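# Repository configuration this workflow expects (Actions variables / secrets):
# vars.PCC_CONSOLE_URL
# vars.PRISMA_API_URL
# secrets.PC_ACCESS_KEY
# secrets.PC_SECRET_KEY
#
# NOTE(review): every third-party action below is referenced by a mutable tag
# (@v1, @v2) or branch (@master). For supply-chain hygiene prefer pinning each
# `uses:` to a full-length commit SHA (`owner/action@<40-hex-commit-sha> # vX`)
# and letting dependency tooling bump it.
name: Prisma Cloud Image scans

on:
  pull_request:
  push:
    branches:
      - main
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

env:
  # Tag given to the locally built image; all three jobs build and scan it.
  IMAGE_NAME: demo:latest

jobs:
  build-and-scan-image:
    name: Build & scan image
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      # Only required by the optional code-scanning upload step (commented out
      # below); it can be dropped while that step stays disabled.
      security-events: write # For SARIF
    steps:
      - name: Check out the repository
        uses: actions/checkout@v2
      - name: Build the image
        run: docker build -t "$IMAGE_NAME" .
      - name: Container Image Scan
        id: scan
        uses: PaloAltoNetworks/prisma-cloud-scan@v1
        with:
          pcc_console_url: ${{ vars.PCC_CONSOLE_URL }}
          pcc_user: ${{ secrets.PC_ACCESS_KEY }}
          pcc_pass: ${{ secrets.PC_SECRET_KEY }}
          image_name: ${{ env.IMAGE_NAME }}
      - name: Upload SARIF report
        uses: actions/upload-artifact@v2
        # always(): keep the report even when the scan step fails its threshold
        if: ${{ always() }}
        with:
          name: SARIF results twistcli
          path: ${{ steps.scan.outputs.sarif_file }}
      # # Only for public repos or enterprise accounts
      # # (Optional) for compatibility with GitHub's code scanning alerts
      # - name: Upload SARIF file
      #   if: ${{ always() }} # necessary if using failure thresholds in the image scan
      #   uses: github/codeql-action/upload-sarif@v2
      #   with:
      #     sarif_file: ${{ steps.scan.outputs.sarif_file }}

  build-and-scan-image-checkov:
    name: Checkov Build & scan image
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      # Not used by any active step in this job (SARIF goes to an artifact);
      # kept for parity with build-and-scan-image.
      security-events: write # For SARIF
    steps:
      - name: Check out the repository
        uses: actions/checkout@v2
      - name: Build the image
        run: docker build -t "$IMAGE_NAME" .
      - name: Run Checkov action
        id: checkov
        # NOTE(review): @master is a moving branch; pin to a release tag or
        # commit SHA so a compromised or changed branch cannot alter this job.
        uses: bridgecrewio/checkov-action@master
        with:
          quiet: false # optional: display only failed checks
          # soft_fail: true # optional: do not return an error code if there are failed checks
          docker_image: ${{ env.IMAGE_NAME }} # define the name of the image to scan
          dockerfile_path: "Dockerfile" # path to the Dockerfile
          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
          api-key: ${{ secrets.PC_ACCESS_KEY }}::${{ secrets.PC_SECRET_KEY }} # Bridgecrew API key stored as a GitHub secret
          prisma-api-url: ${{ vars.PRISMA_API_URL }}
          use_enforcement_rules: true
          output_format: cli,sarif
          output_file_path: console,results.sarif
      - name: Upload SARIF report
        uses: actions/upload-artifact@v2
        # always(): keep the report even when Checkov returns a failing exit code
        if: ${{ always() }}
        with:
          name: SARIF results image scan
          path: results.sarif

  sandbox-image:
    name: Sandbox image
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
    steps:
      - name: Check out the repository
        uses: actions/checkout@v2
      - name: Build the image
        run: docker build -t "$IMAGE_NAME" .
      # The download and sandbox steps previously carried `if: always()`, which
      # ran them after a failed checkout/build and even on cancellation; the
      # sandbox would then execute against an image that was never built, or
      # fail on a missing ./twistcli. Default (success-only) gating is intended.
      - name: Download Twistcli
        run: |
          chmod +x twistcli_download.sh
          ./twistcli_download.sh
        env:
          PCC_URL: ${{ vars.PCC_CONSOLE_URL }}
          PC_ACCESS_KEY: ${{ secrets.PC_ACCESS_KEY }}
          PC_SECRET_KEY: ${{ secrets.PC_SECRET_KEY }}
      - name: Run Image Sandbox
        # Image name is read from the job-level env var (same as the build
        # steps) rather than interpolated into the shell line via ${{ }}.
        run: sudo -E ./twistcli sandbox --address "${PCC_CONSOLE_URL}" "$IMAGE_NAME"
        env:
          PCC_CONSOLE_URL: ${{ vars.PCC_CONSOLE_URL }}
          TWISTLOCK_USER: ${{ secrets.PC_ACCESS_KEY }}
          TWISTLOCK_PASSWORD: ${{ secrets.PC_SECRET_KEY }}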