57 lines
2.6 KiB
YAML
57 lines
2.6 KiB
YAML
#This workflow uses actions that are not certified by GitHub.
|
|
#They are provided by a third party and are governed by
|
|
#separate terms of service, privacy policy, and support
|
|
#documentation.
|
|
|
|
#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app,
|
|
#which detects security misconfigurations in IaC templates and publishes the findings
|
|
#under the code scanning alerts section within the repository.
|
|
|
|
#Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process.
|
|
#Copy the client ID and client secret key generated during the onboarding process and configure.
|
|
#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET).
|
|
|
|
#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow.
|
|
#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation.
|
|
|
|
name: Zscaler IaC Scan
|
|
on:
|
|
push:
|
|
branches: [ $default-branch, $protected-branches ]
|
|
pull_request:
|
|
branches: [ $default-branch ]
|
|
schedule:
|
|
- cron: $cron-weekly
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
zscaler-iac-scan:
|
|
permissions:
|
|
contents: read # for actions/checkout to fetch code
|
|
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name : Code Checkout
|
|
uses: actions/checkout@v4
|
|
- name : Zscaler IAC Scan
|
|
uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087
|
|
id : zscaler-iac-scan
|
|
with:
|
|
client_id : ${{ secrets.ZSCANNER_CLIENT_ID }}
|
|
client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }}
|
|
#This is the user region specified during the onboarding process within the ZPC Admin Portal.
|
|
region : 'US'
|
|
iac_dir : #Enter the IaC directory path from root.
|
|
iac_file : #Enter the IaC file path from root.
|
|
output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here.
|
|
#To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true.
|
|
fail_build : #Enter true/false
|
|
#Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
|
|
- name: Upload SARIF file
|
|
if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}
|