mondoohq / actions
A set of GitHub actions for validating your projects with a policy
License: Mozilla Public License 2.0
Describe the bug
The mondoohq/actions/github-org action in my mondoo-community organization's .github repo only scans the public repos and not private ones.
Expected behavior
Scan the org and all repos.
Screenshots or CLI Output
See results of runs here: https://github.com/mondoo-community/.github/actions/runs/5536671643/jobs/10104632098
We need to be explicit that future releases to Mondoo Client or to this project may affect pipelines and that users should adopt a version pinning strategy. We need to update examples and/or documentation accordingly.
Describe the bug
Tests fail for this dependabot PR: #59
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Tests should run.
Additional context
dependabot by default has no access to secrets.
There are different ways to solve this. We had the same problem already in the mondoo-operator repo.
When using Mondoo actions multiple times in a job, the installation takes most of the time. In the above screenshot, the actual scan took ~1s. But the steps took much longer.
The second step took so long because it updated ~200MB of apt packages. I saw this in another workflow with even worse results when a kernel update was part of the apt packages.
This is the workflow for the screenshot taken above: https://github.com/mondoohq/mondoo-operator/actions/runs/3050036000/jobs/4916723737
Perhaps, the install method can be changed to something like curl'ing the mondoo binary directly. I don't think apt repos and services are needed in a CI/CD context.
According to the docs for the setup action, the `args` parameter is optional: https://github.com/mondoohq/actions/tree/main/setup
But running the action without this parameter results in an error:
mondoo --output compact --log-level info --config mondoo.json
Error: unknown flag: --output
Usage:
unknown flag: --output
mondoo [command]
The same would happen when `args` has the value `version`.
We should be testing each PR against the following uses of the action
Is your feature request related to a problem? Please describe.
Actions are still using cnspec v8.
Describe the solution you'd like
Upgrade to cnspec v9.
Describe alternatives you've considered
Keep v8. Not really an option.
Scans of orgs of any reasonable size will fail due to the Github API Rate Limit. There should be a parameter to reduce the scan rate.
A consequence of slowing the scan rate will be an excessive number of minutes spent in the action, which might mean the only solutions are:
Currently, if I follow the docs and set up the Mondoo actions in a repo, they work fine for the repo but they fail for forks. This is caused by the fact that forks cannot access the secret that contains the Mondoo service account. We should figure out a way to configure the actions for forks and document it.
For reference: https://github.com/podkrepi-bg/api/actions/runs/3629968259/jobs/6122775363
Describe the bug
I can directly push to main.
Expected behavior
This should fail.