From 0de790660f3fabe70c0d7d7464afebc3531eb519 Mon Sep 17 00:00:00 2001 From: Kevin Formsma Date: Thu, 4 Nov 2021 13:30:37 -0400 Subject: [PATCH] Update Github Action (#581) * Refactor primary Github Action - Support writing the output to a file - Add a test for uploading sarif to GH code scanning * Updated action readme example --- .github/workflows/github-action.yml | 14 +++++++++++++- action.yml | 3 +++ github-action/Dockerfile | 8 ++------ github-action/README.md | 18 ++++++++++++++++++ github-action/entrypoint.sh | 11 +++++++++++ 5 files changed, 47 insertions(+), 7 deletions(-) create mode 100755 github-action/entrypoint.sh diff --git a/.github/workflows/github-action.yml b/.github/workflows/github-action.yml index aa2a605a..f97ed092 100644 --- a/.github/workflows/github-action.yml +++ b/.github/workflows/github-action.yml @@ -12,8 +12,10 @@ on: jobs: e2e: - name: E2E test + name: Action E2E test runs-on: ubuntu-latest + permissions: + security-events: write steps: - uses: actions/checkout@master @@ -36,3 +38,13 @@ jobs: with: input_path: github-action/tests extra_args: -o json --template-pattern clean + - name: Test with SARIF output + id: sarif + uses: stelligent/cfn_nag@master + with: + input_path: github-action/tests + extra_args: -o sarif + output_path: cfn_nag.sarif + - uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: cfn_nag.sarif diff --git a/action.yml b/action.yml index 9b0928f2..bff43d60 100644 --- a/action.yml +++ b/action.yml @@ -11,6 +11,9 @@ inputs: extra_args: description: 'Additional arguments to pass to cfn_nag_scan, separated by space (default: "--print-suppression").' default: '--print-suppression' + output_path: + description: 'Destination file path for cfn_nag_scan output' + default: 'cfn_nag.out' runs: using: docker image: github-action/Dockerfile diff --git a/github-action/Dockerfile b/github-action/Dockerfile index c9a4d7e7..e6a16232 100644 --- a/github-action/Dockerfile +++ b/github-action/Dockerfile @@ -1,9 +1,5 @@ FROM stelligent/cfn_nag:latest -ARG INPUT_EXTRA_ARGS='' -ENV INPUT_EXTRA_ARGS="${INPUT_EXTRA_ARGS}" +COPY entrypoint.sh /entrypoint.sh -ARG INPUT_INPUT_PATH='' -ENV INPUT_INPUT_PATH="${INPUT_INPUT_PATH}" - -ENTRYPOINT ["sh", "-c", "cfn_nag_scan $INPUT_EXTRA_ARGS --input-path $INPUT_INPUT_PATH"] +ENTRYPOINT [ "/entrypoint.sh" ] diff --git a/github-action/README.md b/github-action/README.md index 0c0690f3..f34ba17a 100644 --- a/github-action/README.md +++ b/github-action/README.md @@ -20,6 +20,9 @@ The directory of the repo to search for violations. Default: `$GITHUB_WORKSPACE` Additional arguments to pass to `cfn_nag_scan`. See the [usage for `cfn_nag_scan`](https://github.com/stelligent/cfn_nag#usage) for more options. Default: `--print-suppression` +### `output_path` + +Destination file path for cfn_nag_scan output. Default: `cfn_nag.out` ## Example Usages ### Basic @@ -62,6 +65,21 @@ Search the `templates` directory within the GitHub runner's workspace and remove extra_args: '' ``` +### Define path to search and upload to code scanning + +Search the `templates` directory and upload the results to GitHub's Code Scanning. + +``` +- uses: stelligent/cfn_nag@master + with: + input_path: templates + extra_args: -o sarif + output_path: cfn_nag.sarif +- uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: cfn_nag.sarif +``` + ## Support To report a bug or request a feature, submit an issue through the GitHub repository via: https://github.com/stelligent/cfn_nag/issues/new diff --git a/github-action/entrypoint.sh b/github-action/entrypoint.sh new file mode 100755 index 00000000..69cd9a4a --- /dev/null +++ b/github-action/entrypoint.sh @@ -0,0 +1,11 @@ +#!/bin/sh + +echo "::debug::Using input path: ${INPUT_INPUT_PATH}" +echo "::debug::Using output path: ${INPUT_OUTPUT_PATH}" + +if [ -n "${INPUT_EXTRA_ARGS}" ]; then + echo "::debug::Using specified extra args: ${INPUT_EXTRA_ARGS}" + EXTRA_ARGS="${INPUT_EXTRA_ARGS}" +fi + +cfn_nag_scan ${EXTRA_ARGS} --input-path "${INPUT_INPUT_PATH}" | tee "${INPUT_OUTPUT_PATH}" \ No newline at end of file