support for complianceThreshold
slashben committed Jan 9, 2024
1 parent 1dd909c commit ec64e8d
Showing 2 changed files with 12 additions and 1 deletion.
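--- a/action.yml
+++ b/action.yml
@@ -6,6 +6,11 @@ inputs:
 Failure threshold is the percent above which the command fails and
 returns exit code 1 (default 0 i.e, action fails if any control fails)
 required: false
+complianceThreshold:
+description: |
+Compliance threshold is the percent bellow which the command fails and
+returns exit code 1 (example: if set to 100 the command will fail if any control fails)
+required: false
 severityThreshold:
 description: |
 Severity threshold is the severity of a failed control at or above which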
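Review bot: The `complianceThreshold` description does not mention that it cannot be combined with `failedThreshold`, although the entrypoint.sh change in this same commit exits with code 1 when both are set; a sentence such as `Cannot be used together with failedThreshold.` would spare users a failed run. The description also misspells "below" as "bellow". Unlike `failedThreshold`, it states no default, so it would help to add that the option is simply not passed to kubescape when the input is empty.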
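--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -99,7 +99,13 @@ account_opt=$([ -n "${INPUT_ACCOUNT}" ] && echo --account "${INPUT_ACCOUNT}" ||
 artifacts_path="/home/ks/.kubescape"
 artifacts_opt=$([ -n "${INPUT_ACCOUNT}" ] && echo "" || echo --use-artifacts-from "${artifacts_path}")
 
+if [ -n "${INPUT_FAILEDTHRESHOLD}" ] && [ -n "${INPUT_COMPLIANCETHRESHOLD}" ]; then
+echo "Both failedThreshold and complianceThreshold are specified. Please specify either one of them or neither"
+exit 1
+fi
+
 fail_threshold_opt=$([ -n "${INPUT_FAILEDTHRESHOLD}" ] && echo --fail-threshold "${INPUT_FAILEDTHRESHOLD}" || echo "")
+compliance_threshold_opt=$([ -n "${INPUT_COMPLIANCETHRESHOLD}" ] && echo --compliance-threshold "${INPUT_COMPLIANCETHRESHOLD}" || echo "")
 
 # When a user requests to fix files, the action should not fail because the
 # results exceed severity. This is subject to change in the future.
@@ -146,7 +152,7 @@ if [ -n "${INPUT_IMAGE}" ]; then
 fi
 
 # TODO: include artifacts_opt once https://github.com/kubescape/kubescape/issues/1040 is resolved
-scan_command="kubescape scan ${image_subcmd} ${frameworks_cmd} ${controls_cmd} ${scan_input} ${account_opt} ${fail_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions} ${controls_config}"
+scan_command="kubescape scan ${image_subcmd} ${frameworks_cmd} ${controls_cmd} ${scan_input} ${account_opt} ${fail_threshold_opt} ${compliance_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions} ${controls_config}"
 
 echo "${scan_command}"
 eval "${scan_command}"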
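Review bot: `INPUT_COMPLIANCETHRESHOLD` reaches `eval "${scan_command}"` without any validation: the new `compliance_threshold_opt` line copies the raw input into a string that the shell re-parses, so characters with shell meaning in the input would be interpreted instead of being handed to kubescape as a single argument. The input is documented as a percent, so it can be checked right after the mutual-exclusion test, for example `case "${INPUT_COMPLIANCETHRESHOLD}" in *[!0-9.]*) echo "complianceThreshold must be numeric" >&2; exit 1 ;; esac`. The `eval` itself and the same pattern for `INPUT_FAILEDTHRESHOLD` predate this commit and appear here only as context, so whether other inputs are validated elsewhere in the script cannot be told from these hunks. The new "Both failedThreshold and complianceThreshold" message would also be better sent to stderr with `>&2`.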
