GitHub Actions Integration

Overview of Integrating GitHub Actions with InsightCloudSec IaC Scans

The InsightCloudSec Scan GitHub Action allows security and development teams to integrate infrastructure-as-code (IaC) security and compliance scans with their GitHub CI/CD pipelines. The Action is available at the GitHub Marketplace.

If you also use the GitHub Advanced Security (GHAS) module with the external Code Scanning feature, our bi-directional integration publishes the details of any InsightCloudSec (ICS) IaC scan findings back to GitHub as a SARIF report, so developers see these alerts alongside their other code-scanning alerts in one central place.

The following is an example of what our GitHub Action integration might look like:

on:
  pull_request:
    branches:
      - master
      - main

jobs:
  ics-scan-and-upload:
    name: InsightCloudSec repository scan with GitHub Advanced Security
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan the repository
        uses: rapid7/insightcloudsec-actions@v2
        with:
          api_key: ${{ secrets.ics_api_key }}
          base_url: ${{ secrets.ics_base_url }}
          config_name: AWS CIS Benchmark 1.4
      # the following is optional but recommended to surface results to GitHub Advanced Security
      - name: Upload the SARIF report to GitHub Advanced Security
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ics_scan.sarif
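
A hardened variant of the same workflow, added here as an example; it is not taken from the Rapid7 documentation or from the Action's own repository. It uses only the three inputs shown above, restricts the job's GITHUB_TOKEN to what `upload-sarif` needs, and pins each action to a commit SHA; the `<SHA_...>` values are placeholders to be replaced with the commits of the releases you have reviewed.

```yaml
on:
  pull_request:
    branches:
      - master
      - main

# Start from a token with no permissions; each job requests only what it needs.
permissions: {}

jobs:
  ics-scan-and-upload:
    name: InsightCloudSec repository scan with GitHub Advanced Security
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout only needs to read the repository
      security-events: write  # required by upload-sarif to create code-scanning alerts
      actions: read           # required by upload-sarif on private repositories
    steps:
      # Pin third-party actions to a full commit SHA instead of a mutable tag
      # so a moved tag cannot change what runs with access to the ICS API key.
      # <SHA_OF_...> are placeholders for the reviewed release commits.
      - uses: actions/checkout@<SHA_OF_CHECKOUT_V3>  # v3
        with:
          persist-credentials: false  # keep the token out of .git/config for later steps
      - name: Scan the repository
        uses: rapid7/insightcloudsec-actions@<SHA_OF_ICS_ACTION_V2>  # v2
        with:
          api_key: ${{ secrets.ics_api_key }}
          base_url: ${{ secrets.ics_base_url }}
          config_name: AWS CIS Benchmark 1.4
      # Upload runs even if the scan step fails, so partial results still reach GHAS.
      - name: Upload the SARIF report to GitHub Advanced Security
        if: always()
        uses: github/codeql-action/upload-sarif@<SHA_OF_CODEQL_ACTION_V2>  # v2
        with:
          sarif_file: ics_scan.sarif
          category: insightcloudsec-iac  # keeps these alerts separate from other SARIF uploads
```

Secrets are not exposed to `pull_request` runs triggered from forks, so such runs cannot authenticate to InsightCloudSec and the scan step will fail there; the `if: always()` upload is then harmless because there is no report to upload.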