Update Github Action (#581)

* Refactor primary Github Action
- Support writing the output to a file
- Add a test for uploading sarif to GH code scanning

* Updated action readme example

Author: Kevin Formsma

.github/workflows/github-action.yml

@@ -12,8 +12,10 @@ on:
 
 jobs:
   e2e:
-    name: E2E test
+    name: Action E2E test
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
 
     steps:
       - uses: actions/checkout@master
@@ -36,3 +38,13 @@ jobs:
         with:
           input_path: github-action/tests
           extra_args: -o json --template-pattern clean
+      - name: Test with SARIF output
+        id: sarif
+        uses: stelligent/cfn_nag@master
+        with:
+          input_path: github-action/tests
+          extra_args: -o sarif
+          output_path: cfn_nag.sarif
+      - uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: cfn_nag.sarif

action.yml

@@ -11,6 +11,9 @@ inputs:
   extra_args:
     description: 'Additional arguments to pass to cfn_nag_scan, separated by space (default: "--print-suppression").'
     default: '--print-suppression'
+  output_path:
+    description: 'Destination file path for cfn_nag_scan output'
+    default: 'cfn_nag.out'
 runs:
   using: docker
   image: github-action/Dockerfile

github-action/Dockerfile

@@ -1,9 +1,5 @@
 FROM stelligent/cfn_nag:latest
 
-ARG INPUT_EXTRA_ARGS=''
-ENV INPUT_EXTRA_ARGS="${INPUT_EXTRA_ARGS}"
+COPY entrypoint.sh /entrypoint.sh
 
-ARG INPUT_INPUT_PATH=''
-ENV INPUT_INPUT_PATH="${INPUT_INPUT_PATH}"
-
-ENTRYPOINT ["sh", "-c", "cfn_nag_scan $INPUT_EXTRA_ARGS --input-path $INPUT_INPUT_PATH"]
+ENTRYPOINT [ "/entrypoint.sh" ]

github-action/README.md

@@ -20,6 +20,9 @@ The directory of the repo to search for violations. Default: `$GITHUB_WORKSPACE`
 
 Additional arguments to pass to `cfn_nag_scan`. See the [usage for `cfn_nag_scan`](https://github.com/stelligent/cfn_nag#usage) for more options. Default: `--print-suppression`
 
+### `output_path`
+
+Destination file path for cfn_nag_scan output. Default: `cfn_nag.out`
 ## Example Usages
 
 ### Basic
@@ -62,6 +65,21 @@ Search the `templates` directory within the GitHub runner's workspace and remove
     extra_args: ''
 ```
 
+### Define path to search and upload to code scanning
+
+Search the `templates` directory and upload the results to GitHub's Code Scanning.
+
+```
+- uses: stelligent/cfn_nag@master
+  with:
+    input_path: templates
+    extra_args: -o sarif
+    output_path: cfn_nag.sarif
+- uses: github/codeql-action/upload-sarif@v1
+  with:
+    sarif_file: cfn_nag.sarif
+```
+
 ## Support
 
 To report a bug or request a feature, submit an issue through the GitHub repository via: https://github.com/stelligent/cfn_nag/issues/new

github-action/entrypoint.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+echo "::debug::Using input path: ${INPUT_INPUT_PATH}"
+echo "::debug::Using output path: ${INPUT_OUTPUT_PATH}"
+
+if [ -n "${INPUT_EXTRA_ARGS}" ]; then
+  echo "::debug::Using specified extra args: ${INPUT_EXTRA_ARGS}"
+  EXTRA_ARGS="${INPUT_EXTRA_ARGS}"
+fi
+
+cfn_nag_scan ${EXTRA_ARGS} --input-path "${INPUT_INPUT_PATH}" | tee "${INPUT_OUTPUT_PATH}"