{"id":19581175,"url":"https://github.com/google-github-actions/analyze-code-security-scc","last_synced_at":"2025-04-27T09:33:02.245Z","repository":{"id":218939533,"uuid":"740613855","full_name":"google-github-actions/analyze-code-security-scc","owner":"google-github-actions","description":"A GitHub Action to analyze Terraform and IaC configurations in Security Command Center.","archived":false,"fork":false,"pushed_at":"2024-09-18T05:02:07.000Z","size":506,"stargazers_count":2,"open_issues_count":2,"forks_count":10,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-09-18T07:44:08.517Z","etag":null,"topics":["actions","cloud-security","cloud-security-command-center","gcp","github-actions","google-cloud","google-cloud-platform","scc","security","security-command-center"],"latest_commit_sha":null,"homepage":"https://cloud.google.com/security-command-center","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google-github-actions.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-08T17:47:53.000Z","updated_at":"2024-08-05T20:14:47.000Z","dependencies_parsed_at":"2024-05-28T18:41:50.538Z","dependency_job_id":"d9a3c373-45b7-40d5-a949-6ec0625d21f7","html_url":"https://github.com/google-github-actions/analyze-code-security-scc","commit_stats":null,"previous_names":["google-github-actions/analyze-code-security-scc"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Fanalyze-code-security-scc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Fanalyze-code-security-scc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Fanalyze-code-security-scc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Fanalyze-code-security-scc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google-github-actions","download_url":"https://codeload.github.com/google-github-actions/analyze-code-security-scc/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224067260,"owners_count":17250143,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","cloud-security","cloud-security-command-center","gcp","github-actions","google-cloud","google-cloud-platform","scc","security","security-command-center"],"created_at":"2024-11-11T07:33:21.238Z","updated_at":"2024-11-11T07:33:22.430Z","avatar_url":"https://github.com/google-github-actions.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# analyze-code-security-scc\n\n\n## Description\n\n\nThis GitHub action identifies insecure configurations in Infrastructure as Code (IaC) files for Google Cloud resources. This action requires Terraform plan files in JSON format for scanning.\n\n\nUse this action to detect and remediate issues in IaC files for Google Cloud before you deploy the resources.\n\n\nThis action lets you:\n- Scan IaC template files (such as Terraform plan files).\n- Display issues with their severity as a SARIF Report in the GitHub Workspace after a scan completes.\n- Define severity-based failure criteria for passing or failing the build.\n\n**This is not an officially supported Google product, and it is not covered by a\nGoogle Cloud support contract. To report bugs or request features in a Google\nCloud product, please contact [Google Cloud\nsupport](https://cloud.google.com/support).**\n\n\u003e [!IMPORTANT]\n\u003e This action requires the Security Command Center Premium tier or Enterprise \n\u003e tier. In the Premium tier, you must be a subscription customer to use this \n\u003e action. You must activate Security Command Center at the organization level to\n\u003e use this feature.\n\n\u003e [!CAUTION]\n\u003e Don’t enter any sensitive information such as passwords and other personal identifiable information in the Terraform plan files.\n\n## Prerequisites\n\n\n* This action requires a Google Cloud service account which has the **Security Posture Shift-Left Validator** role or the **Security Posture Admin** role on the Google Cloud organization that includes the IaC resources. For more information, see [Authorization](#authorization).\n\n\n* This action runs using Node 20. If you are using self-hosted GitHub Actions\n  runners, you must use a [runner\n  version](https://github.com/actions/virtual-environments) that supports this\n  version or later.\n\n\n## Usage\n\n\n```yaml\njobs:\n  job_id:\n    permissions:\n      contents: 'read'\n      id-token: 'write'\n\n    steps:\n      - uses: 'actions/checkout@v4'\n      - id: 'auth'\n        uses: 'google-github-actions/auth@v2'\n        with:\n          workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'\n          service_account: 'my-service-account@my-project.iam.gserviceaccount.com'\n\n      - id: 'analyze-code-security-scc'\n        uses: 'google-github-actions/analyze-code-security-scc@v0'\n        with:\n          organization_id: '123456789'\n          scan_file_ref: './tf_plan.json'\n          iac_type: 'terraform'\n          scan_timeout: '1m'\n          ignore_violations: false\n          failure_criteria: 'High:1,Medium:1,Low:1,Operator:or'\n          fail_silently: false\n\n      - if: |-\n          ${{ !cancelled() \u0026\u0026 steps.analyze-code-security-scc.outputs.iac_scan_result_sarif_path != '' }}\n        uses: 'actions/upload-artifact@v4'\n        with:\n          name: 'sarif'\n          path: '${{ steps.analyze-code-security-scc.outputs.iac_scan_result_sarif_path }}'\n```\n\n\n\n\n## Inputs\n\n\u003c!-- BEGIN_AUTOGEN_INPUTS --\u003e\n\n-   \u003ca name=\"organization_id\"\u003e\u003c/a\u003e\u003ca href=\"#user-content-organization_id\"\u003e\u003ccode\u003eorganization_id\u003c/code\u003e\u003c/a\u003e: _(Required)_ Google Cloud organization ID for the organization which includes the\n    resources that you want to modify. For example, '1234'.\n\n-   \u003ca name=\"scan_file_ref\"\u003e\u003c/a\u003e\u003ca href=\"#user-content-scan_file_ref\"\u003e\u003ccode\u003escan_file_ref\u003c/code\u003e\u003c/a\u003e: _(Required)_ Path to a file, relative to the local workspace, for the IaC file to scan.\n    For example:\n\n        ./tf_plan.json\n\n    or\n\n        ./artifacts/tf_plan.json\n\n-   \u003ca name=\"iac_type\"\u003e\u003c/a\u003e\u003ca href=\"#user-content-iac_type\"\u003e\u003ccode\u003eiac_type\u003c/code\u003e\u003c/a\u003e: _(Required, default: `terraform`)_ The IaC template type. Currently only Terraform is supported.\n\n-   \u003ca name=\"scan_timeout\"\u003e\u003c/a\u003e\u003ca href=\"#user-content-scan_timeout\"\u003e\u003ccode\u003escan_timeout\u003c/code\u003e\u003c/a\u003e: _(Optional, default: `3m`)_ The maximum time before the scanning stops. The value must be between \"1m\"\n    and `10m`.\n\n-   \u003ca name=\"ignore_violations\"\u003e\u003c/a\u003e\u003ca href=\"#user-content-ignore_violations\"\u003e\u003ccode\u003eignore_violations\u003c/code\u003e\u003c/a\u003e: _(Optional)_ Whether violations found in IaC file should be ignored when determining\n    the build status. This input doesn't apply to violations that are related\n    to generating SARIF reports and determining the `iac_scan_result`.\n\n-   \u003ca name=\"failure_criteria\"\u003e\u003c/a\u003e\u003ca href=\"#user-content-failure_criteria\"\u003e\u003ccode\u003efailure_criteria\u003c/code\u003e\u003c/a\u003e: _(Optional, default: `Critical:1, High:1, Medium:1, Low:1, Operator:OR`)_ The failure criteria that determines the workflow build status. You can\n    set a threshold for the number of critical, high, medium, and low severity\n    issues and use an aggregator (either `and` or `or`) to evaluate the\n    criteria.\n\n    To determine whether a build has failed, the threshold for each severity\n    is evaluated against the count of issues with that severity in the IaC\n    scan results and then severity level evaluations are aggregated using\n    `AND` or `OR` to arrive at `failure_criteria` value. You must include an\n    aggregator in the string. The aggregator value is case-sensitive.\n\n    For example, if you set the failure criteria to `HIGH:1,LOW:1,OPERATOR:OR`,\n    the workflow fails if there is 1 or more HIGH severity findings or 1 or\n    more LOW severity findings. If you set the failure criteria to\n    `HIGH:1,LOW:1,OPERATOR:AND`, the workflow fails if there is 1 or more HIGH\n    severity findings and 1 or more LOW severity findings.\n\n    If the `failure_criteria` evaluates to `true`, the workflow is marked as\n    `FAILED`. Otherwise, the workflow is marked as `SUCCESS`.\n\n-   \u003ca name=\"fail_silently\"\u003e\u003c/a\u003e\u003ca href=\"#user-content-fail_silently\"\u003e\u003ccode\u003efail_silently\u003c/code\u003e\u003c/a\u003e: _(Optional)_ If set to true, the workflow will not fail in case of any internal error\n    including invalid credentials and plugin dependency failure.\n\n    Note: This GitHub Action will always fail in case of any input validation\n    errors.\n\n\n\u003c!-- END_AUTOGEN_INPUTS --\u003e\n\n\n## Outputs\n\n\u003c!-- BEGIN_AUTOGEN_OUTPUTS --\u003e\n\n-   `iac_scan_result`: The result of the security scan. One of:\n\n    - `passed`: No violations were found or the `failure_criteria` was not\n    satisfied.\n\n    - `failed`: The `failure_criteria` was satisfied.\n\n    - `error`: The action ran into an execution error, generally due to a\n    misconfiguration or invalid credentials.\n\n-   `iac_scan_result_sarif_path`: Path for the SARIF report file. This file is only available when\n    violations are found in the scan file.\n\n\n\u003c!-- END_AUTOGEN_OUTPUTS --\u003e\n\n## Authorization\n\n\nUse [google-github-actions/auth](https://github.com/google-github-actions/auth)\nto authenticate the action. You can use [Workload Identity Federation][wif] or\n[Service account key JSON][sa] for authentication.\n\n\n```yaml\njobs:\n  job_id:\n    permissions:\n      contents: 'read'\n      id-token: 'write'\n\n\n    steps:\n    - id: 'auth'\n      uses: 'google-github-actions/auth@v2'\n      with:\n        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'\n        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'\n\n\n    - id: 'analyze-code-security-scc'\n      uses: 'google-github-actions/analyze-code-security-scc@v0'\n```\n\n\n## Supported asset types and policies\n\n\nFor information about supported asset types and policies, see [IaC Validation - Supported assets and policies](https://www.gstatic.com/cloud_security_posture/iac_validation_supported_assets_and_policies.pdf).\n\n\n[sa]: https://cloud.google.com/iam/docs/creating-managing-service-accounts\n[wif]: https://cloud.google.com/iam/docs/workload-identity-federation\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle-github-actions%2Fanalyze-code-security-scc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle-github-actions%2Fanalyze-code-security-scc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle-github-actions%2Fanalyze-code-security-scc/lists"}