Feature Request: file-by-file checks for Pull Requests

action.yml

@@ -1,7 +1,7 @@
 # action.yml
 name: 'Checkov Github Action'
-author: 'Chris Mavrakis'
-description: 'Run Checkov against Terraform/CloudFormation infrastructure code, as a pre-packaged Github Action.'
+author: 'Chris Mavrakis, Libertyy'
+description: 'TEST: DO NOT USE: Run Checkov against Terraform/CloudFormation infrastructure code, as a pre-packaged Github Action.'
 inputs:
   directory:
     description: 'directory with infrastructure code to scan'

entrypoint.sh

@@ -14,6 +14,10 @@ if [ ! -z "$INPUT_SOFT_FAIL" ] && [ "$INPUT_SOFT_FAIL" =  "true" ]; then
   SOFT_FAIL_FLAG="--soft-fail"
 fi
 
+RC=0 #return code
+
+CHECKOV_REPORT=${INPUT_CHECKOV_REPORT:-"$HOME/report.out"}
+
 EXTCHECK_DIRS_FLAG=""
 if [ ! -z "$INPUT_EXTERNAL_CHECKS_DIRS" ]; then
   IFS=', ' read -r -a extchecks_dir <<< "$INPUT_EXTERNAL_CHECKS_DIRS"
@@ -41,5 +45,43 @@ if [ ! -z "$INPUT_SOFT_FAIL" ]; then
 fi
 
 echo "::add-matcher::checkov-problem-matcher.json"
-echo "running checkov on directory: $1"
-checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $FRAMEWORK_FLAG $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG
+
+echo $(checkov --version )
+
+if [ -z "$GITHUB_HEAD_REF" ]; then
+  # No different commits, not a PR
+  # Check everything, not just a PR diff (there is no PR diff in this context).
+  # NOTE: this file scope may need to be expanded or refined further.
+  echo "running checkov on directory: $1"
+  checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $FRAMEWORK_FLAG $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG
+  RC=$?
+else
+  pushd $GITHUB_WORKSPACE/$INPUT_DIRECTORY #&>/dev/null
+
+  git fetch ${GITHUB_BASE_REF/#/'origin '} #&>/dev/null
+  git fetch ${GITHUB_HEAD_REF/#/'origin '} #&>/dev/null
+  BASE_REF=$(git rev-parse ${GITHUB_BASE_REF/#/'origin/'})
+  HEAD_REF=$(git rev-parse ${GITHUB_HEAD_REF/#/'origin/'})
+  DIFF_FILES=$(git diff --diff-filter=d --name-only $BASE_REF $HEAD_REF | tr '\n' ' ')
+
+  IFS=' ' read -r -a files2scan <<< "$DIFF_FILES"
+
+  SCAN_FILES_FLAG=""
+  if [ -z "$DIFF_FILES" ]; then
+    echo "No files to scan"
+    RC=0
+  else
+    echo "running checkov on files: $DIFF_FILES"
+    for f in "${files2scan[@]}"
+    do
+      SCAN_FILES_FLAG="$SCAN_FILES_FLAG -f $f"
+    done
+    checkov $SCAN_FILES_FLAG  $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $FRAMEWORK_FLAG $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG
+    RC=$?
+  fi
+
+fi
+
+echo "exiting script: $RC"
+exit $RC
+

requirements.txt

@@ -1 +1 @@
-checkov==1.0.833
+checkov==1.0.865