From 9b15effb9b5fb177ca90f981954ef7f08e979ece Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D2=89=CE=B1k=CE=B1=20x=E2=A0=A0=E2=A0=B5?=
 <32862241+4k4xs4pH1r3@users.noreply.github.com>
Date: Wed, 31 Jan 2024 20:29:47 +0300
Subject: [PATCH] Create zscaler-iac-scan.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: ҉αkα x⠠⠵ <32862241+4k4xs4pH1r3@users.noreply.github.com>
---
 .github/workflows/zscaler-iac-scan.yml | 56 ++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 .github/workflows/zscaler-iac-scan.yml

diff --git a/.github/workflows/zscaler-iac-scan.yml b/.github/workflows/zscaler-iac-scan.yml
new file mode 100644
index 000000000..83fac5e18
--- /dev/null
+++ b/.github/workflows/zscaler-iac-scan.yml
@@ -0,0 +1,56 @@
+#This workflow uses actions that are not certified by GitHub.
+#They are provided by a third party and are governed by
+#separate terms of service, privacy policy, and support
+#documentation.
+
+#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app,
+#which detects security misconfigurations in IaC templates and publishes the findings
+#under the code scanning alerts section within the repository.
+
+#Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process.
+#Copy the client ID and client secret key generated during the onboarding process and configure.
+#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET).
+
+#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow.
+#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation.
+
+name: Zscaler IaC Scan
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '26 13 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  zscaler-iac-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    runs-on: ubuntu-latest
+    steps:
+      - name : Code Checkout
+        uses: actions/checkout@v3
+      - name : Zscaler IAC Scan
+        uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087
+        id : zscaler-iac-scan
+        with:
+          client_id : ${{ secrets.ZSCANNER_CLIENT_ID }}
+          client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }}
+          #This is the user region specified during the onboarding process within the ZPC Admin Portal.
+          region : 'US'
+          iac_dir : #Enter the IaC directory path from root.
+          iac_file : #Enter the IaC file path from root.
+          output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here.
+          #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true.
+          fail_build : #Enter true/false
+      #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
+      - name: Upload SARIF file
+        if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}