action.yml

# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: 'Analyze Code Security'
author: 'Google LLC'
description: |-
  Scan and analyze code for security risks using Google Cloud.

inputs:
  organization_id:
    description: |-
      Google Cloud organization ID for the organization which includes the
      resources that you want to modify. For example, '1234'.
    required: true

  scan_file_ref:
    description: |-
      Path to a file, relative to the local workspace, for the IaC file to scan.
      For example:

          ./tf_plan.json

      or

          ./artifacts/tf_plan.json
    required: true

  iac_type:
    description: |-
      The IaC template type. Currently only Terraform is supported.
    default: 'terraform'
    required: true

  scan_timeout:
    description: |-
      The maximum time before the scanning stops. The value must be between "1m"
      and `10m`.
    default: '3m'
    required: false

  ignore_violations:
    description: |-
      Whether violations found in IaC file should be ignored when determining
      the build status. This input doesn't apply to violations that are related
      to generating SARIF reports and determining the `iac_scan_result`.
    default: false
    required: false

  failure_criteria:
    description: |-
      The failure criteria that determines the workflow build status. You can
      set a threshold for the number of critical, high, medium, and low severity
      issues and use an aggregator (either `and` or `or`) to evaluate the
      criteria.

      To determine whether a build has failed, the threshold for each severity
      is evaluated against the count of issues with that severity in the IaC
      scan results and then severity level evaluations are aggregated using
      `AND` or `OR` to arrive at `failure_criteria` value. You must include an
      aggregator in the string. The aggregator value is case-sensitive.

      For example, if you set the failure criteria to `HIGH:1,LOW:1,OPERATOR:OR`,
      the workflow fails if there is 1 or more HIGH severity findings or 1 or
      more LOW severity findings. If you set the failure criteria to
      `HIGH:1,LOW:1,OPERATOR:AND`, the workflow fails if there is 1 or more HIGH
      severity findings and 1 or more LOW severity findings.

      If the `failure_criteria` evaluates to `true`, the workflow is marked as
      `FAILED`. Otherwise, the workflow is marked as `SUCCESS`.
    default: 'Critical:1, High:1, Medium:1, Low:1, Operator:OR'
    required: false

  fail_silently:
    description: |-
      If set to true, the workflow will not fail in case of any internal error
      including invalid credentials and plugin dependency failure.

      Note: This GitHub Action will always fail in case of any input validation
      errors.
    default: false
    required: false

outputs:
  iac_scan_result:
    description: |-
      The result of the security scan. One of:

      - `passed`: No violations were found or the `failure_criteria` was not
      satisfied.

      - `failed`: The `failure_criteria` was satisfied.

      - `error`: The action ran into an execution error, generally due to a
      misconfiguration or invalid credentials.

  iac_scan_result_sarif_path:
    description: |-
      Path for the SARIF report file. This file is only available when
      violations are found in the scan file.

runs:
  using: 'node24'
  main: 'dist/main/index.js'