Prisma Cloud IaC Scan #69
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow uses actions that are not certified by GitHub. | |
# They are provided by a third-party and are governed by | |
# separate terms of service, privacy policy, and support | |
# documentation. | |
# A sample workflow that checks for security issues using | |
# the Prisma Cloud Infrastructure as Code Scan Action on | |
# the IaC files present in the repository. | |
# The results are uploaded to GitHub Security Code Scanning | |
# | |
# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action | |
name: Prisma Cloud IaC Scan | |
on: | |
push: | |
branches: [ "master" ] | |
pull_request: | |
# The branches below must be a subset of the branches above | |
branches: [ "master" ] | |
schedule: | |
- cron: '31 12 * * 6' | |
permissions: | |
contents: read | |
jobs: | |
prisma_cloud_iac_scan: | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
runs-on: ubuntu-latest | |
name: Run Prisma Cloud IaC Scan to check | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- id: iac-scan | |
name: Run Scan on CFT files in the repository | |
uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 | |
with: | |
# You will need Prisma Cloud API Access Token | |
# More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action | |
prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }} | |
access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }} | |
secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }} | |
# Scan sources on Prisma Cloud are uniquely identified by their name | |
asset_name: 'my-asset-name' | |
# The service need to know the type of IaC being scanned | |
template_type: 'CFT' | |
- name: Upload SARIF file | |
uses: github/codeql-action/upload-sarif@v2 | |
# Results are generated only on a success or failure | |
# this is required since GitHub by default won't run the next step | |
# when the previous one has failed. | |
# And alternative it to add `continue-on-error: true` to the previous step | |
if: success() || failure() | |
with: | |
# The SARIF Log file name is configurable on scan action | |
# therefore the file name is best read from the steps output | |
sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }} |