From af30ea86b6be21c19e1e875df177a041273ec377 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D2=89=CE=B1k=CE=B1=20x=E2=A0=A0=E2=A0=B5?=
 <32862241+4k4xs4pH1r3@users.noreply.github.com>
Date: Wed, 31 Jan 2024 20:25:34 +0300
Subject: [PATCH] Create cloudrail.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: ҉αkα x⠠⠵ <32862241+4k4xs4pH1r3@users.noreply.github.com>
---
 .github/workflows/cloudrail.yml | 58 +++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 .github/workflows/cloudrail.yml

diff --git a/.github/workflows/cloudrail.yml b/.github/workflows/cloudrail.yml
new file mode 100644
index 000000000..d22d482bf
--- /dev/null
+++ b/.github/workflows/cloudrail.yml
@@ -0,0 +1,58 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Cloudrail
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '27 18 * * 6'
+
+jobs:
+  cloudrail:
+    name: Run Indeni Cloudrail on Terraform code with SARIF output
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@v3
+
+      # For Terraform, Cloudrail requires the plan as input. So we generate it using
+      # the Terraform core binary.
+      - uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: v0.13.2
+
+      - run: terraform init
+
+      - run: terraform plan -out=plan.out
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      # Confirm we have the plan file
+      - run: stat plan.out
+
+      - name: Run Cloudrail
+        uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622
+        with:
+          tf-plan-file: plan.out # This was created in a "terraform plan" step
+          cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app
+          cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
+        # is needed to ensure the SARIF file is uploaded
+        if: always()
+        with:
+          sarif_file: cloudrail_results.sarif