diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml new file mode 100644 index 00000000..eaf04dee --- /dev/null +++ b/.github/workflows/kics.yml @@ -0,0 +1,37 @@ +name: kics + +on: + pull_request: + branches: [main] + paths: + - 'charts/**' + - '.github/workflows/kics.yml' + push: + branches: [main] + paths: + - 'charts/**' + - '.github/workflows/kics.yml' + +permissions: + security-events: write + +jobs: + kics: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Run KICS Scan + uses: checkmarx/kics-github-action@530ac1f8efe6202b0f12c9a6e952597ae707b755 # v2.1.2 + with: + path: 'charts' + ignore_on_exit: results + output_path: report-dir/ + output_formats: 'sarif' + token: ${{ secrets.GITHUB_TOKEN }} + enable_jobs_summary: true + platform_type: 'kubernetes' + disable_secrets: true + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@323f5ef653b88011bf10e9a0a56d70d742463c9a # v3.26.8 + with: + sarif_file: report-dir/results.sarif