Merge pull request #11 from accurics/nitumore-patch-1

APE-8009 - support cloud.tenable.com endpoint , support scan mode , plan mode, pipeline scan

Dockerfile

@@ -4,9 +4,19 @@ FROM alpine:3.13
 # Copies your code file from your action repository to the filesystem path `/` of the container
 COPY entrypoint.sh /entrypoint.sh
 
-RUN apk update && apk add --upgrade --no-cache ca-certificates curl jq && \
-  curl -s https://downloads.accurics.com/cli/1.0.4/accurics_linux -o /usr/bin/accurics && \
+ARG TERRASCAN_VERSION=1.15.0
+ARG CLI_VERSION=1.0.37
+RUN apk update && apk add --upgrade --no-cache ca-certificates curl jq git && \
+  curl -s https://downloads.accurics.com/cli/dev/${CLI_VERSION}/accurics_linux -o /usr/bin/accurics && \
   chmod 755 /entrypoint.sh /usr/bin/accurics
+
+RUN curl --location https://github.com/accurics/terrascan/releases/download/v${TERRASCAN_VERSION}/terrascan_${TERRASCAN_VERSION}_Linux_x86_64.tar.gz -o terrascan.tar.gz && \
+    tar xvfz terrascan.tar.gz && \
+    rm -f terrascan.tar.gz && \
+    mv terrascan /usr/bin/ && \
+    terrascan version
+
+
 
 # Code file to execute when the docker container starts up (`entrypoint.sh`)
 ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -3,8 +3,8 @@
 ## Description
 The Accurics GitHub action runs an Accurics scan against the IaC (Infrastructure-as-Code) files found within the applied repository.
 This action can be used to fail a pipeline build when violations or errors are found.
-The scan results can be viewed in the pipeline results or in the Accurics Console itself at https://app.accurics.com
-
+The scan results can be viewed in the pipeline results or in the Accurics Console itself at https://cloud.tenable.com/cns or https://app.accurics.com
+ depending on url configured. 
 See examples below.
 
 ## Setup
@@ -47,6 +47,10 @@ The Accurics GitHub action runs as a Linux container, which means it accumulates
 | directories | A list of directories to scan within this repository separated by a space | ./ | 
 | fail-on-violations | Allows the Accurics Action to fail the build when violations are found | true |
 | fail-on-all-errors | Allows the Accurics Action to fail the build when any errors are encountered | true |
+| scan-mode | Allows the Accurics Action to use either terraform or terrascan for scanning(plan/scan) | plan |
+| url | Allows the Accurics Action to point to different target endpoint of the product e.g. https://cloud.tenable.com/cns | https://app.accurics.com |
+| pipeline | Allows the Accurics Action to choose mode as pipeline | false |
+
 
 ### Notes
 - Variable values within the plan-args setting should be stripped of double-quote (") characters
@@ -62,10 +66,6 @@ The Accurics GitHub action runs as a Linux container, which means it accumulates
 | Medium-Severity Violations | $medium |
 | Low-Severity Violations | $low |
 | Native Resources | $native |
-| Inherited Resources | $inherited |
-| Drift | $drift |
-| IaC Drift | $iacdrift |
-| Cloud Drift | $clouddrift |
 | has-errors | $has_errors |
 
 ## Examples
@@ -85,13 +85,17 @@ This example configures an Accurics Scan with a custom Terraform version and var
           # Required by Terraform
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          REPO_URL: ${{ github.repositoryUrl }}
+          GIT_BRANCH:  ${{ github.ref_name }}
+          GIT_COMMIT:  ${{ github.sha }}
         with:
           # Required by Accurics
           app-id: ${{ secrets.ACCURICS_APP_ID }}
           env-id: ${{ secrets.ACCURICS_ENV_ID }}
           # Optional args
           terraform-version: 0.14.7
           plan-args: '-var myvar1=val1 -var myvar2=val2'
+          url: "https://cloud.tenable.com/cns"
 ```
 
 ### Example 2:
@@ -107,6 +111,9 @@ This example configures an Accurics Scan using the latest Terraform version, cus
           # Required by Terraform
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          REPO_URL: ${{ github.repositoryUrl }}
+          GIT_BRANCH:  ${{ github.ref_name }}
+          GIT_COMMIT:  ${{ github.sha }}
         with:
           # Required by Accurics
           app-id: ${{ secrets.ACCURICS_APP_ID }}
@@ -115,10 +122,13 @@ This example configures an Accurics Scan using the latest Terraform version, cus
           # Optional args
           plan-args: '-var myvar1=val1 -var myvar2=val2'
           fail-on-violations: false
+          url: "https://cloud.tenable.com/cns"
+          scan-mode: "plan"
+          pipeline: true
 ```
 
 ### Example 3:
-This is the same configuration as before, but it now includes an extra build step to display the output scan status.
+This is the same configuration as before, but it now includes an extra build step to display the output scan status, also sets scan mode to terrascan scan.
 ```yaml
     steps:
       - name: Checkout
@@ -130,6 +140,9 @@ This is the same configuration as before, but it now includes an extra build ste
           # Required by Terraform
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          REPO_URL: ${{ github.repositoryUrl }}
+          GIT_BRANCH:  ${{ github.ref_name }}
+          GIT_COMMIT:  ${{ github.sha }}
         with:
           # Required by Accurics
           app-id: ${{ secrets.ACCURICS_APP_ID }}
@@ -138,6 +151,9 @@ This is the same configuration as before, but it now includes an extra build ste
           # Optional args
           plan-args: '-var myvar1=val1 -var myvar2=val2'
           fail-on-violations: false
+          url: "https://cloud.tenable.com/cns"
+          scan-mode: "scan"
+          pipeline: true
       - name: Display statistics
         run: '
             echo ""
@@ -159,4 +175,70 @@ This is the same configuration as before, but it now includes an extra build ste
             echo ""
           '
 ```
+### Example 4: This is the example to check number of violations and fail the build in case not satisfied.
+```yaml
+    steps:
+      - run: touch config
+      - run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
+      - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by GitHub!"
+      - run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
+      - name: Check out repository code
+        uses: actions/checkout@v2
+      - run: echo "💡 The ${{ github.repository }} repository has been cloned to the runner."
+      - run: echo "🖥️ The workflow is now ready to test your code on the runner."
+      - name: List files in the repository
+        run: |
+          ls ${{ github.workspace }}
+      - name: Get git branch
+        run: |
+          git branch
+      - name: Accurics
+
+        uses: accurics/accurics-action@v2.25
+        id: accurics
+        env:
+          # Required by Terraform
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          REPO_URL: ${{ github.repositoryUrl }}
+          GIT_BRANCH:  ${{ github.ref_name }}
+          GIT_COMMIT:  ${{ github.sha }}
+
+        with:
+          # Required by Accurics
+          app-id: ${{ secrets.ACCURICS_APP_ID }}
+          env-id: ${{ secrets.ACCURICS_ENV_ID }}
+          repo: "your-repo-name-from-web-console"
+          url: "https://cloud.tenable.com/cns"
+          fail-on-violations: false
+          scan-mode: "plan"
+          pipeline: false
+      - name: Display statistics
+        run: '
+            echo ""
+            echo "Environment Name           : ${{ steps.accurics.outputs.env-name }}";
+            echo "Repository                 : ${{ steps.accurics.outputs.repo }}";
+            echo "Violation Count            : ${{ steps.accurics.outputs.num-violations }}";
+            echo "Resource Count             : ${{ steps.accurics.outputs.num-resources }}";
+            echo ""
+            echo "Native Resources           : ${{ steps.accurics.outputs.native }}";
+            echo "Inherited Resources        : ${{ steps.accurics.outputs.inherited }}";
+            echo ""
+            echo "High-Severity Violations   : ${{ steps.accurics.outputs.high }}";
+            echo "Medium-Severity Violations : ${{ steps.accurics.outputs.medium }}";
+            echo "Low-Severity Violations    : ${{ steps.accurics.outputs.low }}";
+            echo ""
+            echo "Drift                      : ${{ steps.accurics.outputs.drift }}";
+            echo "IaC Drift                  : ${{ steps.accurics.outputs.iacdrift }}";
+            echo "Cloud Drift                : ${{ steps.accurics.outputs.clouddrift }}";
+            echo ""
+          '
+      - name: Check Number Of violations
+        if: ${{ steps.accurics.outputs.num-violations > 10 }}
+        uses: actions/github-script@v3
+        with:
+          script: |
+              core.setFailed('Coverage test below tolerance')
+
+```
 

action.yml

@@ -45,6 +45,14 @@ inputs:
     description: 'Allows Accurics to fail the build when any errors are encountered (default=true)'
     required: false
     default: true
+  scan-mode:
+    description: 'Allows Accurics to switch to terrascan based analysis'
+    required: false
+    default: "plan"
+  pipeline:
+    description: 'Allows Accurics to put data into pipeline tab in tenable.cs web consile values accepted(true/false)'
+    required: false
+    default: false
 outputs:
   env-name:
     description: 'Environment Name'
@@ -86,4 +94,6 @@ runs:
     - ${{ inputs.url }}
     - ${{ inputs.fail-on-violations }}
     - ${{ inputs.fail-on-all-errors }}
+    - ${{ inputs.scan-mode }}
+    - ${{ inputs.pipeline }}
 

entrypoint.sh

@@ -13,7 +13,9 @@ process_args() {
   INPUT_REPO_NAME=$7
   INPUT_URL=$8
   INPUT_FAIL_ON_VIOLATIONS=$9
-  INPUT_FAIL_ON_ALL_ERRORS=$10
+  INPUT_FAIL_ON_ALL_ERRORS=${10}
+  INPUT_SCAN_MODE=${11}
+  INPUT_PIPELINE=${12}
 
   # If all config parameters are specified, use the config params passed in instead of the config file checked into the repository
   [ "$INPUT_ENV_ID" = "" ]    && echo "Error: The env-id parameter is required and not set." && exit 1
@@ -47,11 +49,32 @@ install_terraform() {
 run_accurics() {
   local params=$1
   local plan_args=$2
+  touch config
+  terrascan version
+
+  local runMode="plan"
+  local pipeline_mode=""
+
+  if [ "$INPUT_SCAN_MODE" = "scan" ]; then
+     echo "running scan mode"
+     runMode="scan"
+  else
+     echo "running plan mode"
+     accurics init
+  fi
+
+
+  if [ "$INPUT_PIPELINE" = true ]; then
+     echo "INPUT_PIPELINE="$INPUT_PIPELINE
+     echo "running pipeline mode"
+     pipeline_mode="-mode=pipeline"
+  else
+     echo "INPUT_PIPELINE="$INPUT_PIPELINE
+  fi
+
+   # Run accurics plan
+  accurics $runMode $params $plan_args $pipeline_mode
 
-  accurics init
-
-  # Run accurics plan
-  accurics plan $params $plan_args
   ACCURICS_PLAN_ERR=$?
 }
 
@@ -100,7 +123,7 @@ process_output() {
 INPUT_DEBUG_MODE=$1
 [ "$INPUT_DEBUG_MODE" = "true" ] && set -x
 
-process_args "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "$10"
+process_args "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "${10}" "${11}" "${12}"
 
 install_terraform $INPUT_TERRAFORM_VERSION
 

example-workflow.yml

@@ -20,6 +20,7 @@ jobs:
           # Credentials are required by Terraform. They can be specified using any method that Terraform accepts
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          REPO_URL: ${{ github.repositoryUrl }}
         with:
           # A specific Terraform version can be chosen (default=latest)
           terraform-version: 0.14.7