support KICS 1.3.0 use docker-runner as default

This commit is contained in:
Rogerio Peixoto
2021-05-10 18:52:01 +01:00
committed by GitHub
4 changed files with 95 additions and 107 deletions


@ -1,7 +1,4 @@
FROM ubuntu:20.04 FROM checkmarx/kics:nightly-alpine
RUN apt-get update && \
apt-get install -y wget curl
COPY entrypoint.sh /entrypoint.sh COPY entrypoint.sh /entrypoint.sh
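Review bot: `FROM checkmarx/kics:nightly-alpine` on the new side pins the action to a floating nightly tag, so each run pulls whatever the registry currently serves; the commit title targets KICS 1.3.0, but nothing in the Dockerfile guarantees that version, and a regressed or tampered nightly push would reach every consumer of the action on its next run. Pin to the release tag the title refers to and, for reproducibility, a digest, e.g. `FROM checkmarx/kics:<1.3.0-release-tag>-alpine@sha256:<digest>`, and bump it deliberately with each KICS release. The rest of the Dockerfile (old lines 5-7 / new lines 3-4, presumably the ENTRYPOINT) is outside the shown hunk, so the `USER` and `ENTRYPOINT` state of the final image cannot be checked here.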


@ -130,12 +130,11 @@ You can only enable one profiler at a time, CPU or MEM.
cat results.json cat results.json
``` ```
## Example using docker-runner and SARIF report ## Uploading SARIF report
checkmarx/kics-action@docker-runner branch runs an alpine based linux container (`checkmarx/kics:nightly-alpine`) that doesn't require downloading kics binaries and queries in the `entrypoint.sh`
```yaml ```yaml
name: scan with KICS docker-runner name: scan with KICS and upload SARIF
on: on:
pull_request: pull_request:
@ -152,7 +151,7 @@ jobs:
# make sure results dir is created # make sure results dir is created
run: mkdir -p results-dir run: mkdir -p results-dir
- name: Run KICS Scan with SARIF result - name: Run KICS Scan with SARIF result
uses: checkmarx/kics-action@docker-runner uses: checkmarx/kics-action@v1.2
with: with:
path: 'terraform' path: 'terraform'
# when provided with a directory on output_path # when provided with a directory on output_path
@ -176,7 +175,7 @@ jobs:
sarif_file: results-dir/results.sarif sarif_file: results-dir/results.sarif
``` ```
## Example using docker-runner and a config file ## Using configuration file
Check [configuration file](https://github.com/Checkmarx/kics/blob/master/docs/configuration-file.md) reference for more options. Check [configuration file](https://github.com/Checkmarx/kics/blob/master/docs/configuration-file.md) reference for more options.
@ -217,7 +216,7 @@ jobs:
} }
EOF EOF
- name: Run KICS Scan using config - name: Run KICS Scan using config
uses: checkmarx/kics-action@docker-runner uses: checkmarx/kics-action@v1.2
with: with:
path: 'terraform' path: 'terraform'
config_path: ./kics.config config_path: ./kics.config


@ -1,4 +1,4 @@
#!/bin/bash #!/bin/ash
DATETIME="`date '+%H:%M'`" DATETIME="`date '+%H:%M'`"
if [ -z "$INPUT_PATH" ] if [ -z "$INPUT_PATH" ]
@ -18,8 +18,8 @@ fi
[[ ! -z "$INPUT_EXCLUDE_CATEGORIES" ]] && EXCLUDE_CATEGORIES_PARAM="--exclude-categories $INPUT_EXCLUDE_CATEGORIES" [[ ! -z "$INPUT_EXCLUDE_CATEGORIES" ]] && EXCLUDE_CATEGORIES_PARAM="--exclude-categories $INPUT_EXCLUDE_CATEGORIES"
[[ ! -z "$INPUT_OUTPUT_FORMATS" ]] && OUTPUT_FORMATS_PARAM="--report-formats $INPUT_OUTPUT_FORMATS" [[ ! -z "$INPUT_OUTPUT_FORMATS" ]] && OUTPUT_FORMATS_PARAM="--report-formats $INPUT_OUTPUT_FORMATS"
[[ ! -z "$INPUT_PLATFORM_TYPE" ]] && PLATFORM_TYPE_PARAM="--type $INPUT_PLATFORM_TYPE" [[ ! -z "$INPUT_PLATFORM_TYPE" ]] && PLATFORM_TYPE_PARAM="--type $INPUT_PLATFORM_TYPE"
[[ ! -z "$INPUT_IGNORE_ON_EXIT" ]] && IGNORE_ON_EXIT_PARAM="--ignore_on_exit $INPUT_IGNORE_ON_EXIT" [[ ! -z "$INPUT_IGNORE_ON_EXIT" ]] && IGNORE_ON_EXIT_PARAM="--ignore-on-exit $INPUT_IGNORE_ON_EXIT"
[[ ! -z "$INPUT_FAIL_ON" ]] && FAIL_ON_PARAM="--fail_on $INPUT_FAIL_ON" [[ ! -z "$INPUT_FAIL_ON" ]] && FAIL_ON_PARAM="--fail-on $INPUT_FAIL_ON"
[[ ! -z "$INPUT_TIMEOUT" ]] && TIMEOUT_PARAM="--timeout $INPUT_TIMEOUT" [[ ! -z "$INPUT_TIMEOUT" ]] && TIMEOUT_PARAM="--timeout $INPUT_TIMEOUT"
[[ ! -z "$INPUT_PROFILING" ]] && PROFILING_PARAM="--profiling $INPUT_PROFILING" [[ ! -z "$INPUT_PROFILING" ]] && PROFILING_PARAM="--profiling $INPUT_PROFILING"
@ -29,18 +29,10 @@ if [ ! -z "$INPUT_QUERIES" ]
then then
QUERIES_PARAM="-q $INPUT_QUERIES" QUERIES_PARAM="-q $INPUT_QUERIES"
else else
QUERIES_PARAM="-q /usr/bin/assets/queries" QUERIES_PARAM="-q /app/bin/assets/queries"
fi fi
tag=`curl --silent "https://api.github.com/repos/Checkmarx/kics/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/'` cd $GITHUB_WORKSPACE
echo "${DATETIME} - INF latest tag is $tag"
version=`echo $tag | sed -r 's/^.{1}//'`
echo "${DATETIME} - INF version is $version"
echo "${DATETIME} - INF downloading latest kics binaries kics_${version}_linux_x64.tar.gz"
wget -q -c "https://github.com/Checkmarx/kics/releases/download/${tag}/kics_${version}_linux_x64.tar.gz" -O - | tar -xz --directory /usr/bin &>/dev/null
echo "${DATETIME} - INF : current directory - ${PWD}"
echo "${DATETIME} - INF : about to scan directory $INPUT_PATH" echo "${DATETIME} - INF : about to scan directory $INPUT_PATH"
echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM" echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM"
kics scan --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM kics scan --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM
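Review bot: `cd $GITHUB_WORKSPACE` on the new side is unquoted and unchecked, so if the variable is unset or the directory is missing the script stays in its previous working directory and the `kics scan` below runs against the wrong tree (a relative `INPUT_PATH` would then resolve inside the container image rather than the checkout). Make the step fatal: `cd "$GITHUB_WORKSPACE" || { echo "${DATETIME} - ERR : cannot cd to GITHUB_WORKSPACE=$GITHUB_WORKSPACE"; exit 1; }`. The shebang now selects `/bin/ash` while the script still uses bash's `[[ ... ]]` tests; BusyBox ash accepts them only when built with bash-compat, which the alpine base presumably provides, so a comment such as `# relies on BusyBox ash bash-compat for [[ ]]` would record that dependency. Separately, the `$INPUT_*` values remain unquoted when spliced into the `kics scan` command line, so a workflow input containing whitespace or a leading `-` becomes extra arguments to kics; this predates the commit, but quoting the single-valued parameters would be worth doing while this file is being reworked.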