From 4e9b2439ff9ca3d877ccbecc71b231de27203cf1 Mon Sep 17 00:00:00 2001
From: Teodor-Ioan Baltoi
Date: Wed, 10 Jun 2026 10:11:00 +0100
Subject: [PATCH 1/6] test branch for iac-pre-scan optimisation

---
 src/util.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/util.ts b/src/util.ts
index 4340574a..5a2cbf58 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -220,7 +220,7 @@ export async function runCodesec(
 `SCAN_TARGET=${scanTarget || 'scan'}`,
 ...(modifiedFiles ? ['-e', `MODIFIED_FILES=${modifiedFiles}`] : []),
 ...(computeCacheKey ? ['-e', 'GENERATE_CACHE_KEY=true'] : []),
- 'lacework/codesec:latest',
+ 'lacework/codesec:test',
 'scan',
 ]
 
@@ -307,7 +307,7 @@ export async function runCodesec(
 `RUN_SCA=${runSca}`,
 '-e',
 `RUN_IAC=${runIac}`,
- 'lacework/codesec:latest',
+ 'lacework/codesec:test',
 'compare',
 ]
 
From 238dee2c2ad483e22c52573132ee99531fd86d12 Mon Sep 17 00:00:00 2001
From: Teodor-Ioan Baltoi
Date: Wed, 10 Jun 2026 11:07:39 +0100
Subject: [PATCH 2/6] drop the initial optimisation

---
 src/index.ts | 9 +--------
 src/util.ts | 29 -----------------------------
 2 files changed, 1 insertion(+), 37 deletions(-)

diff --git a/src/index.ts b/src/index.ts
index 343449b4..5a06cdb9 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -14,7 +14,6 @@ import {
 getModifiedFiles,
 getOptionalEnvVariable,
 readMarkdownFile,
- shouldRunIaCScanner,
 generateCacheKey,
 } from './util'
 
@@ -53,13 +52,7 @@ async function runAnalysis() {
 }
 }
 
- // Skip the IaC scan if there no IaC-related files have been modified in the PR
- let enableIacRunning = true
- if (modifiedFiles && target == 'new') {
- if (!shouldRunIaCScanner(modifiedFiles)) {
- enableIacRunning = false
- }
- }
+ const enableIacRunning = true
 
 // Create scan-results directory
 const resultsPath = path.join(process.cwd(), 'scan-results')
diff --git a/src/util.ts b/src/util.ts
index 5a2cbf58..4251cf9f 100644
--- a/src/util.ts
+++ b/src/util.ts
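Review bot: `const enableIacRunning = true` in the runAnalysis hunk of src/index.ts turns the former decision into a constant, so whatever reads `enableIacRunning` further down (outside this hunk) is now unconditional while still reading like a decision point. Either inline the literal at its use sites or leave a one-line comment explaining the move, e.g. `// Always request the IaC scan here; presumably the scanner image decides whether to skip based on MODIFIED_FILES — confirm`, so the next reader does not reinstate the removed pre-scan filter. runAnalysis starts before and continues after this hunk.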
@@ -127,35 +127,6 @@ export async function getModifiedFiles(): Promise {
 }
 }
 
-export function shouldRunIaCScanner(modifiedFiles: string): boolean {
- const iacFileExtensions = ['.tf', '.hcl', '.yaml', '.yml', '.json']
- const nonIaCFilenames = [
- 'package.json',
- 'package-lock.json',
- 'tsconfig.json',
- 'tsconfig.build.json',
- 'tslint.json',
- 'jest.config.json',
- '.eslintrc.json',
- '.prettierrc.json',
- '.prettierrc.yaml',
- '.prettierrc.yml',
- 'renovate.json',
- 'lerna.json',
- 'bower.json',
- 'composer.json',
- 'composer.lock',
- 'Pipfile.lock',
- 'cargo.lock',
- ]
- return modifiedFiles.split(',').some((file) => {
- const filename = file.split('/').pop() || ''
- if (nonIaCFilenames.includes(filename.toLowerCase())) {
- return false
- }
- return iacFileExtensions.some((ext) => file.endsWith(ext))
- })
-}
 
 // runCodesec - Docker-based scanner using codesec:latest image
 //

From 558ce7780e6ac2fdfa61a97e8a6cb07cd522dbfb Mon Sep 17 00:00:00 2001
From: Teodor-Ioan Baltoi
Date: Wed, 10 Jun 2026 11:08:12 +0100
Subject: [PATCH 3/6] drop the initial optimisation

---
 src/util.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/util.ts b/src/util.ts
index 4251cf9f..0fda9f87 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -127,7 +127,6 @@ export async function getModifiedFiles(): Promise {
 }
 }
 
-
 // runCodesec - Docker-based scanner using codesec:latest image
 //
 // Modes:

From 5c81875578c70e34444331f70903b6f213668b1f Mon Sep 17 00:00:00 2001
From: Teodor-Ioan Baltoi
Date: Wed, 10 Jun 2026 11:43:04 +0100
Subject: [PATCH 4/6] try catch error for docker cp when iac decides to skip

---
 src/util.ts | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/util.ts b/src/util.ts
index 0fda9f87..38bb29be 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -68,6 +68,19 @@ export async function callCommand(command: string, ...args: string[]) {
 }
 }
 
+export async function tryCallCommand(command: string, ...args: string[]): Promise {
+ info('Invoking ' + command + ' ' + args.join(' '))
+ const child = spawn(command, args, { stdio: 'inherit' })
+ const exitCode = await new Promise((resolve, _) => {
+ child.on('close', resolve)
+ })
+ if (exitCode !== 0) {
+ info(`Command exited with status ${exitCode}`)
+ return false
+ }
+ return true
+}
+
 export function getRequiredEnvVariable(name: string) {
 const value = process.env[name]
 if (!value) {
@@ -231,13 +244,16 @@ export async function runCodesec(
 if (runIac) {
 const iacDir = path.join(reportsDir, 'iac')
 mkdirSync(iacDir, { recursive: true })
- await callCommand(
+ const copied = await tryCallCommand(
 'docker',
 'container',
 'cp',
 `${containerName}:/tmp/scan-results/iac/iac-${scanTarget || 'scan'}.json`,
 path.join(iacDir, `iac-${scanTarget || 'scan'}.json`)
 )
+ if (!copied) {
+ info('IaC results not produced — scanner likely skipped IaC')
+ }
 }
 
 // Cleanup container

From 3bd6cb4c4dc2d4f526c90650643d1149866ed6ef Mon Sep 17 00:00:00 2001
From: Teodor-Ioan Baltoi
Date: Wed, 10 Jun 2026 11:59:54 +0100
Subject: [PATCH 5/6] ignore extra noise from logs

---
 src/util.ts | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/src/util.ts b/src/util.ts
index 38bb29be..dcf59943 100644
--- a/src/util.ts
+++ b/src/util.ts
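Review bot: `tryCallCommand` registers only a `close` handler on the spawned child, so if the spawn itself fails (for example the `docker` binary is absent or not executable on the runner) the child emits `error`, and with no listener Node raises it as an uncaught exception instead of the `false` the function promises; the caller's `if (!copied)` path is then never reached. Add `child.on('error', () => resolve(-1))` next to the `close` handler so the boolean contract holds in that case too; the same `close`-only wiring is carried unchanged into the rewrite of this function in patch 5. Note also that `close` delivers `null` for the code when the process is killed by a signal — `exitCode !== 0` already treats that as failure, which is fine but deserves a short comment. The generic on `Promise` appears stripped by extraction here; presumably the source has a concrete type argument.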
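Review bot: `if (!copied)` in runCodesec treats every non-zero `docker container cp` exit as "scanner skipped IaC", so a copy that fails for another reason — container already gone, result path moved inside the image, disk full — is reported with the same info line and the run proceeds without IaC results as if that were expected. Because `tryCallCommand` reduces the outcome to a boolean, nothing in the job log lets an operator tell the two cases apart after the fact. At minimum raise the severity and name what was expected, e.g. `warning(\`IaC results missing at ${iacDir}: docker cp failed — scanner may have skipped IaC\`)` (using the same logging module `info` comes from, if it exposes a warning level); better, have the scanner write an explicit skip marker that this code checks before treating absence as benign. runCodesec starts before and continues after this hunk.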
@@ -69,16 +69,11 @@ export async function callCommand(command: string, ...args: string[]) {
 }
 
 export async function tryCallCommand(command: string, ...args: string[]): Promise {
- info('Invoking ' + command + ' ' + args.join(' '))
- const child = spawn(command, args, { stdio: 'inherit' })
+ const child = spawn(command, args, { stdio: 'ignore' })
 const exitCode = await new Promise((resolve, _) => {
 child.on('close', resolve)
 })
- if (exitCode !== 0) {
- info(`Command exited with status ${exitCode}`)
- return false
- }
- return true
+ return exitCode === 0
 }
 
 export function getRequiredEnvVariable(name: string) {

From 51cbcd6635f527c4713c97ec990adfc531ab7272 Mon Sep 17 00:00:00 2001
From: Teodor-Ioan Baltoi
Date: Wed, 10 Jun 2026 15:15:11 +0100
Subject: [PATCH 6/6] update to latest

---
 src/util.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/util.ts b/src/util.ts
index dcf59943..b6ef0f15 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -198,7 +198,7 @@ export async function runCodesec(
 `SCAN_TARGET=${scanTarget || 'scan'}`,
 ...(modifiedFiles ? ['-e', `MODIFIED_FILES=${modifiedFiles}`] : []),
 ...(computeCacheKey ? ['-e', 'GENERATE_CACHE_KEY=true'] : []),
- 'lacework/codesec:test',
+ 'lacework/codesec:latest',
 'scan',
 ]
 
@@ -288,7 +288,7 @@ export async function runCodesec(
 `RUN_SCA=${runSca}`,
 '-e',
 `RUN_IAC=${runIac}`,
- 'lacework/codesec:test',
+ 'lacework/codesec:latest',
 'compare',
 ]
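Review bot: `stdio: 'ignore'` together with dropping the `Invoking …` and exit-status lines means a failed `docker container cp` now leaves no trace in the job log at all — neither the status nor docker's own error text — while the caller already collapses the result to a boolean, so there is nowhere else the evidence survives. If the aim is only to silence the success-path output, pipe stderr and emit it solely on a non-zero exit: the expected skip case stays quiet and a genuine failure remains diagnosable from the log. The rewrite below keeps the signature and return contract; the `close`-only event wiring between the spawn and the return is unchanged.
```typescript
export async function tryCallCommand(command: string, ...args: string[]): Promise<boolean> {
  const child = spawn(command, args, { stdio: ['ignore', 'ignore', 'pipe'] })
  let stderr = ''
  child.stderr?.on('data', (chunk: Buffer) => {
    stderr += chunk.toString()
  })
  // … unchanged: await the 'close' event into exitCode …
  if (exitCode !== 0) {
    info(`${command} exited with status ${exitCode}${stderr ? ': ' + stderr.trim() : ''}`)
  }
  return exitCode === 0
}
```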