Merge pull request #9 from john-c-schneider/upload-scan-path-only
Zip and upload scan path only
yatin-panw authored Dec 3, 2021
2 parents 8794509 + 1893498 commit 99756e2
Showing 4 changed files with 20 additions and 2 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -69,6 +69,7 @@ jobs:
| failure_criteria<br />Default: `High:1,Medium:1,Low:1,Operator:or` | Enables you to evaluate scan results against set failure criteria to obtain failed or passed verdicts. You can set the count for high, medium, and low severity issues and use `and`/`or` operators to refine your criteria.<br />The IaC scan API checks each severity violation number separately against scan results and applies the operator to each evaluation.<br />The scan triggers a failure if the number of violations is greater than or equal to the failureCriteria values.<br />The Pipeline will be set the Failed if the failure criteria matches. |
| scan_path<br />Default: `./` | Path of the directory containing the IaC files.<br />The path is relative to the repository root. |
| use_scan_path_when_pr<br />Default: `false` | Specifies if files in scan_path should be scanned in context of a PR, not only changed files. Otherwise, only files changed in context of PR are scanned, which includes files outside of scan_path and excludes unchanged files in scan_path. Default is false. |
| upload_scan_path_only<br />Default: `false` | Specifies if only files in scan_path should be uploaded to be scanned. By default the entire GitHub workspace directory is zipped and uploaded. This option may be necessary if there are other files in the workspace directory besides IaC template files. Too many files may cause the action to timeout. Default is false. |
| variables | Template variables in comma separate key:value pairs.<br />Eg: `k1:v1,k2:v2` |
| variable_files | Comma separated list of variable file paths.<br />Paths are relative to the repository root.<br />Eg: `./var1.json,./var2.json` |
| create_issue<br />Default: `false` | If turned on an Issue will be created with the scan report.<br />Note: Only created on scan failure. |
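Review bot: the new upload_scan_path_only row leaves its interaction with use_scan_path_when_pr undocumented. The row above it says that in a PR context files changed outside scan_path are scanned, but with upload_scan_path_only set only the contents of scan_path are zipped and uploaded, so such files can no longer be scanned at all; one sentence stating that upload_scan_path_only limits PR change scanning to scan_path would spare users a surprising false negative. While this table is being touched, `The Pipeline will be set the Failed` in the failure_criteria row should read `The pipeline will be set to Failed`.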
9 changes: 9 additions & 0 deletions action.yml
@@ -83,6 +83,15 @@ inputs:
not only changed files. Otherwise, only files changed in context of PR
are scanned, which includes files outside of scan_path and excludes
unchanged files in scan_path. Default is false.
upload_scan_path_only:
required: false
default: "false"
description: |-
Specifies if only files in scan_path should be uploaded to be scanned.
By default the entire GitHub workspace directory is zipped and uploaded.
This option may be necessary if there are other files in the workspace
directory besides IaC template files. Too many files may cause the
action to timeout.
template_type:
required: true
description: |-
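Review bot: the description for upload_scan_path_only does not say which values are accepted, and index.js only recognises the exact string `true`, so `True`, `yes` or `1` would silently leave the option off. Suggest adding `Accepted values: true, false.` to the description, and keeping the wording identical to the README row so the two copies do not drift (the README copy ends with `Default is false.`, this one does not).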
2 changes: 1 addition & 1 deletion dist/index.js

Large diffs are not rendered by default.
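Review bot: dist/index.js shows 1 addition and 1 deletion while index.js gains 9 lines; if dist/index.js is the bundled copy the action runs, please confirm it was rebuilt from this source, otherwise the new input is documented but has no effect at runtime.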

10 changes: 9 additions & 1 deletion index.js
@@ -57,6 +57,7 @@ async function initAndScan() {
const variablesInput = core.getInput('variables');
const variableFilesInput = core.getInput('variable_files');
const useScanPathWhenPr = core.getInput('use_scan_path_when_pr') == 'true'
const uploadScanPathOnly = core.getInput('upload_scan_path_only') == 'true'
let workspaceDir = github.context.workspace
if (typeof workspaceDir === 'undefined' || workspaceDir == null) {
workspaceDir = env.GITHUB_WORKSPACE
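Review bot: `core.getInput('upload_scan_path_only') == 'true'` is an exact string match, so any other spelling of a true value is treated as false with no warning; @actions/core provides `core.getBooleanInput()`, which accepts the true/True/TRUE and false/False/FALSE forms and throws on anything else, and the same applies to the use_scan_path_when_pr line directly above. The new line also drops the trailing semicolon that the surrounding declarations use.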
@@ -80,6 +81,12 @@ async function initAndScan() {
if (!fs.existsSync(checkoutPath + '/' + scanPath)) {
throw "No file found at provided scan_path '" + scanPath + "'";
}
let uploadPath = checkoutPath
if (uploadScanPathOnly) {
uploadPath = checkoutPath + '/' + scanPath
scanPath = ''
}

let resultDir = core.getInput('result_path');
if (resultDir.startsWith('./')) {
resultDir = resultDir.substring(2);
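Review bot: `uploadPath = checkoutPath + '/' + scanPath` builds the path by string concatenation and never normalises it, so a scan_path of `./` yields `<checkout>/./` and a value such as `../` points outside the checkout, meaning the zip would include files above the repository root; `path.resolve(checkoutPath, scanPath)` followed by a check that the result still lies under checkoutPath would close that. Also note that `scanPath = ''` mutates the variable after the existsSync check, so any later use of scanPath in this function must expect the empty string in this mode; a comment explaining that the scan path becomes the zip root would help the next reader.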
@@ -172,6 +179,7 @@ async function initAndScan() {
workspaceDir: workspaceDir,
resultDir: resultDir,
checkoutPath: checkoutPath,
uploadPath: uploadPath,
zipName: 'scan-input.zip'
}
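Review bot: scanCtx now carries both checkoutPath and uploadPath with nothing saying how they differ; a one-line comment on the new field (uploadPath is the directory that gets zipped, equal to checkoutPath unless upload_scan_path_only is set) would save readers of scan() a trip back to this function.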

@@ -228,7 +236,7 @@ async function initAndScan() {

async function scan(scanCtx) {
core.info('Creating zip file in: ' + scanCtx.checkoutPath)
await zip(scanCtx.checkoutPath, scanCtx.zipName)
await zip(scanCtx.uploadPath, scanCtx.zipName)

core.info('Starting scan...')
const scanInitResult = await initScan(scanCtx)
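Review bot: the log message on the line before the zip call still reports `scanCtx.checkoutPath` while the zip is now built from `scanCtx.uploadPath`, so with upload_scan_path_only enabled the log names a directory that is not the one being uploaded; change it to `core.info('Creating zip file in: ' + scanCtx.uploadPath)`.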