-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yml
84 lines (68 loc) · 3.6 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: 'wizcli-wrapper'
author: "Aikashev Aleksei"
description: "A simple wrapper for wiz-cli"
inputs:
# IaC scan inputs
iac_scan_path:
description: "Set the relative path in the repo to the root folder of the IaC files. Wiz scan is recursive and scans all subfolders. To increase the quality of the scan of terraform scan you can point it to the plan.tfplanjson file: terraform plan -out plan.tfplan && terraform show -json plan.tfplan > plan.tfplanjson"
required: false
default: "."
wiz_iac_policy:
description: "Set the desired Wiz-cli IaC policy to use. You can add more policies to use by separating them with comma ','."
required: false
default: "Default IaC policy"
wiz_iac_report_name:
description: "Create a Wiz report with the specified name. The report can be viewed in the Wiz console under Reports -> CI/CD Scans."
required: false
default: "${{ github.repository }}-${{ github.run_number }}"
wiz_iac_tags:
description: "Set the desired tags to use"
required: false
default: "repo=${{ github.repository }},commit_sha=${{ github.sha }},pr_title=${{ github.event.pull_request.title }},pr_number=${{ github.event.number}},event_name=${{ github.event_name }},github_workflow=${{ github.workflow }}"
skip_iac_scan:
description: "Set to 'skip' to skip the IaC scan"
required: false
# Docker images vulnerability scan inputs
docker_scan_path:
description: "Set the relative path in the repo to the folder with Dockerfile. We need this step as wizcli build a docker image locally using your Dockerfile. Important! It supports only one Dockerfile per action."
required: false
default: "."
wiz_docker_vulnerabilities_policy:
description: "Set the desired Wiz-cli vulnerabilities policy to use. You can add more policies to use by separating them with comma ','."
required: false
default: "Default vulnerabilities policy"
wiz_docker_report_name:
description: "Create a Wiz report with the specified name. The report can be viewed in the Wiz console under Reports -> CI/CD Scans. Since the name of the report is used as the name of the docker image, please make sure that you use only allowed lowercase characters."
required: false
default: "${{ github.repository }}-${{ github.run_number }}"
skip_docker_scan:
description: "Set to 'skip' to skip the docker scan"
required: false
# Common inputs
wiz_client_id:
description: "Set Wiz service account id"
required: true
wiz_client_secret:
description: "Set Wiz service account secret"
required: true
runs:
using: "composite"
steps:
- name: Download wiz-cli binary
run: curl -o wizcli https://wizcli.app.wiz.io/latest/wizcli && chmod +x wizcli
shell: bash
- name: Authenticate to Wiz
run: ./wizcli auth --id ${{ inputs.wiz_client_id }} --secret ${{ inputs.wiz_client_secret }}
shell: bash
- name: Run IaC scan
if: inputs.skip_iac_scan != 'skip'
run: ./wizcli iac scan --show-secret-snippets --path ${{ inputs.iac_scan_path }} --policy "${{ inputs.wiz_iac_policy }}" --tag "${{ inputs.wiz_iac_tags }}" --name "${{ inputs.wiz_iac_report_name }}"
shell: bash
- name: Build the Docker image
if: inputs.skip_docker_scan != 'skip'
run: cd ${{ inputs.docker_scan_path }} && docker build . --tag ${{ inputs.wiz_docker_report_name }}
shell: bash
- name: Run wiz-cli docker image scan
if: inputs.skip_docker_scan != 'skip'
run: ./wizcli docker scan --policy "${{ inputs.wiz_docker_vulnerabilities_policy }}" --image ${{ inputs.wiz_docker_report_name }}
shell: bash