diff --git a/Dockerfile b/Dockerfile
index 0898fc7..25ee620 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,7 @@
-FROM ubuntu:20.04
-
-RUN apt-get update && \
- apt-get install -y wget curl
-
-COPY entrypoint.sh /entrypoint.sh
-
-RUN chmod +x /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
\ No newline at end of file
+FROM checkmarx/kics:nightly-alpine
+
+COPY entrypoint.sh /entrypoint.sh
+
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/README.md b/README.md
index e2be3af..e4290eb 100644
--- a/README.md
+++ b/README.md
@@ -130,12 +130,11 @@ You can only enable one profiler at a time, CPU or MEM. cat results.json ``` -## Example using docker-runner and SARIF report +## Uploading SARIF report -checkmarx/kics-action@docker-runner branch runs an alpine based linux container (`checkmarx/kics:nightly-alpine`) that doesn't require downloading kics binaries and queries in the `entrypoint.sh` ```yaml -name: scan with KICS docker-runner +name: scan with KICS and upload SARIF on: pull_request:
@@ -152,7 +151,7 @@ jobs: # make sure results dir is created run: mkdir -p results-dir - name: Run KICS Scan with SARIF result - uses: checkmarx/kics-action@docker-runner + uses: checkmarx/kics-action@v1.2 with: path: 'terraform' # when provided with a directory on output_path
@@ -176,7 +175,7 @@ jobs: sarif_file: results-dir/results.sarif ``` -## Example using docker-runner and a config file +## Using configuration file Check [configuration file](https://github.com/Checkmarx/kics/blob/master/docs/configuration-file.md) reference for more options.
@@ -217,7 +216,7 @@ jobs: } EOF - name: Run KICS Scan using config - uses: checkmarx/kics-action@docker-runner + uses: checkmarx/kics-action@v1.2 with: path: 'terraform' config_path: ./kics.config
diff --git a/action.yml b/action.yml
index 4954d4f..bbabc77 100644
--- a/action.yml
+++ b/action.yml
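Review bot: `FROM checkmarx/kics:nightly-alpine` makes the action's scanner a floating nightly build: each rebuild of the image pulls whatever that tag currently points to, so scan results are not reproducible and the README's `checkmarx/kics-action@v1.2` examples would, as far as the diff shows, run an unreleased KICS. Pin to a release tag and, for a stable supply chain, a digest, e.g. `FROM checkmarx/kics:<release-tag>-alpine@sha256:<digest>` (placeholder values), and bump it deliberately. The `COPY` plus `RUN chmod +x` pair can collapse into a single `COPY --chmod=755 entrypoint.sh /entrypoint.sh` once the build runs under BuildKit, which drops a layer. No `USER` instruction is expected here, since GitHub runs Docker container actions as root so the workspace mount is reachable.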
@@ -1,77 +1,77 @@
-# action.yml
-name: 'KICS Github Action'
-description: 'Run KICS scan against IaC projects'
-inputs:
- path:
- description: 'paths to a file or directories to scan, accepts a comma separated list'
- required: true
- ignore_on_exit:
- description: 'defines which non-zero exit codes should be ignored (all, results, errors, none)'
- required: false
- fail_on:
- description: 'comma separated list of which severities returns exit code !=0'
- required: false
- timeout:
- description: 'number of seconds the query has to execute before being canceled'
- required: false
- profiling:
- description: 'turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM)'
- required: false
- config_path:
- description: 'path to configuration file'
- required: false
- platform_type:
- description: 'case insensitive list of platform types to scan'
- required: false
- exclude_paths:
- description: "exclude paths from scan, supports glob, quoted comma separated string example: './shouldNotScan/*,somefile.txt'"
- required: false
- exclude_queries:
- description: exclude queries by providing the query ID
- required: false
- exclude_categories:
- description: exclude categories by providing its name, can be provided multiple times or as a comma separated string
- required: false
- exclude_results:
- description: "exclude results by providing the similarity ID of a result"
- required: false
- output_formats:
- description: "formats in which the results report will be exported (json, sarif)"
- required: false
- output_path:
- description: 'file path to store results report (json, sarif)'
- required: false
- payload_path:
- description: 'file path to store source internal representation in JSON format'
- required: false
- queries:
- description: 'path to directory with queries (default "./assets/queries")'
- required: false
- verbose:
- description: 'verbose scan'
-outputs:
- results:
- description: 'the result of KICS scan'
-branding:
- icon: 'shield'
- color: 'green'
-runs:
- using: 'docker'
- image: 'Dockerfile'
- args:
- - ${{ inputs.path }}
- - ${{ inputs.ignore_on_exit }}
- - ${{ inputs.fail_on }}
- - ${{ inputs.timeout }}
- - ${{ inputs.profiling }}
- - ${{ inputs.config }}
- - ${{ inputs.platform_type }}
- - ${{ inputs.exclude_paths }}
- - ${{ inputs.exclude_queries }}
- - ${{ inputs.exclude_categories }}
- - ${{ inputs.exclude_results }}
- - ${{ inputs.output_formats }}
- - ${{ inputs.output_path }}
- - ${{ inputs.payload_path }}
- - ${{ inputs.queries }}
- - ${{ inputs.verbose }}
+# action.yml
+name: 'KICS Github Action'
+description: 'Run KICS scan against IaC projects'
+inputs:
+ path:
+ description: 'paths to a file or directories to scan, accepts a comma separated list'
+ required: true
+ ignore_on_exit:
+ description: 'defines which non-zero exit codes should be ignored (all, results, errors, none)'
+ required: false
+ fail_on:
+ description: 'comma separated list of which severities returns exit code !=0'
+ required: false
+ timeout:
+ description: 'number of seconds the query has to execute before being canceled'
+ required: false
+ profiling:
+ description: 'turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM)'
+ required: false
+ config_path:
+ description: 'path to configuration file'
+ required: false
+ platform_type:
+ description: 'case insensitive list of platform types to scan'
+ required: false
+ exclude_paths:
+ description: "exclude paths from scan, supports glob, quoted comma separated string example: './shouldNotScan/*,somefile.txt'"
+ required: false
+ exclude_queries:
+ description: exclude queries by providing the query ID
+ required: false
+ exclude_categories:
+ description: exclude categories by providing its name, can be provided multiple times or as a comma separated string
+ required: false
+ exclude_results:
+ description: "exclude results by providing the similarity ID of a result"
+ required: false
+ output_formats:
+ description: "formats in which the results report will be exported (json, sarif)"
+ required: false
+ output_path:
+ description: 'file path to store results report (json, sarif)'
+ required: false
+ payload_path:
+ description: 'file path to store source internal representation in JSON format'
+ required: false
+ queries:
+ description: 'path to directory with queries (default "./assets/queries")'
+ required: false
+ verbose:
+ description: 'verbose scan'
+outputs:
+ results:
+ description: 'the result of KICS scan'
+branding:
+ icon: 'shield'
+ color: 'green'
+runs:
+ using: 'docker'
+ image: 'Dockerfile'
+ args:
+ - ${{ inputs.path }}
+ - ${{ inputs.ignore_on_exit }}
+ - ${{ inputs.fail_on }}
+ - ${{ inputs.timeout }}
+ - ${{ inputs.profiling }}
+ - ${{ inputs.config }}
+ - ${{ inputs.platform_type }}
+ - ${{ inputs.exclude_paths }}
+ - ${{ inputs.exclude_queries }}
+ - ${{ inputs.exclude_categories }}
+ - ${{ inputs.exclude_results }}
+ - ${{ inputs.output_formats }}
+ - ${{ inputs.output_path }}
+ - ${{ inputs.payload_path }}
+ - ${{ inputs.queries }}
+ - ${{ inputs.verbose }}
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
index 515316f..caa62f4 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/ash DATETIME="`date '+%H:%M'`" if [ -z "$INPUT_PATH" ]
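Review bot: Switching the interpreter to `#!/bin/ash` leaves the script depending on `[[ ... ]]` tests further down (visible as context in the next hunk), which are a bash extension that BusyBox ash honours only when built with its bash-compat options; the portable form `[ -n "$INPUT_FAIL_ON" ] && FAIL_ON_PARAM="--fail-on $INPUT_FAIL_ON"` removes that dependency and the `! -z` double negative at the same time. Worth confirming once on the alpine image before relying on it. The rest of the script continues past this hunk.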
@@ -18,8 +18,8 @@ fi [[ ! -z "$INPUT_EXCLUDE_CATEGORIES" ]] && EXCLUDE_CATEGORIES_PARAM="--exclude-categories $INPUT_EXCLUDE_CATEGORIES" [[ ! -z "$INPUT_OUTPUT_FORMATS" ]] && OUTPUT_FORMATS_PARAM="--report-formats $INPUT_OUTPUT_FORMATS" [[ ! -z "$INPUT_PLATFORM_TYPE" ]] && PLATFORM_TYPE_PARAM="--type $INPUT_PLATFORM_TYPE" -[[ ! -z "$INPUT_IGNORE_ON_EXIT" ]] && IGNORE_ON_EXIT_PARAM="--ignore_on_exit $INPUT_IGNORE_ON_EXIT" -[[ ! -z "$INPUT_FAIL_ON" ]] && FAIL_ON_PARAM="--fail_on $INPUT_FAIL_ON" +[[ ! -z "$INPUT_IGNORE_ON_EXIT" ]] && IGNORE_ON_EXIT_PARAM="--ignore-on-exit $INPUT_IGNORE_ON_EXIT" +[[ ! -z "$INPUT_FAIL_ON" ]] && FAIL_ON_PARAM="--fail-on $INPUT_FAIL_ON" [[ ! -z "$INPUT_TIMEOUT" ]] && TIMEOUT_PARAM="--timeout $INPUT_TIMEOUT" [[ ! -z "$INPUT_PROFILING" ]] && PROFILING_PARAM="--profiling $INPUT_PROFILING" 
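Review bot: The two corrected flags are still assembled into a plain string (`--fail-on $INPUT_FAIL_ON`) that is word-split when expanded unquoted on the `kics scan` line, so a workflow value written as `high, medium` becomes two separate arguments and only the first reaches the flag. Either document that these comma-separated inputs must not contain spaces, or strip whitespace while building the parameter, e.g. `FAIL_ON_PARAM="--fail-on $(printf '%s' "$INPUT_FAIL_ON" | tr -d '[:space:]')"`, and the same for `IGNORE_ON_EXIT_PARAM`. The script continues before and after this hunk.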
@@ -29,18 +29,10 @@ if [ ! -z "$INPUT_QUERIES" ] then QUERIES_PARAM="-q $INPUT_QUERIES" else - QUERIES_PARAM="-q /usr/bin/assets/queries" + QUERIES_PARAM="-q /app/bin/assets/queries" fi -tag=`curl --silent "https://api.github.com/repos/Checkmarx/kics/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/'` -echo "${DATETIME} - INF latest tag is $tag" -version=`echo $tag | sed -r 's/^.{1}//'` -echo "${DATETIME} - INF version is $version" - -echo "${DATETIME} - INF downloading latest kics binaries kics_${version}_linux_x64.tar.gz" -wget -q -c "https://github.com/Checkmarx/kics/releases/download/${tag}/kics_${version}_linux_x64.tar.gz" -O - | tar -xz --directory /usr/bin &>/dev/null - -echo "${DATETIME} - INF : current directory - ${PWD}" +cd $GITHUB_WORKSPACE echo "${DATETIME} - INF : about to scan directory $INPUT_PATH" echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM" -kics scan --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM +kics scan --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM \ No newline at end of file
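Review bot: `cd $GITHUB_WORKSPACE` is unquoted and unchecked: with the variable empty the bare `cd` goes to the home directory, and with a path containing spaces or a missing directory the `cd` fails but the script carries on, so the relative `$INPUT_PATH` is resolved against the wrong tree and the scan can report a misleadingly clean result. Change it to `cd "${GITHUB_WORKSPACE:?GITHUB_WORKSPACE is not set}" || exit 1` so a bad workspace fails the step instead. The new default `-q /app/bin/assets/queries` is tied to the layout of the base image; a one-line comment naming the image it comes from would help whoever next bumps the tag. The script continues before this hunk.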