fix(COD-6066): hide the Lacework credentials from the running commands

.github/workflows/integration-test.yml

@@ -10,7 +10,7 @@ on:
   workflow_dispatch:
 
 env:
-  LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_CAT }}
+  LW_ACCOUNT: ${{ secrets.LW_ACCOUNT_CAT }}
   LW_API_KEY: ${{ secrets.LW_API_KEY_CAT }}
   LW_API_SECRET: ${{ secrets.LW_API_SECRET_CAT }}
   DEBUG: true

README.md

@@ -23,8 +23,8 @@ permissions:
   pull-requests: write
 
 env:
-  LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
-  LW_SUBACCOUNT_NAME: ${{ secrets.LW_SUBACCOUNT_NAME }}
+  LW_ACCOUNT: ${{ secrets.LW_ACCOUNT }}
+  LW_SUBACCOUNT: ${{ secrets.LW_SUBACCOUNT }}
   LW_API_KEY: ${{ secrets.LW_API_KEY }}
   LW_API_SECRET: ${{ secrets.LW_API_SECRET }}
 

action.yaml

@@ -69,11 +69,17 @@ runs:
       if: ${{ inputs.debug == 'true' }}
       run: |
         echo "LW_LOG=debug" >> $GITHUB_ENV
+    - name: Set Lacework account environment variable
+      shell: bash
+      run: |
+        if [ -n "$LW_ACCOUNT_NAME" ]; then
+          echo "LW_ACCOUNT=$LW_ACCOUNT_NAME" >> $GITHUB_ENV
+        fi
     - name: Install Lacework CLI component
       shell: bash
       run: |
-        lacework --noninteractive -a "${LW_ACCOUNT_NAME}" -k "${LW_API_KEY}" -s "${LW_API_SECRET}" component install sca
-        lacework --noninteractive -a "${LW_ACCOUNT_NAME}" -k "${LW_API_KEY}" -s "${LW_API_SECRET}" version
+        lacework --noninteractive component install sca
+        lacework --noninteractive version
       env:
         CDK_DOWNLOAD_TIMEOUT_MINUTES: 2
     - uses: actions/setup-node@v4

src/index.ts

@@ -41,8 +41,6 @@ async function runAnalysis() {
   await callLaceworkCli(...args)
   toUpload.push(sarifReportPath)
 
-  const uploadStart = Date.now()
-
   await uploadArtifact(getArtifactName(target), ...toUpload)
   setOutput(`${target}-completed`, true)
 }

src/util.ts

@@ -60,22 +60,7 @@ export function getOptionalEnvVariable(name: string, defaultValue: string) {
 }
 
 export async function callLaceworkCli(...args: string[]) {
-  const accountName = getRequiredEnvVariable('LW_ACCOUNT_NAME')
-  const apiKey = getRequiredEnvVariable('LW_API_KEY')
-  const apiSecret = getRequiredEnvVariable('LW_API_SECRET')
-  const expandedArgs = [
-    '--noninteractive',
-    '--account',
-    accountName,
-    '--api_key',
-    apiKey,
-    '--api_secret',
-    apiSecret,
-    'sca',
-    ...args,
-  ]
-  info('Calling lacework ' + expandedArgs.join(' '))
-  await callCommand('lacework', ...expandedArgs)
+  await callCommand('lacework', '--noninteractive', 'sca', ...args)
 }
 
 export function getOrDefault(name: string, defaultValue: string) {
@@ -93,7 +78,7 @@ export function generateUILink() {
 
   if (targetBranch !== defaultBranch) return ''
 
-  let lwAccountName = process.env.LW_ACCOUNT_NAME
+  let lwAccountName = process.env.LW_ACCOUNT
   lwAccountName = lwAccountName?.replace(/\.lacework\.net$/, '')
 
   let url =
@@ -102,8 +87,8 @@ export function generateUILink() {
     `github.com%2F${context.repo.owner}%2F${context.repo.repo}` +
     `/${defaultBranch}`
 
-  if (process.env.LW_SUBACCOUNT_NAME) {
-    url += '?accountName=' + process.env.LW_SUBACCOUNT_NAME
+  if (process.env.LW_SUBACCOUNT) {
+    url += '?accountName=' + process.env.LW_SUBACCOUNT
   }
 
   return url