# action.yml name: "KICS Github Action" description: "Run KICS scan against IaC projects" inputs: token: description: "The GITHUB_TOKEN for the current workflow run" required: false default: ${{github.token}} enable_comments: required: false default: "false" description: "Enable pull request report comments" path: description: "paths to a file or directories to scan, accepts a comma separated list" required: true ignore_on_exit: description: "defines which non-zero exit codes should be ignored (all, results, errors, none)" required: false fail_on: description: "comma separated list of which severities returns exit code !=0" required: false timeout: description: "number of seconds the query has to execute before being canceled" required: false profiling: description: "turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM)" required: false config_path: description: "path to configuration file" required: false platform_type: description: "case insensitive list of platform types to scan" required: false exclude_paths: description: "exclude paths from scan, supports glob, quoted comma separated string example: './shouldNotScan/*,somefile.txt'" required: false exclude_queries: description: exclude queries by providing the query ID required: false exclude_categories: description: exclude categories by providing its name, can be provided multiple times or as a comma separated string required: false exclude_results: description: "exclude results by providing the similarity ID of a result" required: false output_formats: description: "formats in which the results report will be exported (json, sarif)" required: false output_path: description: "directory to store results report" required: false payload_path: description: "file path to store source internal representation in JSON format" required: false queries: description: 'path to directory with queries (default "./assets/queries")' required: false secrets_regexes_path: description: "path to secrets regex rules configuration file" required: false libraries_path: description: "path to directory with Rego libraries" required: false disable_full_descriptions: description: "disable request for full descriptions and use default vulnerability descriptions" required: false disable_secrets: description: "disable secrets detection" required: false type: description: "case insensitive comma-separated list of platform types to scan (Ansible, AzureResourceManager, CloudFormation, Dockerfile, Kubernetes, OpenAPI, Terraform)" required: false verbose: description: "verbose scan" required: false include_queries: description: "comma separated list of queries ID's to include, cannot be provided with query exclusion flags" required: false bom: description: "include bill of materials (BoM) in results output" required: false branding: icon: "shield" color: "green" runs: using: "composite" steps: - uses: actions/checkout@v2 - name: Run KICS Scan id: kics_scan uses: docker://checkmarx/kics:v1.4.8-alpine env: INPUT_PATH: ${{ inputs.path }} INPUT_FAIL_ON: ${{ inputs.fail_on }} INPUT_TIMEOUT: ${{ inputs.timeout }} INPUT_PROFILING: ${{ inputs.profiling }} INPUT_CONFIG_PATH: ${{ inputs.config }} INPUT_PLATFORM_TYPE: ${{ inputs.platform_type }} INPUT_EXCLUDE_PATHS: ${{ inputs.exclude_paths }} INPUT_EXCLUDE_QUERIES: ${{ inputs.exclude_queries }} INPUT_INCLUDE_QUERIES: ${{ inputs.include_queries }} INPUT_EXCLUDE_CATEGORIES: ${{ inputs.exclude_categories }} INPUT_EXCLUDE_RESULTS: ${{ inputs.exclude_results }} INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }} INPUT_OUTPUT_PATH: ${{ inputs.output_path }} INPUT_PAYLOAD_PATH: ${{ inputs.payload_path }} INPUT_QUERIES: ${{ inputs.queries }} INPUT_VERBOSE: ${{ inputs.verbose }} INPUT_BOM: ${{ inputs.bom }} INPUT_IGNORE_ON_EXIT: ${{ inputs.ignore_on_exit }} INPUT_DISABLE_SECRETS: ${{ inputs.disable_secrets }} INPUT_DISABLE_FULL_DESCRIPTIONS: ${{ inputs.disable_full_descriptions }} INPUT_LIBRARIES_PATH: ${{ inputs.libraries_path }} INPUT_SECRETS_REGEXES_PATH: ${{ inputs.secrets_regexes_path}} with: entrypoint: ./entrypoint.sh - name: Run KICS PR Comentator uses: actions/setup-node@v2 with: node-version: 12.x - name: Install dependencies shell: bash run: npm ci - run: | sudo chown -R ${USER} ${{ inputs.output_path }} npm run build --if-present shell: bash - run: node dist/index.js shell: bash env: INPUT_TOKEN: ${{ inputs.token }} INPUT_OUTPUT_PATH: ${{ inputs.output_path }} INPUT_ENABLE_COMMENTS: ${{ inputs.enable_comments }} INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }} KICS_EXIT_CODE: ${{ steps.kics_scan.outputs.exit_code }}