# Copyright © TUM AET 2025 - 2025
#
# Licensed under the MIT License
#
# Authors: Benedikt Hofmann, Patrick Stoeckle, and other contributors
#
# SPDX-FileCopyrightText: 2025 TUM AET
#
# SPDX-License-Identifier: MIT
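---
# Reusable workflow: runs the KICS scanner over the calling repository's
# checkout, uploads the SARIF result to GitHub code scanning, and fails the
# job when the scan reported findings at or above the configured severity.
name: security linting using kics
on:  # yamllint disable-line rule:truthy -- GitHub's loader reads `on` as a key
  workflow_call:
jobs:
  kics:
    runs-on: ubuntu-latest
    # Least-privilege token: the job only needs to read the checkout, upload
    # code-scanning results and post PR comments (see enable_comments below).
    permissions:
      security-events: write  # upload-sarif
      actions: read           # upload-sarif on private repositories
      contents: read          # checkout
      pull-requests: write    # kics enable_comments
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - name: Lint Everything
        uses: checkmarx/kics-github-action@c06a133a98c75c2f920014d688015a5fb18095a4
        id: kics-action-scan
        with:
          path: ${{ github.workspace }}
          fail_on: critical,high,medium
          output_path: ${{ github.workspace }}
          token: ${{ github.token }}
          enable_comments: true
          output_formats: "sarif"
        # Do not stop the job here: the SARIF still has to be uploaded. The
        # last step turns the scan outcome into the job result.
        continue-on-error: true
      - name: Upload SARIF report files to GitHub
        # NOTE(review): the other actions are pinned to full commit SHAs; pin
        # this one the same way (`@<full-commit-sha> # v3`) so the job does not
        # follow a mutable tag.
        uses: github/codeql-action/upload-sarif@v3
        with:
          # Written by kics to output_path (the workspace root); the path is
          # resolved relative to the workspace.
          sarif_file: results.sarif
      # Ensure the workflow eventually fails if files did not pass the checks.
      - name: Verify kics succeeded
        shell: bash
        # `outcome` is the step's own result before continue-on-error is
        # applied (`conclusion` would always be success). The value is passed
        # through an env var instead of being interpolated into the script
        # body, which is the recommended pattern for `${{ }}` in run steps.
        env:
          KICS_OUTCOME: ${{ steps.kics-action-scan.outcome }}
        run: |
          echo "If this step fails, kics found issues. Check the output of the scan step above."
          [[ "$KICS_OUTCOME" == "success" ]]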