Files
starter-workflows/code-scanning/zscaler-iac-scan.yml
T

57 lines
2.6 KiB
YAML
Raw Normal View History

2022-04-04 12:38:39 +05:30
#This workflow uses actions that are not certified by GitHub.
#They are provided by a third party and are governed by
#separate terms of service, privacy policy, and support
#documentation.
#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app,
#which detects security misconfigurations in IaC templates and publishes the findings
#under the code scanning alerts section within the repository.
2022-04-21 15:20:01 +05:30
#Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process.
#Copy the client ID and client secret key generated during the onboarding process and configure.
#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET).
#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow.
2022-04-21 15:26:09 +05:30
#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation.
2022-04-21 15:20:01 +05:30
2022-04-04 16:26:19 +05:30
name: Zscaler IaC Scan
2022-04-04 12:38:39 +05:30
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
2022-04-05 13:21:24 +05:30
permissions:
contents: read
2022-04-04 12:38:39 +05:30
jobs:
zscaler-iac-scan:
2022-04-05 13:21:24 +05:30
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
2022-04-04 12:38:39 +05:30
runs-on: ubuntu-latest
steps:
- name : Code Checkout
2022-04-21 15:20:01 +05:30
uses: actions/checkout@v3
2022-04-04 12:38:39 +05:30
- name : Zscaler IAC Scan
2022-04-05 13:21:24 +05:30
uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc
2022-04-04 12:38:39 +05:30
id : zscaler-iac-scan
with:
client_id : ${{ secrets.ZSCANNER_CLIENT_ID }}
client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }}
#This is the user region specified during the onboarding process within the ZWP Admin Portal.
region : 'US'
iac_dir : #Enter the IaC directory path from root.
iac_file : #Enter the IaC file path from root.
output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here.
#To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true.
fail_build : #Enter true/false
#Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
- name: Upload SARIF file
if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
2022-04-21 15:20:01 +05:30
uses: github/codeql-action/upload-sarif@v2
2022-04-04 12:38:39 +05:30
with:
2022-04-21 15:26:09 +05:30
sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}