Kate_M
Community Manager
Article Id 334635
Description

When running GitHub Actions workflows that use the Lacework GitHub Action (lacework/lw-scanner), you may wish to trigger other actions based on the results it produces.

Scope

GitHub Pull Requests with Lacework GitHub Action (lacework/lw-scanner)

Solution

Out of the box, the Lacework GitHub Action can output its results in various forms, such as SAVE_BUILD_REPORT (HTML) and RESULTS_IN_GITHUB_SUMMARY (GitHub Markdown).

This document outlines how to trigger other GitHub Actions steps based on the result of the Lacework GitHub Action.

 

1) Generate a PR Comment

Custom scripting:

Script steps can be used in the GitHub workflow YAML to add comments to a pull request via pre-built actions such as actions/github-script.

Other comment-on-PR actions exist as well; any of them can be used to take the lw-scanner output and feed it as input to the added action.

Example action:

The following example YAML and its associated actions may also be of use:

- uses: lacework/lw-scanner-action@v1.4.0
  name: Scan container image for vulnerabilities using Lacework
  with:
    LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
    LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
    IMAGE_NAME: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
    IMAGE_TAG: ${{ env.GHA_SHA }}
    SAVE_RESULTS_IN_LACEWORK: true
    RESULTS_IN_GITHUB_SUMMARY: true

- name: Change formatting for PR
  run: |
    echo "# Lacework Inline Scanner Result" > pr-results.md
    echo "<pre>" >> pr-results.md
    cat results.stdout >> pr-results.md
    echo "</pre>" >> pr-results.md

- name: Comment PR
  uses: thollander/actions-comment-pull-request@v2
  with:
    filePath: pr-results.md

This approach formats the scanner results in Markdown and posts them to the PR comment feed.

2) Stop a build based on scan results

In addition to posting PR comments, you may wish to stop a build based on the results produced by the scanner.

By default, the lw-scanner action evaluates Lacework policies and returns an exit code of 1 if any attached policy is in blocking mode (that is, its "Action on failure" is set to Block).

Thus, you can organize your policies in Lacework and set the relevant ones to blocking; the scanner will then exit non-zero when it finds results for a blocking policy. This non-zero exit status fails the workflow step, which GitHub can use (for example via a required status check) to block actions such as merging the PR.
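The following workflow fragment is an added example (not part of the original article) that combines both sections above: because a non-zero exit from the scan step would otherwise stop the job before the formatting and comment steps run, it records the scanner's outcome with continue-on-error, posts the PR comment, and only then fails the job. The step id "scan", the pull_request event guard and the details/summary wrapper are assumptions of this example; the image, secret and results.stdout names follow the example above.

```yaml
# Added example: post the scan result to the PR even when a blocking
# policy makes lw-scanner exit non-zero, then fail the job afterwards.
- uses: lacework/lw-scanner-action@v1.4.0
  id: scan
  name: Scan container image for vulnerabilities using Lacework
  # Keep the job running so the comment steps below still execute;
  # steps.scan.outcome still records 'failure' when a blocking policy fires.
  continue-on-error: true
  with:
    LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
    LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
    IMAGE_NAME: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
    IMAGE_TAG: ${{ env.GHA_SHA }}
    SAVE_RESULTS_IN_LACEWORK: true
    RESULTS_IN_GITHUB_SUMMARY: true

- name: Change formatting for PR
  env:
    SCAN_OUTCOME: ${{ steps.scan.outcome }}
  run: |
    if [ "$SCAN_OUTCOME" = "success" ]; then
      echo "# Lacework Inline Scanner Result: no blocking policy violations" > pr-results.md
    else
      echo "# Lacework Inline Scanner Result: BLOCKED by policy" > pr-results.md
    fi
    echo "<details><summary>Scanner output</summary>" >> pr-results.md
    echo "<pre>" >> pr-results.md
    cat results.stdout >> pr-results.md
    echo "</pre>" >> pr-results.md
    echo "</details>" >> pr-results.md

- name: Comment PR
  if: github.event_name == 'pull_request'
  uses: thollander/actions-comment-pull-request@v2
  with:
    filePath: pr-results.md

# Re-apply the scanner's verdict after the comment is posted so the
# job (and any required status check on the PR) fails as intended.
- name: Fail the job if a blocking policy matched
  if: steps.scan.outcome != 'success'
  run: exit 1
```

Marking the job as a required status check in the repository's branch protection rules is what turns the failed step into a blocked merge.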
