#This workflow uses actions that are not certified by GitHub. #They are provided by a third party and are governed by #separate terms of service, privacy policy, and support #documentation. #This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app, #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. #Copy the client ID and client secret key generated during the onboarding process and configure. #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). #Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. #Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation. name: Zscaler IaC Scan on: push: branches: [ $default-branch, $protected-branches ] pull_request: branches: [ $default-branch ] schedule: - cron: $cron-weekly permissions: contents: read jobs: zscaler-iac-scan: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name : Code Checkout uses: actions/checkout@v3 - name : Zscaler IAC Scan uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc id : zscaler-iac-scan with: client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} #This is the user region specified during the onboarding process within the ZWP Admin Portal. region : 'US' iac_dir : #Enter the IaC directory path from root. iac_file : #Enter the IaC file path from root. output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here. #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true. fail_build : #Enter true/false #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. - name: Upload SARIF file if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}