Add code for analyze-code-security-scc action (#2)

Adding code for analyze-code-security-scc action. Currently intergration
tests, unit tests are not added, will add those later.

---------

Co-authored-by: Adish Agarwal <[email protected]>
Co-authored-by: Seth Vargo <[email protected]>

Author: 3 people

.eslintrc.js

@@ -0,0 +1,15 @@
+module.exports = {
+  root: true,
+  parser: '@typescript-eslint/parser',
+  plugins: ['@typescript-eslint'],
+  extends: [
+    'eslint:recommended',
+    'plugin:@typescript-eslint/eslint-recommended',
+    'plugin:@typescript-eslint/recommended',
+    'plugin:prettier/recommended',
+  ],
+
+  rules: {
+    '@typescript-eslint/no-explicit-any': 'off',
+  },
+};

.github/dependabot.yml

@@ -0,0 +1,24 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 2
+updates:
+  - package-ecosystem: 'npm'
+    directory: '/'
+    rebase-strategy: 'disabled'
+    schedule:
+      interval: 'daily'
+    commit-message:
+      prefix: 'security: '
+    open-pull-requests-limit: 0 # only check security updates

.github/workflows/draft-release.yml

@@ -0,0 +1,38 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'Draft release'
+
+on:
+  workflow_dispatch:
+    inputs:
+      version_strategy:
+        description: 'Version strategy: The strategy to used to update the version based on semantic versioning (more info at https://semver.org/).'
+        required: true
+        default: 'patch'
+        type: 'choice'
+        options:
+          - 'major'
+          - 'minor'
+          - 'patch'
+
+jobs:
+  draft-release:
+    name: 'Draft release'
+    uses: 'google-github-actions/.github/.github/workflows/draft-release.yml@v0'
+    with:
+      version_strategy: '${{ github.event.inputs.version_strategy }}'
+    # secrets must be explicitly passed to reusable workflows https://docs.github.com/en/enterprise-cloud@latest/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow
+    secrets:
+      ACTIONS_BOT_TOKEN: '${{ secrets.ACTIONS_BOT_TOKEN }}'

.github/workflows/release.yml

@@ -0,0 +1,27 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'Release'
+
+on:
+  push:
+    branches:
+      - 'main'
+      - 'release/**/*'
+
+jobs:
+  release:
+    if: "startsWith(github.event.head_commit.message, 'Release: v')"
+    name: 'Release'
+    uses: 'google-github-actions/.github/.github/workflows/release.yml@v0'

.github/workflows/test.yml

@@ -0,0 +1,57 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'Test'
+
+on:
+  push:
+    branches:
+      - 'main'
+      - 'release/**/*'
+  pull_request:
+    branches:
+      - 'main'
+      - 'release/**/*'
+  workflow_dispatch:
+
+concurrency:
+  group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: 'bash'
+
+jobs:
+  unit:
+    name: 'unit'
+    runs-on: 'ubuntu-latest'
+
+    steps:
+      - uses: 'actions/checkout@v4'
+
+      - uses: 'actions/setup-node@v4'
+        with:
+          node-version: '20.x'
+
+      - name: 'npm build'
+        run: 'npm ci && npm run build'
+
+      - name: 'npm lint'
+        run: 'npm run lint'
+
+      - name: 'npm test'
+        run: 'npm run test'
+
+## TODO : Add functionality specific test

.gitignore

@@ -0,0 +1,45 @@
+node_modules/
+runner/
+
+# Rest of the file pulled from https://github.com/github/gitignore/blob/main/Node.gitignore
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# TypeScript v1 declaration files
+typings/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz

.prettierrc.js

@@ -0,0 +1,13 @@
+module.exports = {
+  arrowParens: 'always',
+  bracketSpacing: true,
+  endOfLine: 'auto',
+  jsxSingleQuote: true,
+  printWidth: 100,
+  quoteProps: 'consistent',
+  semi: true,
+  singleQuote: true,
+  tabWidth: 2,
+  trailingComma: 'all',
+  useTabs: false,
+};

CHANGELOG.md

@@ -0,0 +1,2 @@
+# Changelog
+Changelogs for each release are located on the [releases page](https://github.com/google-github-actions/analyze-code-security-scc/releases).

README.md

@@ -1 +1,129 @@
-# analyze-code-security-scc
+# analyze-code-security-scc
+
+## Description
+
+This Github Action scans Infrastructure as Code (IaC) files for security risks. When a scan finds violations, this action will write the report in SARIF format to the workspace.
+Currently only terraform plan files are supported for scanning.
+
+## Prerequisites
+
+-   This action requires a service account which have **Security Posture
+    Shift-Left Validator or Security Posture Admin** Role on the Google Cloud
+    organization to which IaC resources belong's. See
+    [Authorization](#authorization) for more information.
+
+-   This action runs using Node 20. If you are using self-hosted GitHub Actions
+    runners, you must use a [runner
+    version](https://github.com/actions/virtual-environments) that supports this
+    version or newer.
+
+## Usage
+
+```yaml
+jobs:
+  job_id:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    steps:
+    - id: 'auth'
+      uses: 'google-github-actions/auth@v2'
+      with:
+        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+        service_account: '[email protected]'
+
+    - id: 'analyze-code-security-scc'
+      uses: 'google-github-actions/analyze-code-security-scc@v1'
+      with:
+        organization_id: '123456789'
+        scan_file_ref: './tf_plan.json'
+        iac_type: 'terraform'
+        iac_version: '1.0.0'
+        scan_timeout: '1m'
+        ignore_violations: false
+        failure_criteria: 'High:1,Medium:1,Low:1,Operator:or'
+        fail_silently: true
+
+    - if: ${{ steps.analyze-code-security-scc.outputs.iac_scan_result_sarif_path != '' }}
+        uses: 'actions/upload-artifact@v4'
+        with:
+          name: 'sarif'
+          path: '${{ steps.analyze-code-security-scc.outputs.iac_scan_result_sarif_path }}'
+```
+
+## Inputs
+
+-   `organization_id`: (Required) ID of the Google Cloud organization which owns
+    resources under modification.
+
+-   `scan_file_ref`: (Required) Absolute file path including file name where the
+    IaC file is stored in the workspace. Examples: 'tf_plan.json',
+    'artifacts/tf_plan.json'.
+
+-   `iac_type`: (Required) IaC template type. Currently only Terraform is
+    supported.
+
+-   `iac_version`: (Required) IaC template version. Examples: '1.6.6', '1.6.5'.
+
+-   `scan_timeout`: (Optional) Max time upto which action should run, should be
+    between '1m' and '10m'. Default: 1m.
+
+-   `ignore_violations`: (Optional) If set to true, violations found in IaC file
+    will be ignored to determine build status. Although violations will not be
+    ignored to generate SARIF report and determining iac_scan_result. Default:
+    false.
+
+-   `failure_criteria`: (Optional) Failure criteria evaluates workflow build
+    status. It contains threshold for count of critical, high, medium, and low
+    severity issues and `AND/OR` based aggregator to evaluate the criteria. The
+    threshold for each severity is evaluated against count of issues with
+    similar severity in IaC scan result and then severity level evaluations are
+    aggregated using `AND\OR` to arrive at failure_criteria value.
+
+    If `failure_criteria` evaluates to true, workflow is marked as `FAILED` otherwise workflow is marked as `SUCCESS`. Default: "Critical:1, High:1, Medium:1, Low:1, Operator:or".
+
+-   `fail_silently`: (Optional) If set to true, workflow will not fail in case
+    of any internal error including invalid credentials and plugin dependency
+    failure. Note: Action will always fail in case of any input validation
+    failure. Default: false.
+
+## Outputs
+
+-   `iac_scan_result`: Security Scan Result. One of:
+
+    1.  `passed` - no violations found or the `failure_criteria` was not
+        satisfied.
+    2.  `failed` - `failure_criteria` was satisfied.
+    3.  `error` - Action ran into execution error, generally due to
+        misconfiguration or invalid credentials.
+
+-   `iac_scan_result_sarif_path`: Path for the SARIF Report file. This is only
+    available when violations are found in the scan file.
+
+## Authorization
+
+Use [google-github-actions/auth](https://github.com/google-github-actions/auth)
+to authenticate the action. You can use [Workload Identity Federation][wif] or
+traditional [Service Account Key JSON][sa] authentication.
+
+```yaml
+jobs:
+  job_id:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    steps:
+    - id: 'auth'
+      uses: 'google-github-actions/auth@v2'
+      with:
+        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+        service_account: '[email protected]'
+
+    - id: 'analyze-code-security-scc'
+      uses: 'google-github-actions/analyze-code-security-scc@v1'
+```
+
+[sa]: https://cloud.google.com/iam/docs/creating-managing-service-accounts
+[wif]: https://cloud.google.com/iam/docs/workload-identity-federation