GitHub Code Scanning

Overview

Bridgecrew's GitHub Action can run as a native GitHub code scanning tool for infrastructure-as-code (IaC) files. Enable code scanning in your repository and set up the Bridgecrew integration to receive the scan results inline, directly in the repository's Security tab in GitHub.

Bridgecrew IaC errors in the code scanning interface

Each error reported by Bridgecrew includes the name of the violated policy and a link to guidelines on how to fix it.

Investigating a single error in the code scanning interface
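What GitHub renders in the Security tab is read from the SARIF file the workflow uploads: rule ids and names, help links and file locations. The following added example (not code from the Bridgecrew docs or the checkov-action) parses a SARIF 2.1.0 report the same way, so you can inspect results.sarif locally before or after an upload. The embedded report is constructed for illustration: it follows the SARIF 2.1.0 schema, but its rule ids, names and URLs are placeholders, not real Bridgecrew policies. It also handles the one failure mode worth knowing about: a result with no location or no rule metadata, which cannot be placed as an alert.

```python
"""Summarize a SARIF 2.1.0 report the way the GitHub code scanning UI does.

Added example, not part of the Bridgecrew docs or the checkov-action. The
report below is constructed to follow the SARIF 2.1.0 schema; its rule ids,
names and help URLs are placeholders and do not refer to real policies.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample: two rules, four results, the last one with neither a
# rule entry nor a location (hypothetical rule id CKV_EXAMPLE_9).
SAMPLE_SARIF = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-iac-scanner",
            "rules": [
                {"id": "CKV_EXAMPLE_1",
                 "name": "Ensure the bucket has access logging enabled",
                 "shortDescription": {"text": "Ensure the bucket has access logging enabled"},
                 "helpUri": "https://docs.example.invalid/policies/CKV_EXAMPLE_1"},
                {"id": "CKV_EXAMPLE_2",
                 "name": "Ensure data at rest is encrypted",
                 "shortDescription": {"text": "Ensure data at rest is encrypted"},
                 "helpUri": "https://docs.example.invalid/policies/CKV_EXAMPLE_2"},
            ]}},
        "results": [
            {"ruleId": "CKV_EXAMPLE_1", "level": "error",
             "message": {"text": "Resource: aws_s3_bucket.logs"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "terraform/s3.tf"},
                 "region": {"startLine": 1, "endLine": 9}}}]},
            {"ruleId": "CKV_EXAMPLE_2", "level": "error",
             "message": {"text": "Resource: aws_s3_bucket.logs"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "terraform/s3.tf"},
                 "region": {"startLine": 1, "endLine": 9}}}]},
            {"ruleId": "CKV_EXAMPLE_2", "level": "warning",
             "message": {"text": "Resource: aws_s3_bucket.data"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "terraform/s3.tf"},
                 "region": {"startLine": 11, "endLine": 20}}}]},
            {"ruleId": "CKV_EXAMPLE_9", "level": "error",
             "message": {"text": "Result with no rule entry and no location"}},
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    rule_id: str
    rule_name: str
    level: str
    path: str          # repository-relative path, as code scanning expects
    start_line: int
    end_line: int
    message: str
    help_uri: str      # the "fix guideline" link shown next to the alert


def load_findings(sarif_text: str) -> list[Finding]:
    """Flatten every run/result/location triple into one Finding per alert."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version {doc.get('version')!r}")
    findings: list[Finding] = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId", ""), {})
            # A result may carry several locations (one alert each) or none at all.
            for loc in result.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                region = phys.get("region", {})
                start = int(region.get("startLine", 0))
                findings.append(Finding(
                    rule_id=result.get("ruleId", ""),
                    rule_name=rule.get("name") or rule.get("shortDescription", {}).get("text", ""),
                    level=result.get("level", "warning"),  # SARIF default level
                    path=phys.get("artifactLocation", {}).get("uri", ""),
                    start_line=start,
                    end_line=int(region.get("endLine", start)),
                    message=result.get("message", {}).get("text", ""),
                    help_uri=rule.get("helpUri", ""),
                ))
    return findings


def unplaceable(findings: list[Finding]) -> list[Finding]:
    """Findings with no file path or no rule metadata; these cannot be shown inline."""
    return [f for f in findings if not f.path or not f.rule_name]


def count_by_rule(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule_id for f in findings))


def render(findings: list[Finding]) -> str:
    """One line per alert, mirroring the policy name plus fix link in the UI."""
    out = []
    for f in findings:
        where = f"{f.path}:{f.start_line}-{f.end_line}" if f.path else "(no location)"
        out.append(f"[{f.level}] {f.rule_id} {f.rule_name or '(unknown rule)'} at {where}")
        if f.help_uri:
            out.append(f"    fix guide: {f.help_uri}")
    return "\n".join(out)


if __name__ == "__main__":
    found = load_findings(SAMPLE_SARIF)
    print(render(found))
    print("per rule:", count_by_rule(found))
    print("unplaceable:", [f.rule_id for f in unplaceable(found)])
```

To run it against a real report, replace SAMPLE_SARIF with the contents of results.sarif from the workflow artifact; any finding listed by unplaceable is one you should not expect to see as an inline alert.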

Setup

  1. Ensure code scanning is enabled for the repository. For instructions on enabling code scanning, see the GitHub Docs.

  2. Once enabled, code scanning appears in the left-hand menu of the Security tab.

Make sure code scanning is available by visiting the Security tab

  3. Go to the Actions tab and select New workflow.

Select New workflow

  4. The integration works by running the Bridgecrew GitHub Action and having it emit results in SARIF, the format GitHub code scanning ingests. Create the workflow from the YAML template below. Generate a Bridgecrew API token and store it as a repository secret named API_KEY (the name the template reads via secrets.API_KEY); never paste the token into the workflow file itself.

When finished, commit the workflow file to your main branch (the template triggers on pushes and pull requests to main).

Add the bridgecrew-code-scanning-yaml

# This is a workflow to help you set up Bridgecrew in GitHub code scanning

name: Bridgecrew

# Controls when the action will run. Triggers the workflow on push or pull request
# events, but only for the main branch.
# Note: workflows triggered by pull requests from forks do not receive repository
# secrets, so the api-key step below cannot authenticate on those runs.
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "bridgecrew"
  bridgecrew:
    runs-on: ubuntu-latest
    # Least-privilege token for the job: read the checkout, and write
    # code scanning alerts (security-events) so upload-sarif can succeed
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
    - uses: actions/checkout@v2
    - name: Run Bridgecrew
      id: Bridgecrew
      # @master tracks a mutable branch of a third-party action; pinning to a
      # release tag or, better, a full commit SHA gives a reproducible supply chain
      uses: bridgecrewio/checkov-action@master
      with:
        # API token read from the repository secret API_KEY; never inline it here
        api-key: ${{ secrets.API_KEY }}
        # Do not fail the job on findings, so the upload steps below still run
        # and the results show up as code scanning alerts rather than a red build
        soft_fail: true
    # The action writes results.sarif into the workspace; keep a copy as a build artifact
    - name: Expose report
      uses: actions/upload-artifact@v2
      with:
        name: SARIF results
        path: results.sarif
    # Uploads results.sarif to GitHub code scanning using the upload-sarif action
    - uses: github/codeql-action/upload-sarif@v2
      with:
        # Path to SARIF file relative to the root of the repository
        sarif_file: results.sarif