Adding access key input
Signed-off-by: David Wertenteil <[email protected]>
David Wertenteil committed Jan 15, 2024
1 parent cb0c547 commit 612161b
Showing 7 changed files with 20 additions and 4 deletions.
1 change: 1 addition & 0 deletions .github/workflows/example-fix-commit.yaml
Expand Up @@ -20,6 +20,7 @@ jobs:
- uses: kubescape/github-action@main
with:
account: ${{secrets.KUBESCAPE_ACCOUNT}}
accessKey: ${{secrets.KUBESCAPE_ACCESS_TOKEN}}
files: ${{ steps.changed-files.outputs.all_changed_files }}
fixFiles: true
format: "sarif"
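Review bot: The new `accessKey` line reads `secrets.KUBESCAPE_ACCESS_TOKEN`, while the README hunks in this same commit read `secrets.KUBESCAPE_ACCESS_KEY`. Pick one secret name and use it in every workflow and README snippet. A workflow that references a secret the repository has not defined receives an empty string, and the `-n` test added in entrypoint.sh then drops the option silently, so the mismatch would not surface as an error.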
1 change: 1 addition & 0 deletions .github/workflows/example-fix-pr-review.yaml
Expand Up @@ -20,6 +20,7 @@ jobs:
- uses: kubescape/github-action@main
with:
account: ${{secrets.KUBESCAPE_ACCOUNT}}
accessKey: ${{secrets.KUBESCAPE_ACCESS_TOKEN}}
files: ${{ steps.changed-files.outputs.all_changed_files }}
fixFiles: true
format: "sarif"
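Review bot: With `accessKey` added here, this step hands a Portal credential to `kubescape/github-action@main`, a branch reference whose contents can change after the workflow is written. For an example that users copy, consider a release tag or a full commit SHA in `uses:` so the code that receives the secret is fixed.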
3 changes: 2 additions & 1 deletion .github/workflows/example-scan-image.yaml
Expand Up @@ -22,8 +22,9 @@ jobs:
# # Password for a private registry with the image
# registryPassword: ${{secrets.REGISTRY_PASSWORD}}
# # Fail at or above the specified vulnerability severity threshold
# Kubescape cloud account ID
# Kubescape Portal credentials
# account: ${{secrets.KUBESCAPE_ACCOUNT}}
# accessKey: ${{secrets.KUBESCAPE_ACCESS_TOKEN}}
- name: Upload Kubescape scan results to Github Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
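Review bot: Style point on the replaced comment: `# Kubescape Portal credentials` uses a single `#`, while the descriptive comments above it, such as `# # Password for a private registry with the image`, use `# #`. It also sits directly under `# # Fail at or above the specified vulnerability severity threshold`, which has no setting beneath it, so the two comments read as one description. Use `# #` for the new comment, and either add the threshold setting or drop the orphaned line.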
3 changes: 2 additions & 1 deletion .github/workflows/example-scan.yaml
Expand Up @@ -14,8 +14,9 @@ jobs:
with:
format: sarif
outputFile: results.sarif
# Kubescape cloud account ID
# Kubescape Portal credentials
account: ${{secrets.KUBESCAPE_ACCOUNT}}
accessKey: ${{secrets.KUBESCAPE_ACCESS_TOKEN}}
# # Optional - Scan a specific path. Default will scan all
# files: "examples/*.yaml"
- name: Upload Kubescape scan results to Github Code Scanning
10 changes: 8 additions & 2 deletions README.md
Expand Up @@ -25,8 +25,9 @@ jobs:
with:
format: sarif
outputFile: results
# # Optional: Specify the Kubescape cloud account ID
# # Optional: Specify the Kubescape Portal credentials
# account: ${{secrets.KUBESCAPE_ACCOUNT}}
# accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
# # Optional: Scan a specific path. Default will scan the whole repository
# files: "examples/*.yaml"
- name: Upload Kubescape scan results to Github Code Scanning
Expand Down Expand Up @@ -65,6 +66,7 @@ jobs:
- uses: kubescape/github-action@main
with:
account: ${{secrets.KUBESCAPE_ACCOUNT}}
accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
files: ${{ steps.changed-files.outputs.all_changed_files }}
fixFiles: true
format: "sarif"
Expand Down Expand Up @@ -103,6 +105,7 @@ jobs:
- uses: kubescape/github-action@main
with:
account: ${{secrets.KUBESCAPE_ACCOUNT}}
accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
files: ${{ steps.changed-files.outputs.all_changed_files }}
fixFiles: true
format: "sarif"
Expand Down Expand Up @@ -162,8 +165,9 @@ jobs:
# # Password for a private registry with the image
# registryPassword: ${{secrets.REGISTRY_PASSWORD}}
# # Fail at or above the specified vulnerability severity threshold
# Kubescape cloud account ID
# Kubescape Portal credentials
# account: ${{secrets.KUBESCAPE_ACCOUNT}}
# accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
- name: Upload Kubescape scan results to Github Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
Expand All @@ -179,6 +183,7 @@ jobs:
| frameworks | Security framework(s) to scan the files against. Multiple frameworks can be specified separated by a comma with no spaces. Example - `nsa,devopsbest`. Run `kubescape list frameworks` in the [Kubescape CLI](https://hub.armo.cloud/docs/installing-kubescape) to get a list of all frameworks. Either frameworks have to be specified or controls. | No |
| controls | Security control(s) to scan the files against. Multiple controls can be specified separated by a comma with no spaces. Example - `Configured liveness probe,Pods in default namespace`. Run `kubescape list controls` in the [Kubescape CLI](https://hub.armo.cloud/docs/installing-kubescape) to get a list of all controls. You can use either the complete control name or the control ID such as `C-0001` to specify the control you want use. You must specify either the control(s) or the framework(s) you want used in the scan. | No |
| account | Account ID for [Kubescape cloud](https://cloud.armosec.io/). Used for custom configuration, such as frameworks, control configuration, etc. | No |
| accessKey | AccessLKey for [Kubescape cloud](https://cloud.armosec.io/). Used for custom configuration, such as frameworks, control configuration, etc. | No |
| failedThreshold | Failure threshold is the percent above which the command fails and returns exit code 1 (default 0 i.e, action fails if any control fails) | No (default 0) |
| severityThreshold | Severity threshold is the severity of a failed control at or above which the command terminates with an exit code 1 (default is `high`, i.e. the action fails if any High severity control fails) | No |
| verbose | Display all of the input resources and not only failed resources. Default is off | No |
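Review bot: In the new `accessKey` row, `AccessLKey` is a typo for `AccessKey`, and the rest of the description is a copy of the `account` row. State that the value is a credential (the workflow comments in this commit call the pair "Kubescape Portal credentials"), that it should be supplied from a repository secret, and whether it has any effect without `account`. The row also says "Kubescape cloud" where the workflow comments say "Kubescape Portal" and action.yml says "Kubescape SaaS"; settle on one name.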
Expand Down Expand Up @@ -212,6 +217,7 @@ jobs:
outputFile: results
# Specify the Kubescape cloud account ID
account: ${{secrets.KUBESCAPE_ACCOUNT}}
accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
- name: Upload Kubescape scan results to Github Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
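Review bot: The comment above this block still reads `# Specify the Kubescape cloud account ID`, although the block now also sets `accessKey`. The other README snippets in this commit were changed to "Kubescape Portal credentials"; update this comment the same way.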
5 changes: 5 additions & 0 deletions action.yml
Expand Up @@ -56,6 +56,11 @@ inputs:
Account ID for the Kubescape SaaS.
Used for custom configuration, such as frameworks, control configuration, etc.
required: false
accessKey:
description: |
AccessKey for the Kubescape SaaS.
Used for custom configuration, such as frameworks, control configuration, etc.
required: false
exceptions:
description: |
Path to the json file containing exceptions.
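Review bot: Missing documentation on the new `accessKey` input: its description repeats the `account` text and does not tell users that the value is a secret or that it pairs with `account`. Suggest wording along the lines of "Access key for the Kubescape SaaS account given in `account`; pass it from a repository secret", and state what happens when it is set without `account`.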
1 change: 1 addition & 0 deletions entrypoint.sh
Expand Up @@ -99,6 +99,7 @@ fi
output_file=$([ -n "${INPUT_OUTPUTFILE}" ] && echo "${INPUT_OUTPUTFILE}" || echo "results")

account_opt=$([ -n "${INPUT_ACCOUNT}" ] && echo --account "${INPUT_ACCOUNT}" || echo "")
access_key_opt=$([ -n "${INPUT_ACCESSKEY}" ] && echo --access-key "${INPUT_ACCESSKEY}" || echo "")

# If account ID is empty, we load artifacts from the local path, otherwise we
# load from the cloud (this will enable custom framework support)
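Review bot: `access_key_opt` is assigned on the added line but nothing in this commit uses it. entrypoint.sh shows 1 addition and 0 deletions, so no kubescape command line gained `${access_key_opt}`, and the key supplied by the workflow never reaches the CLI unless the variable was already referenced elsewhere. Add it wherever `${account_opt}` is passed. Two further points on the same line: the comment below still decides between local and cloud loading on the account ID alone, so define what happens when `INPUT_ACCESSKEY` is set and `INPUT_ACCOUNT` is empty (an explicit error is clearer than ignoring the key). And since the value becomes a command-line argument, check that the script does not echo the assembled command or run under `set -x`.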

0 comments on commit 612161b
