---
# action.yml
# Metadata for a Docker-based GitHub Action that runs Checkov against
# infrastructure-as-code. Everything under `inputs` is forwarded to the
# container by the `runs` section of this file (as args or env).
name: 'Checkov GitHub Action'
author: 'Chris Mavrakis'
description: 'Run Checkov against Terraform/CloudFormation infrastructure code, as a pre-packaged GitHub Action.'

inputs:
  directory:
    description: 'directory with infrastructure code to scan'
    required: false
    default: '.'

  # check / skip_check narrow which policies are evaluated; a skip list
  # reduces coverage, so changes to it deserve review.
  check:
    description: 'Run scan only on a specific check identifier (comma separated)'
    required: false
  skip_check:
    description: 'Run scan on all checks but a specific check identifier (comma separated)'
    required: false

  quiet:
    description: 'display only failed checks'
    required: false

  # The key name is kebab-case, unlike the other inputs; it is part of the
  # public interface and is exported as API_KEY_VARIABLE by `runs.env`.
  # NOTE(review): per the description this carries a variable *name*; make
  # sure callers never place the key itself in workflow YAML - confirm.
  api-key:
    description: 'Environment variable name of the Bridgecrew API key from Bridgecrew app'
    required: false

  # When set, failed checks no longer fail the job, so the scan stops acting
  # as a merge gate.
  soft_fail:
    description: 'do not return an error code if there are failed checks'
    required: false

  framework:
    description: 'run only on a specific infrastructure'
    required: false

  # External checks are pulled in from caller-chosen locations.
  # NOTE(review): treat these directories/repositories as trusted code
  # sources and pin repositories to a reviewed revision where possible.
  external_checks_dirs:
    description: 'comma separated list of external (custom) checks directories'
    required: false
  external_checks_repos:
    description: 'comma separated list of external (custom) checks repositories'
    required: false

  output_format:
    description: 'The format of the output. cli, json, junitxml, github_failed_only, or sarif'
    required: false
    default: 'sarif'

  # Enabling this makes the scan fetch third-party content over the network.
  download_external_modules:
    description: 'download external terraform modules from public git repositories and terraform registry:true, false'
    required: false

  log_level:
    description: 'log level'
    required: false
    default: 'WARNING'

  config_file:
    description: 'checkov configuration file'
    required: false

  # Findings recorded in the baseline are left out of the report.
  baseline:
    description: 'Path to a .checkov.baseline file to compare. Report will include only failed checks that are not in the baseline'
    required: false

  soft_fail_on:
    description: 'Do not return an error code only for specific check identifiers (comma separated)'
    required: false
  hard_fail_on:
    description: 'Return an error code only for specific check identifiers (comma separated)'
    required: false

  # The default of 0 is the root UID. Callers that do not need root should
  # pass a non-zero UID.
  container_user:
    description: 'Set the username or UID used and optionally the groupname or GID for the action to run under'
    required: false
    default: 0

outputs:
  results:
    description: 'The results from the infrastructure scan'

branding:
  icon: 'shield'
  color: 'purple'
runs:
  using: 'docker'
  # The image is referenced by tag. A tag can be re-pointed upstream;
  # pinning by digest (docker://bridgecrew/checkov@sha256:<digest>) makes
  # the scanner that runs in CI immutable.
  image: 'docker://bridgecrew/checkov:2.0.1140'
  # GitHub passes `args` to the container's ENTRYPOINT, in this order.
  # NOTE(review): the list looks positional, so presumably it must stay in
  # step with the image's entrypoint - confirm. hard_fail_on comes before
  # soft_fail_on here, the reverse of their declaration order under `inputs`.
  args:
    - '${{ inputs.directory }}'
    - '${{ inputs.check }}'
    - '${{ inputs.skip_check }}'
    - '${{ inputs.quiet }}'
    - '${{ inputs.soft_fail }}'
    - '${{ inputs.framework }}'
    - '${{ inputs.external_checks_dirs }}'
    - '${{ inputs.external_checks_repos }}'
    - '${{ inputs.output_format }}'
    - '${{ inputs.download_external_modules }}'
    - '${{ inputs.log_level }}'
    - '${{ inputs.config_file }}'
    - '${{ inputs.baseline }}'
    - '${{ inputs.hard_fail_on }}'
    - '${{ inputs.soft_fail_on }}'
    # NOTE(review): as an entry in `args` this string reaches the entrypoint
    # rather than the container runtime; confirm that it really changes the
    # user the scan runs as.
    - '--user ${{ inputs.container_user }}'
  env:
    # Exposes the `api-key` input to the container under this variable name.
    API_KEY_VARIABLE: '${{ inputs.api-key }}'