
fix(general): Allow specifying files in a github actions config file #6813

Open
wants to merge 1 commit into
base: main
Conversation

m-wynn
Contributor

@m-wynn m-wynn commented Nov 5, 2024

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

If you want to run checkov on multiple files or directories from a github action, you have to hack in the list of input directory or files like:

 - name: Run Checkov action
   id: checkov
   uses: bridgecrewio/checkov-action@master
   with:
     file: foo.tf -f bar.tf -f baz.tf
     # or
     directory: prod -d dev -d staging

This technically works but has a few downsides. It'll fail if a file has a space in it, and if you're using DOWNLOAD_EXTERNAL_MODULES it will delete things you did not expect.

A much more robust alternative is using the .checkov.yaml with:

file:
  - foo.tf
  - bar.tf
  - baz.tf
# or
directory:
  - prod
  - dev
  - staging

In the github action, directory defaults to . but you can pass in directory: ''. As the code is now, this will still call checkov -d --output=... which causes an error.

This is probably not a breaking change, because if both $INPUT_FILE and $INPUT_DIRECTORY are empty (directory has explicitly been set to an empty string in bridgecrewio/checkov-action, or a custom github action has been used):

  • Before this change: Error with checkov: error: argument -d/--directory: expected one argument and exit 2.
  • After this change: Either use the files defined in INPUT_CONFIG_FILE or print the logo / version and exit 0.

Fixes bridgecrewio/checkov-action#22

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation

Generated description

Below is a concise technical summary of the changes proposed in this PR:

Enhances the Checkov GitHub Action to support specifying files in a configuration file. Modifies the entrypoint.sh script to handle input from a .checkov.yaml file, improving flexibility and robustness when scanning multiple files or directories. Adds error handling for empty input scenarios and refines the cleanup process for external modules.

Topics:

  • Input handling: Improves handling of input parameters for file and directory scanning
  • Config file support: Adds support for specifying files to scan using a .checkov.yaml configuration file
  • Cleanup refinement: Refines the cleanup process for external modules

Modified files (1):

  • github_action_resources/entrypoint.sh
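One way the entrypoint could build checkov's argument list so that an empty INPUT_FILE or INPUT_DIRECTORY never becomes a bare -f/-d (an added illustration, not the PR's actual entrypoint.sh change; the build_checkov_args function and its one-argument-per-line output are assumptions, while -f, -d and --config-file are checkov's own flags):

```shell
#!/bin/sh
# Added illustration, not the PR's real entrypoint.sh change: build checkov's
# argument list from the action inputs so that an empty INPUT_FILE or
# INPUT_DIRECTORY never turns into a bare "-f"/"-d" (the "expected one
# argument" failure described in the PR). The function name and the
# one-argument-per-line output convention are assumptions for this example.

# Usage: build_checkov_args FILE DIRECTORY CONFIG_FILE
# Prints each checkov argument on its own line, so a path containing spaces
# survives intact instead of being split the way "foo.tf -f bar.tf" is.
build_checkov_args() {
  _file=$1
  _directory=$2
  _config_file=$3
  set --   # start from an empty argument list

  # Only add a flag when its value is non-empty.
  if [ -n "$_file" ]; then
    set -- "$@" -f "$_file"
  fi
  if [ -n "$_directory" ]; then
    set -- "$@" -d "$_directory"
  fi
  # With no -f/-d, checkov takes "file:"/"directory:" from the config file
  # (--config-file is checkov's real flag); with nothing at all it only
  # prints its logo/version and exits 0, as the PR description states.
  if [ -n "$_config_file" ]; then
    set -- "$@" --config-file "$_config_file"
  fi

  printf '%s\n' "$@"
}

# Constructed sample matching the PR description: directory explicitly
# empty, file list taken from a config file.
INPUT_FILE=${INPUT_FILE:-}
INPUT_DIRECTORY=${INPUT_DIRECTORY:-}
INPUT_CONFIG_FILE=${INPUT_CONFIG_FILE:-.checkov.yaml}
build_checkov_args "$INPUT_FILE" "$INPUT_DIRECTORY" "$INPUT_CONFIG_FILE" |
  while IFS= read -r arg; do printf 'arg: [%s]\n' "$arg"; done
```

In a real entrypoint the printed lines would be read back into the positional parameters (or a bash array) before invoking checkov, rather than being word-split from a single string.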

@m-wynn
Contributor Author

m-wynn commented Nov 5, 2024

You can kinda test this via:

GITHUB_ACTIONS=true GITHUB_ENV=/dev/null GITHUB_OUTPUT=/dev/null INPUT_DIRECTORY='' INPUT_CONFIG_FILE=config.yaml ./github_action_resources/entrypoint.sh

@m-wynn
Contributor Author

m-wynn commented Dec 17, 2024

Could I get a review on this? It would make our workflows a lot cleaner. 🙏

@MaryArmaly
Contributor

Hey @m-wynn,
Could you please merge the latest changes from the main branch into your branch? Thanks!

@m-wynn m-wynn force-pushed the checkov-entrypoint-file branch from 00f1043 to e2a509d Compare January 15, 2025 19:47
@tsmithv11 tsmithv11 changed the title fix: Allow specifying files in a github actions config file fix(general): Allow specifying files in a github actions config file Jan 15, 2025
@tsmithv11
Collaborator

@m-wynn thanks for the contribution and I like the idea! Can you run a test in another repository using your branch from a modified version of the checkov-action? Just to be certain this won't break anything and works properly.

@m-wynn
Contributor Author

m-wynn commented Jan 16, 2025

Successfully merging this pull request may close these issues.

Monorepo support