Release: v0.1.5 (#53) #144

Summary
Jobs
- unit
- integration
Run details
- Usage
- Workflow file

Workflow file for this run

	# Copyright 2024 Google LLC
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	name: 'Test'

	on:
	push:
	branches:
	- 'main'
	- 'release/*/'
	pull_request:
	branches:
	- 'main'
	- 'release/*/'
	workflow_dispatch:

	concurrency:
	group: '${{ github.workflow }}-${{ github.head_ref \|\| github.ref }}'
	cancel-in-progress: true

	defaults:
	run:
	shell: 'bash'

	jobs:
	unit:
	name: 'unit'
	runs-on: 'ubuntu-latest'
	permissions:
	contents: 'read'
	id-token: 'write'

	steps:
	- uses: 'actions/checkout@v4'

	- uses: 'actions/setup-node@v4'
	with:
	node-version: '20.x'

	- name: 'npm build'
	run: 'npm ci && npm run build'

	- name: 'npm lint'
	run: 'npm run lint'

	- uses: 'google-github-actions/auth@v2'
	with:
	workload_identity_provider: 'projects/251902844862/locations/global/workloadIdentityPools/github/providers/my-repo'
	service_account: 'iac-scan-plugins@iac-scan-integration-test.iam.gserviceaccount.com'

	- name: 'npm test'
	run: 'npm run test'

	integration:
	permissions:
	contents: 'read'
	id-token: 'write'
	runs-on: 'ubuntu-latest'

	env:
	ORGANIZATION_ID: '627849321070'

	steps:
	- uses: 'actions/checkout@v4'

	- uses: 'actions/setup-node@v4'
	with:
	node-version: '20.x'

	- name: 'npm build'
	run: 'npm ci && npm run build'

	- uses: 'google-github-actions/auth@v2'
	with:
	workload_identity_provider: 'projects/251902844862/locations/global/workloadIdentityPools/github/providers/my-repo'
	service_account: 'iac-scan-plugins@iac-scan-integration-test.iam.gserviceaccount.com'

	- id: 'violations-found'
	name: 'Violations found in plan file'
	uses: './'
	with:
	organization_id: '${{ env.ORGANIZATION_ID }}'
	# plan file has 1 UNSPECIFIED, 1 HIGH severity vulnerabilites
	scan_file_ref: 'tests/resources/with-violations-tf_plan.json'
	iac_type: 'terraform'
	failure_criteria: 'CRITICAL:2, Operator:OR'
	ignore_violations: 'false'
	fail_silently: 'false'
	scan_timeout: '1m'
	- name: 'Check scan result and compare sarif report generated.'
	run: \|
	report_expected="tests/resources/sarif.json"
	report_generated="${{ steps.violations-found.outputs.iac_scan_result_sarif_path }}"
	if cmp -s "$report_expected" "$report_generated"; then
	exit 1
	fi
	if [ "${{ steps.violations-found.outputs.iac_scan_result }}" != "passed" ]; then
	exit 1
	fi

	- id: 'no-violations-found'
	name: 'No violations found in plan file'
	uses: './'
	with:
	organization_id: '${{ env.ORGANIZATION_ID }}'
	scan_file_ref: 'tests/resources/no-violations-tf_plan.json'
	iac_type: 'terraform'
	failure_criteria: 'CRITICAL:2, Operator:OR'
	- name: 'Check scan result and report not generated.'
	run: \|
	report_expected="tests/resources/zero_violations_sarif.json"
	report_generated="${{ steps.no-violations-found.outputs.iac_scan_result_sarif_path }}"
	if cmp -s "$report_expected" "$report_generated"; then
	exit 1
	fi
	if [ "${{ steps.no-violations-found.outputs.iac_scan_result }}" != "passed" ]; then
	exit 1
	fi

	- id: 'failure-criteria-satisfied'
	name: 'Failure criteria satisfied'
	uses: './'
	with:
	organization_id: '${{ env.ORGANIZATION_ID }}'
	# plan file has 1 UNSPECIFIED, 1 HIGH severity vulnerabilites
	scan_file_ref: 'tests/resources/with-violations-tf_plan.json'
	iac_type: 'terraform'
	failure_criteria: 'HIGH:1, Operator:OR'
	continue-on-error: true
	- name: 'Check scan result and action build status'
	run: \|
	if [ "${{ steps.failure-criteria-satisfied.outputs.iac_scan_result }}" != "failed" ]; then
	exit 1
	fi
	if [ "${{ steps.failure-criteria-satisfied.outcome }}" != "failure"]; then
	exit 1
	fi

	- id: 'failure-criteria-satisfied-ignore-violations-true'
	name: 'Failure criteria satisfied, ignore violations true'
	uses: './'
	with:
	organization_id: '${{ env.ORGANIZATION_ID }}'
	# plan file has 1 UNSPECIFIED, 1 HIGH severity vulnerabilites
	scan_file_ref: 'tests/resources/with-violations-tf_plan.json'
	iac_type: 'terraform'
	ignore_violations: 'true'
	failure_criteria: 'HIGH:1, Operator:OR'
	- name: 'Check scan result'
	run: \|
	if [ "${{ steps.failure-criteria-satisfied-ignore-violations-true.outputs.iac_scan_result }}" != "failed" ]; then
	exit 1
	fi

	- id: 'action-internal-error'
	name: 'Action internal error'
	uses: './'
	with:
	# Invalid org id, will cause an internal error in action
	organization_id: 'invalid-id'
	scan_file_ref: 'tests/resources/with-violations-tf_plan.json'
	iac_type: 'terraform'
	continue-on-error: true
	- name: 'Check scan result and build status'
	run: \|
	if [ "${{ steps.action-internal-error.outputs.iac_scan_result }}" != "error" ]; then
	exit 1
	fi
	if [ "${{ steps.action-internal-error.outcome }}" != "failure" ]; then
	exit 1
	fi

	- id: 'action-internal-error-fail-silently-true'
	name: 'Action internal error, fail silently true'
	uses: './'
	with:
	organization_id: 'invalid-id'
	scan_file_ref: 'tests/resources/with-violations-tf_plan.json'
	iac_type: 'terraform'
	fail_silently: 'true'
	- name: Check scan result
	run: \|
	if [ "${{ steps.action-internal-error-fail-silently-true.outputs.iac_scan_result }}" != "error" ]; then
	exit 1
	fi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release: v0.1.5 (#53) #144

Workflow file

Release: v0.1.5 (#53) #144

Jobs

Run details

Workflow file for this run