From 60d41ec6c604fa3a1482dae262360ad30e3c2435 Mon Sep 17 00:00:00 2001
From: Chase Higgins
Date: Tue, 25 Oct 2022 04:40:17 -0400
Subject: [PATCH 1/3] add ignore exit fail for results
---
.github/workflows/kics-iac.yml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 .github/workflows/kics-iac.yml
diff --git a/.github/workflows/kics-iac.yml b/.github/workflows/kics-iac.yml
new file mode 100644
index 0000000..038e3dc
--- /dev/null
+++ b/.github/workflows/kics-iac.yml
@@ -0,0 +1,29 @@
+name: kics scanning
+on:
+ push:
+ branches: dev
+jobs:
+ kics:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: run kics Scan
+ uses: checkmarx/kics-github-action@v1.6
+ with:
+ path: .
+ ignore_on_exit: results
+ output_path: res/
+ - name: display kics results
+ run: |
+ cat res/results.json
+ - name: upload scan results
+ run: |
+ set -eu
+ apt-get update
+ apt-get install awscli -y
+ KEY="`date +%Y`/`date +%m`/`date +%d`/${GITHUB_REPOSITORY#*/}_${GITHUB_REF#refs/heads/}_kics_`date +%s`.json"
+ echo "[i] writing to s3 object '$KEY'"
+ mv res/results.json res/${KEY#*/*/*/*}
+ export AWS_ACCESS_KEY_ID=${{ secrets.VULN_REPORTS_AWS_KEY_ID }}
+ export AWS_SECRET_ACCESS_KEY=${{ secrets.VULN_REPORTS_AWS_SECRET_ACCESS_KEY }}
+ aws s3 cp res/${KEY#*/*/*/*} s3://${{ secrets.VULN_REPORTS_AWS_BUCKET }}/$KEY
From 4ededa96a811aa972618453e1d4e743411f4f180 Mon Sep 17 00:00:00 2001
From: Chase Higgins
Date: Tue, 25 Oct 2022 11:21:21 -0400
Subject: [PATCH 2/3] add kics scanning
---
.github/workflows/kics-iac.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kics-iac.yml b/.github/workflows/kics-iac.yml
index 038e3dc..4857671 100644
--- a/.github/workflows/kics-iac.yml
+++ b/.github/workflows/kics-iac.yml
@@ -1,7 +1,7 @@
 name: kics scanning
 on:
 push:
- branches: dev
+ branches: master
 jobs:
 kics:
 runs-on: ubuntu-latest
From 71512bae3636aa24318adb1ece951b9ab0ff4d9d Mon Sep 17 00:00:00 2001
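Review bot: The new workflow in the first patch declares no `permissions:` key, so the job's GITHUB_TOKEN receives the repository's default permissions although the steps only need to read the checkout; adding `permissions:` with `contents: read` at the top of the workflow (or under the `kics` job) scopes the token to what the scan actually does. Both actions are also referenced by mutable tags, `actions/checkout@v2` and `checkmarx/kics-github-action@v1.6`, so a moved tag changes the code that runs inside a job holding cloud credentials; pinning each `uses:` to a full commit SHA with the tag noted in a trailing comment keeps the scan reproducible and auditable. Neither point is addressed by the two later patches in this series, which only change the branch filter and the credential handling. The `cat res/results.json` step prints every finding into the job log, which is worth a second look if the repository or its logs are visible beyond the team.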
From: Chase Higgins
Date: Wed, 26 Oct 2022 10:48:14 -0400
Subject: [PATCH 3/3] fix action-specfic issues
---
.github/workflows/kics-iac.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/kics-iac.yml b/.github/workflows/kics-iac.yml
index 4857671..9e03fc0 100644
--- a/.github/workflows/kics-iac.yml
+++ b/.github/workflows/kics-iac.yml
@@ -5,6 +5,11 @@ on:
 jobs:
 kics:
 runs-on: ubuntu-latest
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.VULN_REPORTS_AWS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.VULN_REPORTS_AWS_SECRET_ACCESS_KEY }}
+ VULN_REPORTS_AWS_BUCKET: ${{ secrets.VULN_REPORTS_AWS_BUCKET }}
+ AWS_EC2_METADATA_DISABLED: true
 steps:
 - uses: actions/checkout@v2
 - name: run kics Scan
@@ -19,11 +24,6 @@ jobs:
 - name: upload scan results
 run: |
 set -eu
- apt-get update
- apt-get install awscli -y
 KEY="`date +%Y`/`date +%m`/`date +%d`/${GITHUB_REPOSITORY#*/}_${GITHUB_REF#refs/heads/}_kics_`date +%s`.json"
 echo "[i] writing to s3 object '$KEY'"
- mv res/results.json res/${KEY#*/*/*/*}
- export AWS_ACCESS_KEY_ID=${{ secrets.VULN_REPORTS_AWS_KEY_ID }}
- export AWS_SECRET_ACCESS_KEY=${{ secrets.VULN_REPORTS_AWS_SECRET_ACCESS_KEY }}
- aws s3 cp res/${KEY#*/*/*/*} s3://${{ secrets.VULN_REPORTS_AWS_BUCKET }}/$KEY
+ aws s3 cp res/results.json s3://$VULN_REPORTS_AWS_BUCKET/$KEY
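Review bot: The `env:` block added in the first hunk sits at job level, so `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are present in the environment of every step, including `actions/checkout@v2` and the third-party `checkmarx/kics-github-action@v1.6`, although only the `upload scan results` step rewritten in the second hunk reads them. Moving the same four-entry `env:` mapping under that one step (as `- name: upload scan results` / `env:` / `run: |`) confines the credentials to the single process that needs them without touching the `aws s3 cp` line. `AWS_EC2_METADATA_DISABLED: true` is an unquoted YAML boolean; writing `AWS_EC2_METADATA_DISABLED: "true"` makes the string value explicit regardless of how the file is loaded, which is a style point since the runner appears to pass env values as strings anyway. The same step scoping would also keep `VULN_REPORTS_AWS_BUCKET` out of the scanner's environment, where it is not used.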