Create prisma-analysis.yml
parent
57ad1f5336
commit
14dd14c754
49
.github/workflows/prisma-analysis.yml
vendored
Normal file
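--- /dev/null
+++ b/.github/workflows/prisma-analysis.yml
@@ -0,0 +1,49 @@
+# A sample workflow that checks for security issues using
+# the Prisma Cloud Infrastructure as Code Scan Action on
+# the IaC files present in the repository.
+# The results are uploaded to GitHub Security Code Scanning
+#
+# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action
+
+name: Prisma Cloud IaC Scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '41 19 * * 6'
+
+jobs:
+  prisma_cloud_iac_scan:
+    runs-on: ubuntu-latest
+    name: Run Prisma Cloud IaC Scan to check
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - id: iac-scan
+        name: Run Scan on CFT files in the repository
+        uses: prisma-cloud-shiftleft/iac-scan-action@v1
+        with:
+          # You will need Prisma Cloud API Access Token
+          # More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action
+          prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }}
+          access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
+          secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
+          # Scan sources on Prisma Cloud are uniquely identified by their name
+          asset_name: 'my-asset-name'
+          # The service need to know the type of IaC being scanned
+          template_type: 'CFT'
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v1
+        # Results are generated only on a success or failure
+        # this is required since GitHub by default won't run the next step
+        # when the previous one has failed.
+        # And alternative it to add `continue-on-error: true` to the previous step
+        if: success() || failure()
+        with:
+          # The SARIF Log file name is configurable on scan action
+          # therefore the file name is best read from the steps output
+          sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }}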
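Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN runs with the repository default scope although the only write it needs is for the SARIF upload step at the end of the hunk; add, at workflow or job level, `permissions:` / `  contents: read` / `  security-events: write` so the token is limited to what `upload-sarif` requires. The three `uses:` references (`actions/checkout@v2`, `prisma-cloud-shiftleft/iac-scan-action@v1`, `github/codeql-action/upload-sarif@v1`) are mutable tags, and since the scan step is handed `PRISMA_CLOUD_ACCESS_KEY` and `PRISMA_CLOUD_SECRET_KEY`, pinning each to a full commit SHA (with the tag kept as a trailing comment) would keep a re-tagged release from silently receiving those secrets. The `pull_request` trigger will presumably run for fork PRs where repository secrets are not available, so the scan step likely fails there and the `if: success() || failure()` upload then runs with no SARIF; a comment noting that expectation, or restricting the trigger, would make the behaviour deliberate. `asset_name: 'my-asset-name'` is still the template placeholder and should be set to a name that identifies this repository in Prisma Cloud.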