Merge pull request #7 from ksoclabs/outputs

Support results output to be used by other steps of the workflow
ksoclabs · Apr 18, 2023 · 5957a97 · 5957a97
2 parents 46be6d6 + 7279617
commit 5957a97
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 6 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,5 @@
+FROM us.gcr.io/ksoc-public/policy-executor:v0.0.6
+
+COPY entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/README.md b/README.md
@@ -17,14 +17,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
       - name: KSOC Guard
-        uses: ksoclabs/guard-action@main
+        uses: ksoclabs/guard-action@v0.0.4
         with:
           ksoc_account_id: <KSOC_ACCOUNT_ID>
           ksoc_access_key_id: ${{ secrets.KSOC_ACCESS_KEY_ID }}
           ksoc_secret_key: ${{ secrets.KSOC_SECRET_KEY }}
 ```
 
-The `ksoc_access_key_id` and `ksoc_secret_key` are the credentials for the KSOC account that will be used to fetch the policies and should be stored as GitHub secrets. The `ksoc_account_id` is the only required workflow input and must match the KSOC account that the credentials are for.
+The `ksoc_access_key_id` and `ksoc_secret_key` are the credentials for the KSOC account that will be used to fetch the policies and should be stored as GitHub secrets. The `ksoc_account_id` must match the KSOC account that the credentials are for.
 
 There are numerous optional inputs that can be used to configure the action:
 - `fail_on_severity`: The severity level that will cause the action to fail. If not provided, the action will never fail.
@@ -34,3 +34,48 @@ There are numerous optional inputs that can be used to configure the action:
 - `paths`: A comma separated list of paths to scan. If not provided, all paths in the repository will be scanned.
 - `policy_ids`: A comma separated list of policy IDs to execute. If not provided, all policies in the KSOC account will be executed.
 - `policy_tags`: A comma separated list of policy tags to execute. If not provided, all policies in the KSOC account will be executed.
+
+KSOC Guard Action is storing the results of the scan in the output called `results`. This can be used to create a comment on the PR with the results of the scan. The following example shows how to do this (note that `pull-resuests` permission is required for this):
+
+```yaml
+name: ksoc-guard
+
+on:
+  pull_request:
+
+jobs:
+  ksoc-guard:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: KSOC Guard
+        uses: ksoclabs/guard-action@main
+        with:
+          ksoc_account_id: <KSOC_ACCOUNT_ID>
+          ksoc_access_key_id: ${{ secrets.KSOC_ACCESS_KEY_ID }}
+          ksoc_secret_key: ${{ secrets.KSOC_SECRET_KEY }}
+      - name: comment
+        if: success() || failure()
+        uses: actions/github-script@v6
+        env:
+          STATUS: ${{ steps.ksoc-guard.outcome == 'success' && 'success ✅' || 'failure ❌' }}
+        with:
+          script: |
+            const output = `
+              Policy Executor: ${{ env.STATUS }}
+
+              \`\`\`
+              ${{ steps.ksoc-guard.outputs.results }}
+              \`\`\`
+              `
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+```
diff --git a/action.yml b/action.yml
@@ -47,10 +47,13 @@ inputs:
     required: false
     description: "Comma separated list of policy tags to execute."
     default: ""
+outputs:
+  results:
+    description: "The results of the policy execution."
 
 runs:
   using: docker
-  image: docker://us.gcr.io/ksoc-public/policy-executor:v0.0.6
+  image: Dockerfile
   env:
     FAIL_ON_SEVERITY: ${{ inputs.fail_on_severity }}
     FORMAT: ${{ inputs.format }}
@@ -63,6 +66,3 @@ runs:
     PATHS: ${{ inputs.paths }}
     POLICY_IDS: ${{ inputs.policy_ids }}
     POLICY_TAGS: ${{ inputs.policy_tags }}
-  args:
-    - policies
-    - execute
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh -l
+
+EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+echo "results<<$EOF" >> $GITHUB_OUTPUT
+/app/policy-executor policies execute >> $GITHUB_OUTPUT
+exit_code=$?
+echo "$EOF" >> $GITHUB_OUTPUT
+cat $GITHUB_OUTPUT
+exit $exit_code