From f5b6c80536fcc45809bccc74869cacac58306c40 Mon Sep 17 00:00:00 2001
From: Jeremy Dubreil
Date: Tue, 24 Mar 2026 16:36:38 +0000
Subject: [PATCH] fix(COD-6066): hide the Lacework credentials from the running commands
---
 .github/workflows/integration-test.yml | 2 +-
 README.md | 4 ++--
 action.yaml | 10 ++++++++--
 src/index.ts | 2 --
 src/util.ts | 23 ++++-------------------
 5 files changed, 15 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
index 26356dfc..981a5234 100644
--- a/.github/workflows/integration-test.yml
+++ b/.github/workflows/integration-test.yml
@@ -10,7 +10,7 @@ on:
 workflow_dispatch:
 env:
- LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_CAT }}
+ LW_ACCOUNT: ${{ secrets.LW_ACCOUNT_CAT }}
 LW_API_KEY: ${{ secrets.LW_API_KEY_CAT }}
 LW_API_SECRET: ${{ secrets.LW_API_SECRET_CAT }}
 DEBUG: true
diff --git a/README.md b/README.md
index 757b0917..2ef2cf96 100644
--- a/README.md
+++ b/README.md
@@ -23,8 +23,8 @@ permissions:
 pull-requests: write
 env:
- LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
- LW_SUBACCOUNT_NAME: ${{ secrets.LW_SUBACCOUNT_NAME }}
+ LW_ACCOUNT: ${{ secrets.LW_ACCOUNT }}
+ LW_SUBACCOUNT: ${{ secrets.LW_SUBACCOUNT }}
 LW_API_KEY: ${{ secrets.LW_API_KEY }}
 LW_API_SECRET: ${{ secrets.LW_API_SECRET }}
diff --git a/action.yaml b/action.yaml
index 963d01c4..4cd5f7bb 100644
--- a/action.yaml
+++ b/action.yaml
@@ -69,11 +69,17 @@ runs: if: ${{ inputs.debug == 'true' }} run: | echo "LW_LOG=debug" >> $GITHUB_ENV + - name: Set Lacework account environment variable + shell: bash + run: | + if [ -n "$LW_ACCOUNT_NAME" ]; then + echo "LW_ACCOUNT=$LW_ACCOUNT_NAME" >> $GITHUB_ENV + fi - name: Install Lacework CLI component shell: bash run: | - lacework --noninteractive -a "${LW_ACCOUNT_NAME}" -k "${LW_API_KEY}" -s "${LW_API_SECRET}" component install sca - lacework --noninteractive -a "${LW_ACCOUNT_NAME}" -k "${LW_API_KEY}" -s "${LW_API_SECRET}" version + lacework --noninteractive component install sca + lacework --noninteractive version env: CDK_DOWNLOAD_TIMEOUT_MINUTES: 2 - uses: actions/setup-node@v4 diff --git a/src/index.ts b/src/index.ts index c42cc747..9fb10e60 100644 --- a/src/index.ts +++ b/src/index.ts @@ -41,8 +41,6 @@ async function runAnalysis() { await callLaceworkCli(...args) toUpload.push(sarifReportPath) - const uploadStart = Date.now() - await uploadArtifact(getArtifactName(target), ...toUpload) setOutput(`${target}-completed`, true) } diff --git a/src/util.ts b/src/util.ts index b432e53a..dfec46c4 100644 --- a/src/util.ts +++ b/src/util.ts @@ -60,22 +60,7 @@ export function getOptionalEnvVariable(name: string, defaultValue: string) { } export async function callLaceworkCli(...args: string[]) { - const accountName = getRequiredEnvVariable('LW_ACCOUNT_NAME') - const apiKey = getRequiredEnvVariable('LW_API_KEY') - const apiSecret = getRequiredEnvVariable('LW_API_SECRET') - const expandedArgs = [ - '--noninteractive', - '--account', - accountName, - '--api_key', - apiKey, - '--api_secret', - apiSecret, - 'sca', - ...args, - ] - info('Calling lacework ' + expandedArgs.join(' ')) - await callCommand('lacework', ...expandedArgs) + await callCommand('lacework', '--noninteractive', 'sca', ...args) } export function getOrDefault(name: string, defaultValue: string) { 
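Review bot: The new "Set Lacework account environment variable" step writes `LW_ACCOUNT` whenever `LW_ACCOUNT_NAME` is non-empty, without checking whether `LW_ACCOUNT` is already set, so a workflow that configures both has the legacy name decide what later steps may see. Guarding the shim with `if [ -z "$LW_ACCOUNT" ] && [ -n "$LW_ACCOUNT_NAME" ]; then` and quoting the target as `>> "$GITHUB_ENV"` keeps it a pure fallback. A short comment above the install step, such as `# credentials are read by the CLI from LW_ACCOUNT / LW_API_KEY / LW_API_SECRET, not passed as flags`, would record why the `-a`/`-k`/`-s` flags must not come back.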
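Review bot: `callLaceworkCli` no longer checks that the credentials exist before launching the CLI: the three `getRequiredEnvVariable` calls went away together with the flags, so a missing `LW_ACCOUNT`, `LW_API_KEY` or `LW_API_SECRET` now surfaces only as whatever the CLI reports. The presence check can stay without touching the values, e.g. `for (const name of ['LW_ACCOUNT', 'LW_API_KEY', 'LW_API_SECRET']) getRequiredEnvVariable(name)` before the `callCommand` line (assuming that helper throws on a missing variable; its body is outside the hunk). A doc comment stating that the CLI takes its credentials from the environment, and that they must never be appended to `args`, would help keep them out of process listings and logs.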
@@ -93,7 +78,7 @@ export function generateUILink() {
 if (targetBranch !== defaultBranch) return ''
- let lwAccountName = process.env.LW_ACCOUNT_NAME
+ let lwAccountName = process.env.LW_ACCOUNT
 lwAccountName = lwAccountName?.replace(/\.lacework\.net$/, '')
 let url =
@@ -102,8 +87,8 @@ export function generateUILink() {
 `github.com%2F${context.repo.owner}%2F${context.repo.repo}` +
 `/${defaultBranch}`
- if (process.env.LW_SUBACCOUNT_NAME) {
- url += '?accountName=' + process.env.LW_SUBACCOUNT_NAME
+ if (process.env.LW_SUBACCOUNT) {
+ url += '?accountName=' + process.env.LW_SUBACCOUNT
 }
 return url
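Review bot: In the second `generateUILink` hunk, a workflow that still sets `LW_SUBACCOUNT_NAME` silently loses the `?accountName=` parameter, because the compatibility step added to action.yaml in this patch maps only `LW_ACCOUNT_NAME` and nothing visible does the same for the subaccount. Reading `const subaccount = process.env.LW_SUBACCOUNT || process.env.LW_SUBACCOUNT_NAME` and testing that keeps the link correct for existing users. The value is also concatenated into the URL as-is; `url += '?accountName=' + encodeURIComponent(subaccount)` confines it to the query value. The function starts above the hunk and its remaining lines are not shown.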