This GitHub Action runs Bridgecrew against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.
Use the Bridgecrew GitHub Action to scan for infrastructure-as-code misconfigurations, vulnerabilities and license issues in open source packages and images, and CI/CD misconfigurations. By signing up for a free Bridgecrew Community plan you can also view dashboards and reports. The community plan does not limit the number of scans or users you can invite to view the results.
bridgecrewio/bridgecrew-action@master
```yaml
- name: Run Bridgecrew
  id: Bridgecrew
  uses: bridgecrewio/bridgecrew-action@master
  with:
    api-key: ${{ secrets.BRIDGECREW_API_KEY }}
    directory: "example/examplea"
    check: CKV_AWS_1 # optional: run only a specific check_id; can be a comma-separated list
    skip_check: CKV_AWS_1 # optional: skip a specific check_id; can be a comma-separated list
    soft_fail: false
    framework: terraform # optional: run only on a specific framework {cloudformation,terraform,kubernetes,all}
    output_format: cli
    quiet: false
    external_checks_dirs: ./checkov
    download_external_modules: true # optional: download external Terraform modules from public git repositories and the Terraform registry
    log_level: DEBUG # optional: set log level. Default WARNING
    use_enforcement_rules: true # optional: use enforcement rule configs from the platform
```
Bridgecrew supports GitHub code scanning. An example workflow configuration can be found here.
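The following complete workflow is an added example, not one shipped with the action: it gates pull requests on the scan result and publishes findings to GitHub code scanning via SARIF. The `terraform/` directory, the `results/` output directory and the `results_sarif.sarif` file name are assumptions for this illustration; the upload step uses the separate `github/codeql-action/upload-sarif` action.

```yaml
name: Bridgecrew IaC scan

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Least-privilege token: the job only needs to read the repo
# and write code-scanning results (required for the SARIF upload).
permissions:
  contents: read
  security-events: write

jobs:
  bridgecrew:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Bridgecrew
        id: bridgecrew
        # The README references @master; pinning a released tag or a full commit SHA
        # makes the action itself reproducible and reviewable in your supply chain.
        uses: bridgecrewio/bridgecrew-action@master
        with:
          api-key: ${{ secrets.BRIDGECREW_API_KEY }}
          directory: terraform/          # assumed location of the IaC in this repo
          framework: terraform
          soft_fail: false               # failed checks fail the job, so the PR is blocked
          quiet: true                    # log only failed checks
          output_format: sarif
          output_file_path: results/     # assumed: directory the SARIF report is written to
          download_external_modules: true

      - name: Upload SARIF to GitHub code scanning
        # Run even when the scan step failed; otherwise findings that block the PR
        # would never reach the repository's Security tab.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results/results_sarif.sarif   # assumed file name; match what the action writes
```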
Parameter | Description | Required | Default | Type |
---|---|---|---|---|
api-key | Environment variable name of the Bridgecrew API key from the Bridgecrew app | No | | Secret parameter |
file | File to scan | No | | Input parameter |
directory | Root directory to scan | No | "." | Input parameter |
soft_fail | Run checks without failing the build | No | | Input parameter |
check | Filter the scan to run only the given check identifiers; multiple checks can be comma separated | No | | Input parameter |
skip_check | Run all checks except the given check identifiers (blacklist); multiple checks can be comma separated; clashes with check | No | | Input parameter |
quiet | Display only failed checks | No | | Input parameter |
external_checks_dirs | Directory from which custom checks are loaded | No | | Input parameter |
output_format | Output format: json, cli or sarif | No | | Input parameter |
output_file_path | Path for the file output | No | | Input parameter |
framework | Run only on a specific framework: cloudformation, terraform, kubernetes or all | No | | Input parameter |
download_external_modules | Download external Terraform modules from public git repositories and the Terraform registry | No | | Input parameter |
repo_root_for_plan_enrichment | Root directory containing the HCL templates used to generate the given Terraform plan file; use together with file | No | | Input parameter |
log_level | Set log level | No | WARNING | Input parameter |
Full reference docs here.
Reject pull requests containing infrastructure code configuration errors. Find and fix resources that might be a risk.