147 lines
5.3 KiB
YAML
147 lines
5.3 KiB
YAML
# action.yml
|
|
name: "KICS Github Action"
|
|
description: "Run KICS scan against IaC projects"
|
|
inputs:
|
|
token:
|
|
description: "The GITHUB_TOKEN for the current workflow run"
|
|
required: false
|
|
default: ${{github.token}}
|
|
enable_annotations:
|
|
required: false
|
|
default: "true"
|
|
description: "Enable annotations report"
|
|
enable_comments:
|
|
required: false
|
|
default: "false"
|
|
description: "Enable pull request report comments"
|
|
enable_jobs_summary:
|
|
required: false
|
|
default: "false"
|
|
description: "Enable report as jobs summary"
|
|
comments_with_queries:
|
|
required: false
|
|
default: "false"
|
|
description: "Add queries in th pull request report comments (available when enable_comments = true)"
|
|
excluded_column_for_comments_with_queries:
|
|
required: false
|
|
default: "description_id,similarity_id,search_line,search_value"
|
|
description: "Excluded columns for the comment with queries, accepts a comma separated list"
|
|
path:
|
|
description: "paths to a file or directories to scan, accepts a comma separated list"
|
|
required: true
|
|
ignore_on_exit:
|
|
description: "defines which non-zero exit codes should be ignored (all, results, errors, none)"
|
|
required: false
|
|
fail_on:
|
|
description: "comma separated list of which severities returns exit code !=0"
|
|
required: false
|
|
timeout:
|
|
description: "number of seconds the query has to execute before being canceled"
|
|
required: false
|
|
profiling:
|
|
description: "turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM)"
|
|
required: false
|
|
config_path:
|
|
description: "path to configuration file"
|
|
required: false
|
|
platform_type:
|
|
description: "case insensitive list of platform types to scan"
|
|
required: false
|
|
exclude_paths:
|
|
description: "exclude paths from scan, supports glob, quoted comma separated string example: './shouldNotScan/*,somefile.txt'"
|
|
required: false
|
|
exclude_queries:
|
|
description: exclude queries by providing the query ID
|
|
required: false
|
|
exclude_categories:
|
|
description: exclude categories by providing its name, can be provided multiple times or as a comma separated string
|
|
required: false
|
|
exclude_results:
|
|
description: "exclude results by providing the similarity ID of a result"
|
|
required: false
|
|
exclude_severities:
|
|
description: "exclude results by providing the severity of a result"
|
|
required: false
|
|
exclude_gitignore:
|
|
description: "disables the exclusion of paths specified within .gitignore file"
|
|
required: false
|
|
output_formats:
|
|
description: "formats in which the results report will be exported (json, sarif)"
|
|
required: false
|
|
output_path:
|
|
description: "directory to store results report"
|
|
required: false
|
|
payload_path:
|
|
description: "file path to store source internal representation in JSON format"
|
|
required: false
|
|
queries:
|
|
description: 'path to directory with queries (default "./assets/queries")'
|
|
required: false
|
|
secrets_regexes_path:
|
|
description: "path to secrets regex rules configuration file"
|
|
required: false
|
|
libraries_path:
|
|
description: "path to directory with Rego libraries"
|
|
required: false
|
|
disable_full_descriptions:
|
|
description: "disable request for full descriptions and use default vulnerability descriptions"
|
|
required: false
|
|
disable_secrets:
|
|
description: "disable secrets detection"
|
|
required: false
|
|
type:
|
|
description: "case insensitive comma-separated list of platform types to scan (Ansible, AzureResourceManager, CloudFormation, Dockerfile, Kubernetes, OpenAPI, Terraform)"
|
|
required: false
|
|
verbose:
|
|
description: "verbose scan"
|
|
required: false
|
|
include_queries:
|
|
description: "comma separated list of queries ID's to include, cannot be provided with query exclusion flags"
|
|
required: false
|
|
bom:
|
|
description: "include bill of materials (BoM) in results output"
|
|
required: false
|
|
cloud_provider:
|
|
description: "list of cloud providers to scan (alicloud, aws, azure, gcp)"
|
|
required: false
|
|
branding:
|
|
icon: "shield"
|
|
color: "green"
|
|
runs:
|
|
using: "docker"
|
|
image: Dockerfile
|
|
env:
|
|
INPUT_TOKEN: ${{ inputs.token }}
|
|
INPUT_ENABLE_ANNOTATIONS: ${{ inputs.enable_annotations }}
|
|
INPUT_ENABLE_COMMENTS: ${{ inputs.enable_comments }}
|
|
INPUT_ENABLE_JOBS_SUMMARY: ${{ inputs.enable_jobs_summary }}
|
|
INPUT_COMMENTS_WITH_QUERIES: ${{ inputs.comments_with_queries }}
|
|
INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES: ${{ inputs.excluded_column_for_comments_with_queries }}
|
|
WORKSPACE_PATH: $GITHUB_WORKSPACE
|
|
args:
|
|
- ${{ inputs.path }}
|
|
- ${{ inputs.fail_on }}
|
|
- ${{ inputs.timeout }}
|
|
- ${{ inputs.profiling }}
|
|
- ${{ inputs.config }}
|
|
- ${{ inputs.platform_type }}
|
|
- ${{ inputs.exclude_paths }}
|
|
- ${{ inputs.exclude_queries }}
|
|
- ${{ inputs.include_queries }}
|
|
- ${{ inputs.exclude_categories }}
|
|
- ${{ inputs.exclude_results }}
|
|
- ${{ inputs.exclude_severities }}
|
|
- ${{ inputs.exclude_gitignore}}
|
|
- ${{ inputs.output_formats }}
|
|
- ${{ inputs.output_path }}
|
|
- ${{ inputs.payload_path }}
|
|
- ${{ inputs.queries }}
|
|
- ${{ inputs.verbose }}
|
|
- ${{ inputs.bom }}
|
|
- ${{ inputs.ignore_on_exit }}
|
|
- ${{ inputs.disable_secrets }}
|
|
- ${{ inputs.disable_full_descriptions }}
|
|
- ${{ inputs.libraries_path }}
|
|
- ${{ inputs.secrets_regexes_path}}
|
|
- ${{ inputs.cloud_provider}}
|