Merge pull request #1 from bugners/bug-fixes-and-updates

updates and fixes

Dockerfile

@@ -1,10 +1,10 @@
-FROM python:slim
+FROM python:3.11-slim
 
-ARG REVIEWDOG_VERSION="v0.11.0"
+ARG REVIEWDOG_VERSION="v0.16.0"
 ENV PATH $PATH:/usr/local/bin
 
 RUN apt-get update && \
-    apt install -y git curl
+    apt-get install -y git curl
 
 RUN curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b "/usr/local/bin/" "${REVIEWDOG_VERSION}" 2>&1
 

README.md

@@ -30,34 +30,44 @@ See [reviewdog documentation for exit codes](https://github.com/reviewdog/review
 Optional. Directory to run the action on, from the repo root.
 The default is `.` ( root of the repository).
 
+### `skip_check`
+
+Optional. Specify comma separated strings of checks that should be ignored.
+
+### `baseline`
+
+Optional. Allows you to include a baseline file with known findings that should be ignored.
+
+### `download_external_modules`
+
+Optional. Indicates whether any external modules should be downloaded.
+The default is `false`
+
 ## Example usage
 
 ```yml
 name: checkov-reviewdog
 on: [pull_request]
 jobs:
-  checkov-reviewdog:
-    name: runner / checkov-reviewdog
+  test:
     runs-on: ubuntu-latest
-
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
+    name: checkov-reviewdog-scan
     steps:
-      - name: Clone repo
-        uses: actions/checkout@master
-
-      # Minimal example
-      - name: checkov-reviewdog
-        uses: ishii1648/action-checkov-reviewdog@master
-        with:
-          github_token: ${{ secrets.github_token }}
-
-      # More complex example
+      - name: Checkout
+        uses: actions/checkout@v4
       - name: checkov-reviewdog
-        uses: ishii1648/action-checkov-reviewdog@master
+        uses: bugners/action-checkov-reviewdog@main
         with:
-          github_token: ${{ secrets.github_token }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           reporter: github-pr-review # Optional. Change reporter
           fail_on_error: "true" # Optional. Fail action if errors are found
           filter_mode: "nofilter" # Optional. Check all files, not just the diff
-          skip_check: "CKV_GCP_13" # Optional. Skip Check CKV
-          working_directory: "testdata" # Optional. Change working directory
+          working_directory: "."
+          skip_check: "CKV_GCP_13" # Optional. Skip specific checks
+          baseline: ".checkov.baseline" #Do not report results for checks in the baseline file
+          download_external_modules: false  # Optional. Try downloading any external modules
 ```

action.yml

@@ -1,5 +1,5 @@
 name: 'Checkov with Reviewdog GitHub Action'
-author: 'Ishii1648'
+author: 'bugners'
 description: 'Run Checkov with Reviewdog against Terraform/CloudFormation infrastructure code, as a pre-packaged GitHub Action.'
 inputs:
   github_token:
@@ -28,6 +28,13 @@ inputs:
   skip_check:
     description: 'Run scan on all checks but a specific check identifier (comma separated)'
     required: false
+  download_external_modules:
+    description: 'Enables checkov to download any external modules used in the terraform configuration'
+    default: 'false'
+  baseline:
+    description: 'Scan only reports failed checks that are new with respect to the provided baseline'
+    required: false
+    default: ''
 
 branding:
   icon: 'shield'
@@ -41,4 +48,6 @@ runs:
     INPUT_FILTER_MODE: ${{ inputs.filter_mode }}
     INPUT_FAIL_ON_ERROR: ${{ inputs.fail_on_error }}
     INPUT_WORKING_DIRECTORY: ${{ inputs.working_directory }}
-    INPUT_SKIP_CHECK: ${{ inputs.skip_check }}
+    INPUT_SKIP_CHECK: ${{ inputs.skip_check }}
+    INPUT_DOWNLOAD_EXTERNAL_MODULES: ${{ inputs.download_external_modules }}
+    INPUT_BASELINE: ${{ inputs.baseline }}

entrypoint.sh

@@ -1,15 +1,20 @@
 #!/bin/bash
 
 [[ ! -z "$INPUT_SKIP_CHECK" ]] && SKIP_CHECK_FLAG="--skip-check $INPUT_SKIP_CHECK"
+[[ ! -z "$INPUT_BASELINE" ]] && CHECK_BASELINE="--baseline $INPUT_BASELINE"
 
 export REVIEWDOG_GITHUB_API_TOKEN="${INPUT_GITHUB_TOKEN}"
 
-checkov -d $INPUT_WORKING_DIRECTORY $SKIP_CHECK_FLAG -o json \
+touch /tmp/output_file
+checkov -d $INPUT_WORKING_DIRECTORY $CHECK_BASELINE --download-external-modules $INPUT_DOWNLOAD_EXTERNAL_MODULES --quiet $SKIP_CHECK_FLAG -o json > /tmp/output_file
+checkov_return="${PIPESTATUS[0]}"
+
+cat /tmp/output_file \
     | python3 /parse.py \
     | reviewdog -efm="%f:%l: %m" -name="checkov" -reporter="${INPUT_REPORTER}" -fail-on-error="${INPUT_FAIL_ON_ERROR}" -filter-mode="${INPUT_FILTER_MODE}"
 
-checkov_return="${PIPESTATUS[0]}" reviewdog_return="${PIPESTATUS[2]}" exit_code=$?
-echo ::set-output name=checkov-return-code::"${checkov_return}"
-echo ::set-output name=reviewdog-return-code::"${reviewdog_return}"
+reviewdog_return="${PIPESTATUS[2]}" exit_code=$?
+echo "checkov-return-code=${checkov_return}" >> $GITHUB_OUTPUT
+echo "reviewdog-return-code=${reviewdog_return}" >> $GITHUB_OUTPUT
 
 exit $exit_code

parse.py

@@ -1,20 +1,27 @@
 import json, sys
+from os import isatty
 
 def main():
+
     data = json.load(sys.stdin)
-    failed_checks = data["results"].get("failed_checks")
+    if isinstance(data, list) and 'failed_checks' in data[0]["results"]:
+        failed_checks = data[0]["results"].get("failed_checks")
+    elif isinstance(data, dict):
+        if 'results' in data:
+            failed_checks = data["results"].get("failed_checks")
+        else:
+            exit(0)
     if failed_checks is None:
         exit(0)
 
     for failed_check in failed_checks:
         check_id = failed_check["check_id"]
-        file_name = failed_check["file_path"].replace('/', '')
+        file_name = failed_check["file_path"]
         line_number = failed_check["file_line_range"][0]
         error_message = failed_check["check_name"]
         print('{}:{}: [{}] {}'.format(file_name, line_number, check_id, error_message))
 
     exit(1)
 
-
 if __name__ == "__main__":
     main()

requirements.txt

@@ -1 +1 @@
-checkov==1.0.861
+checkov==3.1.40