GitHub Code Scanning
Overview
Bridgecrew's GitHub Action can run as native GitHub Code Scanning to scan infrastructure-as-code (IaC) files. Enable code scanning in your repository and set up the Bridgecrew integration, and scan results appear inline in the Security tab in GitHub.

Bridgecrew IaC errors in the code scanning interface
Errors detected by Bridgecrew include the policy name as well as a link to additional guidance on how to fix each one.

Investigating a single error in the code scanning interface
Setup
- You will first need to ensure code scanning is enabled in your repo. For more information on how to enable code scanning, visit GitHub Docs.
- Once enabled, code scanning should appear in the menu on the left side of your screen.

Make sure code scanning is available by visiting the Security tab
- Go to the Actions tab and select New Workflow.

Select New Workflow
- The code scanning integration works by running the Bridgecrew GitHub Action and configuring it to emit results in the format GitHub expects (SARIF), which the `upload-sarif` action then uploads. Use the template YAML below to create the workflow. Make sure you use your Bridgecrew API Token and save it as a GitHub Secret named `API_KEY`; the workflow reads it as `${{ secrets.API_KEY }}` rather than embedding the token in the file. When finished, commit the changes to your main branch.

Add the bridgecrew-code-scanning-yaml
```yaml
# This is a workflow to help you set up Bridgecrew in GitHub code scanning
name: Bridgecrew

# Controls when the action will run. Triggers the workflow on push or pull request
# events, but only for the main branch
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "bridgecrew"
  bridgecrew:
    runs-on: ubuntu-latest
    # Least-privilege token: read the repo, write only to code scanning alerts
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v2
      - name: Run Bridgecrew
        id: Bridgecrew
        uses: bridgecrewio/checkov-action@master
        with:
          # API token stored as a repository secret, never committed to the repo
          api-key: ${{ secrets.API_KEY }}
          # soft_fail: findings are reported but do not fail the workflow
          soft_fail: true
      - name: Expose report
        uses: actions/upload-artifact@v2
        with:
          name: SARIF results
          path: results.sarif
      # Uploads results.sarif to GitHub repository using the upload-sarif action
      - uses: github/codeql-action/upload-sarif@v2
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif
```
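The workflow above hands a `results.sarif` file to `upload-sarif`, and everything the Security tab shows (policy name, help link, file and line) comes from that document. The following is an added example, not Bridgecrew's or GitHub's code, that parses a SARIF 2.1.0 file the way the Security tab reads it and summarizes what a run would upload; it is useful for inspecting the artifact saved by the "Expose report" step before relying on it. The embedded SARIF document is constructed for the example, and the tool name, rule ids (`EXAMPLE_S3_1`, `EXAMPLE_S3_2`) and `example.invalid` help URLs are placeholders, not real Bridgecrew policies. The field names (`runs[].tool.driver.rules`, `results[].ruleId`, `level`, `locations[].physicalLocation`) follow the SARIF 2.1.0 schema.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 sample (not real Bridgecrew output): three findings
# across two Terraform files, shaped like what an IaC scanner uploads.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "ExampleIaCScanner",  # placeholder tool name
            "rules": [
                {"id": "EXAMPLE_S3_1",
                 "shortDescription": {"text": "Bucket has no encryption"},
                 "helpUri": "https://example.invalid/policies/EXAMPLE_S3_1"},
                {"id": "EXAMPLE_S3_2",
                 "shortDescription": {"text": "Bucket logging is disabled"},
                 "helpUri": "https://example.invalid/policies/EXAMPLE_S3_2"},
            ],
        }},
        "results": [
            {"ruleId": "EXAMPLE_S3_1", "level": "error",
             "message": {"text": "Bucket has no encryption"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "main.tf"},
                 "region": {"startLine": 3, "endLine": 8}}}]},
            {"ruleId": "EXAMPLE_S3_2", "level": "warning",
             "message": {"text": "Bucket logging is disabled"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "main.tf"},
                 "region": {"startLine": 3, "endLine": 8}}}]},
            {"ruleId": "EXAMPLE_S3_1", "level": "error",
             "message": {"text": "Bucket has no encryption"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "modules/logs/main.tf"},
                 "region": {"startLine": 12, "endLine": 20}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten a SARIF document into one dict per result location, carrying
    the fields the GitHub Security tab displays: rule id, policy name,
    help link, file, line and level."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError("expected SARIF 2.1.0, got %r" % doc.get("version"))
    findings = []
    for run in doc.get("runs", []):
        # Rule metadata (policy name, help link) lives on the driver, keyed by id
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            # A result may carry several locations; report each separately
            for loc in res.get("locations", []) or [{}]:
                phys = loc.get("physicalLocation", {})
                findings.append({
                    "rule_id": res.get("ruleId"),
                    "policy": rule.get("shortDescription", {}).get(
                        "text", res["message"]["text"]),
                    "help": rule.get("helpUri"),
                    "file": phys.get("artifactLocation", {}).get("uri"),
                    "line": phys.get("region", {}).get("startLine"),
                    # SARIF treats a missing level as "warning"
                    "level": res.get("level", "warning"),
                })
    return findings


def summarize(findings):
    """Counts by level and by rule plus the touched files: what a reviewer
    checks first when the Security tab looks empty or unexpectedly full."""
    return {
        "by_level": dict(Counter(f["level"] for f in findings)),
        "by_rule": dict(Counter(f["rule_id"] for f in findings)),
        "files": sorted({f["file"] for f in findings}),
    }


def should_fail(findings, fail_on="error"):
    """The decision soft_fail: true switches off. With soft_fail the job
    always passes; a hard-fail policy would block on any finding whose
    level is at or above fail_on."""
    order = {"note": 0, "warning": 1, "error": 2}
    return any(order.get(f["level"], 1) >= order[fail_on] for f in findings)


if __name__ == "__main__":
    fs = load_findings(SAMPLE_SARIF)
    for f in fs:
        print("%-8s %-13s %s:%s  %s" % (
            f["level"], f["rule_id"], f["file"], f["line"], f["help"]))
    print(summarize(fs))
    print("would fail without soft_fail:", should_fail(fs))
```

Run it against the `SARIF results` artifact downloaded from a workflow run by replacing `SAMPLE_SARIF` with the file's contents; if `load_findings` returns an empty list while the scan logged findings, the action was not configured to emit SARIF, which is the usual reason the Security tab stays empty after a green run.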