You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
GitHub Action
Mondoo Action
v0.6.0
A set of GitHub Action for using Mondoo to check for vulnerabilities and misconfigurations in your GitHub projects. Actions have been organized into different asset types that Mondoo supports. We currently support the following asset types:
- AWS - Scan AWS accounts for misconfigurations as a post-provisioning step in your pipeline.
- Docker Image - Scan Docker images vulnerabilities and misconfigurations before pushing to a container registry.
- GitHub Organization - Scan a GitHub organization and repositories for security configuration best practices.
- GitHub Repository - Scan a GitHub repository for security configuration best practices.
- Kubernetes - Scan Kubernetes Clusters post-deploy for continuous auditing and compliance of the cluster.
- Kubernetes Manifest - Scan Kubernetes manifests for misconfigurations before applying changes to the cluster.
- Policy - Publish Mondoo policies to Mondoo Platform using GitHub Actions.
- Setup - Install and configure Mondoo into any existing GitHub Action workflow.
- Terraform - Scan HashiCorp Terraform code for security misconfigurations.
All Mondoo GitHub Actions require a service account to authenticate with Mondoo Platform and run policies enabled for your assets in the Policy Hub.
To create a service account on Mondoo Platform:
- Log in to Mondoo Platform
- Select the Space you want to integrate with your repository.
- Click on Settings and then Service Accounts.
- Click ADD ACCOUNT.
- Select the Base64-encoded checkbox, and then click on the GENERATE NEW CREDENTIALS button.
- Copy the base64 encoded credentials and then move on to the next section.
- Click on Settings in your GitHub repository.
- Under the Security section click on Actions.
- Click New repository secret.
- Name the secret
MONDOO_SERVICE_ACCOUNT
and paste the base64 encoded credentials from the previous section into the value input. - Click Add secret.
Simple scan of nginx.yml Kubernetes manifest:
name: Mondoo Kubernetes Manifest scan
on:
push:
paths:
- "k8s/*.yaml"
jobs:
install:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: mondoohq/actions/kubernetes@main
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
path: k8s/*.yaml
Simple scan of Terraform files:
name: Mondoo Terraform scan
on:
push:
paths:
- "terraform/main.tf"
jobs:
steps:
- uses: actions/checkout@v3
- uses: mondoohq/actions/terraform@main
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
path: terraform
Build a Docker image before pushing to a registry:
name: docker-build-scan-push
on:
push:
env:
APP: myapp
VERSION: 0.1.0
jobs:
docker-build-scan-push:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to GHCR.io
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GHCR_TOKEN }}
- name: Build and export to Docker
uses: docker/build-push-action@v3
with:
context: .
load: true
tags: |
ghcr.io/${{github.repository_owner}}/${{env.APP}}:latest
ghcr.io/${{github.repository_owner}}/${{env.APP}}:${{env.VERSION}}
secrets: GIT_AUTH_TOKEN=${{ secrets.GIT_AUTH_TOKEN }}
- name: Scan Docker Image with Mondoo
uses: mondoohq/actions/docker-image@main
with:
service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
image: ghcr.io/${{github.repository_owner}}/${{env.APP}}:latest
- name: Build and push
uses: docker/build-push-action@v3
with:
context: .
tags: |
ghcr.io/${{github.repository_owner}}/${{env.APP}}:latest
ghcr.io/${{github.repository_owner}}/${{env.APP}}:${{env.VERSION}}
push: ${{ github.ref == 'refs/heads/main' }}
- name: Image Digest
run: echo ${{ steps.docker_build.outputs.digest }}