You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+43-13Lines changed: 43 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -82,42 +82,72 @@ jobs:
82
82
83
83
## Inputs
84
84
85
+
<!-- BEGIN_AUTOGEN_INPUTS -->
85
86
86
-
* `organization_id`: (Required) The Google Cloud organization ID for the organization which includes the resources that you want to modify.
87
+
- <a name="organization_id"></a><a href="#user-content-organization_id"><code>organization_id</code></a>: _(Required)_ Google Cloud organization ID for the organization which includes the
88
+
resources that you want to modify.
87
89
90
+
- <a name="scan_file_ref"></a><a href="#user-content-scan_file_ref"><code>scan_file_ref</code></a>: _(Required)_ Path to a file, relative to the local workspace, for the IaC file to scan.
91
+
For example:
88
92
89
-
* `scan_file_ref`: (Required) The absolute file path, including the file name, for the IaC file in the workspace. For example: './tf_plan.json', or './artifacts/tf_plan.json'.
93
+
./tf_plan.json
90
94
95
+
or
91
96
92
-
* `iac_type`: (Required) The IaC template type. Currently only Terraform is supported.
97
+
./artifacts/tf_plan.json
93
98
99
+
- <a name="iac_type"></a><a href="#user-content-iac_type"><code>iac_type</code></a>: _(Required, default: `terraform`)_ IaC template type. Currently only `terraform` is supported.
94
100
95
-
* `scan_time_out`: (Optional) The maximum time before the action stops. The time must be between '1m' and '10m'. The default is `1m`.
101
+
- <a name="scan_timeout"></a><a href="#user-content-scan_timeout"><code>scan_timeout</code></a>: _(Optional, default: `1m`)_ Maximum time before the scanning stops. This is specified as a time
102
+
duration value, such as "1m" or "5s". The value must be between "1m" and
103
+
"10m".
96
104
105
+
- <a name="ignore_violations"></a><a href="#user-content-ignore_violations"><code>ignore_violations</code></a>: _(Optional)_ Whether violations found in IaC file should be ignored when determining
106
+
the build status. This input does not apply to violations that are related
107
+
to generating SARIF reports and determining the `iac_scan_result`.
97
108
98
-
* `ignore_violations`: (Optional) Whether violations found in IaC file should be ignored when determining the build status. This input doesn’t apply to violations that are related to generating SARIF reports and determining the `iac_scan_result`. The default is `false`.
109
+
- <a name="failure_criteria"></a><a href="#user-content-failure_criteria"><code>failure_criteria</code></a>: _(Optional, default: `Critical:1, High:1, Medium:1, Low:1, Operator:OR`)_ Ffailure criteria that determines the workflow build status. You can set a
110
+
threshold for the number of critical, high, medium, and low severity
111
+
issues and use an aggregator (either `and` or `or`) to evaluate the
112
+
criteria.
99
113
114
+
To determine whether a build has failed, the threshold for each severity
115
+
is evaluated against the count of issues with that severity in the IaC
116
+
scan results and then severity level evaluations are aggregated using
117
+
`AND`or `OR` to arrive at `failure_criteria` value.
100
118
101
-
* `failure_criteria`: (Optional) The failure criteria that determines the workflow build status. You can set a threshold for the number of critical, high, medium, and low severity issues and use an aggregator (either `and` or `or`) to evaluate the criteria. To determine whether a build has failed, the threshold for each severity is evaluated against the count of issues with that severity in the IaC scan results and then severity level evaluations are aggregated using `AND` or `OR` to arrive at `failure_criteria` value.
119
+
If the `failure_criteria` evaluates to `true`, the workflow is marked as
120
+
`FAILED`. Otherwise, the workflow is marked as `SUCCESS`.
102
121
122
+
- <a name="fail_silently"></a><a href="#user-content-fail_silently"><code>fail_silently</code></a>: _(Optional)_ If set to true, the workflow will not fail in case of any internal error
123
+
including invalid credentials and plugin dependency failure.
103
124
104
-
If the `failure_criteria` evaluates to `true`, the workflow is marked as `FAILED`. Otherwise, the workflow is marked as `SUCCESS`. The default is "Critical:1, High:1, Medium:1, Low:1, Operator:or".
125
+
Note: This GitHub Action will always fail in case of any input validation
126
+
errors.
105
127
106
128
107
-
* `fail_silently`: (Optional) Whether the workflow passes when an internal error (such as an invalid credential or plugin dependency failure) occurs. Note: The action always fails when the input is invalid. The default is `false`.
129
+
<!-- END_AUTOGEN_INPUTS -->
108
130
109
131
110
132
## Outputs
111
133
134
+
<!-- BEGIN_AUTOGEN_OUTPUTS -->
112
135
113
-
* `iac_scan_result`: The result of the security scan. One of:
114
-
1. `passed` - No violations were found or the `failure_criteria` was not satisfied.
115
-
2. `failed` - The `failure_criteria` was satisfied.
116
-
3. `error` - The action ran into an execution error, generally due to a misconfiguration or invalid credentials.
136
+
- `iac_scan_result`: The result of the security scan. One of:
117
137
138
+
- `passed`: No violations were found or the `failure_criteria` was not
139
+
satisfied.
118
140
119
-
* `iac_scan_result_sarif_path`: The path for the SARIF report file. This file is only available when violations are found in the scan file.
141
+
- `failed`: The `failure_criteria` was satisfied.
120
142
143
+
- `error`: The action ran into an execution error, generally due to a
144
+
misconfiguration or invalid credentials.
145
+
146
+
- `iac_scan_result_sarif_path`: Path for the SARIF report file. This file is only available when
0 commit comments