Merge pull request #19 from ksoclabs/sarif-support

Support for SARIF output format
ksoclabs · May 9, 2023 · e27a1ee · e27a1ee
2 parents ec8bffd + 8ba316b
commit e27a1ee
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 17 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM us.gcr.io/ksoc-public/policy-executor:v0.0.9
+FROM us.gcr.io/ksoc-public/policy-executor:v0.0.11
 
 COPY entrypoint.sh /entrypoint.sh
 

diff --git a/README.md b/README.md
@@ -17,8 +17,7 @@ This action is used to execute a set of KSOC policies against the Kubernetes man
 ```yaml
 name: ksoc-guard
 
-on:
-  pull_request:
+on: [ push ]
 
 jobs:
   ksoc-guard:
@@ -29,7 +28,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
       - name: KSOC Guard
-        uses: ksoclabs/guard-action@v0.0.8
+        uses: ksoclabs/guard-action@v0.0.9
         with:
           ksoc_account_id: <KSOC_ACCOUNT_ID>
           ksoc_access_key_id: ${{ secrets.KSOC_ACCESS_KEY_ID }}
@@ -41,8 +40,7 @@ jobs:
 ```yaml
 name: ksoc-guard
 
-on:
-  pull_request:
+on: [ push ]
 
 jobs:
   ksoc-guard:
@@ -53,7 +51,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
       - name: KSOC Guard
-        uses: ksoclabs/guard-action@v0.0.8
+        uses: ksoclabs/guard-action@v0.0.9
         with:
           policy_dir: /policies
 ```
@@ -62,7 +60,7 @@ jobs:
 
 There are numerous optional inputs that can be used to configure the action:
 - `fail_on_severity`: The severity level that will cause the action to fail. If not provided, the action will never fail.
-- `format`: The format of the output. If not provided, the default `ci-table` format will be used which is suitable for use in a CI environment.
+- `format`: The format of the output, valid options are `ci-table` and `sarif`. If not provided, the default `ci-table` will be used.
 - `ignored_paths`: A comma separated list of paths to ignore. If not provided, no paths will be ignored.
 - `ksoc_api_url`: The URL of the KSOC API. If not provided, the default `https://api.ksoc.com` will be used.
 - `paths`: A comma separated list of paths to scan. If not provided, all paths in the repository will be scanned.
@@ -71,13 +69,12 @@ There are numerous optional inputs that can be used to configure the action:
 
 ## Outputs
 
-KSOC Guard Action is storing the results of the scan in the output called `results`. This can be used to create a comment on the PR with the results of the scan. The following example shows how to do this (note that `pull-resuests` permission is required for this):
+KSOC Guard Action can store the results of the scan depending on the `format` input provided. If `format` is `ci-table` it will store outputs as multi-line string in the `results` output variable. This can be used to create a comment on the PR with the results of the scan. The following example shows how to do this (note that `pull-resuests` permission is required for this):
 
 ```yaml
 name: ksoc-guard
 
-on:
-  pull_request:
+on: [ push ]
 
 jobs:
   ksoc-guard:
@@ -89,7 +86,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
       - name: KSOC Guard
-        uses: ksoclabs/guard-action@v0.0.8
+        id: ksoc-guard
+        uses: ksoclabs/guard-action@v0.0.9
         with:
           ksoc_account_id: <KSOC_ACCOUNT_ID>
           ksoc_access_key_id: ${{ secrets.KSOC_ACCESS_KEY_ID }}
@@ -116,6 +114,39 @@ jobs:
             })
 ```
 
+Another option is to use the `sarif` format. This will store the results of the scan as a file and the `sarif` output variable will hold a path to that file. This can be used to upload the results of the scan as a GitHub Code Scanning Alert. The following example shows how to do this (note that `security-events` permission is required for this):
+
+```yaml
+name: ksoc-guard
+
+on: [ push ]
+
+jobs:
+  ksoc-guard:
+    permissions:
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: KSOC Guard
+        id: ksoc-guard
+        uses: ksoclabs/guard-action@v0.0.9
+        with:
+          fail_on_severity: low
+          format: sarif
+          ksoc_account_id: <KSOC_ACCOUNT_ID>
+          ksoc_access_key_id: ${{ secrets.KSOC_ACCESS_KEY_ID }}
+          ksoc_secret_key: ${{ secrets.KSOC_SECRET_KEY }}
+      - name: Upload KSOC Guard SARIF Report
+        if: success() || failure()
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.ksoc-guard.outputs.sarif }}
+          checkout_path: /github/workspace
+```
+
 ## Embedded Policies
 
 The following policies are embedded in this action if used with the `policy_dir` input:

diff --git a/action.yml b/action.yml
@@ -49,6 +49,8 @@ inputs:
 outputs:
   results:
     description: "The results of the policy execution."
+  sarif:
+    description: "Path to a SARIF report file with the policy execution results."
 
 runs:
   using: docker

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,9 +1,15 @@
 #!/bin/sh -l
 
 EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
-echo "results<<$EOF" >> $GITHUB_OUTPUT
-/app/policy-executor policies execute >> $GITHUB_OUTPUT
-exit_code=$?
-echo "$EOF" >> $GITHUB_OUTPUT
-cat $GITHUB_OUTPUT
+if [ $FORMAT = "sarif" ]; then
+  SARIF_OUTPUT_FILE_NAME="./report.sarif"
+  /app/policy-executor policies execute > $SARIF_OUTPUT_FILE_NAME
+  exit_code=$?
+  echo "sarif=$SARIF_OUTPUT_FILE_NAME" >> $GITHUB_OUTPUT
+else
+  echo "results<<$EOF" >> $GITHUB_OUTPUT
+  /app/policy-executor policies execute >> $GITHUB_OUTPUT
+  exit_code=$?
+  echo "$EOF" >> $GITHUB_OUTPUT
+fi
 exit $exit_code