diff --git a/Dockerfile b/Dockerfile
index 83e6f06..8a822bf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,15 @@
-FROM checkmarx/kics:v2.1.12 as kics-env
-
+
+ARG DOCKERHUB_REGISTRY=docker.io
+FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.12 as kics-env
+
 FROM cgr.dev/chainguard/wolfi-base:latest
-
+
 COPY --from=kics-env /app /app
-
+
 COPY ./entrypoint.sh /entrypoint.sh
-
+
 RUN chmod +x /entrypoint.sh
-
+
 COPY ./ /app
-
-ENTRYPOINT ["/entrypoint.sh"]
+
+ENTRYPOINT ["/entrypoint.sh"]
\ No newline at end of file
diff --git a/action.yml b/action.yml
index 58b0223..42e0319 100644
--- a/action.yml
+++ b/action.yml
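Review bot: The new `FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.12 as kics-env` lets a build argument choose which registry supplies the image whose `/app` is copied into the final stage, but the reference is pinned only by tag, so a mirror can serve different content under the same tag; pin by digest as well, `FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.12@sha256:<DIGEST-PLACEHOLDER> AS kics-env`, which `docker build` verifies whichever registry the tag resolves through. While touching that line, `as` should be `AS` to match the other uppercase instructions in the file. The unchanged context lines keep `wolfi-base:latest` and set no `USER`, so the final image still runs the entrypoint as root from an unpinned base; that predates this commit, but the same pinning rule applies to that `FROM` line.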
@@ -104,45 +104,58 @@ inputs: cloud_provider: description: "list of cloud providers to scan (alicloud, aws, azure, gcp)" required: false + dockerhub_registry: + description: "The Docker registry for the KICS base image. Overridden for private registries." + required: false + default: "docker.io" branding: icon: "shield" color: "green" runs: - using: "docker" - image: Dockerfile - env: - INPUT_TOKEN: ${{ inputs.token }} - INPUT_OUTPUT_PATH: ${{ inputs.output_path }} - INPUT_ENABLE_ANNOTATIONS: ${{ inputs.enable_annotations }} - INPUT_ENABLE_COMMENTS: ${{ inputs.enable_comments }} - INPUT_ENABLE_JOBS_SUMMARY: ${{ inputs.enable_jobs_summary }} - INPUT_COMMENTS_WITH_QUERIES: ${{ inputs.comments_with_queries }} - INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES: ${{ inputs.excluded_column_for_comments_with_queries }} - INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }} - WORKSPACE_PATH: $GITHUB_WORKSPACE - args: - - ${{ inputs.path }} - - ${{ inputs.fail_on }} - - ${{ inputs.timeout }} - - ${{ inputs.profiling }} - - ${{ inputs.config }} - - ${{ inputs.platform_type }} - - ${{ inputs.exclude_paths }} - - ${{ inputs.exclude_queries }} - - ${{ inputs.include_queries }} - - ${{ inputs.exclude_categories }} - - ${{ inputs.exclude_results }} - - ${{ inputs.exclude_severities }} - - ${{ inputs.exclude_gitignore}} - - ${{ inputs.output_formats }} - - ${{ inputs.output_path }} - - ${{ inputs.payload_path }} - - ${{ inputs.queries }} - - ${{ inputs.verbose }} - - ${{ inputs.bom }} - - ${{ inputs.ignore_on_exit }} - - ${{ inputs.disable_secrets }} - - ${{ inputs.disable_full_descriptions }} - - ${{ inputs.libraries_path }} - - ${{ inputs.secrets_regexes_path}} - - ${{ inputs.cloud_provider}} + using: "composite" + steps: + - name: Build KICS Action Image + shell: bash + run: docker build --build-arg DOCKERHUB_REGISTRY="${{ inputs.dockerhub_registry }}" -t kics-action:latest "${{ github.action_path }}" + + - name: Run KICS Scan + shell: bash + run: | + docker run --name kics-scan 
\ + -v "${{ github.workspace }}":"${{ github.workspace }}" \ + -w "${{ github.workspace }}" \ + -e GITHUB_WORKSPACE="${{ github.workspace }}" \ + -e GITHUB_EVENT_PATH="${{ github.event_path }}" \ + -e INPUT_TOKEN="${{ inputs.token }}" \ + -e INPUT_ENABLE_ANNOTATIONS="${{ inputs.enable_annotations }}" \ + -e INPUT_ENABLE_COMMENTS="${{ inputs.enable_comments }}" \ + -e INPUT_ENABLE_JOBS_SUMMARY="${{ inputs.enable_jobs_summary }}" \ + -e INPUT_COMMENTS_WITH_QUERIES="${{ inputs.comments_with_queries }}" \ + -e INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES="${{ inputs.excluded_column_for_comments_with_queries }}" \ + -e INPUT_PATH="${{ inputs.path }}" \ + -e INPUT_IGNORE_ON_EXIT="${{ inputs.ignore_on_exit }}" \ + -e INPUT_FAIL_ON="${{ inputs.fail_on }}" \ + -e INPUT_TIMEOUT="${{ inputs.timeout }}" \ + -e INPUT_PROFILING="${{ inputs.profiling }}" \ + -e INPUT_CONFIG_PATH="${{ inputs.config_path }}" \ + -e INPUT_PLATFORM_TYPE="${{ inputs.platform_type }}" \ + -e INPUT_EXCLUDE_PATHS="${{ inputs.exclude_paths }}" \ + -e INPUT_EXCLUDE_QUERIES="${{ inputs.exclude_queries }}" \ + -e INPUT_EXCLUDE_CATEGORIES="${{ inputs.exclude_categories }}" \ + -e INPUT_EXCLUDE_RESULTS="${{ inputs.exclude_results }}" \ + -e INPUT_EXCLUDE_SEVERITIES="${{ inputs.exclude_severities }}" \ + -e INPUT_EXCLUDE_GITIGNORE="${{ inputs.exclude_gitignore }}" \ + -e INPUT_OUTPUT_FORMATS="${{ inputs.output_formats }}" \ + -e INPUT_OUTPUT_PATH="${{ inputs.output_path }}" \ + -e INPUT_PAYLOAD_PATH="${{ inputs.payload_path }}" \ + -e INPUT_QUERIES="${{ inputs.queries }}" \ + -e INPUT_SECRETS_REGEXES_PATH="${{ inputs.secrets_regexes_path }}" \ + -e INPUT_LIBRARIES_PATH="${{ inputs.libraries_path }}" \ + -e INPUT_DISABLE_FULL_DESCRIPTIONS="${{ inputs.disable_full_descriptions }}" \ + -e INPUT_DISABLE_SECRETS="${{ inputs.disable_secrets }}" \ + -e INPUT_TYPE="${{ inputs.type }}" \ + -e INPUT_VERBOSE="${{ inputs.verbose }}" \ + -e INPUT_INCLUDE_QUERIES="${{ inputs.include_queries }}" \ + -e INPUT_BOM="${{ 
inputs.bom }}" \ + -e INPUT_CLOUD_PROVIDER="${{ inputs.cloud_provider }}" \ + kics-action:latest \ No newline at end of file diff --git a/package-lock.json b/package-lock.json index a6131cf..7a7dca8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9,7 +9,7 @@ "version": "1.0.0", "license": "GNU GENERAL PUBLIC LICENSE", "dependencies": { - "@actions/core": "^1.10.1", + "@actions/core": "^1.11.1", "@actions/exec": "^1.1.0", "@actions/github": "^5.0.0", "@actions/io": "^1.1.1", @@ -24,12 +24,13 @@ } }, "node_modules/@actions/core": { - "version": "1.10.1", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz", - "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==", + "version": "1.11.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz", + "integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==", + "license": "MIT", "dependencies": { - "@actions/http-client": "^2.0.1", - "uuid": "^8.3.2" + "@actions/exec": "^1.1.1", + "@actions/http-client": "^2.0.1" } }, "node_modules/@actions/core/node_modules/@actions/http-client": { @@ -41,9 +42,10 @@ } }, "node_modules/@actions/exec": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.0.tgz", - "integrity": "sha512-LImpN9AY0J1R1mEYJjVJfSZWU4zYOlEcwSTgPve1rFQqK5AwrEs6uWW5Rv70gbDIQIAUwI86z6B+9mPK4w9Sbg==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", + "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", + "license": "MIT", "dependencies": { "@actions/io": "^1.0.1" } 
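Review bot: Every `${{ inputs.* }}` and `${{ github.* }}` expression in the two new `run:` steps is substituted into the script text before bash parses it, so the surrounding double quotes do not protect against a value that contains a closing quote or `$(...)`, and those values are supplied by whoever invokes the action; pass them through `env:` and reference them as shell variables instead, e.g. `env:` with `DOCKERHUB_REGISTRY: ${{ inputs.dockerhub_registry }}` and then `--build-arg DOCKERHUB_REGISTRY="$DOCKERHUB_REGISTRY"`. The same move lets the `docker run` step use `-e INPUT_TOKEN` passthrough rather than placing the token value on the command line, where it is readable by other processes on the runner. `docker run --name kics-scan` lacks `--rm`, so a second invocation in the same job fails on the fixed container name and the exited container is left behind. The `inputs:` block is above this hunk, so I cannot confirm that `inputs.config_path` and `inputs.type` are declared (the removed `args:` list passed `inputs.config` and had no `type`); an undeclared input expands silently to an empty string.
```yaml
    - name: Build KICS Action Image
      shell: bash
      env:
        DOCKERHUB_REGISTRY: ${{ inputs.dockerhub_registry }}
        ACTION_PATH: ${{ github.action_path }}
      run: docker build --build-arg DOCKERHUB_REGISTRY="$DOCKERHUB_REGISTRY" -t kics-action:latest "$ACTION_PATH"

    - name: Run KICS Scan
      shell: bash
      env:
        INPUT_TOKEN: ${{ inputs.token }}
        INPUT_PATH: ${{ inputs.path }}
        # … one env entry per input, named exactly like the -e flags below …
      run: |
        docker run --rm --name kics-scan \
          -v "$GITHUB_WORKSPACE":"$GITHUB_WORKSPACE" \
          -w "$GITHUB_WORKSPACE" \
          -e GITHUB_WORKSPACE \
          -e GITHUB_EVENT_PATH \
          -e INPUT_TOKEN \
          -e INPUT_PATH \
          # … unchanged pattern: one -e NAME passthrough per remaining INPUT_* variable …
          kics-action:latest
```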
@@ -359,12 +361,12 @@ }, "dependencies": { "@actions/core": { - "version": "1.10.1", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz", - "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==", + "version": "1.11.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz", + "integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==", "requires": { - "@actions/http-client": "^2.0.1", - "uuid": "^8.3.2" + "@actions/exec": "^1.1.1", + "@actions/http-client": "^2.0.1" }, "dependencies": { "@actions/http-client": { @@ -378,9 +380,9 @@ } }, "@actions/exec": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.0.tgz", - "integrity": "sha512-LImpN9AY0J1R1mEYJjVJfSZWU4zYOlEcwSTgPve1rFQqK5AwrEs6uWW5Rv70gbDIQIAUwI86z6B+9mPK4w9Sbg==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", + "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", "requires": { "@actions/io": "^1.0.1" } diff --git a/package.json b/package.json index 7b04ac0..8293797 100644 --- a/package.json +++ b/package.json @@ -19,7 +19,7 @@ }, "homepage": "https://github.com/Checkmarx/kics-github-action#readme", "dependencies": { - "@actions/core": "^1.10.1", + "@actions/core": "^1.11.1", "@actions/exec": "^1.1.0", "@actions/github": "^5.0.0", "@actions/io": "^1.1.1",