Skip to content
Prisma Cloud Checks

Prisma Cloud All Checks #12

Sign in to view logs

Prisma Cloud All Checks

Prisma Cloud All Checks #12

Workflow file for this run

.github/workflows/scan.yaml at 48824dd
# vars.PCC_CONSOLE_URL
# vars.PRISMA_API_URL
# secrets.PC_ACCESS_KEY
# secrets.PC_SECRET_KEY
name: Prisma Cloud Checks
on:
pull_request:
push:
branches:
- main
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
env:
IMAGE_NAME: demo:latest
jobs:
build-and-scan-image:
name: Build & scan image
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write # For SARIF
steps:
- name: Check out the repository
uses: actions/checkout@v2
- name: Build the image
run: docker build -t $IMAGE_NAME .
- name: Container Image Scan
id: scan
uses: PaloAltoNetworks/prisma-cloud-scan@v1
with:
pcc_console_url: ${{ vars.PCC_CONSOLE_URL }}
pcc_user: ${{ secrets.PC_ACCESS_KEY }}
pcc_pass: ${{ secrets.PC_SECRET_KEY }}
image_name: ${{ env.IMAGE_NAME }}
- name: Upload SARIF report
uses: actions/upload-artifact@v2
if: ${{ always() }}
with:
name: SARIF results twistcli
path: ${{ steps.scan.outputs.sarif_file }}
# # Only for public repos or enterprise accounts
# # (Optional) for compatibility with GitHub's code scanning alerts
# - name: Upload SARIF file
# if: ${{ always() }} # necessary if using failure thresholds in the image scan
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: ${{ steps.scan.outputs.sarif_file }}
sandbox-image:
name: Sandbox image
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
steps:
- name: Check out the repository
uses: actions/checkout@v2
- name: Build the image
run: docker build -t $IMAGE_NAME .
- name: Download Twistcli
if: ${{ always() }}
run: |
chmod +x twistcli_download.sh
./twistcli_download.sh
env:
PCC_URL: ${{ vars.PCC_CONSOLE_URL }}
PC_ACCESS_KEY: ${{ secrets.PC_ACCESS_KEY }}
PC_SECRET_KEY: ${{ secrets.PC_SECRET_KEY }}
- name: Run Image Sandbox
if: ${{ always() }}
run: sudo -E ./twistcli sandbox --address "${PCC_CONSOLE_URL}" ${{ env.IMAGE_NAME }}
env:
PCC_CONSOLE_URL: ${{ vars.PCC_CONSOLE_URL }}
TWISTLOCK_USER: ${{ secrets.PC_ACCESS_KEY }}
TWISTLOCK_PASSWORD: ${{ secrets.PC_SECRET_KEY }}
openapi-scan:
name: Scan OpenAPI Spec
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
- name: Download Twistcli
run: |
chmod +x twistcli_download.sh
./twistcli_download.sh
env:
PCC_URL: ${{ vars.PCC_CONSOLE_URL }}
PC_ACCESS_KEY: ${{ secrets.PC_ACCESS_KEY }}
PC_SECRET_KEY: ${{ secrets.PC_SECRET_KEY }}
- name: Run Scan
run: ./twistcli waas openapi-scan springboot_spec.yaml --address "${PCC_CONSOLE_URL}"
env:
PCC_CONSOLE_URL: ${{ vars.PCC_CONSOLE_URL }}
TWISTLOCK_USER: ${{ secrets.PC_ACCESS_KEY }}
TWISTLOCK_PASSWORD: ${{ secrets.PC_SECRET_KEY }}
checkov-scan:
name: Scan Repo with checkov
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write # For SARIF
steps:
- name: Check out the repository
uses: actions/checkout@v2
- name: Run Bridgecrew Action
id: Bridgecrew
uses: bridgecrewio/bridgecrew-action@master
env:
PRISMA_API_URL: ${{ vars.PRISMA_API_URL }}
with:
api-key: ${{ secrets.PC_ACCESS_KEY }}::${{ secrets.PC_SECRET_KEY }}
quiet: true # only show failed
- name: Upload SARIF report
uses: actions/upload-artifact@v2
if: ${{ always() }}
with:
name: SARIF results Checkov
path: results.sarif
# Only for public repos or enterprise accounts
# Uploads results.sarif to GitHub repository using the upload-sarif action
- uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: results.sarif
pipeline-exploit:
name: Pull Request annotation
runs-on: ubuntu-latest
if: ${{ github.event_name == 'pull_request' }}
permissions: write-all
steps:
- name: Check out the repository
uses: actions/checkout@v2
- name: Show Pull Request Data
run: |
echo ${{ github.event.pull_request.title }}