@@ -122,6 +122,25 @@ The simplest way to add CleanCloud to GitHub Actions — one step, no pip instal
122122 artifact-name: cleancloud-scan-results
123123` ` `
124124
125+ # ## GCP (Workload Identity Federation)
126+
127+ ` ` ` yaml
128+ - uses: google-github-actions/auth@v2
129+ with:
130+ workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
131+ service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
132+
133+ - uses: cleancloud-io/scan-action@v1
134+ with:
135+ provider: gcp
136+ all-projects: 'true'
137+ fail-on-confidence: HIGH
138+ fail-on-cost: '100'
139+ output: json
140+ output-file: scan-results.json
141+ artifact-name: cleancloud-scan-results
142+ ` ` `
143+
125144# ## AWS Multi-Account (via action)
126145
127146` ` ` yaml
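Review bot: the new GCP snippet (lines 128-131) calls `google-github-actions/auth@v2` with `workload_identity_provider`, which performs an OIDC token exchange, but the example never declares the `permissions: id-token: write` the job needs for GitHub to mint that token; without it the auth step fails at runtime. Suggest adding a `permissions:` block (or a one-line note) above the step so the copy-paste example works, and consider stating that `GCP_SERVICE_ACCOUNT` should be a read-only service account, matching the `CleanCloudReadOnlyRole` convention the AWS section documents.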
@@ -144,30 +163,32 @@ The simplest way to add CleanCloud to GitHub Actions — one step, no pip instal
144163
145164# ## Full Inputs Reference
146165
147- | Input | Description | AWS | Azure |
148- |---|---|:---:|:---:|
149- | `provider` | `aws` or `azure` (required) | ✓ | ✓ |
150- | `region` | Single region/location filter | ✓ | ✓ |
151- | `all-regions` | Scan all active regions | ✓ | — |
152- | `org` | Auto-discover all AWS Organization accounts | ✓ | — |
153- | `accounts` | Comma-separated account IDs | ✓ | — |
154- | `multi-account` | Path to accounts config YAML | ✓ | — |
155- | `role-name` | Cross-account role name (default : ` CleanCloudReadOnlyRole` ) | ✓ | — |
156- | `external-id` | External ID for cross-account role assumption | ✓ | — |
157- | `concurrency` | Parallel account scan limit | ✓ | — |
158- | `timeout` | Total scan timeout in seconds | ✓ | — |
159- | `per-account-regions` | Detect active regions per account (slower, more accurate) | ✓ | — |
160- | `subscription` | Comma-separated subscription IDs | — | ✓ |
161- | `management-group` | Management Group ID for subscription discovery | — | ✓ |
162- | `fail-on-confidence` | Fail on `LOW`, `MEDIUM`, or `HIGH` confidence findings | ✓ | ✓ |
163- | `fail-on-cost` | Fail if estimated waste exceeds this USD amount | ✓ | ✓ |
164- | `fail-on-findings` | Fail on any finding | ✓ | ✓ |
165- | `output` | `human`, `json`, `csv`, or `markdown` | ✓ | ✓ |
166- | `output-file` | Path to write output (required for `json`/`csv`) | ✓ | ✓ |
167- | `artifact-name` | Upload `output-file` as a GitHub artifact with this name | ✓ | ✓ |
168- | `config` | Path to `cleancloud.yaml` config file | ✓ | ✓ |
169- | `ignore-tag` | Comma-separated `key` or `key:value` tags to ignore | ✓ | ✓ |
170- | `version` | CleanCloud version to install (default : latest) | ✓ | ✓ |
166+ | Input | Description | AWS | Azure | GCP |
167+ |---|---|:---:|:---:|:---:|
168+ | `provider` | `aws`, `azure`, or `gcp` (required) | ✓ | ✓ | ✓ |
169+ | `region` | Single region/location filter | ✓ | ✓ | — |
170+ | `all-regions` | Scan all active regions | ✓ | — | — |
171+ | `org` | Auto-discover all AWS Organization accounts | ✓ | — | — |
172+ | `accounts` | Comma-separated account IDs | ✓ | — | — |
173+ | `multi-account` | Path to accounts config YAML | ✓ | — | — |
174+ | `role-name` | Cross-account role name (default : ` CleanCloudReadOnlyRole` ) | ✓ | — | — |
175+ | `external-id` | External ID for cross-account role assumption | ✓ | — | — |
176+ | `concurrency` | Parallel account scan limit | ✓ | — | — |
177+ | `timeout` | Total scan timeout in seconds | ✓ | — | — |
178+ | `per-account-regions` | Detect active regions per account (slower, more accurate) | ✓ | — | — |
179+ | `subscription` | Comma-separated subscription IDs | — | ✓ | — |
180+ | `management-group` | Management Group ID for subscription discovery | — | ✓ | — |
181+ | `project` | Comma-separated GCP project IDs | — | — | ✓ |
182+ | `all-projects` | Scan all accessible GCP projects | — | — | ✓ |
183+ | `fail-on-confidence` | Fail on `LOW`, `MEDIUM`, or `HIGH` confidence findings | ✓ | ✓ | ✓ |
184+ | `fail-on-cost` | Fail if estimated waste exceeds this USD amount | ✓ | ✓ | ✓ |
185+ | `fail-on-findings` | Fail on any finding | ✓ | ✓ | ✓ |
186+ | `output` | `human`, `json`, `csv`, or `markdown` | ✓ | ✓ | ✓ |
187+ | `output-file` | Path to write output (required for `json`/`csv`) | ✓ | ✓ | ✓ |
188+ | `artifact-name` | Upload `output-file` as a GitHub artifact with this name | ✓ | ✓ | ✓ |
189+ | `config` | Path to `cleancloud.yaml` config file | ✓ | ✓ | ✓ |
190+ | `ignore-tag` | Comma-separated `key` or `key:value` tags to ignore | ✓ | ✓ | ✓ |
191+ | `version` | CleanCloud version to install (default : latest) | ✓ | ✓ | ✓ |
171192
172193> When `artifact-name` is set the action uploads `output-file` automatically — no separate `upload-artifact` step needed.
173194
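Review bot: the new `project` and `all-projects` rows (lines 181-182) do not state what the GCP scan covers when neither input is set, nor whether the two are mutually exclusive, so a reader cannot tell whether omitting both is an error or scans the credential's default project; a short "(default: ...)" note in the description, as `role-name` and `version` already have, would close that gap. Also worth confirming that `region` (line 169) is intentionally marked unsupported for GCP while its description still reads "Single region/location filter", since the GCP example above passes no region at all.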