forked from Checkmarx/kics-github-action
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaction.yml
148 lines (148 loc) · 5.42 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# action.yml
name: "KICS Github Action"
description: "Run KICS scan against IaC projects"
inputs:
token:
description: "The GITHUB_TOKEN for the current workflow run"
required: false
default: ${{github.token}}
enable_annotations:
required: false
default: "true"
description: "Enable annotations report"
enable_comments:
required: false
default: "false"
description: "Enable pull request report comments"
enable_jobs_summary:
required: false
default: "false"
description: "Enable report as jobs summary"
comments_with_queries:
required: false
default: "false"
description: "Add queries in th pull request report comments (available when enable_comments = true)"
excluded_column_for_comments_with_queries:
required: false
default: "description_id,similarity_id,search_line,search_value"
description: "Excluded columns for the comment with queries, accepts a comma separated list"
path:
description: "paths to a file or directories to scan, accepts a comma separated list"
required: true
ignore_on_exit:
description: "defines which non-zero exit codes should be ignored (all, results, errors, none)"
required: false
fail_on:
description: "comma separated list of which severities returns exit code !=0"
required: false
timeout:
description: "number of seconds the query has to execute before being canceled"
required: false
profiling:
description: "turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM)"
required: false
config_path:
description: "path to configuration file"
required: false
platform_type:
description: "case insensitive list of platform types to scan"
required: false
exclude_paths:
description: "exclude paths from scan, supports glob, quoted comma separated string example: './shouldNotScan/*,somefile.txt'"
required: false
exclude_queries:
description: exclude queries by providing the query ID
required: false
exclude_categories:
description: exclude categories by providing its name, can be provided multiple times or as a comma separated string
required: false
exclude_results:
description: "exclude results by providing the similarity ID of a result"
required: false
exclude_severities:
description: "exclude results by providing the severity of a result"
required: false
exclude_gitignore:
description: "disables the exclusion of paths specified within .gitignore file"
required: false
output_formats:
description: "formats in which the results report will be exported (json, sarif)"
required: false
output_path:
description: "directory to store results report"
required: false
payload_path:
description: "file path to store source internal representation in JSON format"
required: false
queries:
description: 'path to directory with queries (default "./assets/queries")'
required: false
secrets_regexes_path:
description: "path to secrets regex rules configuration file"
required: false
libraries_path:
description: "path to directory with Rego libraries"
required: false
disable_full_descriptions:
description: "disable request for full descriptions and use default vulnerability descriptions"
required: false
disable_secrets:
description: "disable secrets detection"
required: false
type:
description: "case insensitive comma-separated list of platform types to scan (Ansible, AzureResourceManager, CloudFormation, Dockerfile, Kubernetes, OpenAPI, Terraform)"
required: false
verbose:
description: "verbose scan"
required: false
include_queries:
description: "comma separated list of queries ID's to include, cannot be provided with query exclusion flags"
required: false
bom:
description: "include bill of materials (BoM) in results output"
required: false
cloud_provider:
description: "list of cloud providers to scan (alicloud, aws, azure, gcp)"
required: false
branding:
icon: "shield"
color: "green"
runs:
using: "docker"
image: Dockerfile
env:
INPUT_TOKEN: ${{ inputs.token }}
INPUT_OUTPUT_PATH: ${{ inputs.output_path }}
INPUT_ENABLE_ANNOTATIONS: ${{ inputs.enable_annotations }}
INPUT_ENABLE_COMMENTS: ${{ inputs.enable_comments }}
INPUT_ENABLE_JOBS_SUMMARY: ${{ inputs.enable_jobs_summary }}
INPUT_COMMENTS_WITH_QUERIES: ${{ inputs.comments_with_queries }}
INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES: ${{ inputs.excluded_column_for_comments_with_queries }}
INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }}
WORKSPACE_PATH: $GITHUB_WORKSPACE
args:
- ${{ inputs.path }}
- ${{ inputs.fail_on }}
- ${{ inputs.timeout }}
- ${{ inputs.profiling }}
- ${{ inputs.config }}
- ${{ inputs.platform_type }}
- ${{ inputs.exclude_paths }}
- ${{ inputs.exclude_queries }}
- ${{ inputs.include_queries }}
- ${{ inputs.exclude_categories }}
- ${{ inputs.exclude_results }}
- ${{ inputs.exclude_severities }}
- ${{ inputs.exclude_gitignore}}
- ${{ inputs.output_formats }}
- ${{ inputs.output_path }}
- ${{ inputs.payload_path }}
- ${{ inputs.queries }}
- ${{ inputs.verbose }}
- ${{ inputs.bom }}
- ${{ inputs.ignore_on_exit }}
- ${{ inputs.disable_secrets }}
- ${{ inputs.disable_full_descriptions }}
- ${{ inputs.libraries_path }}
- ${{ inputs.secrets_regexes_path}}
- ${{ inputs.cloud_provider}}