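# KICS (Keeping Infrastructure as Code Secure) – whole repo IaC scan.
# Run alongside Trivy (trivy.yml) to compare findings.
# Scans: Kubernetes, Helm, Dockerfile, etc.
#
# ADVANCED_SECURITY (same as trivy.yml): when "true", upload SARIF + artifacts.
# When "false" (the default below) the scan still runs and reports via job
# summary/annotations, but nothing is uploaded to Code Scanning or artifacts.
#
name: KICS IaC Scan

# Least-privilege token for the whole workflow. Job-level permissions cannot be
# made conditional on ADVANCED_SECURITY, so the write scope needed only by the
# SARIF upload step is granted unconditionally.
permissions:
  contents: read          # checkout
  security-events: write  # codeql-action/upload-sarif
  actions: read           # read by upload-sarif to resolve workflow run metadata

on:
  push:
    branches: [main]
    paths:
      # The two wildcard globs already match Chart.yaml and this workflow file;
      # the explicit entries are kept so the intent is visible at a glance.
      - "**/*.yaml"
      - "**/*.yml"
      - "**/*.tpl"
      - "**/Chart.yaml"
      - "**/Dockerfile"
      - ".github/workflows/kics.yml"
  pull_request:
    branches: [main]
    paths:
      - "**/*.yaml"
      - "**/*.yml"
      - "**/*.tpl"
      - "**/Chart.yaml"
      - "**/Dockerfile"
      - ".github/workflows/kics.yml"

# One scan per ref at a time; a newer push supersedes a still-running scan.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # Quoted on purpose: the step-level `if:` compares against the string 'true'.
  ADVANCED_SECURITY: "false"

jobs:
  kics:
    name: kics-iac
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Create results dir
        run: mkdir -p results-dir

      # Supply-chain note: this step is the only one not pinned to a commit SHA.
      # `@main` is a mutable ref, so whatever is pushed to that branch later runs
      # here with this workflow's GITHUB_TOKEN. Pin it like the other steps:
      #   uses: synkube/actions/.github/actions/kics-github-action@<COMMIT-SHA-PLACEHOLDER> # <TAG-PLACEHOLDER>
      - name: Run KICS
        uses: synkube/actions/.github/actions/kics-github-action@main
        with:
          path: .
          token: ${{ secrets.GITHUB_TOKEN }}
          output_path: results-dir/
          output_formats: json,sarif
          # Findings do not fail the job (scan errors still do); triage happens
          # via annotations / summary, or Code Scanning when SARIF is uploaded.
          ignore_on_exit: results
          enable_annotations: "true"
          enable_comments: "false"
          enable_jobs_summary: "true"

      # Gated on ADVANCED_SECURITY: requires Code Scanning to be enabled on the
      # repository, hence continue-on-error so the scan job itself stays green.
      - name: Upload KICS SARIF
        if: env.ADVANCED_SECURITY == 'true'
        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        continue-on-error: true
        with:
          sarif_file: "results-dir/results.sarif"
          category: "kics-iac"
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload KICS results as artifacts
        if: env.ADVANCED_SECURITY == 'true'
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: kics-results
          path: results-dir/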