 'the result of KICS scan'
+branding:
+  icon: 'shield'
+  color: 'green'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  args:
+    - ${{ inputs.path }}
+    - ${{ inputs.ignore_on_exit }}
+    - ${{ inputs.fail_on }}
+    - ${{ inputs.timeout }}
+    - ${{ inputs.profiling }}
+    - ${{ inputs.config }}
+    - ${{ inputs.platform_type }}
+    - ${{ inputs.exclude_paths }}
+    - ${{ inputs.exclude_queries }}
+    - ${{ inputs.exclude_categories }}
+    - ${{ inputs.exclude_results }}
+    - ${{ inputs.output_formats }}
+    - ${{ inputs.output_path }}
+    - ${{ inputs.payload_path }}
+    - ${{ inputs.queries }}
+    - ${{ inputs.verbose }}

entrypoint.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/ash
 DATETIME="`date '+%H:%M'`"
 
 if [ -z "$INPUT_PATH" ]
@@ -18,8 +18,8 @@ fi
 [[ ! -z "$INPUT_EXCLUDE_CATEGORIES" ]] && EXCLUDE_CATEGORIES_PARAM="--exclude-categories $INPUT_EXCLUDE_CATEGORIES"
 [[ ! -z "$INPUT_OUTPUT_FORMATS" ]] && OUTPUT_FORMATS_PARAM="--report-formats $INPUT_OUTPUT_FORMATS"
 [[ ! -z "$INPUT_PLATFORM_TYPE" ]] && PLATFORM_TYPE_PARAM="--type $INPUT_PLATFORM_TYPE"
-[[ ! -z "$INPUT_IGNORE_ON_EXIT" ]] && IGNORE_ON_EXIT_PARAM="--ignore_on_exit $INPUT_IGNORE_ON_EXIT"
-[[ ! -z "$INPUT_FAIL_ON" ]] && FAIL_ON_PARAM="--fail_on $INPUT_FAIL_ON"
+[[ ! -z "$INPUT_IGNORE_ON_EXIT" ]] && IGNORE_ON_EXIT_PARAM="--ignore-on-exit $INPUT_IGNORE_ON_EXIT"
+[[ ! -z "$INPUT_FAIL_ON" ]] && FAIL_ON_PARAM="--fail-on $INPUT_FAIL_ON"
 [[ ! -z "$INPUT_TIMEOUT" ]] && TIMEOUT_PARAM="--timeout $INPUT_TIMEOUT"
 [[ ! -z "$INPUT_PROFILING" ]] && PROFILING_PARAM="--profiling $INPUT_PROFILING"
 
@@ -29,18 +29,10 @@ if [ ! -z "$INPUT_QUERIES" ]
 then
     QUERIES_PARAM="-q $INPUT_QUERIES"
 else
-    QUERIES_PARAM="-q /usr/bin/assets/queries"
+    QUERIES_PARAM="-q /app/bin/assets/queries"
 fi
 
-tag=`curl --silent "https://api.github.com/repos/Checkmarx/kics/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/'`
-echo "${DATETIME} - INF latest tag is $tag"
-version=`echo $tag | sed -r 's/^.{1}//'`
-echo "${DATETIME} - INF version is $version"
-
-echo "${DATETIME} - INF downloading latest kics binaries kics_${version}_linux_x64.tar.gz"
-wget -q -c "https://github.com/Checkmarx/kics/releases/download/${tag}/kics_${version}_linux_x64.tar.gz" -O - | tar -xz --directory /usr/bin &>/dev/null
-
-echo "${DATETIME} - INF : current directory - ${PWD}"
+cd $GITHUB_WORKSPACE
 echo "${DATETIME} - INF : about to scan directory $INPUT_PATH"
 echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM"
-kics scan --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM
+kics scan --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM