Prisma Cloud All Checks #19
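---
# Required repository configuration (Settings > Secrets and variables > Actions):
#   vars.PCC_CONSOLE_URL   - Prisma Cloud Compute console URL (twistcli / image scan)
#   vars.PRISMA_API_URL    - Prisma Cloud API URL (Checkov / Bridgecrew actions)
#   secrets.PC_ACCESS_KEY  - Prisma Cloud access key
#   secrets.PC_SECRET_KEY  - Prisma Cloud secret key
name: Prisma Cloud Checks

on:
  pull_request:
  push:
    branches:
      - main
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

env:
  IMAGE_NAME: demo:latest

jobs:
  build-and-scan-image:
    name: Build & scan image
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      # For SARIF: only the (currently commented-out) upload-sarif step needs this;
      # the artifact upload below does not.
      security-events: write
    steps:
      - name: Check out the repository
        # NOTE(review): v2 of checkout/upload-artifact runs on a Node runtime GitHub
        # has deprecated; consider moving to a current major version.
        uses: actions/checkout@v2
      - name: Build the image
        run: docker build -t "$IMAGE_NAME" .
      - name: Container Image Scan
        id: scan
        uses: PaloAltoNetworks/prisma-cloud-scan@v1
        with:
          pcc_console_url: ${{ vars.PCC_CONSOLE_URL }}
          pcc_user: ${{ secrets.PC_ACCESS_KEY }}
          pcc_pass: ${{ secrets.PC_SECRET_KEY }}
          image_name: ${{ env.IMAGE_NAME }}
      - name: Upload SARIF report
        uses: actions/upload-artifact@v2
        if: ${{ always() }}  # keep the report even when the scan fails a threshold
        with:
          name: SARIF results twistcli
          path: ${{ steps.scan.outputs.sarif_file }}
      # # Only for public repos or enterprise accounts
      # # (Optional) for compatibility with GitHub's code scanning alerts
      # - name: Upload SARIF file
      #   if: ${{ always() }}  # necessary if using failure thresholds in the image scan
      #   uses: github/codeql-action/upload-sarif@v2
      #   with:
      #     sarif_file: ${{ steps.scan.outputs.sarif_file }}

  build-and-scan-image-checkov:
    name: Checkov Build & scan image
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # For SARIF
    steps:
      - name: Check out the repository
        uses: actions/checkout@v2
      - name: Build the image
        run: docker build -t "$IMAGE_NAME" .
      - name: Run Checkov action
        id: checkov
        # TODO(review): `master` is a mutable ref; pin to a release tag or a full
        # commit SHA so the scanner itself cannot change underneath this workflow.
        uses: bridgecrewio/checkov-action@master
        with:
          quiet: true  # optional: display only failed checks
          soft_fail: true  # optional: do not return an error code if there are failed checks
          docker_image: ${{ env.IMAGE_NAME }}  # define the name of the image to scan
          dockerfile_path: "Dockerfile"  # path to the Dockerfile
          # optional: UID (and/or GID) to run the container under, to prevent
          # permission issues
          container_user: 1000
          # Prisma Cloud credentials in the `<access key>::<secret key>` form the
          # action expects, stored as GitHub secrets
          api-key: ${{ secrets.PC_ACCESS_KEY }}::${{ secrets.PC_SECRET_KEY }}
          prisma-api-url: ${{ vars.PRISMA_API_URL }}
          use_enforcement_rules: true
      - name: Upload SARIF report
        uses: actions/upload-artifact@v2
        if: ${{ always() }}
        with:
          # Distinct artifact name: the previous "SARIF results twistcli" collided with
          # the build-and-scan-image job's artifact.
          name: SARIF results checkov image
          # This job has no step with id `scan`, so the previous
          # `${{ steps.scan.outputs.sarif_file }}` expanded to an empty path. Use the
          # results.sarif file the Checkov action writes to the workspace (the same
          # file name the checkov-scan job uploads below); verify if the action's
          # output options change.
          path: results.sarif

  sandbox-image:
    name: Sandbox image
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
    steps:
      - name: Check out the repository
        uses: actions/checkout@v2
      - name: Build the image
        run: docker build -t "$IMAGE_NAME" .
      # The download and sandbox steps deliberately have no `if: always()`: running
      # them after a failed checkout or build would only sandbox a missing image.
      - name: Download Twistcli
        run: |
          chmod +x twistcli_download.sh
          ./twistcli_download.sh
        env:
          PCC_URL: ${{ vars.PCC_CONSOLE_URL }}
          PC_ACCESS_KEY: ${{ secrets.PC_ACCESS_KEY }}
          PC_SECRET_KEY: ${{ secrets.PC_SECRET_KEY }}
      - name: Run Image Sandbox
        # `sudo -E` passes PCC_CONSOLE_URL / TWISTLOCK_USER / TWISTLOCK_PASSWORD
        # through to twistcli; IMAGE_NAME is read from the workflow-level env.
        run: sudo -E ./twistcli sandbox --address "$PCC_CONSOLE_URL" "$IMAGE_NAME"
        env:
          PCC_CONSOLE_URL: ${{ vars.PCC_CONSOLE_URL }}
          TWISTLOCK_USER: ${{ secrets.PC_ACCESS_KEY }}
          TWISTLOCK_PASSWORD: ${{ secrets.PC_SECRET_KEY }}

  openapi-scan:
    name: Scan OpenAPI Spec
    runs-on: ubuntu-latest
    permissions:
      contents: read  # checkout only; without this block the job inherited the repo default
    steps:
      - name: Check out the repository
        uses: actions/checkout@v2
      - name: Download Twistcli
        run: |
          chmod +x twistcli_download.sh
          ./twistcli_download.sh
        env:
          PCC_URL: ${{ vars.PCC_CONSOLE_URL }}
          PC_ACCESS_KEY: ${{ secrets.PC_ACCESS_KEY }}
          PC_SECRET_KEY: ${{ secrets.PC_SECRET_KEY }}
      - name: Run Scan
        run: ./twistcli waas openapi-scan springboot_spec.yaml --address "$PCC_CONSOLE_URL"
        env:
          PCC_CONSOLE_URL: ${{ vars.PCC_CONSOLE_URL }}
          TWISTLOCK_USER: ${{ secrets.PC_ACCESS_KEY }}
          TWISTLOCK_PASSWORD: ${{ secrets.PC_SECRET_KEY }}

  checkov-scan:
    name: Scan Repo with checkov
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # For SARIF (upload-sarif step)
    steps:
      - name: Check out the repository
        uses: actions/checkout@v2
      - name: Run Bridgecrew Action
        id: Bridgecrew
        # TODO(review): `master` is a mutable ref; pin to a release tag or a full
        # commit SHA.
        uses: bridgecrewio/bridgecrew-action@master
        env:
          PRISMA_API_URL: ${{ vars.PRISMA_API_URL }}
        with:
          api-key: ${{ secrets.PC_ACCESS_KEY }}::${{ secrets.PC_SECRET_KEY }}
          quiet: true  # only show failed
      - name: Upload SARIF report
        uses: actions/upload-artifact@v2
        if: ${{ always() }}
        with:
          name: SARIF results Checkov
          path: results.sarif
      # Only for public repos or enterprise accounts
      # Uploads results.sarif to GitHub repository using the upload-sarif action
      - name: Upload SARIF to code scanning
        # Publish findings even when the scan step failed (e.g. on failed checks),
        # matching the artifact upload above.
        if: ${{ always() }}
        uses: github/codeql-action/upload-sarif@v2
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif

  pipeline-exploit:
    name: Pull Request annotation
    runs-on: ubuntu-latest
    if: ${{ github.event_name == 'pull_request' }}
    permissions:
      contents: read  # checkout is all this job does; `write-all` granted far more than it uses
    steps:
      - name: Check out the repository
        uses: actions/checkout@v2
      - name: Show Pull Request Data
        # The PR title is text chosen by the PR author. Passing it via an environment
        # variable keeps it out of the shell script: a direct `${{ ... }}` expansion
        # inside `run:` would splice that text into the script before it runs.
        # NOTE(review): the job name suggests the original direct interpolation may have
        # been kept as a deliberate finding for the checkov pipeline scan; confirm before
        # relying on this job for that purpose.
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "$PR_TITLE"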