From fc9344133b2f0394ff50d23353907c96c8f8c729 Mon Sep 17 00:00:00 2001 From: testtest126 <44771568+testtest126@users.noreply.github.com> Date: Sun, 12 Jul 2026 20:00:14 +0200 Subject: [PATCH] Add Zscaler IaC Scan workflow This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app to detect security misconfigurations in IaC templates and publish findings. --- .github/workflows/zscaler-iac-scan.yml | 56 ++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .github/workflows/zscaler-iac-scan.yml diff --git a/.github/workflows/zscaler-iac-scan.yml b/.github/workflows/zscaler-iac-scan.yml new file mode 100644 index 0000000..6bcd52b --- /dev/null +++ b/.github/workflows/zscaler-iac-scan.yml @@ -0,0 +1,56 @@ +#This workflow uses actions that are not certified by GitHub. +#They are provided by a third party and are governed by +#separate terms of service, privacy policy, and support +#documentation. + +#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app, +#which detects security misconfigurations in IaC templates and publishes the findings +#under the code scanning alerts section within the repository. + +#Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process. +#Copy the client ID and client secret key generated during the onboarding process and configure. +#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). + +#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation. + +name: Zscaler IaC Scan +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '22 20 * * 6' + +permissions: + contents: read + +jobs: + zscaler-iac-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - name : Code Checkout + uses: actions/checkout@v4 + - name : Zscaler IAC Scan + uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087 + id : zscaler-iac-scan + with: + client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} + client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} + #This is the user region specified during the onboarding process within the ZPC Admin Portal. + region : 'US' + iac_dir : #Enter the IaC directory path from root. + iac_file : #Enter the IaC file path from root. + output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here. + #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true. + fail_build : #Enter true/false + #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. + - name: Upload SARIF file + if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}