Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: file-by-file checks for Pull Requests #31

Draft
wants to merge 34 commits into
base: master
Choose a base branch
from
Draft

Feature Request: file-by-file checks for Pull Requests #31

wants to merge 34 commits into from

Conversation

libertyy
Copy link
Contributor

@libertyy libertyy commented Mar 9, 2021

This github action will do full scans against the target repo when a commit is merged into a main/release branch. This action will scan only those files changed in a PullRequest.

this resolves: #16

To test:
In a GitHub PR, this action will report that it scanned only those files (or no files scanned) changed in a PR. When the PR is merged into main, the action will run a full-scan on the target repo.

libertyy and others added 30 commits August 31, 2020 17:35
@libertyy
Merge pull request #1 from bridgecrewio/master
2df0148 
Merge upstream 1.0.512
@libertyy
scan only changed files
2c7c24b
@libertyy
allow this to be published for testing purposes
036dd23
@libertyy
Update action.yml
81ec058
@libertyy
Update action.yml
4ec5e53
@libertyy
undo change to action.yml
52d7e87
@libertyy
GITHUB_HEAD_REF is empty, then not a PR. do dir check
3cb4015
@libertyy
debug flag
293c1f0
@libertyy
cd into the directory before running git commands
eb6a5b7
@libertyy
debug
605a1a7
@libertyy
debug
a143a06
@libertyy
tr line endings into spaces
959976f
@libertyy
munge git output into a bash array
2dc4b61
@libertyy
cleanup on git output
486ed42
@libertyy
remove debug
06748d3
@libertyy
use INPUT_DIRECTORY in both PR or full scan mode
c8e9549
@libertyy
default's with input_directory
c3a97d9
@libertyy
try this
8ec3979
@libertyy
Merge remote-tracking branch 'upstream/master'
7cefda6
@libertyy
Merge branch 'master' into feat/pr_only_scans_changed_files
f4545a5
@libertyy
upgrade checkov to latest
6f97797
@libertyy
remove set -x and add version check
be5e4c9
@libertyy
git diff to exclude deleted files
ea086b6
@libertyy
debug
43b03c1
@libertyy
flip the git diff references to properly exclude deletes
63d7773
@libertyy
remove debug
5137a76
@libertyy
flip references to correct order
c8f916e
@libertyy
bump up version
70e7237
@libertyy
Merge pull request #2 from libertyy/feat/pr_only_scans_changed_files
796c7ec 
Feat/pr only scans changed files
@conuigwe
Updated checkov version in requirement.txt
af707aa
@nwhobart
Copy link

When the PR is merged into main, the action will run a full-scan on the target repo.

Is this something that could be optional with a flag? For us monorepo folks this could be quite time-consuming.

billyjbryant
billyjbryant reviewed Oct 23, 2023
View reviewed changes
action.yml
@@ -1,7 +1,7 @@
# action.yml
name: 'Checkov Github Action'
author: 'Chris Mavrakis'
description: 'Run Checkov against Terraform/CloudFormation infrastructure code, as a pre-packaged Github Action.'
author: 'Chris Mavrakis, Libertyy'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Contributors should not add themselves as author for making singular changes.

entrypoint.sh
do
SCAN_FILES_FLAG="$SCAN_FILES_FLAG -f $f"
done
checkov $SCAN_FILES_FLAG $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $FRAMEWORK_FLAG $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it be more efficient to copy the $DIFF_FILES to a temporary directory and scan all of them at once instead of individually? For mono-repos this could be a very time consuming (and thus costly) change.

entrypoint.sh
echo "running checkov on directory: $1"
checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $FRAMEWORK_FLAG $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG

echo $(checkov --version )
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are you arbitrarily echoing the version here with no added context. If this was intended for debugging, it is best to remove it.

@Saarett
Copy link
Contributor

Saarett commented Nov 8, 2023

@libertyy Hey, are you still planning on working on this PR, or can I close it?

@krewenki
Copy link

krewenki commented Nov 9, 2023

@Saarett @libertyy I stumbled on this as i'm trying to run the action in a monorepo with hundreds of individual terraform roots. If this PR is dead, i'd like to open one pursuing the same objective (scan only directories that were modified by the PR, not the entire repository)

@billyjbryant
Copy link
Contributor

@krewenki I would say go for it, if there are competing PRs its all about which one gets there (as in gets past approvals) and does the job the best way, first.

One thing I'd contribute, is make this type of scan optional, possibly via an input or envar that sets a flag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@billyjbryant billyjbryant billyjbryant left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Feature Request: file-by-file checks for Pull Requests
6 participants
@libertyy @nwhobart @Saarett @krewenki @billyjbryant @conuigwe