GitHub Code Scanning

Overview

Bridgecrew's GitHub Action can execute as native GitHub Code Scanning to scan infrastructure-as-code (IaC) files. You can enable code scanning in your repos and set up the Bridgecrew integration, to receive inline code scanning results directly into the Security tab in GitHub.

Bridgecrew IaC errors in the code scanning interface

Errors detected by Bridgecrew will include the policy names as well as links to additional guidelines for how to fix them.

Investigating a single error in the code scanning interface

Setup

  1. You will first need to ensure code scanning is enabled in your repo. For more information on how to enable code scanning, visit the GitHub Docs.

  2. Once enabled, code scanning should appear in the menu on the left side of your screen.

Make sure code scanning is available by visiting the Security tab

  3. Go to the Actions tab and select New Workflow.

Select New Workflow

  4. The code scanning integration works by running the Bridgecrew GitHub Action and configuring it to emit results in the format code scanning expects (SARIF). Use the template YAML below to create the action. Save your Bridgecrew API token as a GitHub Secret; the template reads it as `secrets.API_KEY`.

When finished, make sure to commit the changes to your main branch.

Add the bridgecrew-code-scanning-yaml

```yaml
# This is a workflow to help you set up Bridgecrew in GitHub code scanning

name: CI

# Controls when the action will run. Triggers the workflow on push or pull request
# events but only for the master branch
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "bridgecrew"
  bridgecrew:
    runs-on: ubuntu-latest
    steps:
      # NOTE: the refs after "@" (v2, master, v1) are assumed; the refs on the original
      # page were mangled during extraction. Pin each action to a release you have verified.
      - uses: actions/checkout@v2
      - name: Run Bridgecrew
        id: Bridgecrew
        uses: bridgecrewio/bridgecrew-action@master
        with:
          api-key: ${{ secrets.API_KEY }}
          # soft-fail keeps the job green even when policies fail; findings still
          # reach the Security tab through the SARIF upload below
          soft-fail: true
      - name: Expose report
        uses: actions/upload-artifact@v2
        with:
          name: SARIF results
          path: results.sarif
      # Uploads results.sarif to the GitHub repository using the upload-sarif action
      - uses: github/codeql-action/upload-sarif@v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif
```
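The workflow runs with `soft-fail: true`, so the job succeeds whatever the scan finds and the findings surface only in the Security tab. As an added example that is not part of this page or of Bridgecrew's action, the Python helper below reads the SARIF file, joins each result with its policy name and help link (the guideline links mentioned above), and gates on a finding budget; the sample SARIF document, policy ids and URLs are constructed placeholders.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document in the shape Bridgecrew emits (tool rules carrying a
# helpUri, results pointing at file/line). Policy ids, names and URLs are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Bridgecrew", "rules": [
            {"id": "EXAMPLE_POLICY_1", "name": "Ensure the bucket is encrypted at rest",
             "helpUri": "https://docs.example.invalid/policies/1"},
            {"id": "EXAMPLE_POLICY_2", "name": "Ensure SSH is not open to the world",
             "helpUri": "https://docs.example.invalid/policies/2"}]}},
        "results": [
            {"ruleId": "EXAMPLE_POLICY_1", "level": "error", "message": {"text": "failed"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "s3.tf"},
                                                 "region": {"startLine": 3}}}]},
            {"ruleId": "EXAMPLE_POLICY_1", "level": "error", "message": {"text": "failed"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "logs.tf"},
                                                 "region": {"startLine": 12}}}]},
            {"ruleId": "EXAMPLE_POLICY_2", "level": "error", "message": {"text": "failed"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sg.tf"},
                                                 "region": {"startLine": 8}}}]}]}]})

def load_findings(sarif_text):
    """Flatten every result into a dict joined with its rule's name and help link."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            # A result may carry several locations (or none); emit one finding per location.
            for loc in res.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                findings.append({"rule_id": res.get("ruleId"),
                                 "rule_name": rule.get("name", res.get("ruleId")),
                                 "help_uri": rule.get("helpUri"),
                                 "file": phys.get("artifactLocation", {}).get("uri"),
                                 "line": phys.get("region", {}).get("startLine")})
    return findings

def summarize(findings):
    """Counts per policy and per file, the two views a reviewer wants first."""
    return {"by_rule": Counter(f["rule_id"] for f in findings),
            "by_file": Counter(f["file"] for f in findings)}

def should_fail(findings, max_findings=0):
    """Gate to run after the soft-fail scan: True when findings exceed the budget."""
    return len(findings) > max_findings
```

In a workflow step you would call `should_fail(load_findings(open("results.sarif").read()))` and exit non-zero on True, which turns the otherwise soft-failing scan into a blocking check while keeping the Security tab upload.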
