GitHub Action
Steampipe Check
This action runs Steampipe benchmarks and controls from Steampipe Mods.
When running checks for Infrastructure as Code (IaC) mods, this action will create annotations for any controls in alarm state provided they have an additional dimension providing the file path and a start line number in one of the following formats: path/filename.ext:23 or path/name.ext:23-25.
Note: In order to create annotations, the workflow job requires
checks: writeandpull-requests: writepermissions.
For a list of IaC mods, please see IaC mods.
See action.yml.
- name: Checkout repo
uses: actions/checkout@v3
- name: Setup Steampipe
uses: turbot/steampipe-action-setup@v1
with:
plugin-connections: |
connection "terraform" {
plugin = "terraform"
configuration_file_paths = [ "./**/*.tf" ]
}
- name: Run all Terraform AWS Compliance checks
uses: turbot/steampipe-action-check@v1
with:
mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance - name: Checkout repo
uses: actions/checkout@v3
- name: Setup Steampipe
uses: turbot/steampipe-action-setup@v1
with:
plugin-connections: |
connection "terraform" {
plugin = "terraform"
configuration_file_paths = [ "./**/*.tf" ]
}
- name: Run specific Terraform AWS Compliance checks
uses: turbot/steampipe-action-check@v1
with:
mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance
mod-checks: |
benchmark.s3
benchmark.kms
control.ecs_task_definition_encryption_in_transit_enabled - name: Checkout repo
uses: actions/checkout@v3
- name: Setup Steampipe
uses: turbot/steampipe-action-setup@v1
with:
plugin-connections: |
connection "aws_tf" {
plugin = "terraform"
configuration_file_paths = [
"cloud_infra/service_billing/aws/**/*.tf",
"cloud_infra/service_orders/aws/**/*.tf"
]
}
connection "gcp_tf" {
plugin = "terraform"
configuration_file_paths = [
"cloud_infra/service_billing/gcp/**/*.tf",
"cloud_infra/service_orders/gcp/**/*.tf"
]
}
- name: Run Terraform AWS Compliance checks
uses: turbot/steampipe-action-check@v1
with:
mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance
additional-args: '--search-path-prefix=aws_tf'
- name: Run GCP Terraform Compliance checks
uses: turbot/steampipe-action-check@v1
with:
mod-url: https://github.com/turbot/steampipe-mod-terraform-gcp-compliance
additional-args: '--search-path-prefix=gcp_tf' - name: Checkout repo
uses: actions/checkout@v3
- name: Setup Steampipe
uses: turbot/steampipe-action-setup@v1
with:
plugin-connections: |
connection "terraform" {
plugin = "terraform"
configuration_file_paths = [ "./**/*.tf" ]
}
- name: Run Terraform AWS Compliance v0.18 checks
uses: turbot/steampipe-action-check@v1
with:
mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance
mod-branch: v0.18This action can also be used to run benchmarks and controls in mods that don't scan IaC configuration files.
- name: Checkout repo
uses: actions/checkout@v3
- name: Setup Steampipe
uses: turbot/steampipe-action-setup@v1
with:
plugin-connections: |
connection "github" {
plugin = "github"
token = "${{ secrets.GITHUB_PAT }}"
}
- name: Steampipe Checks
uses: turbot/steampipe-action-check@v1
with:
mod-url: https://github.com/turbot/steampipe-mod-github-compliance
mod-checks: benchmark.cis_supply_chain_v100This example uses an IAM OIDC identity provider with an IAM role.
Note: In order to use OIDC the workflow job will require
id-token: writepermissions. For more information, please see Adding permission settings.
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Setup AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::1234567890:role/my-role
aws-region: us-east-1
- name: Setup Steampipe
uses: turbot/steampipe-action-setup@v1
with:
plugin-connections: |
connection "aws" {
plugin = "aws"
}
- name: Steampipe Checks
uses: turbot/steampipe-action-check@v1
with:
mod-url: https://github.com/turbot/steampipe-mod-aws-compliance
mod-checks: benchmark.cis_v200The check results can also be created and uploaded as snapshots to Turbot Pipes.
A snapshot is a saved view of benchmark and control results and may be shared with other Turbot Pipes users or with anyone that has the link.
Snapshot visibility is set by the pipes-snapshot-visibility input:
anyone_with_link- Snapshot is shareable with anyone.workspace- Snapshot is created in the user's default workspace. To save the snapshot to a different location, use--snapshot-locationin theadditional-argsinput.
- name: Checkout repo
uses: actions/checkout@v3
- name: Setup Steampipe
uses: turbot/steampipe-action-setup@v1
with:
plugin-connections: |
connection "terraform" {
plugin = "terraform"
configuration_file_paths = [ "./**/*.tf" ]
}
- name: Run AWS compliance on Terraform resources
uses: turbot/steampipe-action-check@v1
with:
mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance
pipes-snapshot-visibility: workspace
pipes-token: ${{ secrets.PIPES_TOKEN }}Variables can be passed into Steampipe multiple ways, for more information on how to pass in variables and what order they're loaded in, please see Passing Input Variables.
- name: Checkout repo
uses: actions/checkout@v3
- name: Setup AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::1234567890:role/my-role
aws-region: us-east-1
- name: Setup Steampipe
uses: turbot/steampipe-action-setup@v1
with:
plugin-connections: |
connection "aws" {
plugin = "aws"
}
- name: Run AWS Tags checks
uses: turbot/steampipe-action-check@v1
env:
# Variables can be passed in through env vars
SP_VAR_mandatory_tags: '["Application", "Environment", "Department", "Owner"]'
with:
mod-url: https://github.com/turbot/steampipe-mod-aws-tagsompliance
# Or with CLI flags
additional-args: "--var 'prohibited_tags=[\"Password\", \"Key\"]'"You can execute queries via Turbot Pipes, which is useful if you already have plugin connections setup in your workspaces.
The following example shows how to specify an implicit workspace within the additional-args input.
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Setup Steampipe
uses: turbot/steampipe-action-setup@v1
with:
plugin-connections: |
connection "aws" {
plugin = "aws"
}
- name: Steampipe Checks
uses: turbot/steampipe-action-check@v1
with:
mod-url: https://github.com/turbot/steampipe-mod-aws-compliance
pipes-token: ${{ secrets.PIPES_TOKEN }}
pipes-snapshot-visibility: workspace
# The workspace passed here in format <owner>/<workspace> needs to be accessible by your pipes-token
additional-args: '--workspace="username/default"'You can also set the workspace via the STEAMPIPE_WORKSPACE environment variable.
- name: Steampipe Checks
uses: turbot/steampipe-action-check@v1
env:
STEAMPIPE_WORKSPACE: 'username/default'
with:
mod-url: https://github.com/turbot/steampipe-mod-aws-compliance
pipes-token: ${{ secrets.PIPES_TOKEN }}
pipes-snapshot-visibility: workspacejobs:
steampipe-terraform-compliance:
strategy:
matrix:
include:
- cloud: "aws"
search_path: "aws_tf"
- cloud: "azure"
search_path: "azure_tf"
- cloud: "gcp"
search_path: "gcp_tf"
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Setup Steampipe
uses: turbot/steampipe-action-setup@v1
with:
plugin-connections: |
connection "aws_tf" {
plugin = "terraform"
configuration_file_paths = ["cloud_infra/terraform/aws/**/*.tf"]
}
connection "gcp_tf" {
plugin = "terraform"
configuration_file_paths = ["cloud_infra/terraform/gcp/**/*.tf"]
}
connection "azure_tf" {
plugin = "terraform"
configuration_file_paths = ["cloud_infra/terraform/azure/**/*.tf"]
}
- name: Run Terraform ${{ matrix.cloud }} Compliance
uses: turbot/steampipe-action-check@v1
with:
mod-url: 'https://github.com/turbot/steampipe-mod-terraform-${{ matrix.cloud }}-compliance'
additional-args: '--search-path-prefix=${{ matrix.search_path }}'