GitHub Actions Integration

The InsightCloudSec Scan GitHub Action allows security and development teams to integrate infrastructure-as-code (IaC) security and compliance scans with their GitHub CI/CD pipelines. The Action is available at the GitHub Marketplace.

If you also use the GitHub Advanced Security (GHAS) module with the external Code Scanning feature, our bi-directional integration publishes the details of any InsightCloudSec (ICS) IaC scan findings back to GitHub in SARIF format, consolidating security alerts for developers in a central repository.

The following is an example of what our GitHub Action integration might look like:

```yaml
on:
  pull_request:
    branches:
      - master
      - main

jobs:
  ics-scan-and-upload:
    name: insightCloudSec repository scan with Github Advanced Security
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan the repository
        uses: rapid7/insightcloudsec-actions@v2
        with:
          api_key: ${{ secrets.ics_api_key }}
          base_url: ${{ secrets.ics_base_url }}
          config_name: AWS CIS Benchmark 1.4
      # the following is optional but recommended to surface results to Github Advanced Security
      - name: Upload the sarif report to Github Advanced Security
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ics_scan.sarif
```
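The upload step publishes `ics_scan.sarif` to GHAS; a team may also want to gate the pull request on the same report. The following is an added example and is not part of the InsightCloudSec Action: it reads a SARIF 2.1.0 file, skips results whose `kind` is not `fail`, applies the SARIF default level of `warning` when a failing result omits `level` (rule `defaultConfiguration` is ignored here), and returns a non-zero exit status when any result meets the threshold. The embedded sample, its rule ids and file paths are constructed.

```python
import json
import sys
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape, not real scanner output; rule ids
# are hypothetical. The third result omits "level", which SARIF defaults to
# "warning" for a failing result (rule defaultConfiguration ignored here).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-iac-scanner"}},
    "results": [
        {"ruleId": "X-S3-PUBLIC", "level": "error",
         "message": {"text": "S3 bucket allows public read"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "terraform/s3.tf"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "X-SG-OPEN", "level": "error",
         "message": {"text": "Security group allows 0.0.0.0/0 on 22/tcp"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "terraform/sg.tf"},
             "region": {"startLine": 4}}}]},
        {"ruleId": "X-TAGS", "message": {"text": "Missing required tags"}},
        {"ruleId": "X-ENC", "kind": "pass", "level": "none",
         "message": {"text": "Encryption at rest enabled"}},
    ]}]})

LEVELS = ("note", "warning", "error")  # SARIF severities, lowest first

def failing_results(sarif_text):
    """Yield (level, ruleId, uri, line) for each failing result in all runs."""
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            if r.get("kind", "fail") != "fail":  # pass/open/review: not findings
                continue
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            yield (r.get("level", "warning"), r.get("ruleId", "?"),
                   loc.get("artifactLocation", {}).get("uri", "?"),
                   loc.get("region", {}).get("startLine", 0))

def count_by_level(sarif_text):
    """Counter of failing results keyed by SARIF level."""
    return Counter(level for level, *_ in failing_results(sarif_text))

def should_fail(sarif_text, fail_on="error"):
    """Gate: True if any failing result is at or above the fail_on level."""
    counts = count_by_level(sarif_text)
    return any(counts[lvl] for lvl in LEVELS[LEVELS.index(fail_on):])

if __name__ == "__main__":  # usage: python sarif_gate.py ics_scan.sarif
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(1 if should_fail(text) else 0)
```

Run it as a step after the scan (before or alongside the upload, which keeps `if: always()` so the SARIF still reaches GHAS when the gate fails); lower `fail_on` to `warning` to block on the defaulted-level results as well.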