feat(queries): add 78 custom Terraform queries for Azure, GCP, IBM Cloud, and OCI #6622
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: security-checks | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| jobs: | |
| trivy-file-system: | |
| name: Trivy fs scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run Trivy vulnerability scanner in repo mode | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 #v0.35.0 | |
| with: | |
| scan-type: 'fs' | |
| ignore-unfixed: true | |
| format: 'table' | |
| output: './results.txt' | |
| severity: 'CRITICAL,HIGH,MEDIUM,LOW' | |
| skip-dirs: '.github' | |
| exit-code: '1' | |
| # trivy-config: trivy.yaml | |
| - name: Inspect action report | |
| if: always() | |
| run: cat ./results.txt | |
| - name: Upload artifact | |
| if: always() | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: trivy-fs-scan-results | |
| path: ./results.txt | |
| trivy-docker-image: | |
| name: Trivy docker image scan | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| kics-docker: [ "Dockerfile" ] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | |
| - name: Build | |
| id: docker_build | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| load: true | |
| context: ./ | |
| file: ./${{ matrix.kics-docker }} | |
| builder: ${{ steps.buildx.outputs.name }} | |
| push: false | |
| tags: kics:sec-trivy-tests-${{ github.sha }} | |
| build-args: | | |
| VERSION=development | |
| COMMIT=${{ github.sha }} | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 #v0.35.0 | |
| with: | |
| image-ref: kics:sec-trivy-tests-${{ github.sha }} | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| format: 'table' | |
| output: './results.txt' | |
| severity: 'CRITICAL,HIGH,MEDIUM,LOW' | |
| ignore-policy: './trivy-ignore.rego' | |
| # trivy-config: trivy.image.yaml | |
| exit-code: '1' | |
| - name: Inspect action report | |
| if: always() | |
| run: cat ./results.txt | |
| - name: Upload artifact | |
| if: always() | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: trivy-docker-image-scan-results | |
| path: ./results.txt | |
| grype-file-system: | |
| name: Grype fs scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run Grype vulnerability scanner in repo mode | |
| id: grype-fs-scan | |
| uses: anchore/scan-action@3c9a191a0fbab285ca6b8530b5de5a642cba332f # 7.2.2 | |
| with: | |
| path: "." | |
| only-fixed: true | |
| output-format: table | |
| severity-cutoff: low | |
| fail-build: true | |
| grype-docker-image: | |
| name: Grype docker image scan | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| kics-docker: [ "Dockerfile" ] | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | |
| - name: Build | |
| id: docker_build | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| load: true | |
| context: ./ | |
| file: ./${{ matrix.kics-docker }} | |
| builder: ${{ steps.buildx.outputs.name }} | |
| push: false | |
| tags: kics:sec-tests-${{ github.sha }} | |
| build-args: | | |
| VERSION=development | |
| COMMIT=${{ github.sha }} | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache | |
| - name: Scan image | |
| id: grype-image-scan | |
| uses: anchore/scan-action@3c9a191a0fbab285ca6b8530b5de5a642cba332f # 7.2.2 | |
| with: | |
| image: kics:sec-tests-${{ github.sha }} | |
| only-fixed: true | |
| severity-cutoff: low | |
| output-format: table | |
| fail-build: true | |
| govulncheck-file-system: | |
| runs-on: ubuntu-latest | |
| name: govulncheck fs scan | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: 'stable' | |
| - name: Install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
| - name: Run govulncheck scanner in fs mode | |
| run: | | |
| govulncheck -show verbose -C . ./... > ./results.txt || true | |
| bash ./.github/scripts/sec-checks/govulncheck-ignore-unfixed.sh | |
| - name: Inspect action report | |
| if: always() | |
| run: cat ./results.txt | |
| - name: Upload artifact | |
| if: always() | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: govulncheck-fs-scan-results | |
| path: ./results.txt | |
| govulncheck-binary: | |
| runs-on: ubuntu-latest | |
| name: govulncheck binary scan | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: 'stable' | |
| - name: Build kics | |
| run: go build -ldflags "-s -w" -a -installsuffix cgo -o ./bin/kics ./cmd/console/main.go | |
| - name: Install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
| - name: Run govulncheck scanner in binary mode | |
| run: | | |
| govulncheck -show verbose -mode=binary ./bin/kics > ./results.txt || true | |
| bash ./.github/scripts/sec-checks/govulncheck-ignore-unfixed.sh | |
| - name: Inspect action report | |
| if: always() | |
| run: cat ./results.txt | |
| - name: Upload artifact | |
| if: always() | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: govulncheck-binary-scan-results | |
| path: ./results.txt | |
| - name: Inspect final dependencies from binary | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| strings ./bin/kics | grep -P "dep\t" | sort -u > binary_dependencies.txt | |
| cat binary_dependencies.txt | |
| - name: Upload artifact | |
| if: always() | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: binary-dependencies | |
| path: ./binary_dependencies.txt |