-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yaml
122 lines (122 loc) · 4.83 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
name: 'lacework-code-security'
description: "Scan code with Lacework's Code Security offering"
author: 'Lacework'
inputs:
sources:
description: 'Sources directory to analyze'
required: false
default: '.'
target:
description: 'One of old or new to represent which is being analyzed'
required: false
debug:
description: 'Set to true to enable debug logging'
required: false
default: false
token:
description: 'Set to a GitHub token for the repository with write permissions for PRs to enable PR comments'
required: false
footer:
description: 'A block of Markdown that will be appended to any PR comments posted'
required: false
eval-indirect-dependencies:
description: 'Show vulnerabilities found in transitive dependencies'
required: false
default: false
autofix:
description: 'Set to true to enable automated pull-requests for fix suggestions'
required: false
default: false
outputs:
old-completed:
description: 'If running a target called old, whether the analysis for this was completed'
value: ${{ steps.run-analysis.outputs.old-completed }}
new-completed:
description: 'If running a target called new, whether the analysis for this was completed'
value: ${{ steps.run-analysis.outputs.new-completed }}
push-completed:
description: 'If running a target called push, whether the analysis for this was completed'
value: ${{ steps.run-analysis.outputs.push-completed }}
display-completed:
description: 'If displaying results, whether this was completed'
value: ${{ steps.run-analysis.outputs.display-completed }}
comment-posted:
description: 'If a comment was posted, a link to this comment'
value: ${{ steps.run-analysis.outputs.comment-posted }}
runs:
using: 'composite'
steps:
- if: runner.os == 'Linux'
shell: bash
run: echo "LACEWORK_START_TIME=$(date --rfc-3339=seconds)" >> $GITHUB_ENV
- if: runner.os == 'macOS'
shell: bash
run: |
brew install coreutils
echo "LACEWORK_START_TIME=$(gdate --rfc-3339=seconds)" >> $GITHUB_ENV
- id: init
shell: bash
env:
LACEWORK_ACTION_REF: '${{ github.action_ref }}'
run: |
LACEWORK_CONTEXT_ID=`echo $RANDOM | md5sum | head -c 32`
echo "Lacework context ID: $LACEWORK_CONTEXT_ID"
echo "LACEWORK_CONTEXT_ID=$(echo $LACEWORK_CONTEXT_ID)" >> $GITHUB_ENV
echo "LACEWORK_ACTION_REF=$(echo $LACEWORK_ACTION_REF)" >> $GITHUB_ENV
SCA_VERSION=0.1.23
curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash
KEY="$(date +'%Y-%m-%d')"
KEY="$KEY-$RUNNER_OS-$RUNNER_ARCH"
KEY="$KEY-sca-$SCA_VERSION"
echo "sca-version=$SCA_VERSION" >> $GITHUB_OUTPUT
HASH="$(echo $KEY | md5sum | head -c 8)"
echo "cache-key=$HASH" >> $GITHUB_OUTPUT
- id: cache
uses: actions/cache/restore@v3
with:
path: ~/.config/lacework/components
key: lacework-${{ steps.init.outputs.cache-key }}
- name: Sets LW_LOG var for debug
shell: bash
if: ${{ inputs.debug == 'true' }}
run: |
echo "LW_LOG=debug" >> $GITHUB_ENV
- if: steps.cache.outputs.cache-hit != 'true'
shell: bash
run: |
echo "::group::Installing Lacework CLI components"
if [[ "${{ steps.init.outputs.sca-version }}" != "" ]]; then
lacework --noninteractive -a "${LW_ACCOUNT_NAME}" -k "${LW_API_KEY}" -s "${LW_API_SECRET}" component install sca --version "${{ steps.init.outputs.sca-version }}"
fi
echo "::endgroup::"
echo "::group::Printing Lacework CLI information"
lacework --noninteractive -a "${LW_ACCOUNT_NAME}" -k "${LW_API_KEY}" -s "${LW_API_SECRET}" version
echo "::endgroup::"
env:
CDK_DOWNLOAD_TIMEOUT_MINUTES: 2
- if: steps.cache.outputs.cache-hit != 'true'
uses: actions/cache/save@v3
with:
path: ~/.config/lacework/components
key: lacework-${{ steps.init.outputs.cache-key }}
- uses: actions/setup-node@v3
with:
node-version: 16
- shell: bash
run: |
rm -rf ../lacework-code-security
cp -r "${{ github.action_path }}" ../lacework-code-security
cd ../lacework-code-security
HUSKY=0 npm install
npm run compile
yq -i -o yaml 'del(.runs.steps) | del(.outputs) | .runs.using="node16" | .runs.main="dist/src/index.js" | .runs.post="dist/src/post.js"' action.yaml
- id: run-analysis
uses: './../lacework-code-security'
with:
sources: '${{ inputs.sources }}'
target: '${{ inputs.target }}'
debug: '${{ inputs.debug }}'
token: '${{ inputs.token || github.token }}'
footer: '${{ inputs.footer }}'
eval-indirect-dependencies: '${{ inputs.eval-indirect-dependencies }}'
autofix: '${{ inputs.autofix }}'