forked from bridgecrewio/checkov-action
-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yml
141 lines (140 loc) · 5.75 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
# action.yml
name: 'Checkov GitHub Action'
author: 'Chris Mavrakis'
description: 'Run Checkov against Terraform/CloudFormation infrastructure code, as a pre-packaged GitHub Action.'
inputs:
file:
description: 'File with infrastructure code to scan'
required: false
directory:
default: '.'
description: 'Directory with infrastructure code to scan'
required: false
check:
description: 'Run scan only on a specific check identifier (comma separated)'
required: false
skip_check:
description: 'Run scan on all checks but a specific check identifier (comma separated)'
required: false
compact:
description: 'Do not display code blocks in output'
required: false
quiet:
description: 'display only failed checks'
required: false
api-key:
description: 'Environment variable name of the Bridgecrew API key from Bridgecrew app'
required: false
soft_fail:
description: 'do not return an error code if there are failed checks'
required: false
framework:
description: 'run only on a specific infrastructure'
required: false
external_checks_dirs:
description: 'comma separated list of external (custom) checks directories'
required: false
external_checks_repos:
description: 'comma separated list of external (custom) checks repositories'
required: false
output_format:
description: 'The format of the output. cli, json, junitxml, github_failed_only, or sarif'
required: false
default: 'sarif'
download_external_modules:
description: 'download external terraform modules from public git repositories and terraform registry:true, false'
required: false
log_level:
description: 'log level'
required: false
default: 'WARNING'
config_file:
description: 'checkov configuration file'
required: false
baseline:
description: 'Path to a .checkov.baseline file to compare. Report will include only failed checks that are not in the baseline'
required: false
soft_fail_on:
description: 'Do not return an error code only for specific check identifiers (comma separated)'
required: false
hard_fail_on:
description: 'Return an error code only for specific check identifiers (comma separated)'
required: false
container_user:
default: 0
description: 'Set the username or UID used and optionally the groupname or GID for the action to run under'
required: false
docker_image:
description: 'Name of the docker image with the tags. Only works with an API and Dockerfile path'
required: false
dockerfile_path:
description: 'Path to the Dockerfile of the scanned docker image'
required: false
var_file:
description: 'Variable files to load in addition to the default files. Currently only supported for source Terraform (.tf file), and Helm chart scans. Requires using --directory, not --file.'
required: false
github_pat:
description: 'Environment variable name for a Github personal access token for scanning external modules sourced from private repositories'
required: false
tfc_token:
description: 'Environment variable name for a Terraform Cloud token for scanning external modules sourced from private registries'
required: false
vcs_base_url:
description: 'Environment variable name for the base url of a self hosted VCS with external modules. To be used with vcs_username and vcs_token'
required: false
vcs_username:
description: 'Environment variable name for the username for basic auth against a self hosted VCS with external modules. To be used with vcs_base_url and vcs_token'
required: false
vcs_token:
description: 'Environment variable name for the password (personal access token) for basic auth against a self hosted VCS with external modules. To be used with vcs_base_url and vcs_username'
required: false
bitbucket_token:
description: 'Environment variable name for a Bitbucket access token to scan external modules sourced from a private Bitbucket repository'
required: false
bitbucket_app_password:
description: 'Environment variable name for a Bitbucket app password to perform basic auth inorder to scan external modules sourced from a private Bitbucket repository. To be used with bitbucket_usernam'
required: false
bitbucket_username:
description: 'Environment variable name for a Bitbucket username to perform basic auth inorder to scan external modules sourced from a private Bitbucket repository. To be used with bitbucket_app_password'
required: false
outputs:
results:
description: 'The results from the infrastructure scan'
branding:
icon: 'shield'
color: 'purple'
runs:
using: 'docker'
image: 'docker://bridgecrew/checkov:2.1.282'
args:
- ${{ inputs.file }}
- ${{ inputs.directory }}
- ${{ inputs.check }}
- ${{ inputs.skip_check }}
- ${{ inputs.compact }}
- ${{ inputs.quiet }}
- ${{ inputs.soft_fail }}
- ${{ inputs.framework }}
- ${{ inputs.external_checks_dirs }}
- ${{ inputs.external_checks_repos }}
- ${{ inputs.output_format }}
- ${{ inputs.download_external_modules }}
- ${{ inputs.log_level }}
- ${{ inputs.config_file }}
- ${{ inputs.baseline }}
- ${{ inputs.hard_fail_on }}
- ${{ inputs.soft_fail_on }}
- ${{ inputs.docker_image }}
- ${{ inputs.dockerfile_path }}
- ${{ inputs.var_file }}
- "--user ${{ inputs.container_user }}"
env:
API_KEY_VARIABLE: ${{ inputs.api-key }}
GITHUB_PAT: ${{ inputs.github_pat }}
TFC_TOKEN: ${{ inputs.tfc_token }}
VCS_USERNAME: ${{ inputs.vcs_username }}
VCS_BASE_URL: ${{ inputs.vcs_base_url }}
VCS_TOKEN: ${{ inputs.vcs_token }}
BITBUCKET_TOKEN: ${{ inputs.bitbucket_token }}
BITBUCKET_USERNAME: ${{ inputs.bitbucket_username }}
BITBUCKET_APP_PASSWORD: ${{ inputs.bitbucket_app_password }}