From d74f13cc0d80af5a8691ebe1060146c6e19e555a Mon Sep 17 00:00:00 2001
From: Nico Koprowski
Date: Wed, 29 May 2024 14:29:58 +0800
Subject: [PATCH] cicd: add kics scan to pull request checks

---
 .github/workflows/kics.yml | 26 +++++++------------------
 1 file changed, 7 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml
index 2702261ef..bfb915ded 100644
--- a/.github/workflows/kics.yml
+++ b/.github/workflows/kics.yml
@@ -17,20 +17,20 @@
 # SPDX-License-Identifier: Apache-2.0
 ################################################################################
 
-name: "KICS"
-
+name: "Perform KICS Scan"
 on:
   push:
     branches:
       - main
-      - rc/**
+      - 'release/**'
   schedule:
     - cron: "0 0 * * *"
   workflow_dispatch:
-
+  pull_request:
+    branches:
+      - main
 jobs:
-  analyze:
-    name: Analyze
+  scan:
     runs-on: ubuntu-latest
     permissions:
       actions: read
@@ -43,26 +43,14 @@ jobs:
       - name: KICS scan
         uses: checkmarx/kics-github-action@master
         with:
-          # Scanning directory .
           path: "./charts"
-          # Exclude paths from scan by providing the paths as comma separated list
-          # exclude_paths: "postgres-init.yaml,templates/sharedidp.yaml"
-          # Exclude queries by providing the query / rule ID as comma separated list
-          # exclude_queries: "b9c83569-459b-4110-8f79-6305aa33cb37"
-          # Fail on HIGH severity results
           fail_on: high
-          # Disable secrets detection - we use GitGuardian
           disable_secrets: true
-          # When provided with a directory on output_path
-          # it will generate the specified reports file named 'results.{extension}'
-          # in this example it will generate:
-          # - results-dir/results.json and results-dir/results.sarif
           output_path: kicsResults/
           output_formats: "json,sarif"
-          # Upload findings to GitHub Advanced Security Dashboard
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        if: always()
+        if: github.event_name != 'pull_request'
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: kicsResults/results.sarif
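Review bot: The new `pull_request` trigger only lists `main`, while the `push` trigger in the same hunk now also covers `'release/**'`, so a pull request opened against a release branch gets no KICS check and the misconfiguration is only caught after it has been merged and pushed. If release branches are meant to be protected by this scan as a PR gate, add the same pattern under `pull_request`: `branches:` / `  - main` / `  - 'release/**'`. The `permissions` block of the `scan` job continues outside the hunk; the SARIF upload step in the second hunk presumably needs `security-events: write` there, which cannot be confirmed from this diff.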
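Review bot: Replacing `if: always()` with `if: github.event_name != 'pull_request'` silently drops the "run even after failure" semantics on the upload step: when an `if` expression contains no status-check function, GitHub Actions implicitly prepends `success()`, so on a `push` or `schedule` run where the scan step fails because of `fail_on: high`, the SARIF upload is now skipped — exactly the run whose findings the Advanced Security dashboard should receive. Keep both conditions: `if: always() && github.event_name != 'pull_request'`. Skipping the upload on pull requests is reasonable since `fail_on: high` already fails the PR check and fork PRs lack the token scope for upload-sarif, but that intent is worth a one-line comment above the `if`, e.g. `# PR runs gate via fail_on; only push/schedule runs have the token scope to upload SARIF`. Separately, and pre-existing rather than new, the scan runs `checkmarx/kics-github-action@master`, a floating ref; now that the workflow also executes on every pull request, pinning it to a release tag or commit SHA would narrow the supply-chain exposure.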