Merge pull request #20 from aquasecurity/owenr-add-optional-repo-scan

feat: tidy up the args and add full repo scan option
aquasecurity · Mar 24, 2022 · 56bc584 · 56bc584
2 parents 5151d83 + 56b9898
commit 56bc584
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 18 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15.2
 
 RUN apk --no-cache --update add bash
 

diff --git a/README.md b/README.md
@@ -35,4 +35,15 @@ jobs:
           sarif_file: tfsec.sarif         
 ```
 
-The `tfsec/tfsec-sarif-action` optionally takes a `config_file` argument to specify the path to a `tfsec` config file that you wish to be run in during the action.
+## Optional inputs
+There are a number of optional inputs that can be used in the `with:` block.
+
+**working_directory** - the directory to scan in, defaults to `.`, ie current working directory
+
+**tfsec_version** - the version of tfsec to use, defaults to `latest`
+
+**tfsec_args** - the args for tfsec to use (space-separated)
+
+**config_file** - The path to the config file. (eg. ./tfsec.yml)
+
+**full_repo_scan** - This is the equivalent of running `--force-all-dirs` and will ensure that a Terraform in the repo will be scanned
diff --git a/action.yml b/action.yml
@@ -1,33 +1,43 @@
-name: 'Run tfsec with sarif upload'
-description: 'Run tfsec against terraform code base and upload the sarif output to the github repo'
-author: 'Owen Rumney'
+name: "Run tfsec with sarif upload"
+description: "Run tfsec against terraform code base and upload the sarif output to the github repo"
+author: "Owen Rumney"
 
 inputs:
   working_directory:
     description: |
       Directory to run the action on, from the repo root.
       Default is . ( root of the repository)
-    default: '.'
+    default: "."
+    required: false
   sarif_file:
     description: The path to write the sarif report, defaults to tfsec.sarif
+    default: tfsec.sarif
+    required: false
   tfvars_file:
     description: The tfvars file to use for the scan
+    required: false
   tfsec_version:
     description: The version of tfsec to use for the scan, defaults to latest
     default: latest
+    required: false
   config_file:
     description: The path to the config file. (eg. ./tfsec.yml)
+    required: false
   tfsec_args:
-    description: | 
+    description: |
       Space seperated args specified here will be added during tfsec execution.
-      (eg. --force-all-dirs --verbose)
+      (eg. --verbose)
+    required: false
+  full_repo_scan:
+    description: Scan the entire repository for Terraform issues
+    required: false
 
 outputs:
   tfsec-return-code:
-    description: 'tfsec command return code'
+    description: "tfsec command return code"
 runs:
-  using: 'docker'
-  image: 'Dockerfile'
+  using: "docker"
+  image: "Dockerfile"
 branding:
-  icon: 'search'
-  color: 'gray-dark'
+  icon: "search"
+  color: "gray-dark"
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -6,13 +6,13 @@ if [ -n "${GITHUB_WORKSPACE}" ]; then
   cd "${GITHUB_WORKSPACE}" || exit
 fi
 
-TFSEC_VERSION="latest"
+TFSEC_VERSION=""
 if [ "$INPUT_TFSEC_VERSION" != "latest" ]; then
   TFSEC_VERSION="tags/${INPUT_TFSEC_VERSION}"
 fi
 
-wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec/releases/${TFSEC_VERSION} -O - | grep -o -E "https://.+?tfsec-linux-amd64" | head -n1)" > tfsec-linux-amd64
-wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec/releases/${TFSEC_VERSION} -O - | grep -o -E "https://.+?tfsec_checksums.txt" | head -n1)" > tfsec.checksums
+wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec/releases${TFSEC_VERSION} -O - | grep -m 1 -o -E "https://.+?tfsec-linux-amd64" | head -n1)" > tfsec-linux-amd64
+wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec/releases${TFSEC_VERSION} -O - | grep -m 1 -o -E "https://.+?tfsec_checksums.txt" | head -n1)" > tfsec.checksums
 
 grep tfsec-linux-amd64 tfsec.checksums > tfsec-linux-amd64.checksum
 sha256sum -c tfsec-linux-amd64.checksum
@@ -33,9 +33,14 @@ if [ -n "${INPUT_TFSEC_ARGS}" ]; then
   TFSEC_ARGS_OPTION="${INPUT_TFSEC_ARGS}"
 fi
 
-echo {} >${INPUT_SARIF_FILE}
+if [ -n "${INPUT_FULL_REPO_SCAN}" ]; then
+  echo "::debug:: Forcing all directories to be scanned"
+  TFSEC_ARGS_OPTION="--force-all-dirs ${TFSEC_ARGS_OPTION}"
+fi
+
+echo {} > ${INPUT_SARIF_FILE}
 
-tfsec --soft-fail --force-all-dirs --format=sarif "${INPUT_WORKING_DIRECTORY}" ${CONFIG_FILE_OPTION} ${TFVARS_OPTION} ${TFSEC_ARGS_OPTION} >${INPUT_SARIF_FILE}
+tfsec --soft-fail --out=${INPUT_SARIF_FILE} --format=sarif ${TFSEC_ARGS_OPTION} ${CONFIG_FILE_OPTION} ${TFVARS_OPTION} "${INPUT_WORKING_DIRECTORY}" 
 
 tfsec_return="${PIPESTATUS[0]}" exit_code=$?