fix(COD-6066): hide the Lacework credentials from the running commands

jeremydubreil · jeremydubreil · commit 22e22e682c22 · 2026-03-25T13:33:25.000Z
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
@@ -10,7 +10,7 @@ on:
   workflow_dispatch:
 
 env:
-  LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_CAT }}
+  LW_ACCOUNT: ${{ secrets.LW_ACCOUNT_CAT }}
   LW_API_KEY: ${{ secrets.LW_API_KEY_CAT }}
   LW_API_SECRET: ${{ secrets.LW_API_SECRET_CAT }}
   DEBUG: true
diff --git a/README.md b/README.md
@@ -23,8 +23,8 @@ permissions:
   pull-requests: write
 
 env:
-  LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
-  LW_SUBACCOUNT_NAME: ${{ secrets.LW_SUBACCOUNT_NAME }}
+  LW_ACCOUNT: ${{ secrets.LW_ACCOUNT }}
+  LW_SUBACCOUNT: ${{ secrets.LW_SUBACCOUNT }}
   LW_API_KEY: ${{ secrets.LW_API_KEY }}
   LW_API_SECRET: ${{ secrets.LW_API_SECRET }}
 
diff --git a/action.yaml b/action.yaml
@@ -69,11 +69,17 @@ runs:
       if: ${{ inputs.debug == 'true' }}
       run: |
         echo "LW_LOG=debug" >> $GITHUB_ENV
+    - name: Set Lacework account environment variable
+      shell: bash
+      run: |
+        if [ -z "${{ env.LW_ACCOUNT_NAME }}" ]; then
+          echo "LW_ACCOUNT=${{ env.LW_ACCOUNT_NAME }}" >> $GITHUB_ENV
+        fi
     - name: Install Lacework CLI component
       shell: bash
       run: |
-        lacework --noninteractive -a "${LW_ACCOUNT_NAME}" -k "${LW_API_KEY}" -s "${LW_API_SECRET}" component install sca
-        lacework --noninteractive -a "${LW_ACCOUNT_NAME}" -k "${LW_API_KEY}" -s "${LW_API_SECRET}" version
+        lacework --noninteractive component install sca
+        lacework --noninteractive version
       env:
         CDK_DOWNLOAD_TIMEOUT_MINUTES: 2
     - uses: actions/setup-node@v4
diff --git a/src/index.ts b/src/index.ts
@@ -41,8 +41,6 @@ async function runAnalysis() {
   await callLaceworkCli(...args)
   toUpload.push(sarifReportPath)
 
-  const uploadStart = Date.now()
-
   await uploadArtifact(getArtifactName(target), ...toUpload)
   setOutput(`${target}-completed`, true)
 }
diff --git a/src/util.ts b/src/util.ts
@@ -31,6 +31,12 @@ export function getRunUrl(): string {
 }
 
 export async function callCommand(command: string, ...args: string[]) {
+  // // set LW_ACCOUNT for backwards compatibility
+  // let env = { ...process.env }
+  // const lwAccountName = getOptionalEnvVariable('LW_ACCOUNT_NAME', '')
+  // if (lwAccountName !== '') {
+  //   env.LW_ACCOUNT = lwAccountName
+  // }
   info('Invoking ' + command + ' ' + args.join(' '))
   const child = spawn(command, args, { stdio: 'inherit' })
   const exitCode = await new Promise((resolve, _) => {
@@ -51,6 +57,10 @@ export function getRequiredEnvVariable(name: string) {
   return value
 }
 
+export function setEnvironmentVariable(name: string, value: string) {
+  process.env[name] = value
+}
+
 export function getOptionalEnvVariable(name: string, defaultValue: string) {
   const value = process.env[name]
   if (!value) {
@@ -60,22 +70,7 @@ export function getOptionalEnvVariable(name: string, defaultValue: string) {
 }
 
 export async function callLaceworkCli(...args: string[]) {
-  const accountName = getRequiredEnvVariable('LW_ACCOUNT_NAME')
-  const apiKey = getRequiredEnvVariable('LW_API_KEY')
-  const apiSecret = getRequiredEnvVariable('LW_API_SECRET')
-  const expandedArgs = [
-    '--noninteractive',
-    '--account',
-    accountName,
-    '--api_key',
-    apiKey,
-    '--api_secret',
-    apiSecret,
-    'sca',
-    ...args,
-  ]
-  info('Calling lacework ' + expandedArgs.join(' '))
-  await callCommand('lacework', ...expandedArgs)
+  await callCommand('lacework', '--noninteractive', 'sca', ...args)
 }
 
 export function getOrDefault(name: string, defaultValue: string) {
@@ -93,7 +88,7 @@ export function generateUILink() {
 
   if (targetBranch !== defaultBranch) return ''
 
-  let lwAccountName = process.env.LW_ACCOUNT_NAME
+  let lwAccountName = process.env.LW_ACCOUNT
   lwAccountName = lwAccountName?.replace(/\.lacework\.net$/, '')
 
   let url =
@@ -102,8 +97,8 @@ export function generateUILink() {
     `github.com%2F${context.repo.owner}%2F${context.repo.repo}` +
     `/${defaultBranch}`
 
-  if (process.env.LW_SUBACCOUNT_NAME) {
-    url += '?accountName=' + process.env.LW_SUBACCOUNT_NAME
+  if (process.env.LW_SUBACCOUNT) {
+    url += '?accountName=' + process.env.LW_SUBACCOUNT
   }
 
   return url

Original file line number	Diff line number	Diff line change
`@@ -41,8 +41,6 @@ async function runAnalysis() {`
`41`	`41`	`await callLaceworkCli(...args)`
`42`	`42`	`toUpload.push(sarifReportPath)`
`43`	`43`
`44`		`- const uploadStart = Date.now()`
`45`		`-`
`46`	`44`	`await uploadArtifact(getArtifactName(target), ...toUpload)`
`47`	`45`	setOutput(`${target}-completed`, true)
`48`	`46`	`}`