Scan GitHub Action

Description of the GitHub action workflow

nctl scan is used within the local CLI environment; however, its true potential is unlocked when it is used within CI pipelines. To facilitate its seamless integration into such workflows, a dedicated GitHub Action has been introduced and is now available through the GitHub Marketplace.

Scan action workflow

With the nctl scan action, nctl scan can be run in GitHub Actions to scan configuration files against policies that are defined centrally. After pulling the centrally defined policy files, a scan runs on the config files and determines whether those files pass or fail. In the case of a failure, the entire action can be configured to fail, meaning that the test pipeline fails and the user must fix the issue before merging the pull request. After scanning, the scan results are pushed to the NPM, which shows insights into how the different repositories are performing.

The platform or security team admins are responsible for defining the policies that an organization needs to adhere to. The policies are stored as YAML files in GitHub repositories or as OCI images in an OCI registry. These storage locations can be grouped into a central place for policy storage. The DevOps user or the IT team is responsible for managing the configuration files, be it a Kubernetes manifest or any JSON file stored in GitHub repositories.

A user who wants to make any changes to the deployment spec in these repositories creates a pull request, which is reviewed by the admin before it is merged into the repository. Before merging, several GitHub Actions run. GitHub Actions are workflows or pipelines that are triggered by the actions performed by the user.

Understanding the workflow manifest file

To have a look at the workflow manifest file, refer to the scan-outputs.yaml file in the .github/workflows section of the nctl-shift-left GitHub repository.

The part of the file that uses the nctl scan action available in the GitHub marketplace:

- name: nctl-scan-installer
  uses: nirmata/action-install-nctl-scan@v0.0.2

Different steps are added to the action that create the scan reports in different output formats.
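The workflow described above (pull the central policies, install nctl scan from the marketplace action, scan the manifests, fail the job on a violation), shown as an added example of a minimal pull-request check; this is not the scan-outputs.yaml from the nctl-shift-left repository. The policy repository name, the policies/ and manifests/ paths, and the nctl scan command-line flags in the last step are assumptions and should be checked against nctl scan --help.

```yaml
name: nctl-scan-pr-check

on:
  pull_request:
    paths:
      - "manifests/**"        # assumed: directory holding the Kubernetes manifests

permissions:
  contents: read              # the scan only needs to read the repository

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: checkout config repository
        uses: actions/checkout@v4

      - name: checkout central policy repository
        uses: actions/checkout@v4
        with:
          repository: example-org/central-policies   # placeholder, assumed name
          path: policies

      - name: nctl-scan-installer
        uses: nirmata/action-install-nctl-scan@v0.0.2  # pinned to the tag shown above

      - name: scan manifests against the central policies
        # Flags are assumed. A non-zero exit code from nctl scan fails this job,
        # so a failing policy check blocks the merge until the violation is fixed.
        run: nctl scan kubernetes --policies ./policies --resources ./manifests
```

Because the job runs on every pull request that touches manifests/, a violation is reported on the pull request itself rather than after the change has been merged.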