forked from actions/starter-workflows
-
Notifications
You must be signed in to change notification settings - Fork 1
/
prisma.yml
61 lines (56 loc) · 2.54 KB
/
prisma.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# A sample workflow that checks for security issues using
# the Prisma Cloud Infrastructure as Code Scan Action on
# the IaC files present in the repository.
# The results are uploaded to GitHub Security Code Scanning
#
# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action
name: Prisma Cloud IaC Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
prisma_cloud_iac_scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
name: Run Prisma Cloud IaC Scan to check
steps:
- name: Checkout
uses: actions/checkout@v4
- id: iac-scan
name: Run Scan on CFT files in the repository
uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3
with:
# You will need Prisma Cloud API Access Token
# More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action
prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }}
access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
# Scan sources on Prisma Cloud are uniquely identified by their name
asset_name: 'my-asset-name'
# The service need to know the type of IaC being scanned
template_type: 'CFT'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed.
# And alternative it to add `continue-on-error: true` to the previous step
if: success() || failure()
with:
# The SARIF Log file name is configurable on scan action
# therefore the file name is best read from the steps output
sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }}