
fix: Allow specifying files in a github actions config file #6813

Status: Open, wants to merge 1 commit into base: main

Conversation

@m-wynn m-wynn commented Nov 5, 2024

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

If you want to run checkov on multiple files or directories from a github action, you have to hack in the list of input directory or files like:

```yaml
 - name: Run Checkov action
   id: checkov
   uses: bridgecrewio/checkov-action@master
   with:
     file: foo.tf -f bar.tf -f baz.tf
     # or
     directory: prod -d dev -d staging
```

This technically works but has a few downsides. It'll fail if a file has a space in it, and if you're using DOWNLOAD_EXTERNAL_MODULES it will delete things you did not expect.

A much more robust alternative is using the .checkov.yaml with:

```yaml
file:
  - foo.tf
  - bar.tf
  - baz.tf
# or
directory:
  - prod
  - dev
  - staging
```

In the github action, directory defaults to . but you can pass in directory: ''. As the code is now, this will still call checkov -d --output=... which causes an error.

This is probably not a breaking change because: if both $INPUT_FILE and $INPUT_DIRECTORY are empty (directory has explicitly been set to empty string in bridgecrewio/checkov-action, or a custom github action has been used):

  • Before this change: Error with checkov: error: argument -d/--directory: expected one argument and exit 2.
  • After this change: Either use the files defined in INPUT_CONFIG_FILE or print the logo / version and exit 0.

Fixes bridgecrewio/checkov-action#22

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
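As an added illustration (not the action's entrypoint.sh, which this PR changes but which is not shown on the page), a POSIX shell helper that builds checkov's argument list the way the description argues for: an empty directory or file input is dropped instead of turning into a bare `-d`/`-f`, and a path containing a space stays a single argument. It assumes each input is a newline-separated list (e.g. a YAML block scalar) rather than the `foo.tf -f bar.tf` hack; `--config-file` is checkov's own flag for a config file.

```shell
#!/bin/sh
# Added illustration, not checkov-action's own entrypoint.sh: build the
# checkov argument list so that an empty INPUT_DIRECTORY / INPUT_FILE is
# dropped instead of becoming a bare "-d" or "-f", and so that a path with
# a space stays one argument. Assumption: each input is a newline-separated
# list (a YAML block scalar), not the "foo.tf -f bar.tf" hack.
# Usage: build_checkov_args "$INPUT_FILE" "$INPUT_DIRECTORY" "$INPUT_CONFIG_FILE"
# Prints one argument per line (nothing at all when every input is empty).
build_checkov_args() {
    _files=$1
    _dirs=$2
    _config=$3
    set --                      # positional parameters serve as the argv array

    _old_ifs=$IFS
    IFS='
'                               # split only on newlines, never on spaces
    set -f                      # no globbing while expanding the lists
    for _entry in $_dirs; do
        if [ -n "$_entry" ]; then
            set -- "$@" -d "$_entry"
        fi
    done
    for _entry in $_files; do
        if [ -n "$_entry" ]; then
            set -- "$@" -f "$_entry"
        fi
    done
    set +f
    IFS=$_old_ifs

    # --config-file is checkov's flag for a .checkov.yaml-style config file.
    if [ -n "$_config" ]; then
        set -- "$@" --config-file "$_config"
    fi

    if [ "$#" -gt 0 ]; then
        printf '%s\n' "$@"
    fi
}

# Demo with constructed inputs: a file name containing a space, an empty
# directory input (the PR's failing case) and a config file.
build_checkov_args 'my module.tf
other.tf' '' '.checkov.yaml'
```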

@m-wynn (Contributor Author) commented Nov 5, 2024

You can kinda test this via:

```shell
GITHUB_ACTIONS=true GITHUB_ENV=/dev/null GITHUB_OUTPUT=/dev/null INPUT_DIRECTORY='' INPUT_CONFIG_FILE=config.yaml ./github_action_resources/entrypoint.sh
```

@m-wynn (Contributor Author) commented Dec 17, 2024

Could I get a review on this? It would make our workflows a lot cleaner. 🙏

Successfully merging this pull request may close these issues.

Monorepo support