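#!/bin/bash
# Container entrypoint for the tfsec SARIF action.
#
# Runs tfsec over INPUT_WORKING_DIRECTORY, writes a SARIF report to
# INPUT_SARIF_FILE and publishes tfsec's exit status as the step output
# `tfsec-return-code`. All inputs arrive as INPUT_* environment variables
# set by the runner from action.yml.
#
# NOTE: `set -x` echoes every expanded command into the job log, so the
# full contents of INPUT_TFSEC_ARGS and the file paths passed in become
# visible there. Do not route secrets through these inputs.
set -xe

# Work from the checked-out repository when the runner provides one; if the
# directory is set but cannot be entered, abort with cd's (non-zero) status
# rather than scanning whatever the container's cwd happens to be.
if [[ -n "${GITHUB_WORKSPACE}" ]]; then
  cd "${GITHUB_WORKSPACE}" || exit
fi

# Fail early, with a clear message, rather than with an "ambiguous redirect"
# after tfsec has already run.
: "${INPUT_SARIF_FILE:?INPUT_SARIF_FILE must be set}"
: "${GITHUB_OUTPUT:?GITHUB_OUTPUT must be set}"

# Release to install. Only consumed by the disabled download block below;
# the `tfsec` binary already on PATH is what actually runs.
TFSEC_VERSION="latest"
if [[ -n "${INPUT_TFSEC_VERSION}" && "${INPUT_TFSEC_VERSION}" != "latest" ]]; then
  TFSEC_VERSION="tags/${INPUT_TFSEC_VERSION}"
fi

# # Disabled: fetch the release binary via the GitHub API and verify it
# # against the published checksum file before installing. Kept for
# # reference; re-enabling it without the sha256sum step would install an
# # unverified download.
# # Pull https://api.github.com/repos/aquasecurity/tfsec/releases for the full list of releases. NOTE no trailing slash
# wget --inet4-only -O - -q "$(wget --inet4-only -q https://api.github.com/repos/aquasecurity/tfsec/releases/${TFSEC_VERSION} -O - | grep -m 1 -o -E "https://.+?tfsec-linux-amd64" | head -n1)" > tfsec-linux-amd64
# wget --inet4-only -O - -q "$(wget --inet4-only -q https://api.github.com/repos/aquasecurity/tfsec/releases/${TFSEC_VERSION} -O - | grep -m 1 -o -E "https://.+?tfsec_checksums.txt" | head -n1)" > tfsec.checksums
# # pipe out the checksum and validate
# grep tfsec-linux-amd64 tfsec.checksums > tfsec-linux-amd64.checksum
# sha256sum -c tfsec-linux-amd64.checksum
# install tfsec-linux-amd64 /usr/local/bin/tfsec

# tfsec's argument list is assembled as arrays so that paths containing
# whitespace survive intact; building a single string and expanding it
# unquoted would re-split them.
tfvars_opts=()
config_opts=()
extra_args=()

# Optional tfvars file.
if [[ -n "${INPUT_TFVARS_FILE}" ]]; then
  echo "Using tfvars file ${INPUT_TFVARS_FILE}"
  tfvars_opts=(--tfvars-file "${INPUT_TFVARS_FILE}")
fi

# Optional tfsec config file.
if [[ -n "${INPUT_CONFIG_FILE}" ]]; then
  echo "Using config file ${INPUT_CONFIG_FILE}"
  config_opts=(--config-file "${INPUT_CONFIG_FILE}")
fi

# Free-form extra arguments, one string holding several tokens.
if [[ -n "${INPUT_TFSEC_ARGS}" ]]; then
  echo "Using specified args: ${INPUT_TFSEC_ARGS}"
  # Split on whitespace only. Unlike an unquoted expansion this never
  # glob-expands a token such as `*`; shell quoting inside the string is
  # not interpreted either way.
  read -r -a extra_args <<< "${INPUT_TFSEC_ARGS}"
fi

# Scan every directory, not just those with Terraform state.
if [[ -n "${INPUT_FULL_REPO_SCAN}" ]]; then
  echo "Forcing all directories to be scanned"
  extra_args=(--force-all-dirs "${extra_args[@]}")
fi

# Prime the SARIF file with an empty document so that a consumer still gets
# valid JSON if tfsec exits before writing anything.
printf '{}\n' > "${INPUT_SARIF_FILE}"

# Capture tfsec's status without letting `set -e` abort the script: the
# original form lost the exit code (and never wrote the step output) on any
# non-zero exit.
tfsec_return=0
tfsec --soft-fail --out="${INPUT_SARIF_FILE}" --format=sarif \
  "${extra_args[@]}" "${config_opts[@]}" "${tfvars_opts[@]}" \
  "${INPUT_WORKING_DIRECTORY}" || tfsec_return=$?

echo "tfsec-return-code=${tfsec_return}" >> "${GITHUB_OUTPUT}"

# --soft-fail already maps "findings present" to 0, so a non-zero status
# here is a genuine tfsec failure (bad path, parse error, ...). Surface it
# as the step result, as the previous `set -e` abort did, but only after
# the output has been recorded.
exit "${tfsec_return}"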