diff --git a/Dockerfile b/Dockerfile
index 83e6f06..8a822bf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,15 @@
-FROM checkmarx/kics:v2.1.12 as kics-env
-
+
+ARG DOCKERHUB_REGISTRY=docker.io
+FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.12 as kics-env
+
 FROM cgr.dev/chainguard/wolfi-base:latest
-
+
 COPY --from=kics-env /app /app
-
+
 COPY ./entrypoint.sh /entrypoint.sh
-
+
 RUN chmod +x /entrypoint.sh
-
+
 COPY ./ /app
-
-ENTRYPOINT ["/entrypoint.sh"]
+
+ENTRYPOINT ["/entrypoint.sh"]
\ No newline at end of file
diff --git a/action.yml b/action.yml
index 58b0223..42e0319 100644
--- a/action.yml
+++ b/action.yml
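Review bot: The new `ARG DOCKERHUB_REGISTRY` only redirects the KICS stage; the runtime base on the context line `FROM cgr.dev/chainguard/wolfi-base:latest` is still hardcoded to cgr.dev and floats on `:latest`, so a private-registry build still needs egress to cgr.dev and two builds of the same commit can produce different images. Give it the same treatment, e.g. `ARG CHAINGUARD_REGISTRY=cgr.dev` and `FROM ${CHAINGUARD_REGISTRY}/chainguard/wolfi-base:<pinned-tag>@sha256:<digest>` (tag and digest are placeholders to fill in), and consider a digest on the KICS line too since a tag alone is mutable. The final stage also never sets `USER`, so the scan runs as root inside the container; if the mounted workspace's ownership allows it, a non-root `USER` before `ENTRYPOINT` would be the least-privilege default. Minor: `RUN chmod +x /entrypoint.sh` can be folded into `COPY --chmod=755 ./entrypoint.sh /entrypoint.sh`, and `as` is conventionally written `AS`.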
@@ -104,45 +104,58 @@ inputs: cloud_provider: description: "list of cloud providers to scan (alicloud, aws, azure, gcp)" required: false + dockerhub_registry: + description: "The Docker registry for the KICS base image. Overridden for private registries." + required: false + default: "docker.io" branding: icon: "shield" color: "green" runs: - using: "docker" - image: Dockerfile - env: - INPUT_TOKEN: ${{ inputs.token }} - INPUT_OUTPUT_PATH: ${{ inputs.output_path }} - INPUT_ENABLE_ANNOTATIONS: ${{ inputs.enable_annotations }} - INPUT_ENABLE_COMMENTS: ${{ inputs.enable_comments }} - INPUT_ENABLE_JOBS_SUMMARY: ${{ inputs.enable_jobs_summary }} - INPUT_COMMENTS_WITH_QUERIES: ${{ inputs.comments_with_queries }} - INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES: ${{ inputs.excluded_column_for_comments_with_queries }} - INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }} - WORKSPACE_PATH: $GITHUB_WORKSPACE - args: - - ${{ inputs.path }} - - ${{ inputs.fail_on }} - - ${{ inputs.timeout }} - - ${{ inputs.profiling }} - - ${{ inputs.config }} - - ${{ inputs.platform_type }} - - ${{ inputs.exclude_paths }} - - ${{ inputs.exclude_queries }} - - ${{ inputs.include_queries }} - - ${{ inputs.exclude_categories }} - - ${{ inputs.exclude_results }} - - ${{ inputs.exclude_severities }} - - ${{ inputs.exclude_gitignore}} - - ${{ inputs.output_formats }} - - ${{ inputs.output_path }} - - ${{ inputs.payload_path }} - - ${{ inputs.queries }} - - ${{ inputs.verbose }} - - ${{ inputs.bom }} - - ${{ inputs.ignore_on_exit }} - - ${{ inputs.disable_secrets }} - - ${{ inputs.disable_full_descriptions }} - - ${{ inputs.libraries_path }} - - ${{ inputs.secrets_regexes_path}} - - ${{ inputs.cloud_provider}} + using: "composite" + steps: + - name: Build KICS Action Image + shell: bash + run: docker build --build-arg DOCKERHUB_REGISTRY="${{ inputs.dockerhub_registry }}" -t kics-action:latest "${{ github.action_path }}" + + - name: Run KICS Scan + shell: bash + run: | + docker run --name kics-scan 
\ + -v "${{ github.workspace }}":"${{ github.workspace }}" \ + -w "${{ github.workspace }}" \ + -e GITHUB_WORKSPACE="${{ github.workspace }}" \ + -e GITHUB_EVENT_PATH="${{ github.event_path }}" \ + -e INPUT_TOKEN="${{ inputs.token }}" \ + -e INPUT_ENABLE_ANNOTATIONS="${{ inputs.enable_annotations }}" \ + -e INPUT_ENABLE_COMMENTS="${{ inputs.enable_comments }}" \ + -e INPUT_ENABLE_JOBS_SUMMARY="${{ inputs.enable_jobs_summary }}" \ + -e INPUT_COMMENTS_WITH_QUERIES="${{ inputs.comments_with_queries }}" \ + -e INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES="${{ inputs.excluded_column_for_comments_with_queries }}" \ + -e INPUT_PATH="${{ inputs.path }}" \ + -e INPUT_IGNORE_ON_EXIT="${{ inputs.ignore_on_exit }}" \ + -e INPUT_FAIL_ON="${{ inputs.fail_on }}" \ + -e INPUT_TIMEOUT="${{ inputs.timeout }}" \ + -e INPUT_PROFILING="${{ inputs.profiling }}" \ + -e INPUT_CONFIG_PATH="${{ inputs.config_path }}" \ + -e INPUT_PLATFORM_TYPE="${{ inputs.platform_type }}" \ + -e INPUT_EXCLUDE_PATHS="${{ inputs.exclude_paths }}" \ + -e INPUT_EXCLUDE_QUERIES="${{ inputs.exclude_queries }}" \ + -e INPUT_EXCLUDE_CATEGORIES="${{ inputs.exclude_categories }}" \ + -e INPUT_EXCLUDE_RESULTS="${{ inputs.exclude_results }}" \ + -e INPUT_EXCLUDE_SEVERITIES="${{ inputs.exclude_severities }}" \ + -e INPUT_EXCLUDE_GITIGNORE="${{ inputs.exclude_gitignore }}" \ + -e INPUT_OUTPUT_FORMATS="${{ inputs.output_formats }}" \ + -e INPUT_OUTPUT_PATH="${{ inputs.output_path }}" \ + -e INPUT_PAYLOAD_PATH="${{ inputs.payload_path }}" \ + -e INPUT_QUERIES="${{ inputs.queries }}" \ + -e INPUT_SECRETS_REGEXES_PATH="${{ inputs.secrets_regexes_path }}" \ + -e INPUT_LIBRARIES_PATH="${{ inputs.libraries_path }}" \ + -e INPUT_DISABLE_FULL_DESCRIPTIONS="${{ inputs.disable_full_descriptions }}" \ + -e INPUT_DISABLE_SECRETS="${{ inputs.disable_secrets }}" \ + -e INPUT_TYPE="${{ inputs.type }}" \ + -e INPUT_VERBOSE="${{ inputs.verbose }}" \ + -e INPUT_INCLUDE_QUERIES="${{ inputs.include_queries }}" \ + -e INPUT_BOM="${{ 
inputs.bom }}" \ + -e INPUT_CLOUD_PROVIDER="${{ inputs.cloud_provider }}" \ + kics-action:latest \ No newline at end of file diff --git a/package-lock.json b/package-lock.json index a6131cf..635e0f6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -11,7 +11,7 @@ "dependencies": { "@actions/core": "^1.10.1", "@actions/exec": "^1.1.0", - "@actions/github": "^5.0.0", + "@actions/github": "^5.1.1", "@actions/io": "^1.1.1", "@actions/tool-cache": "^2.0.1", "moment": "^2.29.4", @@ -32,14 +32,6 @@ "uuid": "^8.3.2" } }, - "node_modules/@actions/core/node_modules/@actions/http-client": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz", - "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==", - "dependencies": { - "tunnel": "^0.0.6" - } - }, "node_modules/@actions/exec": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.0.tgz", 
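Review bot: Every `${{ inputs.* }}` and `${{ github.* }}` in the two new `run:` scripts (the `docker build` line and the `docker run` block) is expanded into the bash source before it executes, so an input containing `"` or `$(…)` breaks out of the quoting and runs as shell on the runner — the removed `args:` form handed these values to the container without a shell, and `dockerhub_registry` is a new knob that a workflow might feed from an untrusted expression. Map each input to step `env:` and reference it as a shell variable: for the build step that is `env:` with `DOCKERHUB_REGISTRY: ${{ inputs.dockerhub_registry }}` and `run: docker build --build-arg DOCKERHUB_REGISTRY="$DOCKERHUB_REGISTRY" -t kics-action:latest "$GITHUB_ACTION_PATH"`, and for the run step the same mapping lets `docker run -e INPUT_TOKEN …` forward each variable by name, which also keeps the token off the `docker run` command line. Separately, `docker run --name kics-scan` has no `--rm`, so on a persistent self-hosted runner the second invocation fails with a name conflict and exited containers accumulate. The new list also references `inputs.config_path` and `inputs.type` where the removed `args:` used `inputs.config`; the `inputs:` block is outside this hunk, so confirm both are declared or they expand to empty strings.
```yaml
      - name: Run KICS Scan
        shell: bash
        env:
          INPUT_TOKEN: ${{ inputs.token }}
          INPUT_PATH: ${{ inputs.path }}
          # … unchanged: one INPUT_* mapping per remaining input …
        run: |
          docker run --rm --name kics-scan \
            -v "$GITHUB_WORKSPACE":"$GITHUB_WORKSPACE" \
            -w "$GITHUB_WORKSPACE" \
            -e GITHUB_WORKSPACE -e GITHUB_EVENT_PATH \
            -e INPUT_TOKEN -e INPUT_PATH \
            kics-action:latest
          # … unchanged: remaining -e NAME flags, one per mapped variable, before the image name …
```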
@@ -49,22 +41,25 @@ } }, "node_modules/@actions/github": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.0.0.tgz", - "integrity": "sha512-QvE9eAAfEsS+yOOk0cylLBIO/d6WyWIOvsxxzdrPFaud39G6BOkUwScXZn1iBzQzHyu9SBkkLSWlohDWdsasAQ==", + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz", + "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==", + "license": "MIT", "dependencies": { - "@actions/http-client": "^1.0.11", - "@octokit/core": "^3.4.0", - "@octokit/plugin-paginate-rest": "^2.13.3", - "@octokit/plugin-rest-endpoint-methods": "^5.1.1" + "@actions/http-client": "^2.0.1", + "@octokit/core": "^3.6.0", + "@octokit/plugin-paginate-rest": "^2.17.0", + "@octokit/plugin-rest-endpoint-methods": "^5.13.0" } }, "node_modules/@actions/http-client": { - "version": "1.0.11", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz", - "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==", + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz", + "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==", + "license": "MIT", "dependencies": { - "tunnel": "0.0.6" + "tunnel": "^0.0.6", + "undici": "^5.25.4" } }, "node_modules/@actions/io": { 
@@ -85,15 +80,6 @@ "uuid": "^3.3.2" } }, - "node_modules/@actions/tool-cache/node_modules/@actions/http-client": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.0.tgz", - "integrity": "sha512-q+epW0trjVUUHboliPb4UF9g2msf+w61b32tAkFEwL/IwP0DQWgbCMM0Hbe3e3WXSKz5VcUXbzJQgy8Hkra/Lg==", - "dependencies": { - "tunnel": "^0.0.6", - "undici": "^5.25.4" - } - }, "node_modules/@actions/tool-cache/node_modules/semver": { "version": "6.3.0", "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz", @@ -128,13 +114,14 @@ } }, "node_modules/@octokit/core": { - "version": "3.5.1", - "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.5.1.tgz", - "integrity": "sha512-omncwpLVxMP+GLpLPgeGJBF6IWJFjXDS5flY5VbppePYX9XehevbDykRH9PdCdvqt9TS5AOTiDide7h0qrkHjw==", + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz", + "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==", + "license": "MIT", "dependencies": { "@octokit/auth-token": "^2.4.4", "@octokit/graphql": "^4.5.8", - "@octokit/request": "^5.6.0", + "@octokit/request": "^5.6.3", "@octokit/request-error": "^2.0.5", "@octokit/types": "^6.0.3", "before-after-hook": "^2.2.0", 
@@ -190,15 +177,16 @@ } }, "node_modules/@octokit/request": { - "version": "5.6.2", - "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.2.tgz", - "integrity": "sha512-je66CvSEVf0jCpRISxkUcCa0UkxmFs6eGDRSbfJtAVwbLH5ceqF+YEyC8lj8ystKyZTy8adWr0qmkY52EfOeLA==", + "version": "5.6.3", + "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz", + "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==", + "license": "MIT", "dependencies": { "@octokit/endpoint": "^6.0.1", "@octokit/request-error": "^2.1.0", "@octokit/types": "^6.16.1", "is-plain-object": "^5.0.0", - "node-fetch": "^2.6.1", + "node-fetch": "^2.6.7", "universal-user-agent": "^6.0.0" } }, @@ -365,16 +353,6 @@ "requires": { "@actions/http-client": "^2.0.1", "uuid": "^8.3.2" - }, - "dependencies": { - "@actions/http-client": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz", - "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==", - "requires": { - "tunnel": "^0.0.6" - } - } } }, "@actions/exec": { 
@@ -386,22 +364,23 @@ } }, "@actions/github": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.0.0.tgz", - "integrity": "sha512-QvE9eAAfEsS+yOOk0cylLBIO/d6WyWIOvsxxzdrPFaud39G6BOkUwScXZn1iBzQzHyu9SBkkLSWlohDWdsasAQ==", + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz", + "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==", "requires": { - "@actions/http-client": "^1.0.11", - "@octokit/core": "^3.4.0", - "@octokit/plugin-paginate-rest": "^2.13.3", - "@octokit/plugin-rest-endpoint-methods": "^5.1.1" + "@actions/http-client": "^2.0.1", + "@octokit/core": "^3.6.0", + "@octokit/plugin-paginate-rest": "^2.17.0", + "@octokit/plugin-rest-endpoint-methods": "^5.13.0" } }, "@actions/http-client": { - "version": "1.0.11", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz", - "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==", + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz", + "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==", "requires": { - "tunnel": "0.0.6" + "tunnel": "^0.0.6", + "undici": "^5.25.4" } }, "@actions/io": { @@ -422,15 +401,6 @@ "uuid": "^3.3.2" }, "dependencies": { - "@actions/http-client": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.0.tgz", - "integrity": "sha512-q+epW0trjVUUHboliPb4UF9g2msf+w61b32tAkFEwL/IwP0DQWgbCMM0Hbe3e3WXSKz5VcUXbzJQgy8Hkra/Lg==", - "requires": { - "tunnel": "^0.0.6", - "undici": "^5.25.4" - } - }, "semver": { "version": "6.3.0", "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz", 
@@ -457,13 +427,13 @@ } }, "@octokit/core": { - "version": "3.5.1", - "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.5.1.tgz", - "integrity": "sha512-omncwpLVxMP+GLpLPgeGJBF6IWJFjXDS5flY5VbppePYX9XehevbDykRH9PdCdvqt9TS5AOTiDide7h0qrkHjw==", + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz", + "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==", "requires": { "@octokit/auth-token": "^2.4.4", "@octokit/graphql": "^4.5.8", - "@octokit/request": "^5.6.0", + "@octokit/request": "^5.6.3", "@octokit/request-error": "^2.0.5", "@octokit/types": "^6.0.3", "before-after-hook": "^2.2.0", @@ -513,15 +483,15 @@ } }, "@octokit/request": { - "version": "5.6.2", - "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.2.tgz", - "integrity": "sha512-je66CvSEVf0jCpRISxkUcCa0UkxmFs6eGDRSbfJtAVwbLH5ceqF+YEyC8lj8ystKyZTy8adWr0qmkY52EfOeLA==", + "version": "5.6.3", + "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz", + "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==", "requires": { "@octokit/endpoint": "^6.0.1", "@octokit/request-error": "^2.1.0", "@octokit/types": "^6.16.1", "is-plain-object": "^5.0.0", - "node-fetch": "^2.6.1", + "node-fetch": "^2.6.7", "universal-user-agent": "^6.0.0" } }, diff --git a/package.json b/package.json index 7b04ac0..9dbe036 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "dependencies": { "@actions/core": "^1.10.1", "@actions/exec": "^1.1.0", - "@actions/github": "^5.0.0", + "@actions/github": "^5.1.1", "@actions/io": "^1.1.1", "@actions/tool-cache": "^2.0.1", "moment": "^2.29.4",