feat(COD-7079): skip the IaC scan when no IaC-related files are modified

src/index.ts

@@ -14,12 +14,13 @@ import {
   getModifiedFiles,
   getOptionalEnvVariable,
   readMarkdownFile,
+  shouldRunIaCScanner,
 } from './util'
 import { simpleGit } from 'simple-git'
 
 // Global scanner toggles - set to false to disable a scanner globally
 const enableScaRunning = true
-const enableIacRunning = true
+let enableIacRunning = false
 
 async function runAnalysis() {
   const target = getInput('target')
@@ -53,6 +54,13 @@ async function runAnalysis() {
     }
   }
 
+  // Skip the IaC scan if there no IaC-related files have been modified in the PR
+  if (modifiedFiles && target == 'new') {
+    if (shouldRunIaCScanner(modifiedFiles)) {
+      enableIacRunning = true
+    }
+  }
+
   // Create scan-results directory
   const resultsPath = path.join(process.cwd(), 'scan-results')
 

src/util.ts

@@ -140,6 +140,36 @@ export function getModifiedFiles(): string | undefined {
   return files || undefined
 }
 
+export function shouldRunIaCScanner(modifiedFiles: string): boolean {
+  const iacFileExtensions = ['.tf', '.hcl', '.yaml', '.yml', '.json']
+  const nonIaCFilenames = [
+    'package.json',
+    'package-lock.json',
+    'tsconfig.json',
+    'tsconfig.build.json',
+    'tslint.json',
+    'jest.config.json',
+    '.eslintrc.json',
+    '.prettierrc.json',
+    '.prettierrc.yaml',
+    '.prettierrc.yml',
+    'renovate.json',
+    'lerna.json',
+    'bower.json',
+    'composer.json',
+    'composer.lock',
+    'Pipfile.lock',
+    'cargo.lock',
+  ]
+  return modifiedFiles.split(',').some((file) => {
+    const filename = file.split('/').pop() || ''
+    if (nonIaCFilenames.includes(filename.toLowerCase())) {
+      return false
+    }
+    return iacFileExtensions.some((ext) => file.endsWith(ext))
+  })
+}
+
 // runCodesec - Docker-based scanner using codesec:latest image
 //
 // Modes: