Zscaler IaC Scan #27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #This workflow uses actions that are not certified by GitHub. | |
| #They are provided by a third party and are governed by | |
| #separate terms of service, privacy policy, and support | |
| #documentation. | |
| #This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app, | |
| #which detects security misconfigurations in IaC templates and publishes the findings | |
| #under the code scanning alerts section within the repository. | |
| #Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process. | |
| #Copy the client ID and client secret key generated during the onboarding process and configure. | |
| #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). | |
| #Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. | |
| #Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation. | |
| name: Zscaler IaC Scan | |
| on: | |
| push: | |
| branches: [ "main", "Map" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| schedule: | |
| - cron: '19 16 * * 1' | |
| permissions: | |
| contents: read | |
| jobs: | |
| zscaler-iac-scan: | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name : Code Checkout | |
| uses: actions/checkout@v3 | |
| - name : Zscaler IAC Scan | |
| uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087 | |
| id : zscaler-iac-scan | |
| with: | |
| client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} | |
| client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} | |
| #This is the user region specified during the onboarding process within the ZPC Admin Portal. | |
| region : 'US' | |
| iac_dir : #Enter the IaC directory path from root. | |
| iac_file : #Enter the IaC file path from root. | |
| output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here. | |
| #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true. | |
| fail_build : #Enter true/false | |
| #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. | |
| - name: Upload SARIF file | |
| if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} |