{"id":18995604,"url":"https://github.com/turbot/powerpipe-action-check","last_synced_at":"2025-04-22T13:42:25.653Z","repository":{"id":256949359,"uuid":"777826344","full_name":"turbot/powerpipe-action-check","owner":"turbot","description":"Run Powerpipe benchmarks and controls against your Infrastructure as Code, deployed infrastructure, and more.","archived":false,"fork":false,"pushed_at":"2025-02-12T14:55:06.000Z","size":951,"stargazers_count":3,"open_issues_count":6,"forks_count":1,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-17T03:06:03.562Z","etag":null,"topics":["compliance","github-actions","powerpipe","security"],"latest_commit_sha":null,"homepage":"https://powerpipe.io/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/turbot.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-03-26T15:17:25.000Z","updated_at":"2025-02-12T14:46:29.000Z","dependencies_parsed_at":"2024-09-14T03:16:15.444Z","dependency_job_id":"764330cb-5624-4213-9393-ccb7b8ec7cb4","html_url":"https://github.com/turbot/powerpipe-action-check","commit_stats":null,"previous_names":["turbot/powerpipe-action-check"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turbot%2Fpowerpipe-action-check","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turbot%2Fpowerpipe-action-check/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turbot%2Fpowerpipe-action-check/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turbot%2Fpowerpipe-action-check/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/turbot","download_url":"https://codeload.github.com/turbot/powerpipe-action-check/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250250651,"owners_count":21399680,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compliance","github-actions","powerpipe","security"],"created_at":"2024-11-08T17:31:55.094Z","updated_at":"2025-04-22T13:42:25.632Z","avatar_url":"https://github.com/turbot.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Powerpipe Check for GitHub Actions\n\nThis action runs [Powerpipe](https://powerpipe.io/) benchmarks and controls from [Powerpipe Mods](https://hub.powerpipe.io/).\n\n\u003cimg src=\"images/summary_output.png\" width=\"80%\"\u003e\n\nWhen running checks for Infrastructure as Code (IaC) mods, this action will create annotations for any controls in `alarm` state provided they have an [additional dimension](https://powerpipe.io/docs/powerpipe-hcl/control#additional-control-columns--dimensions) providing the file path and a start line number in one of the following formats: `path/filename.ext:23` or `path/name.ext:23-25`.\n\n\u003e Note: In order to create annotations, the workflow job requires `checks: write` and `pull-requests: write` [permissions](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs).\n\nFor a list of IaC mods, please see [IaC mods](https://hub.powerpipe.io/mods?categories=iac).\n\n\u003cimg src=\"images/example_annotations.png\" width=\"80%\" /\u003e\n\n## Usage\n\nSee [action.yml](action.yml).\n\n## Examples\n\n### Run specific controls\n\n```yaml\n  - name: Checkout repo\n    uses: actions/checkout@v4\n\n  - name: Setup Steampipe\n    uses: turbot/steampipe-action-setup@v1\n    with:\n      plugin-connections: | # setup your steampipe plugin \u0026 connections\n        connection \"aws\" {\n          plugin     = \"aws\"\n          access_key = \"${{ secrets.AWS_ACCESS_KEY_ID }}\"\n          secret_key = \"${{ secrets.AWS_SECRET_ACCESS_KEY }}\"\n          regions    = [\"ap-south-1\"]\n        }\n\n  - name: Install Powerpipe\n    uses: turbot/powerpipe-action-setup@v1\n\n  - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database\n    run: |\n      steampipe service start\n\n  - name: Run specific AWS Compliance controls\n    uses: turbot/powerpipe-action-check@v1\n    with:\n      mod-url: https://github.com/turbot/steampipe-mod-aws-compliance\n      controls: |\n        ebs_volume_unused\n        foundational_security_s3_1\n```\n\n### Run specific benchmarks\n\n```yaml\n  - name: Checkout repo\n    uses: actions/checkout@v4\n\n  - name: Setup Steampipe\n    uses: turbot/steampipe-action-setup@v1\n    with:\n      plugin-connections: | # setup your steampipe plugin \u0026 connections\n        connection \"aws\" {\n          plugin     = \"aws\"\n          access_key = \"${{ secrets.AWS_ACCESS_KEY_ID }}\"\n          secret_key = \"${{ secrets.AWS_SECRET_ACCESS_KEY }}\"\n          regions    = [\"ap-south-1\"]\n        }\n\n  - name: Install Powerpipe\n    uses: turbot/powerpipe-action-setup@v1\n\n  - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database\n    run: |\n      steampipe service start\n\n  - name: Run specific AWS Compliance benchmarks\n    uses: turbot/powerpipe-action-check@v1\n    with:\n      mod-url: https://github.com/turbot/steampipe-mod-aws-compliance\n      benchmarks: |\n        cis_v150\n        foundational_security_s3\n```\n\n### Run benchmarks and controls from multiple mods\n\n```yaml\n  - name: Checkout repo\n    uses: actions/checkout@v4\n\n  - name: Setup Steampipe\n    uses: turbot/steampipe-action-setup@v1\n    with:\n      plugin-connections: |\n        connection \"aws_tf\" {\n          plugin = \"terraform\"\n          configuration_file_paths = [\n            \"cloud_infra/service_billing/aws/**/*.tf\",\n            \"cloud_infra/service_orders/aws/**/*.tf\"\n          ]\n        }\n\n        connection \"gcp_tf\" {\n          plugin = \"terraform\"\n          configuration_file_paths = [\n            \"cloud_infra/service_billing/gcp/**/*.tf\",\n            \"cloud_infra/service_orders/gcp/**/*.tf\"\n          ]\n        }\n\n  - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database\n    run: |\n      steampipe service start\n\n  - name: Install Powerpipe\n    uses: turbot/powerpipe-action-setup@v1\n\n  - name: Run Terraform AWS Compliance control\n    uses: turbot/powerpipe-action-check@v1\n    with:\n      mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance\n      controls: |\n        ec2_ebs_default_encryption_enabled\n      additional-args: '--search-path-prefix=aws_tf'\n\n  - name: Run GCP Terraform Compliance benchmark\n    uses: turbot/powerpipe-action-check@v1\n    with:\n      mod-url: https://github.com/turbot/steampipe-mod-terraform-gcp-compliance\n      benchmarks: |\n        compute\n      additional-args: '--search-path-prefix=gcp_tf'\n```\n\n### Use a specific tag version of a mod\n\n```yaml\n  - name: Checkout repo\n    uses: actions/checkout@v4\n\n  - name: Setup Steampipe\n    uses: turbot/steampipe-action-setup@v1\n    with:\n      plugin-connections: |\n        connection \"terraform\" {\n          plugin = \"terraform\"\n          configuration_file_paths = [ \"./**/*.tf\" ]\n        }\n\n  - name: Install Powerpipe\n    uses: turbot/powerpipe-action-setup@v1\n\n  - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database\n    run: |\n      steampipe service start\n\n  - name: Run Terraform AWS Compliance v0.18 control\n    uses: turbot/steampipe-action-check@v1\n    with:\n      mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance\n      mod-branch: v0.18\n      controls: |\n        ec2_ebs_default_encryption_enabled\n```\n\n### Run GitHub Compliance checks\n\nThis action can also be used to run benchmarks and controls in mods that don't scan IaC configuration files.\n\n```yaml\n  - name: Checkout\n    uses: actions/checkout@v4\n\n  - name: Setup Steampipe\n    uses: turbot/steampipe-action-setup@v1\n    with:\n      plugin-connections: |\n        connection \"github\" {\n          plugin = \"github\"\n          token  = \"${{ secrets.GITHUB_PAT }}\"\n        }\n\n  - name: Install Powerpipe\n    uses: turbot/powerpipe-action-setup@v1\n\n  - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database\n    run: |\n      steampipe service start\n\n  - name: Run Powerpipe benchmarks\n    uses: turbot/powerpipe-action-check@v1\n    with:\n      mod-url: https://github.com/turbot/steampipe-mod-github-compliance\n      benchmarks: |\n        cis_supply_chain_v100_2\n        cis_supply_chain_v100_2_3\n```\n\n### Run AWS CIS v2.0.0 benchmark\n\nThis example uses an [IAM OIDC identity provider](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) with an IAM role.\n\n\u003e Note: In order to use OIDC the workflow job will require `id-token: write` permissions. For more information, please see [Adding permission settings](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-permissions-settings).\n\n\n```yaml\nsteps:\n  - name: Checkout repo\n    uses: actions/checkout@v4\n\n  - name: Setup AWS Credentials\n    uses: aws-actions/configure-aws-credentials@v4\n    with:\n      role-to-assume: arn:aws:iam::1234567890:role/my-role\n      aws-region: us-east-1\n\n  - name: Setup Steampipe\n    uses: turbot/steampipe-action-setup@v1\n    with:\n      plugin-connections: |\n        connection \"aws\" {\n          plugin = \"aws\"\n        }\n\n  - name: Install Powerpipe\n    uses: turbot/powerpipe-action-setup@v1\n\n  - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database\n    run: |\n      steampipe service start\n\n  - name: Run Powerpipe benchmark\n    uses: turbot/powerpipe-action-check@v1\n    with:\n      mod-url: https://github.com/turbot/steampipe-mod-aws-compliance\n      benchmarks: |\n        benchmark.cis_v200\n```\n\n### Create Turbot Pipes snapshot\n\nThe check results can also be created and uploaded as snapshots to [Turbot Pipes](https://turbot.com/pipes).\n\nA snapshot is a saved view of benchmark and control results and may be shared with other Turbot Pipes users or with anyone that has the link.\n\nSnapshot visibility is set by the `pipes-snapshot-visibility` input:\n  - `anyone_with_link` - Snapshot is shareable with anyone.\n  - `workspace` - Snapshot is created in the user's default workspace. To save the snapshot to a different location, use `--snapshot-location` in the `additional-args` input.\n\n```yaml\n  - name: Checkout repo\n    uses: actions/checkout@v4\n\n  - name: Setup AWS Credentials\n    uses: aws-actions/configure-aws-credentials@v4\n    with:\n      role-to-assume: arn:aws:iam::1234567890:role/my-role\n      aws-region: us-east-1\n\n  - name: Setup Steampipe\n    uses: turbot/steampipe-action-setup@v1\n    with:\n      plugin-connections: |\n        connection \"aws\" {\n          plugin = \"aws\"\n        }\n\n  - name: Install Powerpipe\n    uses: turbot/powerpipe-action-setup@v1\n\n  - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database\n    run: |\n      steampipe service start\n\n  - name: Run Powerpipe benchmarks\n    uses: turbot/powerpipe-action-check@v1\n    with:\n      mod-url: https://github.com/turbot/steampipe-mod-aws-compliance\n      benchmarks: |\n        benchmark.cis_v200\n      pipes-snapshot-visibility: workspace\n      pipes-token: ${{ secrets.PIPES_TOKEN }}\n```\n\n### Pass in Powerpipe variables\n\nVariables can be passed into Powerpipe multiple ways, for more information on how to pass in variables and what order they're loaded in, please see [Passing Input Variables](https://powerpipe.io/docs/build/mod-variables#passing-input-variables).\n\n\n```yaml\n  - name: Checkout repo\n    uses: actions/checkout@v4\n\n  - name: Setup AWS Credentials\n    uses: aws-actions/configure-aws-credentials@v4\n    with:\n      role-to-assume: arn:aws:iam::1234567890:role/my-role\n      aws-region: us-east-1\n\n  - name: Setup Steampipe\n    uses: turbot/steampipe-action-setup@v1\n    with:\n      plugin-connections: |\n        connection \"aws\" {\n          plugin = \"aws\"\n        }\n\n  - name: Install Powerpipe\n    uses: turbot/powerpipe-action-setup@v1\n\n  - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database\n    run: |\n      steampipe service start\n\n  - name: Run AWS Tags benchmarks\n    uses: turbot/powerpipe-action-check@v1\n    env:\n      # Variables can be passed in through env vars\n      PP_VAR_mandatory_tags: '[\"Application\", \"Environment\", \"Department\", \"Owner\"]'\n    with:\n      mod-url: https://github.com/turbot/steampipe-mod-aws-tags\n      benchmarks: |\n        mandatory\n        prohibited\n      # Or with CLI flags\n      additional-args: \"--var 'prohibited_tags=[\\\"Password\\\", \\\"Key\\\"]'\"\n```\n\n## Advanced Examples\n\n### Run a control against a DuckDB Backend\n\nConnect to a DuckDB backend and run controls.\n\n```yaml\n  - uses: actions/checkout@v4\n\n  - name: Install Powerpipe\n    uses: turbot/powerpipe-action-setup@v1\n\n  - name: Run Powerpipe\n    run: |\n      powerpipe -v\n\n  - name: Run Control\n    uses: turbot/powerpipe-action-check@v1\n    with:\n      mod-url: \"https://github.com/pskrbasu/powerpipe-mod-duckdb-demo\"\n      controls: |\n        testing_control\n      pipes-snapshot-visibility: 'anyone_with_link'\n      pipes-token: \"${{ secrets.PIPES_TOKEN }}\"\n      database: \"duckdb:///$(pwd)/test_data/employee.duckdb\"\n```\n\n### Run a control against a SQLite Backend\n\nConnect to a SQLite backend and run controls.\n\n```yaml\n  - uses: actions/checkout@v4\n\n  - name: Install Powerpipe\n    uses: turbot/powerpipe-action-setup@v1\n\n  - name: Run Powerpipe\n    run: |\n      powerpipe -v\n\n  - name: Run Control\n    uses: turbot/powerpipe-action-check@v1\n    with:\n      mod-url: \"https://github.com/pskrbasu/powerpipe-mod-sqlite-demo\"\n      controls: |\n        testing_control\n      pipes-snapshot-visibility: 'anyone_with_link'\n      pipes-token: \"${{ secrets.PIPES_TOKEN }}\"\n      database: \"duckdb:///$(pwd)/test_data/employee.db\"\n```\n\n### Run checks in a Turbot Pipes workspace\n\nYou can execute queries via Turbot Pipes, which is useful if you already have plugin connections setup in your workspaces.\n\nThe following example shows how to specify an [implicit workspace](https://powerpipe.io/docs/run/workspaces#implicit-workspaces) within the `additional-args` input.\n\n```yaml\nsteps:\n  - name: Checkout\n    uses: actions/checkout@v4\n\n  - name: Setup Steampipe\n    uses: turbot/steampipe-action-setup@v1\n    with:\n      plugin-connections: |\n        connection \"aws\" {\n          plugin = \"aws\"\n        }\n\n  - name: Install Powerpipe\n    uses: turbot/powerpipe-action-setup@v1\n\n  - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database\n    run: |\n      steampipe service start\n\n  - name: Run Powerpipe control\n    uses: turbot/powerpipe-action-check@v1\n    with:\n      mod-url: https://github.com/turbot/steampipe-mod-aws-compliance\n      controls: |\n        ebs_volume_unused\n      pipes-token: ${{ secrets.PIPES_TOKEN }}\n      pipes-snapshot-visibility: workspace\n      # The workspace passed here in format \u003cowner\u003e/\u003cworkspace\u003e needs to be accessible by your pipes-token\n      additional-args: '--workspace=\"username/default\"'\n```\n\nYou can also set the workspace via the `POWERPIPE_WORKSPACE` environment variable.\n\n```yaml\n  - name: Run Powerpipe control\n    uses: turbot/powerpipe-action-check@v1\n    env:\n      POWERPIPE_WORKSPACE: 'username/default'\n    with:\n      mod-url: https://github.com/turbot/steampipe-mod-aws-compliance\n      controls: |\n        ebs_volume_unused\n      pipes-token: ${{ secrets.PIPES_TOKEN }}\n      pipes-snapshot-visibility: workspace\n```\n\n### Use a matrix to run controls from multiple mods\n\n```yaml\njobs:\n  powerpipe-terraform-compliance:\n    strategy:\n      matrix:\n        include:\n          - cloud: \"aws\"\n            control: \"ec2_ami_copy_encrypted_with_kms_cmk\"\n            search_path: \"aws_tf\"\n          - cloud: \"azure\"\n            control: \"compute_managed_disk_set_encryption_enabled\"\n            search_path: \"azure_tf\"\n          - cloud: \"gcp\"\n            control: \"compute_disk_encrypted_with_csk\"\n            search_path: \"gcp_tf\"\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Steampipe\n        uses: turbot/steampipe-action-setup@v1\n        with:\n          plugin-connections: |\n            connection \"aws_tf\" {\n              plugin = \"terraform\"\n              configuration_file_paths = [\"cloud_infra/terraform/aws/**/*.tf\"]\n            }\n            connection \"gcp_tf\" {\n              plugin = \"terraform\"\n              configuration_file_paths = [\"cloud_infra/terraform/gcp/**/*.tf\"]\n            }\n            connection \"azure_tf\" {\n              plugin = \"terraform\"\n              configuration_file_paths = [\"cloud_infra/terraform/azure/**/*.tf\"]\n            }\n\n      - name: Install Powerpipe\n        uses: turbot/powerpipe-action-setup@v1\n\n      - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database\n        run: |\n          steampipe service start\n\n      - name: Run Terraform ${{ matrix.cloud }} Compliance\n        uses: turbot/steampipe-action-check@v1\n        with:\n          mod-url: 'https://github.com/turbot/steampipe-mod-terraform-${{ matrix.cloud }}-compliance'\n          controls: |\n            ${{ matrix.control }}\n          additional-args: '--search-path-prefix=${{ matrix.search_path }}'\n```\n\n## Helpful links\n\n- [Powerpipe docs](https://powerpipe.io/docs)\n- [Steampipe plugins](https://hub.steampipe.io/plugins)\n- [Powerpipe mods](https://hub.powerpipe.io/mods)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fturbot%2Fpowerpipe-action-check","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fturbot%2Fpowerpipe-action-check","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fturbot%2Fpowerpipe-action-check/lists"}