⭐ Use cnspec container image

.github/workflows/docker-image.yaml

@@ -35,5 +35,12 @@ jobs:
       - name: Scan Docker Image
         uses: ./docker-image
         with:
-          service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
           image: ${{env.APP}}:${{env.VERSION}}
+        env:
+          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
+      - name: Scan Docker Image
+        uses: ./docker-image
+        with:
+          image: ${{env.APP}}:${{env.VERSION}}
+        env:
+          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}

.github/workflows/general-action.yaml

@@ -0,0 +1,30 @@
+name: General Mondoo action
+on:
+  pull_request:
+  push:
+    paths:
+      - "action.yaml"
+      - ".github/test_files/**"
+    branches:
+      - "main"
+    tags: ["v*.*.*"]
+
+jobs:
+  general-action-test:
+    runs-on: ubuntu-latest
+    name: Test general Mondoo action
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Show status
+        uses: ./
+        env:
+          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
+        with:
+          args: status
+      - name: Show version
+        uses: ./
+        env:
+          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
+        with:
+          args: version

.github/workflows/k8s-manifest.yaml

@@ -19,6 +19,7 @@ jobs:
 
       - name: Scan k8s manifest
         uses: ./k8s-manifest
+        env:
+          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
         with:
-          service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
           path: ./.github/test_files/k8s-manifest.yaml

.github/workflows/terraform-hcl.yaml

@@ -18,6 +18,7 @@ jobs:
       - uses: actions/checkout@v3
       - name: Scan Terraform HCL
         uses: ./terraform-hcl
+        env:
+          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
         with:
-          service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
           path: ./.github/test_files/tf

.github/workflows/terraform-plan.yaml

@@ -40,7 +40,7 @@ jobs:
           path: .github/test_files/tfplan/plan.json
       - name: Scan Terraform Plan
         uses: ./terraform-plan
+        env:
+          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
         with:
-          service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
           path: ".github/test_files/tfplan/plan.json"
-          args: "--policy-bundle .github/test_files/tfplan/policy/policy.mql.yaml"

.github/workflows/terraform-state.yaml

@@ -48,7 +48,7 @@ jobs:
             .github/test_files/tfstate/state.json
       - name: Scan Terraform State
         uses: ./terraform-state
+        env:
+          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
         with:
-          service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
           path: ".github/test_files/tfstate/state.json"
-          args: "--policy-bundle .github/test_files/tfstate/policy/policy.mql.yaml"

README.md

@@ -9,7 +9,6 @@ A set of GitHub Action for using Mondoo to check for vulnerabilities and misconf
 - [Kubernetes](k8s) - Scan Kubernetes Clusters post-deploy for continuous auditing and compliance of the cluster.
 - [Kubernetes Manifest](k8s-manifest) - Scan Kubernetes manifests for misconfigurations before applying changes to the cluster.
 - [Policy](policy) - Publish Mondoo policies to Mondoo Platform using GitHub Actions.
-- [Setup](setup) - Install and configure Mondoo into any existing GitHub Action workflow.
 - [Terraform HCL](terraform-hcl) - Scan HashiCorp Terraform HCL code for security misconfigurations.
 - [Terraform Plan](terraform-plan) - Scan HashiCorp Terraform Plan for security misconfigurations.
 - [Terraform State](terraform-state) - Scan HashiCorp Terraform State output for security misconfigurations.
@@ -53,9 +52,10 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - uses: mondoohq/actions/k8s-manifest@main
+        env:
+          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
         with:
-          service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
-          path: k8s/*.yaml
+          path: k8s/manifest.yaml
 ```
 
 Simple scan of Terraform files:
@@ -71,8 +71,9 @@ jobs:
     - uses: actions/checkout@v3
 
     - uses: mondoohq/actions/terraform-hcl@main
+      env:
+        MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
       with:
-        service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
         path: terraform
 ```
 
@@ -115,8 +116,9 @@ jobs:
           secrets: GIT_AUTH_TOKEN=${{ secrets.GIT_AUTH_TOKEN }}
       - name: Scan Docker Image with Mondoo
         uses: mondoohq/actions/docker-image@main
+        env:
+          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
         with:
-          service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
           image: ghcr.io/${{github.repository_owner}}/${{env.APP}}:latest
       - name: Build and push
         uses: docker/build-push-action@v3

action.yaml

@@ -6,34 +6,16 @@ branding:
 inputs:
   args:
     description: >-
-      Additional arguments to pass to Mondoo Client.
+      Additional arguments to pass to cnspec client.
     required: false
   log-level:
     description: >-
       Sets the log level: error, warn, info, debug, trace (default "info")
     default: info
     required: false
-  output:
-    description: >-
-      Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact")
-    default: compact
-    required: false
-  service-account-credentials:
-    description: "Base64 encoded service account credentials used to authenticate with Mondoo Platform"
-    required: true
 runs:
   using: "composite"
   steps:
-    - name: Install Mondoo Client
-      run: |
-        echo Installing Mondoo Client...
-        echo ${{ inputs.service-account-credentials }} | base64 -d > mondoo.json
-        curl -sSL https://mondoo.com/install.sh | bash
-      shell: bash
-    - name: Run Mondoo
-      shell: bash
-      run: >
-        mondoo ${{ inputs.args }}
-        --output ${{ inputs.output }}
-        --log-level ${{ inputs.log-level }}
-        --config mondoo.json
+    - uses: "docker://mondoo/cnspec:7"
+      with:
+        args: ${{ inputs.args }} --log-level "${{ inputs.log-level }}"

aws/README.md

@@ -6,13 +6,17 @@ A GitHub Action for using Mondoo to check for misconfigurations in your AWS acco
 
 The Mondoo AWS Action has properties which are passed to the underlying image. These are passed to the action using `with`.
 
-| Property                      | Required | Default | Description                                                                                                                                                          |
-| ----------------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `args`                        | false    |         | Additional arguments to pass to Mondoo Client.                                                                                                                       |
-| `log-level`                   | false    | info    | Sets the log level: error, warn, info, debug, trace (default "info")                                                                                                 |
-| `output`                      | false    | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact")                                                   |
-| `score-threshold`             | false    | 0       | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan).      |
-| `service-account-credentials` | true     |         | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform |
+| Property          | Required | Default | Description                                                                                                                                                     |
+| ----------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `log-level`       | false    | info    | Sets the log level: error, warn, info, debug, trace (default "info")                                                                                            |
+| `output`          | false    | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact")                                              |
+| `score-threshold` | false    | 0       | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan). |
+
+Additionally, you need to specify the service account credentials as an environment variable.
+
+| Environment            | Required | Default | Description                                                                                                                                                          |
+| ---------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `MONDOO_CONFIG_BASE64` | true     |         | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform |
 
 ## Scan AWS account example
 
@@ -36,8 +40,9 @@ jobs:
           role-session-name: MySessionName
 
       - uses: mondoohq/actions/aws@main
+        env:
+          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
         with:
-          service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
           output: compact
           score-threshold: 0
 ```

aws/action.yaml

@@ -5,10 +5,6 @@ branding:
   icon: "shield"
   color: "purple"
 inputs:
-  args:
-    description: >-
-      Additional arguments to pass to Mondoo Client.
-    required: false
   log-level:
     description: >-
       Sets the log level: error, warn, info, debug, trace (default "info")
@@ -24,23 +20,15 @@ inputs:
       Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan).
     default: "0"
     required: false
-  service-account-credentials:
-    description: "Base64 encoded service account credentials used to authenticate with Mondoo Platform"
-    required: true
 runs:
-  using: "composite"
-  steps:
-    - run: |
-        echo Installing Mondoo Client...
-        echo ${{ inputs.service-account-credentials }} | base64 -d > mondoo.json
-        curl -sSL https://mondoo.com/install.sh | bash
-      shell: bash
-    - name: Scan AWS account
-      shell: bash
-      run: >
-        mondoo scan aws
-        --output ${{ inputs.output }}
-        --score-threshold ${{ inputs.score-threshold }}
-        --log-level ${{ inputs.log-level }}
-        ${{ inputs.args }}
-        --config mondoo.json
+  using: "docker"
+  image: "docker://mondoo/cnspec:7"
+  args:
+    - scan
+    - aws
+    - --output
+    - ${{ inputs.output }}
+    - --score-threshold
+    - ${{ inputs.score-threshold }}
+    - --log-level
+    - ${{ inputs.log-level }}

docker-image/README.md

@@ -6,14 +6,18 @@ A GitHub Action for using Mondoo to check for vulnerabilities and misconfigurati
 
 The Mondoo Docker Image Action has properties which are passed to the underlying image. These are passed to the action using `with`.
 
-| Property                      | Required | Default | Description                                                                                                                                                          |
-| ----------------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `args`                        | false    |         | Additional arguments to pass to Mondoo Client.                                                                                                                       |
-| `image`                       | true     |         | Docker image ID or `name:tag` to scan.                                                                                                                               |
-| `log-level`                   | false    | info    | Sets the log level: error, warn, info, debug, trace (default "info")                                                                                                 |
-| `output`                      | false    | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact")                                                   |
-| `score-threshold`             | false    | 0       | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan).      |
-| `service-account-credentials` | true     |         | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform |
+| Property          | Required | Default | Description                                                                                                                                                     |
+| ----------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `image`           | true     |         | Docker image ID or `name:tag` to scan.                                                                                                                          |
+| `log-level`       | false    | info    | Sets the log level: error, warn, info, debug, trace (default "info")                                                                                            |
+| `output`          | false    | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact")                                              |
+| `score-threshold` | false    | 0       | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan). |
+
+Additionally, you need to specify the service account credentials as an environment variable.
+
+| Environment            | Required | Default | Description                                                                                                                                                          |
+| ---------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `MONDOO_CONFIG_BASE64` | true     |         | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform |
 
 You can use the Action as follows:
 
@@ -58,8 +62,9 @@ jobs:
           secrets: GIT_AUTH_TOKEN=${{ secrets.GIT_AUTH_TOKEN }}
       - name: Scan Docker Image
         uses: mondoohq/actions/docker-image@main
+        env:
+          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
         with:
-          service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
           image: ghcr.io/${{github.repository_owner}}/${{env.APP}}:latest
       - name: Build and push
         uses: docker/build-push-action@v3

docker-image/action.yaml

@@ -4,9 +4,6 @@ branding:
   icon: "shield"
   color: "purple"
 inputs:
-  args:
-    description: "Additional arguments to pass to Mondoo Client"
-    required: false
   image:
     description: Docker image ID or name:tag to scan.
     required: true
@@ -25,27 +22,17 @@ inputs:
       Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan).
     default: "0"
     required: false
-  service-account-credentials:
-    description: "Base64 encoded service account credentials used to authenticate with Mondoo Platform"
-    required: true
 runs:
-  using: "composite"
-  steps:
-    - name: Install Mondoo Client
-      shell: bash
-      run: |
-        echo Installing Mondoo Client...
-        echo ${{ inputs.service-account-credentials }} | base64 -d > mondoo.json
-        curl -sSL https://mondoo.com/install.sh | bash
-    - name: Mondoo status
-      shell: bash
-      run: mondoo status --config mondoo.json
-    - name: Run mondoo scan docker image
-      shell: bash
-      run: >
-        mondoo scan docker image ${{ inputs.image }}
-        --output ${{ inputs.output }}
-        --score-threshold ${{ inputs.score-threshold }}
-        --log-level ${{ inputs.log-level }}
-        ${{ inputs.args }}
-        --config mondoo.json
+  using: "docker"
+  image: "docker://mondoo/cnspec:7"
+  args:
+    - scan
+    - docker
+    - image
+    - ${{ inputs.image }}
+    - --output
+    - ${{ inputs.output }}
+    - --score-threshold
+    - ${{ inputs.score-threshold }}
+    - --log-level
+    - ${{ inputs.log-level }}