Merge pull request #6 from john-c-schneider/use-scan-path-on-pr
Use scan_path in context of Pull Request
yatin-panw authored Apr 28, 2021
2 parents f54570a + e2dbbce commit 8794509
Showing 4 changed files with 12 additions and 2 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -68,6 +68,7 @@ jobs:
| tags | Prisma Cloud tags are different from cloud tags that you might have included in your IaC templates.<br />Prisma Cloud tags will facilitate use of upcoming Prisma Cloud features like role-based access control and policy selection.<br />Eg: `owner:johndoe,team:creditapp,env:dev` |
| failure_criteria<br />Default: `High:1,Medium:1,Low:1,Operator:or` | Enables you to evaluate scan results against set failure criteria to obtain failed or passed verdicts. You can set the count for high, medium, and low severity issues and use `and`/`or` operators to refine your criteria.<br />The IaC scan API checks each severity violation number separately against scan results and applies the operator to each evaluation.<br />The scan triggers a failure if the number of violations is greater than or equal to the failureCriteria values.<br />The Pipeline will be set the Failed if the failure criteria matches. |
| scan_path<br />Default: `./` | Path of the directory containing the IaC files.<br />The path is relative to the repository root. |
| use_scan_path_when_pr<br />Default: `false` | Specifies if files in scan_path should be scanned in context of a PR, not only changed files. Otherwise, only files changed in context of PR are scanned, which includes files outside of scan_path and excludes unchanged files in scan_path. Default is false. |
| variables | Template variables in comma separate key:value pairs.<br />Eg: `k1:v1,k2:v2` |
| variable_files | Comma separated list of variable file paths.<br />Paths are relative to the repository root.<br />Eg: `./var1.json,./var2.json` |
| create_issue<br />Default: `false` | If turned on an Issue will be created with the scan report.<br />Note: Only created on scan failure. |
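Review bot: the `use_scan_path_when_pr` row is hard to parse, and its trailing "Default is false." duplicates the Default column. Consider: "When `true`, a pull_request run scans every file under scan_path. When `false` (default), a pull_request run scans only the files changed in the PR, including changed files outside scan_path and excluding unchanged files inside it." It is also worth stating plainly that with the default a PR scan does not honour scan_path at all, since that is the behaviour most users would not expect and the reason this option exists.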
8 changes: 8 additions & 0 deletions action.yml
@@ -75,6 +75,14 @@ inputs:
description: |-
Path of the directory containing the IaC files.
The path is relative to the repository root.
use_scan_path_when_pr:
required: false
default: "false"
description: |-
Specifies if files in scan_path should be scanned in context of a PR,
not only changed files. Otherwise, only files changed in context of PR
are scanned, which includes files outside of scan_path and excludes
unchanged files in scan_path. Default is false.
template_type:
required: true
description: |-
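Review bot: the description should state which values are accepted, because index.js compares the raw input string against the literal `'true'`; a workflow that passes `True`, `yes` or `1` silently gets the default behaviour with no warning. Either document "true or false" here or parse the input case-insensitively in index.js. The wording could also be tightened to "When true, scan every file under scan_path on pull_request events; when false (default), scan only the files changed in the PR, regardless of scan_path", and the "Default is false." sentence repeats the `default:` field above it.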
2 changes: 1 addition & 1 deletion dist/index.js
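Review bot: dist/index.js shows 1 addition and 1 deletion while index.js shows 2 additions and 1 deletion, so the bundled change may not mirror the source; confirm dist/index.js was regenerated from this index.js with the project's build step rather than edited by hand, since if the action's entry point is the bundle, that is the code that actually runs.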
3 changes: 2 additions & 1 deletion index.js
@@ -56,6 +56,7 @@ async function initAndScan() {
const failureCriteriaInput = core.getInput('failure_criteria');
const variablesInput = core.getInput('variables');
const variableFilesInput = core.getInput('variable_files');
const useScanPathWhenPr = core.getInput('use_scan_path_when_pr') == 'true'
let workspaceDir = github.context.workspace
if (typeof workspaceDir === 'undefined' || workspaceDir == null) {
workspaceDir = env.GITHUB_WORKSPACE
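Review bot: `core.getInput('use_scan_path_when_pr') == 'true'` is case-sensitive, so `True` or `TRUE` in a workflow silently leaves the option off; consider `core.getInput('use_scan_path_when_pr').toLowerCase() === 'true'` (or `core.getBooleanInput`, if the bundled @actions/core version provides it) so a mis-cased value is either honoured or rejected rather than ignored. The line is also missing the trailing semicolon that the surrounding `core.getInput` lines use.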
@@ -175,7 +176,7 @@ async function initAndScan() {
}

// get modified files
if (is_pr) {
if (is_pr && !useScanPathWhenPr) {
if (tokenMissing) {
core.warning('Without githubToken scan cannot be restricted to Pull Request changed files')
} else {
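Review bot: when `is_pr && useScanPathWhenPr` the code skips the changed-files branch and falls through to scanning the whole scan_path, but nothing in the log records that; add a `core.info` in that path (e.g. "use_scan_path_when_pr is set, scanning scan_path instead of PR changed files") so a run can be audited for which file set it actually evaluated. Skipping the "Without githubToken" warning in this mode is correct, since the token is only needed to restrict the scan to changed files.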
0 comments on commit 8794509