Posture Control (ZPC)

Configuring IaC Scan for GitHub Actions

This article provides step-by-step instructions for integrating the Zscaler IaC Scan action with GitHub Actions.

The Zscaler IaC Scan action plugin scans the Terraform, Kubernetes, CloudFormation, and ARM templates in your code repositories and identifies security misconfigurations. The IaC Scan action automatically triggers a scan when you run a workflow in GitHub Actions, identifies configuration errors and security policy violations, and displays the scan results within the code. You can resolve the issues, ensure the code complies with your security policies, and then merge the code.

Prerequisites

Use only the supported operating systems; otherwise, the IaC integration fails.

Configuring the Zscaler IaC Scan Action for GitHub Actions

To configure the Zscaler IaC Scan action for GitHub Actions:

  1. Go to Administration > Version Control & CI/CD Systems.
  2. On the IaC Integrations page, click Add IaC Integration.
  3. Under General Information:
     • For IaC Scanner Type, select CI/CD.
     • For Platform, select GitHub Actions.
  4. Click Next.
  5. Under Configuration:
     a. Enter a unique name for your GitHub Actions integration, then click Confirm.
     b. Copy and save the autogenerated Client ID and Client Secret Key; the secret key is shown only once on this page. Click Regenerate if you want another client secret key.
  6. Click the link to install the plugin from the GitHub Marketplace.
     a. Sign in to your GitHub account.
     b. Navigate to your repository, then click Settings.
     c. In the left-side navigation, click Secrets and variables > Actions.
     d. Create GitHub secrets to store the client ID and client secret key. You can create GitHub secrets at the repository or organization level.
        i. On the Actions secrets and variables page, click New repository secret.
        ii. Create two secrets:
           • Enter the Name (e.g., ZPC_CLIENT_ID). In the Value field, paste the client ID you copied from the ZPC Admin Portal.
           • Enter the Name (e.g., ZPC_CLIENT_SECRET). In the Value field, paste the client secret key you copied from the ZPC Admin Portal. Use the same names in the YAML workflow file. To learn more about secrets, see the GitHub documentation.
     e. Click Add Secret.
     f. Click the Security tab.
     g. Under Security overview, click Set up code scanning. This automatically creates a custom code scanning configuration; after you enable the actions, your repository is scanned.
     h. Click Enable Actions.
     i. Click Save.
     j. Add a YAML file to the .github/workflows/ directory to start the scan. A sample file is provided below. You can also include these steps in an existing workflow, if required:

        name: Zscanner IaC Scan
        on:
          push:
            branches: [ $default-branch, $protected-branches ]
          pull_request:
            branches: [ $default-branch ]
        jobs:
          zscaler-iac-scan:
            runs-on: ubuntu-latest
            steps:
              - name: Code Checkout
                uses: actions/checkout@v2
              - name: Zscaler IAC Scan
                uses: ZscalerCWP/Zscaler-IaC-Action@v1.5.1
                id: zscaler-iac-scan
                with:
                  client_id: ${{ secrets.ZSCANNER_CLIENT_ID }}
                  client_secret: ${{ secrets.ZSCANNER_CLIENT_SECRET }}
                  region: 'US'
                  iac_dir: 'IAC directory path from root'
                  iac_file: 'IAC file path from root'
                  output_format: 'sarif'
                  fail_build: 'false'
              - name: Upload SARIF file
                if: ${{ steps.zscaler-iac-scan.outputs.sarif_file_path != '' }}
                uses: github/codeql-action/upload-sarif@v2
                with:
                  sarif_file: ${{ steps.zscaler-iac-scan.outputs.sarif_file_path }}

     k. Commit these changes and push them to your GitHub repository.

     The Zscaler IaC Scan action is installed in your repository and runs automatically each time you push a change to the repository.

     Configuration Parameters

     • client_id and client_secret: Generated on the ZPC Admin Portal. See step 5b.

     In the YAML file, the following format is used:

     • secrets.ZSCANNER_CLIENT_ID: Replace ZSCANNER_CLIENT_ID with the name of the repository secret you added earlier. For example, secrets.ZPC_CLIENT_ID.
     • secrets.ZSCANNER_CLIENT_SECRET: Replace ZSCANNER_CLIENT_SECRET with the name of the repository secret you added earlier. For example, secrets.ZPC_CLIENT_SECRET.
     • region: The region (US or EU) where you use ZPC. The value is case sensitive.
     • iac_dir (optional): Directory path from the root on which you want to trigger the IaC scan. If you don't specify the directory, ZPC scans the entire repository.
     • iac_file (optional): File path from the root on which you want to trigger the IaC scan. This path is not required when iac_dir is present. If you don't specify the file, ZPC scans the entire repository.
     • output_format: The IaC scan results are written in the file format specified in the YAML file and placed in the workspace where the code is checked out during the job. The supported formats are 'json', 'yaml', 'sarif', 'human', 'json+github-sarif', and 'human+github-sarif'. To learn more about the SARIF format, see the GitHub documentation.
     • fail_build: Set this value to 'true' or 'false'. Set it to 'false' if the Zscaler IaC Scan action should not fail the workflow build even when the scan finds severe violations.
     • sarif_file_path: Output of the action; the path to the generated SARIF file in the workspace.
     • scan_status: Output of the action; the final status (passed or failed) of the IaC scan.
  7. After completing the configuration, return to the ZPC Admin Portal and click Finish.

The GitHub Actions integration is displayed on the Version Control & CI/CD Systems page.
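The fail_build input above is all-or-nothing. The following script is an added example (not Zscaler documentation or the action's own code) of how a later workflow step could read the file named by the sarif_file_path output and fail only at or above a chosen severity; the embedded SARIF is constructed sample data in the standard SARIF 2.1.0 shape, and its rule IDs and paths are illustrative, not real ZPC policy identifiers.

```python
# Added example (not Zscaler documentation or the action's own code): a severity gate over the
# SARIF written with output_format: 'sarif', finer than the all-or-nothing fail_build input.
import json
import sys
from collections import Counter

# SARIF result levels, least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def _result(rule, level, text, uri, line):
    # One SARIF 2.1.0 result object for the constructed sample below.
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

# Constructed sample SARIF; rule IDs and paths are illustrative, not real ZPC policy IDs.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "constructed-sample"}},
    "results": [
        _result("POLICY-EXAMPLE-1", "error", "S3 bucket allows public read", "terraform/s3.tf", 12),
        _result("POLICY-EXAMPLE-2", "warning", "SSH open to 0.0.0.0/0", "terraform/sg.tf", 4),
        _result("POLICY-EXAMPLE-3", "note", "Resource missing 'owner' tag", "k8s/deploy.yaml", 1),
    ]}]})

def load_results(sarif_text):
    """Flatten every result of every run into (ruleId, level, uri, startLine) tuples."""
    rows = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            rows.append((res.get("ruleId", "?"),
                         res.get("level", "warning"),  # SARIF default when level is absent
                         loc.get("artifactLocation", {}).get("uri", "?"),
                         loc.get("region", {}).get("startLine")))
    return rows

def count_by_level(rows):
    return dict(Counter(level for _, level, _, _ in rows))

def should_fail(rows, threshold="error"):
    """True when any finding is at or above the threshold severity."""
    return any(LEVEL_RANK.get(lvl, 0) >= LEVEL_RANK[threshold] for _, lvl, _, _ in rows)

if __name__ == "__main__":
    # Usage: python sarif_gate.py <file from the action's sarif_file_path output> [threshold]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    threshold = sys.argv[2] if len(sys.argv) > 2 else "error"
    rows = load_results(text)
    print(count_by_level(rows))
    sys.exit(1 if should_fail(rows, threshold) else 0)
```

Run with fail_build set to 'false' in the scan step, so that this step, rather than the action, decides whether the workflow fails.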

Viewing the IaC Scan Results

The IaC Scan action identifies security misconfigurations and displays policy violations within the code.

You can see the total number of policies evaluated, along with the passed and failed findings. This information indicates whether the code is free of violations for the policies evaluated, or whether none of the policies were evaluated for this resource.

The ZPC service generates alerts for the specific policy violations detected during the scan. You can view the list of alerts and policy violations in the ZPC Admin Portal. To learn more, see About Alerts.
