# action.yml
name: "KICS Github Action"
description: "Run KICS scan against IaC projects"
inputs:
  token:
    description: "The GITHUB_TOKEN for the current workflow run"
    required: false
    default: ${{github.token}}
  enable_comments:
    required: false
    default: "false"
    description: "Enable pull request report comments"
  path:
    description: "paths to a file or directories to scan, accepts a comma separated list"
    required: true
  ignore_on_exit:
    description: "defines which non-zero exit codes should be ignored (all, results, errors, none)"
    required: false
  fail_on:
    description: "comma separated list of which severities returns exit code !=0"
    required: false
  timeout:
    description: "number of seconds the query has to execute before being canceled"
    required: false
  profiling:
    description: "turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM)"
    required: false
  config_path:
    description: "path to configuration file"
    required: false
  platform_type:
    description: "case insensitive list of platform types to scan"
    required: false
  exclude_paths:
    description: "exclude paths from scan, supports glob, quoted comma separated string example: './shouldNotScan/*,somefile.txt'"
    required: false
  exclude_queries:
    description: exclude queries by providing the query ID
    required: false
  exclude_categories:
    description: exclude categories by providing its name, can be provided multiple times or as a comma separated string
    required: false
  exclude_results:
    description: "exclude results by providing the similarity ID of a result"
    required: false
  output_formats:
    description: "formats in which the results report will be exported (json, sarif)"
    required: false
  output_path:
    description: "directory to store results report"
    required: false
  payload_path:
    description: "file path to store source internal representation in JSON format"
    required: false
  queries:
    description: 'path to directory with queries (default "./assets/queries")'
    required: false
  secrets_regexes_path:
    description: "path to secrets regex rules configuration file"
    required: false
  libraries_path:
    description: "path to directory with Rego libraries"
    required: false
  disable_full_descriptions:
    description: "disable request for full descriptions and use default vulnerability descriptions"
    required: false
  disable_secrets:
    description: "disable secrets detection"
    required: false
  type:
    description: "case insensitive comma-separated list of platform types to scan (Ansible, AzureResourceManager, CloudFormation, Dockerfile, Kubernetes, OpenAPI, Terraform)"
    required: false
  verbose:
    description: "verbose scan"
    required: false
  include_queries:
    description: "comma separated list of queries ID's to include, cannot be provided with query exclusion flags"
    required: false
  bom:
    description: "include bill of materials (BoM) in results output"
    required: false
branding:
  icon: "shield"
  color: "green"
runs:
  using: "composite"
  steps:
    - uses: actions/checkout@v2
    - name: Run KICS Scan
      id: kics_scan
      uses: docker://checkmarx/kics:v1.4.8-alpine
      env:
        INPUT_PATH: ${{ inputs.path }}
        INPUT_FAIL_ON: ${{ inputs.fail_on }}
        INPUT_TIMEOUT: ${{ inputs.timeout }}
        INPUT_PROFILING: ${{ inputs.profiling }}
        INPUT_CONFIG_PATH: ${{ inputs.config }}
        INPUT_PLATFORM_TYPE: ${{ inputs.platform_type }}
        INPUT_EXCLUDE_PATHS: ${{ inputs.exclude_paths }}
        INPUT_EXCLUDE_QUERIES: ${{ inputs.exclude_queries }}
        INPUT_INCLUDE_QUERIES: ${{ inputs.include_queries }}
        INPUT_EXCLUDE_CATEGORIES: ${{ inputs.exclude_categories }}
        INPUT_EXCLUDE_RESULTS: ${{ inputs.exclude_results }}
        INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }}
        INPUT_OUTPUT_PATH: ${{ inputs.output_path }}
        INPUT_PAYLOAD_PATH: ${{ inputs.payload_path }}
        INPUT_QUERIES: ${{ inputs.queries }}
        INPUT_VERBOSE: ${{ inputs.verbose }}
        INPUT_BOM: ${{ inputs.bom }}
        INPUT_IGNORE_ON_EXIT: ${{ inputs.ignore_on_exit }}
        INPUT_DISABLE_SECRETS: ${{ inputs.disable_secrets }}
        INPUT_DISABLE_FULL_DESCRIPTIONS: ${{ inputs.disable_full_descriptions }}
        INPUT_LIBRARIES_PATH: ${{ inputs.libraries_path }}
        INPUT_SECRETS_REGEXES_PATH: ${{ inputs.secrets_regexes_path}}
      with:
        entrypoint: ./entrypoint.sh
    - name: Run KICS PR Comentator
      uses: actions/setup-node@v2
      with:
        node-version: 12.x
    - name: Install dependencies
      shell: bash
      run: npm ci
    - run: |
        sudo chown -R ${USER} ${{ inputs.output_path }}
        npm run build --if-present
      shell: bash
    - run: node dist/index.js
      shell: bash
      env:
        INPUT_TOKEN: ${{ inputs.token }}
        INPUT_OUTPUT_PATH: ${{ inputs.output_path }}
        INPUT_ENABLE_COMMENTS: ${{ inputs.enable_comments }}
        INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }}
        KICS_EXIT_CODE: ${{ steps.kics_scan.outputs.exit_code }}