From 1f6a5e5b7266537d3df7c65446f8553ef9f225dc Mon Sep 17 00:00:00 2001 From: Tom Haynes Date: Thu, 17 Jul 2025 13:02:03 +0100 Subject: [PATCH 1/9] support override of dockerhub registry --- Dockerfile | 17 +++++++++-------- action.yml | 8 ++++++-- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index ba85009..047dd75 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,13 +1,14 @@ -FROM checkmarx/kics:v2.1.11 as kics-env - +ARG DOCKERHUB_REGISTRY=docker.io +FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.11 as kics-env + FROM cgr.dev/chainguard/wolfi-base:latest - + COPY --from=kics-env /app /app - + COPY ./entrypoint.sh /entrypoint.sh - + RUN chmod +x /entrypoint.sh - + COPY ./ /app - -ENTRYPOINT ["/entrypoint.sh"] + +ENTRYPOINT ["/entrypoint.sh"] \ No newline at end of file diff --git a/action.yml b/action.yml index 58b0223..3e2accb 100644 --- a/action.yml +++ b/action.yml @@ -1,4 +1,3 @@ -# action.yml name: "KICS Github Action" description: "Run KICS scan against IaC projects" inputs: @@ -26,6 +25,10 @@ inputs: required: false default: "description_id,similarity_id,search_line,search_value" description: "Excluded columns for the comment with queries, accepts a comma separated list" + dockerhub_registry: + description: "Override the Docker Hub registry (default: docker.io)" + required: false + default: "docker.io" path: description: "paths to a file or directories to scan, accepts a comma separated list" required: true @@ -120,6 +123,7 @@ runs: INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES: ${{ inputs.excluded_column_for_comments_with_queries }} INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }} WORKSPACE_PATH: $GITHUB_WORKSPACE + DOCKERHUB_REGISTRY: ${{ inputs.dockerhub_registry }} args: - ${{ inputs.path }} - ${{ inputs.fail_on }} 
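Review bot: The new `FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.11 as kics-env` pins the scanner stage by tag only, so the `/app` tree copied into the final image by `COPY --from=kics-env /app /app` changes silently whenever that tag is re-pushed, and a registry override widens the exposure because the mirror now decides what `v2.1.11` resolves to. A digest pin is content-addressed and therefore survives the mirror switch while also verifying that the mirror served the expected bytes: `FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.11@sha256:<digest-of-intended-image> AS kics-env`, with the digest kept next to the tag so bumps stay reviewable. The unchanged `cgr.dev/chainguard/wolfi-base:latest` line has the same weakness, and the 6/9 Dockerfile hunk that restores this `FROM` inherits it. `as` would also read better as `AS`, matching the other uppercase instructions.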
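Review bot: `DOCKERHUB_REGISTRY: ${{ inputs.dockerhub_registry }}` is added under `env:` of a `using: "docker"` action, but `runs.env` is injected into the running container, not into `docker build`, so the `ARG DOCKERHUB_REGISTRY` in the Dockerfile never receives the input and the override has no effect. A Docker container action built from `image: Dockerfile` has no metadata key for build arguments at all; the override can only work with a prebuilt image reference or with a composite action that runs `docker build --build-arg` itself, which is what 4/9 later introduces. Until then the new `dockerhub_registry` input in the preceding hunk is dead. The `runs:` block continues outside this hunk.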
@@ -145,4 +149,4 @@ runs: - ${{ inputs.disable_full_descriptions }} - ${{ inputs.libraries_path }} - ${{ inputs.secrets_regexes_path}} - - ${{ inputs.cloud_provider}} + - ${{ inputs.cloud_provider}} \ No newline at end of file From c35b29025058e417a06887a92a6e0c71480be3fe Mon Sep 17 00:00:00 2001 From: Tom Haynes Date: Thu, 17 Jul 2025 13:21:52 +0100 Subject: [PATCH 2/9] use build-arg --- action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 3e2accb..0c8c75e 100644 --- a/action.yml +++ b/action.yml @@ -123,7 +123,8 @@ runs: INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES: ${{ inputs.excluded_column_for_comments_with_queries }} INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }} WORKSPACE_PATH: $GITHUB_WORKSPACE - DOCKERHUB_REGISTRY: ${{ inputs.dockerhub_registry }} + build-args: + - DOCKERHUB_REGISTRY=${{ inputs.dockerhub_registry }} args: - ${{ inputs.path }} - ${{ inputs.fail_on }} From dc8a80f1c77e67f6bde0e469b8236668aaf36188 Mon Sep 17 00:00:00 2001 From: Tom Haynes Date: Thu, 17 Jul 2025 13:28:19 +0100 Subject: [PATCH 3/9] use build-arg --- action.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 0c8c75e..b793b3f 100644 --- a/action.yml +++ b/action.yml @@ -123,9 +123,8 @@ runs: INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES: ${{ inputs.excluded_column_for_comments_with_queries }} INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }} WORKSPACE_PATH: $GITHUB_WORKSPACE - build-args: - - DOCKERHUB_REGISTRY=${{ inputs.dockerhub_registry }} args: + - DOCKERHUB_REGISTRY=${{ inputs.dockerhub_registry }} - ${{ inputs.path }} - ${{ inputs.fail_on }} - ${{ inputs.timeout }} From 669fdbdc5534fb1480d5b9de4971d7a54798ec29 Mon Sep 17 00:00:00 2001 
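Review bot: `build-args:` is not a key the action metadata accepts under `runs:` for a Docker container action (the supported keys are `using`, `image`, `env`, `args`, `entrypoint`, `pre-entrypoint`, `post-entrypoint` and their `-if` variants), so this hunk still cannot reach the Dockerfile's `ARG`. The 3/9 hunk that moves `DOCKERHUB_REGISTRY=${{ inputs.dockerhub_registry }}` into `args:` fails from the other side: `args` are handed to the container entrypoint at run time, after the image is already built, and the new first element shifts every positional argument ahead of `${{ inputs.path }}`, which will break entrypoint.sh if it reads its arguments by position (entrypoint.sh is not part of this patch). The build argument can only be supplied by whatever invokes `docker build`, which 4/9 addresses by switching to a composite action.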
From: derrick Date: Wed, 23 Jul 2025 21:25:57 +0100 Subject: [PATCH 4/9] update dockerfile and actions to build run --- Dockerfile | 5 +-- action.yml | 99 ++++++++++++++++++++++++++++-------------------------- 2 files changed, 54 insertions(+), 50 deletions(-) diff --git a/Dockerfile b/Dockerfile index 047dd75..fa6374e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,6 @@ -ARG DOCKERHUB_REGISTRY=docker.io -FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.11 as kics-env +ARG DOCKERHUB_REGISTRY + +FROM ${DOCKERHUB_REGISTRY}:v2.1.11 as kics-env FROM cgr.dev/chainguard/wolfi-base:latest diff --git a/action.yml b/action.yml index b793b3f..15916ff 100644 --- a/action.yml +++ b/action.yml @@ -7,28 +7,19 @@ inputs: default: ${{github.token}} enable_annotations: required: false - default: "true" description: "Enable annotations report" enable_comments: required: false - default: "false" description: "Enable pull request report comments" enable_jobs_summary: required: false - default: "false" description: "Enable report as jobs summary" comments_with_queries: required: false - default: "false" description: "Add queries in th pull request report comments (available when enable_comments = true)" excluded_column_for_comments_with_queries: required: false - default: "description_id,similarity_id,search_line,search_value" description: "Excluded columns for the comment with queries, accepts a comma separated list" - dockerhub_registry: - description: "Override the Docker Hub registry (default: docker.io)" - required: false - default: "docker.io" path: description: "paths to a file or directories to scan, accepts a comma separated list" required: true 
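Review bot: `ARG DOCKERHUB_REGISTRY` now has no default and is used as the entire repository path in `FROM ${DOCKERHUB_REGISTRY}:v2.1.11 as kics-env`, so a build that omits `--build-arg DOCKERHUB_REGISTRY=…` expands to `FROM :v2.1.11`, an invalid image reference, and the name no longer describes the value (the matching input default in this patch is `checkmarx/kics`, a repository rather than a registry). Keeping the repository fixed in the Dockerfile and letting the argument select only the registry — `ARG DOCKERHUB_REGISTRY=docker.io` / `FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.11 AS kics-env`, which 6/9 restores — means an override can redirect to a mirror but cannot quietly substitute a different repository for the scanner image.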
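Review bot: Removing `default: "true"` from `enable_annotations`, `default: "false"` from the three other toggles and the `excluded_column_for_comments_with_queries` default means those inputs arrive in the container as empty strings whenever the caller omits them, a behaviour change for existing workflows that relied on annotations being on and the exclusion list being populated; whether entrypoint.sh treats an empty `INPUT_ENABLE_ANNOTATIONS` the same as `"true"` is not visible in this patch. The defaults come back in 5/9, so this commit alone leaves an intermediate state that anyone bisecting should be aware of. The `inputs:` block continues outside this hunk.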
@@ -107,46 +98,58 @@ inputs: cloud_provider: description: "list of cloud providers to scan (alicloud, aws, azure, gcp)" required: false + dockerhub_registry: + description: "The Docker registry for the KICS base image. Overridden for private registries." + required: false + default: 'checkmarx/kics' branding: icon: "shield" color: "green" runs: - using: "docker" - image: Dockerfile - env: - INPUT_TOKEN: ${{ inputs.token }} - INPUT_OUTPUT_PATH: ${{ inputs.output_path }} - INPUT_ENABLE_ANNOTATIONS: ${{ inputs.enable_annotations }} - INPUT_ENABLE_COMMENTS: ${{ inputs.enable_comments }} - INPUT_ENABLE_JOBS_SUMMARY: ${{ inputs.enable_jobs_summary }} - INPUT_COMMENTS_WITH_QUERIES: ${{ inputs.comments_with_queries }} - INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES: ${{ inputs.excluded_column_for_comments_with_queries }} - INPUT_OUTPUT_FORMATS: ${{ inputs.output_formats }} - WORKSPACE_PATH: $GITHUB_WORKSPACE - args: - - DOCKERHUB_REGISTRY=${{ inputs.dockerhub_registry }} - - ${{ inputs.path }} - - ${{ inputs.fail_on }} - - ${{ inputs.timeout }} - - ${{ inputs.profiling }} - - ${{ inputs.config }} - - ${{ inputs.platform_type }} - - ${{ inputs.exclude_paths }} - - ${{ inputs.exclude_queries }} - - ${{ inputs.include_queries }} - - ${{ inputs.exclude_categories }} - - ${{ inputs.exclude_results }} - - ${{ inputs.exclude_severities }} - - ${{ inputs.exclude_gitignore}} - - ${{ inputs.output_formats }} - - ${{ inputs.output_path }} - - ${{ inputs.payload_path }} - - ${{ inputs.queries }} - - ${{ inputs.verbose }} - - ${{ inputs.bom }} - - ${{ inputs.ignore_on_exit }} - - ${{ inputs.disable_secrets }} - - ${{ inputs.disable_full_descriptions }} - - ${{ inputs.libraries_path }} - - ${{ inputs.secrets_regexes_path}} - - ${{ inputs.cloud_provider}} \ No newline at end of file + using: "composite" + steps: + - name: Build KICS Action Image + shell: bash + run: docker build --build-arg DOCKERHUB_REGISTRY=${{ inputs.dockerhub_registry }} -t kics-action:latest "${{ 
github.action_path }}" + + - name: Run KICS Scan + shell: bash + run: | + docker run --name kics-scan \ + -v "${{ github.workspace }}":"${{ github.workspace }}" \ + -w "${{ github.workspace }}" \ + -e GITHUB_WORKSPACE="${{ github.workspace }}" \ + -e GITHUB_EVENT_PATH="${{ github.event_path }}" \ + -e INPUT_TOKEN="${{ inputs.token }}" \ + -e INPUT_ENABLE_ANNOTATIONS="${{ inputs.enable_annotations }}" \ + -e INPUT_ENABLE_COMMENTS="${{ inputs.enable_comments }}" \ + -e INPUT_ENABLE_JOBS_SUMMARY="${{ inputs.enable_jobs_summary }}" \ + -e INPUT_COMMENTS_WITH_QUERIES="${{ inputs.comments_with_queries }}" \ + -e INPUT_EXCLUDED_COLUMNS_FOR_COMMENTS_WITH_QUERIES="${{ inputs.excluded_column_for_comments_with_queries }}" \ + -e INPUT_PATH="${{ inputs.path }}" \ + -e INPUT_IGNORE_ON_EXIT="${{ inputs.ignore_on_exit }}" \ + -e INPUT_FAIL_ON="${{ inputs.fail_on }}" \ + -e INPUT_TIMEOUT="${{ inputs.timeout }}" \ + -e INPUT_PROFILING="${{ inputs.profiling }}" \ + -e INPUT_CONFIG_PATH="${{ inputs.config_path }}" \ + -e INPUT_PLATFORM_TYPE="${{ inputs.platform_type }}" \ + -e INPUT_EXCLUDE_PATHS="${{ inputs.exclude_paths }}" \ + -e INPUT_EXCLUDE_QUERIES="${{ inputs.exclude_queries }}" \ + -e INPUT_EXCLUDE_CATEGORIES="${{ inputs.exclude_categories }}" \ + -e INPUT_EXCLUDE_RESULTS="${{ inputs.exclude_results }}" \ + -e INPUT_EXCLUDE_SEVERITIES="${{ inputs.exclude_severities }}" \ + -e INPUT_EXCLUDE_GITIGNORE="${{ inputs.exclude_gitignore }}" \ + -e INPUT_OUTPUT_FORMATS="${{ inputs.output_formats }}" \ + -e INPUT_OUTPUT_PATH="${{ inputs.output_path }}" \ + -e INPUT_PAYLOAD_PATH="${{ inputs.payload_path }}" \ + -e INPUT_QUERIES="${{ inputs.queries }}" \ + -e INPUT_SECRETS_REGEXES_PATH="${{ inputs.secrets_regexes_path }}" \ + -e INPUT_LIBRARIES_PATH="${{ inputs.libraries_path }}" \ + -e INPUT_DISABLE_FULL_DESCRIPTIONS="${{ inputs.disable_full_descriptions }}" \ + -e INPUT_DISABLE_SECRETS="${{ inputs.disable_secrets }}" \ + -e INPUT_TYPE="${{ inputs.type }}" \ + -e INPUT_VERBOSE="${{ 
inputs.verbose }}" \ + -e INPUT_INCLUDE_QUERIES="${{ inputs.include_queries }}" \ + -e INPUT_BOM="${{ inputs.bom }}" \ + -e INPUT_CLOUD_PROVIDER="${{ inputs.cloud_provider }}" \ + kics-action:latest \ No newline at end of file From 84429c32014ae26b09e349dc413504431be1696c Mon Sep 17 00:00:00 2001 From: derrick Date: Thu, 24 Jul 2025 10:14:56 +0100 Subject: [PATCH 5/9] defaults --- action.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/action.yml b/action.yml index 15916ff..93681f3 100644 --- a/action.yml +++ b/action.yml @@ -1,3 +1,4 @@ +# action.yml name: "KICS Github Action" description: "Run KICS scan against IaC projects" inputs: @@ -7,18 +8,23 @@ inputs: default: ${{github.token}} enable_annotations: required: false + default: "true" description: "Enable annotations report" enable_comments: required: false + default: "false" description: "Enable pull request report comments" enable_jobs_summary: required: false + default: "false" description: "Enable report as jobs summary" comments_with_queries: required: false + default: "false" description: "Add queries in th pull request report comments (available when enable_comments = true)" excluded_column_for_comments_with_queries: required: false + default: "description_id,similarity_id,search_line,search_value" description: "Excluded columns for the comment with queries, accepts a comma separated list" path: description: "paths to a file or directories to scan, accepts a comma separated list" From cf12485c0fc1461e8a398968c34193328aea12a3 Mon Sep 17 00:00:00 2001 From: derrick Date: Thu, 24 Jul 2025 11:41:11 +0100 Subject: [PATCH 6/9] update build arg --- Dockerfile | 5 ++--- action.yml | 1 - 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index fa6374e..047dd75 100644 --- a/Dockerfile +++ b/Dockerfile 
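Review bot: Every `${{ inputs.… }}` inside the `run:` scripts of both new steps — `--build-arg DOCKERHUB_REGISTRY=${{ inputs.dockerhub_registry }}` in the build step and the long list of `-e INPUT_…="${{ inputs.… }}"` flags in the scan step — is substituted into the script text before bash parses it, so an input value containing `"`, `;` or `$(…)` becomes part of the command rather than data; the quotes that 8/9 adds around the build-arg do not change this, because the substitution happens before the shell ever sees them. The robust form, which GitHub's own guidance on script injection recommends, is to map each input to a step-level `env:` entry and reference it from the script as `"$VAR"`; for this action that matters whenever a caller feeds PR-controlled strings (titles, changed-file lists) into `path`, `exclude_paths` or similar. Two smaller issues in the scan step: `docker run --name kics-scan` has no `--rm`, so on a self-hosted or reused runner a second invocation fails with a container-name conflict and the previous container lingers, and `inputs.config_path` / `inputs.type` are not among the inputs visible in this patch (the removed `args` list used `inputs.config`), so unless they are declared elsewhere they expand to empty strings. Inferred, not visible: the old `WORKSPACE_PATH` variable is no longer set, so entrypoint.sh must now read `GITHUB_WORKSPACE` instead.
```yaml
    - name: Build KICS Action Image
      shell: bash
      env:
        DOCKERHUB_REGISTRY: ${{ inputs.dockerhub_registry }}
      run: docker build --build-arg DOCKERHUB_REGISTRY="$DOCKERHUB_REGISTRY" -t kics-action:latest "$GITHUB_ACTION_PATH"

    - name: Run KICS Scan
      shell: bash
      env:
        INPUT_TOKEN: ${{ inputs.token }}
        INPUT_PATH: ${{ inputs.path }}
        # … one env entry per remaining INPUT_* variable, same pattern …
      run: |
        docker run --rm --name kics-scan \
          -v "$GITHUB_WORKSPACE":"$GITHUB_WORKSPACE" \
          -w "$GITHUB_WORKSPACE" \
          -e GITHUB_WORKSPACE -e GITHUB_EVENT_PATH \
          -e INPUT_TOKEN -e INPUT_PATH \
          kics-action:latest
        # … remaining INPUT_* variables are passed by name with -e, exactly like INPUT_TOKEN …
```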
@@ -1,6 +1,5 @@ -ARG DOCKERHUB_REGISTRY - -FROM ${DOCKERHUB_REGISTRY}:v2.1.11 as kics-env +ARG DOCKERHUB_REGISTRY=docker.io +FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.11 as kics-env FROM cgr.dev/chainguard/wolfi-base:latest diff --git a/action.yml b/action.yml index 93681f3..b49827b 100644 --- a/action.yml +++ b/action.yml @@ -107,7 +107,6 @@ inputs: dockerhub_registry: description: "The Docker registry for the KICS base image. Overridden for private registries." required: false - default: 'checkmarx/kics' branding: icon: "shield" color: "green" From c940a77fb3ecb1ebbe41a1cb14daeb959061dc7b Mon Sep 17 00:00:00 2001 From: derrick Date: Thu, 24 Jul 2025 12:02:45 +0100 Subject: [PATCH 7/9] give default to input --- action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/action.yml b/action.yml index b49827b..21e88bd 100644 --- a/action.yml +++ b/action.yml @@ -107,6 +107,7 @@ inputs: dockerhub_registry: description: "The Docker registry for the KICS base image. Overridden for private registries." required: false + default: 'docker.io' branding: icon: "shield" color: "green" From b8e09e49e3c030a6704fefb9a0955fb79f54fbae Mon Sep 17 00:00:00 2001 From: Kieran Smith Date: Wed, 30 Jul 2025 17:23:52 +0100 Subject: [PATCH 8/9] fix: Fix default dockerhub_registry string --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 21e88bd..42e0319 100644 --- a/action.yml +++ b/action.yml @@ -107,7 +107,7 @@ inputs: dockerhub_registry: description: "The Docker registry for the KICS base image. Overridden for private registries." required: false - default: 'docker.io' + default: "docker.io" branding: icon: "shield" color: "green" 
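Review bot: Dropping `default: 'checkmarx/kics'` without a registry default in its place leaves `dockerhub_registry` empty when the caller omits it, and the build step (outside this hunk, added in 4/9) passes `--build-arg DOCKERHUB_REGISTRY=` unconditionally; an explicitly empty build argument takes precedence over the `ARG DOCKERHUB_REGISTRY=docker.io` default that the Dockerfile hunk above restores, so `FROM` expands to `/checkmarx/kics:v2.1.11` and the build fails for every default invocation. 7/9 adds `default: 'docker.io'` back, which resolves this. The description `Overridden for private registries.` would also read more accurately as `Set this to pull the KICS base image through a private registry or mirror instead of docker.io.`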
@@ -116,7 +116,7 @@ runs: steps: - name: Build KICS Action Image shell: bash - run: docker build --build-arg DOCKERHUB_REGISTRY=${{ inputs.dockerhub_registry }} -t kics-action:latest "${{ github.action_path }}" + run: docker build --build-arg DOCKERHUB_REGISTRY="${{ inputs.dockerhub_registry }}" -t kics-action:latest "${{ github.action_path }}" - name: Run KICS Scan shell: bash From 2351a50f40b077bc1132bdae2a878010a1804e1b Mon Sep 17 00:00:00 2001 From: "snyk-io-eu[bot]" <151849532+snyk-io-eu[bot]@users.noreply.github.com> Date: Fri, 1 Aug 2025 21:34:30 +0000 Subject: [PATCH 9/9] fix: upgrade @actions/exec from 1.1.0 to 1.1.1 Snyk has created this PR to upgrade @actions/exec from 1.1.0 to 1.1.1. See this package in npm: @actions/exec See this project in Snyk: https://app.eu.snyk.io/org/security/project/6c831a2f-19f7-4543-a7d0-58e6c8f72903?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr --- package-lock.json | 15 ++++++++------- package.json | 2 +- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/package-lock.json b/package-lock.json index a6131cf..5c2ee0d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -10,7 +10,7 @@ "license": "GNU GENERAL PUBLIC LICENSE", "dependencies": { "@actions/core": "^1.10.1", - "@actions/exec": "^1.1.0", + "@actions/exec": "^1.1.1", "@actions/github": "^5.0.0", "@actions/io": "^1.1.1", "@actions/tool-cache": "^2.0.1", @@ -41,9 +41,10 @@ } }, "node_modules/@actions/exec": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.0.tgz", - "integrity": "sha512-LImpN9AY0J1R1mEYJjVJfSZWU4zYOlEcwSTgPve1rFQqK5AwrEs6uWW5Rv70gbDIQIAUwI86z6B+9mPK4w9Sbg==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", + "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", + "license": "MIT", "dependencies": { "@actions/io": "^1.0.1" } 
@@ -378,9 +379,9 @@ } }, "@actions/exec": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.0.tgz", - "integrity": "sha512-LImpN9AY0J1R1mEYJjVJfSZWU4zYOlEcwSTgPve1rFQqK5AwrEs6uWW5Rv70gbDIQIAUwI86z6B+9mPK4w9Sbg==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", + "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", "requires": { "@actions/io": "^1.0.1" } diff --git a/package.json b/package.json index 7b04ac0..f6f76b4 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "homepage": "https://github.com/Checkmarx/kics-github-action#readme", "dependencies": { "@actions/core": "^1.10.1", - "@actions/exec": "^1.1.0", + "@actions/exec": "^1.1.1", "@actions/github": "^5.0.0", "@actions/io": "^1.1.1", "@actions/tool-cache": "^2.0.1",