bridgecrewio/checkov-action

[](https://bridge.dev/2WBms5Q) [](https://slack.bridgecrew.io/) # Checkov GitHub Action 此 GitHub Action 对基础设施即代码、开源软件包、容器镜像和 CI/CD 配置运行 [Checkov](https://github.com/bridgecrewio/checkov)，以识别错误配置、漏洞和许可证合规性问题。 ## IaC 和 SCA 的示例用法 ``` name: checkov # 控制工作流的运行时机 on: # Triggers the workflow on push or pull request events but only for the "main" branch push: branches: [ "main", "master" ] pull_request: branches: [ "main", "master" ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: # 工作流运行由一个或多个作业组成，这些作业可以顺序或并行运行 jobs: # This workflow contains a single job called "scan" scan: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status # The type of runner that the job will run on runs-on: ubuntu-latest # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it - uses: actions/checkout@v3 - name: Checkov GitHub Action uses: bridgecrewio/checkov-action@v12 with: # This will add both a CLI output to the console and create a results.sarif file output_format: cli,sarif output_file_path: console,results.sarif - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 # Results are generated only on a success or failure # this is required since GitHub by default won't run the next step # when the previous one has failed. Security checks that do not pass will 'fail'. # An alternative is to add `continue-on-error: true` to the previous step # Or 'soft_fail: true' to checkov. if: success() || failure() with: sarif_file: results.sarif ``` ## “with” 块中选项/环境变量的示例用法 ``` on: [push] jobs: checkov-job: runs-on: ubuntu-latest name: checkov-action steps: - name: Checkout repo uses: actions/checkout@master - name: Run Checkov action id: checkov uses: bridgecrewio/checkov-action@master with: directory: example/ file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided. check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list quiet: true # optional: display only failed checks soft_fail: true # optional: do not return an error code if there are failed checks framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all} skip_framework: terraform # optional: skip a specific infrastructure {cloudformation,terraform,kubernetes,all} skip_cve_package: CVE_2019_8331 # optional: skip a specific CVE package in SCA scans, can be comma separated list output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif output_file_path: reports/results.sarif # folder and name of results file output_bc_ids: true # optional: output Bridgecrew platform IDs instead of checkov IDs download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry repo_root_for_plan_enrichment: example/ #optional: Directory containing the hcl code used to generate a given terraform plan file. Use together with `file` var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans. log_level: DEBUG # optional: set log level. Default WARNING config_file: path/this_file baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline. container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues use_enforcement_rules: true # optional - use enforcement rule configs from the platform ``` ## 容器镜像的示例用法 ``` on: [push] env: IMAGE_NAME: ${{ github.repository }}:${{ github.sha }} IMAGE_PATH: /path/ jobs: checkov-image-scan: runs-on: ubuntu-latest name: checkov-image-scan steps: - name: Checkout repo uses: actions/checkout@master - name: Build the image run: docker build -t ${{ env.IMAGE_NAME }} ${{ env.IMAGE_PATH }} - name: Run Checkov action id: checkov uses: bridgecrewio/checkov-action@master with: quiet: true # optional: display only failed checks soft_fail: true # optional: do not return an error code if there are failed checks log_level: DEBUG # optional: set log level. Default WARNING docker_image: ${{ env.IMAGE_NAME }} # define the name of the image to scan dockerfile_path: ${{ format('{0}/Dockerfile', env.IMAGE_PATH) }} # path to the Dockerfile container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues api-key: ${{ secrets.BC_API_KEY }} # Bridgecrew API key stored as a GitHub secret ``` 请注意此示例使用的是最新版本（`master`），但你也可以使用静态版本（例如 `v3`）。 此外，指定给 `--check` 和 `--skip-check` 的检查 ID 必须互斥。 ## 私有 Terraform 模块的示例用法 为了让 `checkov` 能够下载私有 GitHub 模块，你需要传递一个具有所需权限的有效 GitHub PAT。 ``` on: [push] jobs: checkov-job: runs-on: ubuntu-latest name: checkov-action steps: - name: Checkout repo uses: actions/checkout@master - name: Run Checkov action id: checkov uses: bridgecrewio/checkov-action@master with: directory: . soft_fail: true download_external_modules: true github_pat: ${{ secrets.GH_PAT }} env: GITHUB_OVERRIDE_URL: true # optional: this can be used to instruct the action to override the global GIT config to inject the PAT to the URL ```

标签：Bridgecrew, DevSecOps, EC2, GitHub Action, IaC, LNA, SARIF, 上游代理, 子域名突变, 安全扫描, 容器镜像扫描, 开源软件合规, 持续安全, 时序注入, 结构化查询, 自动化安全, 许可证合规, 请求拦截, 软件供应链安全, 远程方法调用, 逆向工具, 配置检查, 静态应用安全测试