GitHub

CI/CD

Pull Request Pipeline

To use the GitHub action, copy the workflow below into your repository. It triggers a submit-for-review run of the Gomboc CLI for every pull request. If you do not want a pull request to be opened, set the effect input to preview instead. Note that with preview the pipeline passes regardless of any remediations we find.

name: Gomboc.AI Terraform

permissions:
  id-token: write   # needed for OIDC token exchange
  contents: read    # read-only checkout of the repository

on:
  pull_request:

jobs:
  gomboc:
    runs-on: ubuntu-latest
    steps:
      - name: Gomboc.AI - Terraform Remediate
        uses: Gomboc-AI/actions/on-pull-request@main
        with:                     # `with` sits at the same level as `uses`
          effect: submit-for-review
          iac: terraform cloudformation
          cli-version: 'latest'

Scheduled Pipeline

The Gomboc pipeline also supports scheduled execution, so that remediations caused by changes in IaC modules or by improvements in Gomboc remediation coverage are detected even when no pull request is opened. The cron property follows standard crontab syntax; you can build an expression at https://crontab.guru/. You can choose whether the pipeline should always run or should run only when there are new commits since the last execution.

name: Gomboc.AI Terraform

permissions:
  id-token: write
  contents: read

on:
  pull_request:
  schedule:
    - cron: '0 0 * * *' # Runs the job at midnight (UTC)
  # GitHub Actions schedule entries accept only `cron`; scheduled runs
  # execute against the latest commit on the repository's default branch.

jobs:
  gomboc:
    runs-on: ubuntu-latest
    steps:
      - name: Gomboc.AI - Terraform Remediate
        uses: Gomboc-AI/actions/on-schedule@main
        with:                     # `with` sits at the same level as `uses`
          effect: submit-for-review
          target-directory: 'tf'
          recurse: false
          iac: terraform cloudformation
          cli-version: 'latest'
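Both workflows above reference the action as `@main`, a branch ref that moves whenever the action repository changes, and they grant `id-token: write` plus `contents: read`. Before merging a workflow like these, a reviewer typically checks that every `uses:` is pinned to a full commit SHA, that the `permissions:` block stays at that minimum, and that the cron expression is well formed. The script below is an added example written for this page; it is not Gomboc's tooling and not part of the original documentation. It works on the raw workflow text so it needs no YAML library, and the embedded workflow is a constructed sample in the same shape as the snippets above (the allowed-permission set is an assumption mirroring what those snippets request).

```python
"""Lint a GitHub Actions workflow for supply-chain and least-privilege issues.

Added example (not part of the Gomboc.AI docs). Checks three things:
  1. every `uses:` reference is pinned to a full 40-hex commit SHA;
  2. the top-level `permissions:` block grants only the assumed minimum
     (id-token: write for OIDC, contents: read for checkout);
  3. every `cron:` entry has exactly five fields.
"""
from __future__ import annotations

import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
CRON_RE = re.compile(r"^\s*-\s*cron:\s*['\"]?([^'\"#]+?)['\"]?\s*(#.*)?$")

# Assumed least-privilege grant, mirroring what the workflows on this page request.
ALLOWED_PERMISSIONS = {"id-token": "write", "contents": "read"}

# Constructed sample workflow, same shape as the pull-request pipeline above.
SAMPLE_WORKFLOW = """\
name: Gomboc.AI Terraform

permissions:
  id-token: write
  contents: read

on:
  pull_request:
  schedule:
    - cron: '0 0 * * *'

jobs:
  gomboc:
    runs-on: ubuntu-latest
    steps:
      - name: Gomboc.AI - Terraform Remediate
        uses: Gomboc-AI/actions/on-pull-request@main
        with:
          effect: submit-for-review
"""


def unpinned_uses(text: str) -> list[str]:
    """Return `uses:` references whose ref is not a full commit SHA."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container actions carry no git ref to pin
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def excess_permissions(text: str) -> list[str]:
    """Return top-level permission grants that differ from the allow-list."""
    findings = []
    in_block = False
    for line in text.splitlines():
        if re.match(r"^permissions:\s*$", line):
            in_block = True
            continue
        if in_block:
            m = re.match(r"^\s+([\w-]+):\s*(\w+)", line)
            if not m:
                in_block = False  # dedent or blank line ends the block
                continue
            scope, level = m.group(1), m.group(2)
            if ALLOWED_PERMISSIONS.get(scope) != level:
                findings.append(f"{scope}: {level}")
    return findings


def invalid_crons(text: str) -> list[str]:
    """Return cron expressions that do not have exactly five fields."""
    findings = []
    for line in text.splitlines():
        m = CRON_RE.match(line)
        if m:
            expr = m.group(1).strip()
            if len(expr.split()) != 5:
                findings.append(expr)
    return findings


def lint(text: str) -> dict[str, list[str]]:
    """Run all checks and return findings keyed by check name."""
    return {
        "unpinned_uses": unpinned_uses(text),
        "excess_permissions": excess_permissions(text),
        "invalid_crons": invalid_crons(text),
    }


if __name__ == "__main__":
    for check, hits in lint(SAMPLE_WORKFLOW).items():
        print(f"{check}: {hits or 'ok'}")
```

Run against the sample, the only finding is the `@main` reference; replacing it with a 40-character commit SHA clears it. The permission check is deliberately strict (any scope or level outside the allow-list is reported), which is the behaviour you want in a pre-merge check rather than a warning that is easy to ignore.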

Custom Pipelines

We currently support only scheduled and pull request workflows. However, if you would like to use the Docker image that contains the Gomboc CLI directly, you can find the images on Docker Hub under gombocai/cli.