Skip to content

query(terraform): unrestricted_security_group_ingress #254

query(terraform): unrestricted_security_group_ingress

query(terraform): unrestricted_security_group_ingress #254

name: validate-issues
on:
issues:
types: [opened, edited, reopened]
jobs:
title-check:
runs-on: ubuntu-latest
env:
BODY: ${{ github.event.issue.body }}
TITLE: ${{ github.event.issue.title }}
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
sparse-checkout: |
.github/scripts/pr-issue-info/issue-fail.md
.github/scripts/pr-issue-info/get_title_types.py
.github/issue-title-types.yaml
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.x"
- name: Install dependencies
run: python3 -m pip install --upgrade pip pyyaml
- name: Check issue title
env:
FILE_PATH: .github/issue-title-types.yaml
run: |
regex=$(python3 .github/scripts/pr-issue-info/get_title_types.py)
echo "Title regex: $regex"
echo "$TITLE" | grep -Pq "$regex" || (echo "$ERROR_MSG" && echo "TITLE_CHECK_FAILED=true" >> $GITHUB_ENV)
- name: Check for comment tag
if: env.TITLE_CHECK_FAILED != 'true'
run: |
comments=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" \
-X GET "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/comments")
if echo "$comments" | grep -q "title_check"; then
echo "TAG_EXISTS=true" >> $GITHUB_ENV
else
echo "TAG_EXISTS=false" >> $GITHUB_ENV
fi
- name: Delete comment if title is fixed
if: env.TAG_EXISTS == 'true'
uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411
with:
message: |
Deleting comment, please refresh the page...
comment_tag: title_check
mode: delete
GITHUB_TOKEN: ${{ secrets.KICS_BOT_PAT }}
- name: Add comment if title fails
if: env.TITLE_CHECK_FAILED == 'true'
uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411
with:
filePath: .github/scripts/pr-issue-info/issue-fail.md
comment_tag: title_check
mode: recreate
create_if_not_exists: true
GITHUB_TOKEN: ${{ secrets.KICS_BOT_PAT }}
- name: Workflow failed
if: env.TITLE_CHECK_FAILED == 'true'
run: exit 1
labels-check:
runs-on: ubuntu-latest
env:
BODY: ${{ github.event.issue.body }}
LABELS: ${{ toJson(github.event.issue.labels) }}
TITLE: ${{ github.event.issue.title }}
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
sparse-checkout: |
.github/scripts/pr-issue-info/get_keywords.py
.github/keywords.yaml
- name: Install JQ
run: sudo apt-get install jq
- name: Get username
run: echo "USERNAME=${{ github.event.issue.user.login }}" >> $GITHUB_ENV
- name: Check user username
run: |
response=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" "https://api.github.com/orgs/Checkmarx/teams/kics/members")
team_members=$(echo "$response" | jq -r '.[].login')
if echo "${team_members[@]}" | grep -Pq "^$USERNAME$"; then
echo "Contributor belongs to Checkmarx organization"
is_member="true"
else
echo "Contributor does not belong to Checkmarx organization"
is_member="false"
fi
echo "IS_MEMBER=$is_member" >> $GITHUB_ENV
- name: Add community label if user does not belong to Checkmarx Organization
run: |
if [[ "$IS_MEMBER" == "false" ]]; then
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["community"]}'
fi
- name: Add feature or feature request label
run: |
if [[ "$TITLE" == feat* ]] || echo "$TITLE $BODY" | grep -iqP "feature request" || echo "$BODY" | grep -iqP "Is your feature request related to a problem? Please describe." || echo "$BODY" | grep -iqP "Describe the solution you'd like" || echo "$BODY" | grep -iqP "Describe alternatives you've considered" || echo "$BODY" | grep -iqP "Additional context"; then
if [[ "$IS_MEMBER" == "true" ]]; then
echo "Adding 'feature' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["feature"]}'
else
echo "Adding 'feature request' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["feature request"]}'
fi
else
if echo "$LABELS" | grep -q "feature request"; then
echo "Removing 'feature request' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/feature%20request
elif echo "$LABELS" | grep -q "feature"; then
echo "Removing 'feature' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/feature
fi
fi
- name: Add bug label
run: |
if echo "$TITLE $BODY" | grep -iqP "(\\b|_)bugs?(\\b|_)" || echo "$BODY" | grep -iqP "steps to reproduce" || echo "$BODY" | grep -iqP "actual behavior" || echo "$BODY" | grep -iqP "expected behavior"; then
echo "Adding 'bug' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["bug"]}'
else
if echo "$LABELS" | grep -q "bug"; then
echo "Removing 'bug' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/bug
fi
fi
- name: Add query label
run: |
if echo "$TITLE $BODY" | grep -iqP "(\\b|_)quer(y|ies)(\\b|_)" || echo "$BODY" | grep -iqP "### Platform" || echo "$BODY" | grep -iqP "### Provider"; then
echo "Adding 'query' label... "
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["query"]}'
else
if echo "$LABELS" | grep -q "query"; then
echo "Removing 'query' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/query
fi
fi
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.x"
- name: Install dependencies
run: python3 -m pip install --upgrade pip pyyaml
- name: Check title for keywords of platforms and cloud providers to add labels
run: |
keywords=$(python3 .github/scripts/pr-issue-info/get_keywords.py)
eval "$keywords"
declare -p keywords
declare -a labels_to_add=()
for keyword in "${!keywords[@]}"; do
if echo "$TITLE $BODY" | grep -iPq "(\\b|_)$keyword(\\b|_)"; then
labels_to_add+=("${keywords[$keyword]}")
fi
done
mapfile -t current_labels < <(echo "$LABELS" | jq -r '.[].name')
for keyword in "${!keywords[@]}"; do
label=${keywords[$keyword]}
if [[ ! " ${labels_to_add[@]} " =~ " ${label} " ]] && [[ " ${current_labels[@]} " =~ " ${label} " ]]; then
echo "Removing '$label' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/$label
elif [[ " ${labels_to_add[@]} " =~ " ${label} " ]] && [[ ! " ${current_labels[@]} " =~ " ${label} " ]]; then
echo "Adding '$label' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d "{\"labels\": [\"$label\"]}"
fi
done