mondoohq / actions Goto Github PK

Describe the bug

The mondoohq/actions/github-org action in my mondoo-community organizations .github repo only scans the public repos and not private ones.

Expected behavior

Scan the org and all repos.

Screenshots or CLI Output

See results of runs here: https://github.com/mondoo-community/.github/actions/runs/5536671643/jobs/10104632098

We need to be explicit that future releases to Mondoo Client or to this project may affect pipelines and that users should adopt a version pinning strategy. We need to update examples and/or documentation accordingly.

Describe the bug
Tests fail for this dependabot PR: #59

To Reproduce
Steps to reproduce the behavior:

1. Restart tests in above PR
2. Note the error

Expected behavior
Tests should run.

Additional context
dependabot by default has no access to secrets.

This results in:

There are different ways to solve this. We had the same problem already in the mondoo-operator repo.

When using Monddo actions multiple times in a Job, the installation takes most of the time. In the above screenshot, the actual scan took ~1s. But the steps took much longer.

The second step took so long because it updated ~200MB of apt packages. I saw this in another workflow with even worst results when a kernel update was part of the apt packages.

This is the workflow for the screenshot taken above: https://github.com/mondoohq/mondoo-operator/actions/runs/3050036000/jobs/4916723737

Perhaps, the install method can be changed to something like curl'ing the mondoo binary directly. I don't think apt repos and services are needed in a CI/CD context.

According to the docs for the setup action, the args parameter is optional: https://github.com/mondoohq/actions/tree/main/setup

But running the action without this parameter results in an error:

mondoo  --output compact --log-level info --config mondoo.json
Error: unknown flag: --output
Usage:
unknown flag: --output
  mondoo [command]

The same would happen when args has the value version.

We should be testing each PR against the following uses of the action

• dockerfile build
• docker image
• TF
• k8s manifest

Is your feature request related to a problem? Please describe.
Actions are still using cnspec v8.

Describe the solution you'd like
Upgrade to cnspec v9.

Describe alternatives you've considered
Keep v8. Not really an option.

Scans of orgs of any reasonable size will fail due to the Github API Rate Limit. There should be a parameter to reduce the scan rate.

A consequence of slowing the scan rate will be excessive number of minutes spent in the action, which might mean the only solutions are:

1. Reduce the number of scans the cnspec/mondoo client is making
2. Update docs to recommend using repo scanning with offsets to stretch out the scans over a longer period of time

Currently, if I follow the docs and setup the Mondoo actions in a repo they work fine for the repo but they fail for forks. This is caused by the fact that forks cannot access the secret that contains the Mondoo service account. We should figure out a way to configure the actions for forks and document it.

For reference: https://github.com/podkrepi-bg/api/actions/runs/3629968259/jobs/6122775363

Describe the bug
I can directly push to main.

Expected behavior
This should fail.