Skip to content

Qualys/github_action_qiac

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits

LICENSE

LICENSE

 
 

README.md

README.md

 
 

action.yml

action.yml

 
 

dockerfile

dockerfile

 
 

entrypoint.sh

entrypoint.sh

 
 

resultParser.py

resultParser.py

 
 

Repository files navigation

Qualys IaC GitHub Action

Description

Qualys IaC GitHub action is used to scan the Infrastructure-as-Code templates in your GitHub repository using Qualys CloudView (Cloud Security Assessment). It checks for security issues using the Qualys Cloud Infrastructure as Code Scan and displays the failed checks as pipeline annotations.

Note: Qualys IaC GitHub action supports below file formats for scanning.

  • Terraform supported extensions: .tf, .json
  • CloudFormation supported extensions: .template, .yml, .yaml

How to use the Qualys IaC GitHub Action

  1. Visit GitHub configuration a workflow to enable Github Action in your repository.
  2. Subscribe to Qualys CloudView and obtain Qualys credentials.
  3. Create GitHub Secrets for Qualys URL, Qualys Username and Qualys Password. Refer to Encrypted secrets for more details on how to setup secrets.
  4. Configure your workflow. In the actions section use Qualys/github_action_qiac@main Note: the actions/checkout step is required to run before the scan action, otherwise the action does not have access to the IaC files to be scanned.
  5. Optionally, supply parameters to customize GitHub action behaviour.

Usage Examples

Scan IaC in your repository on push event

Note: In case of push event, the scan scope will be limited to the changed or newly added files only. This is to avoid the unnecessary scanning of files which are not part of this push event.

name: Qualys IAC Scan 
on:
  push:
    branches:
      - main
jobs:
    Qualys_iac_scan:
        runs-on: ubuntu-latest
        name: Qualys IaC Scan
        steps:
          - name: Checkout
            uses: actions/checkout@v2 
            with:
                fetch-depth: 0
    
          - name: Qualys IAC scan action step
            uses: Qualys/github_action_qiac@main
            id: qiac
            env:
                URL: ${{ secrets.URL }}
                UNAME: ${{ secrets.USERNAME }}
                PASS: ${{ secrets.PASSWORD }}

Scan IaC in your repository on pull request event

Note: In case of pull request event, the scope of scan will be limited to the files included in the pull request only. This is to avoid the unnecessary scanning of files which are not part of this pull request.

name: Qualys IAC Scan 
on:
  pull_request:
    branches:
      - main 
jobs:
    Qualys_iac_scan:
        runs-on: ubuntu-latest
        name: Qualys IaC Scan
        steps:
          - name: Checkout
            uses: actions/checkout@v2 
            with:
                fetch-depth: 0
    
          - name: Qualys IAC scan action step
            uses: Qualys/github_action_qiac@main
            id: qiac
            env:
                URL: ${{ secrets.URL }}
                UNAME: ${{ secrets.USERNAME }}
                PASS: ${{ secrets.PASSWORD }}

Scan IaC in your repository on scheduled event

Note: In case of scheduled event, the path given in directory input will be scanned. In case the path is not given, the entire repository will be scanned.

name: Qualys IAC Scan 
on:
  schedule:
    - cron:  '*/5 * * * *'
jobs:
    Qualys_iac_scan:
        runs-on: ubuntu-latest
        name: Qualys IaC Scan
        steps:
          - name: Checkout
            uses: actions/checkout@v2 
            with:
                fetch-depth: 0
    
          - name: Qualys IAC scan action step
            uses: Qualys/github_action_qiac@main
            id: qiac
            env:
                URL: ${{ secrets.URL }}
                UNAME: ${{ secrets.USERNAME }}
                PASS: ${{ secrets.PASSWORD }}
            with:
              directory: 'path of directory to scan (optional)'

Scan IaC in your repository on manual trigger

Note: In case of workflow_dispatch event or manual trigger, the path given in directory input will be scanned. In case the path is not given, the entire repository will be scanned.

name: Qualys IAC Scan 
on: workflow_dispatch
jobs:
    Qualys_iac_scan:
        runs-on: ubuntu-latest
        name: Qualys IaC Scan
        steps:
          - name: Checkout
            uses: actions/checkout@v2 
            with:
                fetch-depth: 0
    
          - name: Qualys IAC scan action step
            uses: Qualys/github_action_qiac@main
            id: qiac
            env:
                URL: ${{ secrets.URL }}
                UNAME: ${{ secrets.USERNAME }}
                PASS: ${{ secrets.PASSWORD }}
            with:
              directory: 'path of directory to scan (optional)'

Scan IaC in your repository on push/pull request/scheduled event with the step of uploading SARIF file on GitHub.

Note: Upload SARIF file Step will upload your scan report on GitHub and it will show all security alerts(if any) under Security -> Code scanning alerts tab.

name: Qualys IAC Scan 
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main 
  schedule:
    - cron:  '*/5 * * * *'
jobs:
    Qualys_iac_scan:
        runs-on: ubuntu-latest
        name: Qualys IaC Scan
        steps:
          - name: Checkout
            uses: actions/checkout@v2 
            with:
                fetch-depth: 0
    
          - name: Qualys IAC scan action step
            uses: Qualys/github_action_qiac@main
            id: qiac
            env:
                URL: ${{ secrets.URL }}
                UNAME: ${{ secrets.USERNAME }}
                PASS: ${{ secrets.PASSWORD }}
            with:
              directory: 'path of directory to scan (optional)'
          
          - name: Upload SARIF file
            uses: github/codeql-action/upload-sarif@v1
            if: always() 
            with:
                 sarif_file: response.sarif

Prerequisites for Qualys IaC GithHub Action

  1. Valid Qualys Credentials and subscription of Qualys CloudView module.
  2. Use of actions/checkout@v2 with fetch-depth: 0 before calling Qualys IaC GitHub action.
  3. Qualys URL, Qualys Username , Qualys Password to be added in secrets and provided as environment variables to the Qualys IaC GitHub action.
  4. Self-hosted runners must use a Linux operating system and have Docker installed to run this action.

GitHub action Parameters

Parameter Description Required Default Type
directory IaC root directory to scan. If not provided then entire repository will be scanned in case of manual or scheduled action trigger No "." Input parameter

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

2 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases 1

v1.0.0 Latest
May 25, 2022

Packages

No packages published

Contributors 2

  •  
  •  

Languages