.github/workflows/kics.yml

name: "KICS security and vulnerability scanner"

on:
  push:
    branches: main
  pull_request:
    branches: main
    paths-ignore:
      - "**/*.md"
      - "**/*.txt"
  schedule:
    - cron: "0 0 * * *"

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - uses: actions/checkout@v3

      - name: KICS scan
        uses: checkmarx/kics-github-action@master
        with:
          # Scanning directory .
          path: "."
          # Exclude paths or files from scan
          # exclude_paths: "api/irs-v1.0.yaml"
          exclude_paths: api-tests/irs-api-tests.tavern.yaml,charts/irs-environments/local/*
          # Fail on HIGH severity results
          fail_on: high
          # when provided with a directory on output_path
          # it will generate the specified reports file named 'results.{extension}'
          # in this example it will generate:
          # - results-dir/results.json
          # - results-dir/results.sarif
          output_path: kicsResults/
          output_formats: "json,sarif"
          # If you want KICS to ignore the results and return exit status code 0 unless a KICS engine error happens
          # ignore_on_exit: results
          # GITHUB_TOKEN enables this github action to access github API and post comments in a pull request
          # token: ${{ secrets.GITHUB_TOKEN }}
          # enable_comments: true
          # Exclude accepted results from the build
          exclude_results: "dda6420c385b33bef69f4db723fee4f469c93e851370c868a15af9bce5b3ec44,\
            03df1ef13c69b0ada26fc5bbf35eabca288c5c3c93c0f5d918e41f4951ca8795,\
            cd97103ed4e69cbeea5097168f744fdeffade5f6a5bf0b0f0b6bdaaa91b6815e,\
            724d6b5be1557dd1a6a2fb0e5c10ec0bcca20092c02fafad544c19a0b6d0e38f,\
            b8f92f3e5419d7e0bdefd956549b372fec72affbb25b735cbc59f0e9762f6943,\
            9cc9972d007cadc1b17d7ff64eb9aa66648c32997279c5b80c411abbcfbf3c5a,\
            663dfa114d46fb8eebf7e98ff0ba3f60f80b8059f8c170c12b07feb909b36f19,\
            edc4c9ac9ee139c0d7947410439b66e3c6290cb97a37d97a7519d3d5e56a5a84,\
            7f3e9461a3abdb7a281fdc736fb0827e69e9278ccd6b929bd32fc2d84336f68c,\
            10e4fff1f26f0a765423e35a7d8952363a6e8961a58e20b3017cd7818745eb36"
          # Exclude accepted queries from the build
          exclude_queries: "9f88c88d-824d-4d9a-b985-e22977046042,\
          00b78adf-b83f-419c-8ed8-c6018441dd3a,\
          8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85,\
          8c81d6c0-716b-49ec-afa5-2d62da4e3f3c,\
          2d8c175a-6d90-412b-8b0e-e034ea49a1fe"

      # Upload findings to GitHub Advanced Security Dashboard
      - name: Upload SARIF file for GitHub Advanced Security Dashboard
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: kicsResults/results.sarif
          
      - name: Archive results
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: kicsResults.json
          path: kicsResults/results.json