Bump to version 4.0.0 #35

Merged (1 commit), Jan 26, 2024
81 changes: 67 additions & 14 deletions .github/workflows/scan.yaml
@@ -8,34 +8,87 @@ jobs:
runs-on: ubuntu-latest

steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4

- name: Scan dummy-vuln-app from registry
id: scan
uses: ./
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json

macos-scan-from-registry:
runs-on: macos-latest

steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4

- name: Scan dummy-vuln-app from registry
id: scan
uses: sysdiglabs/scan-action@master
uses: ./
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
ignore-failed-scan: true
stop-on-failed-policy-eval: true
stop-on-processing-error: true

scan-from-docker-archive:
- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json


standalone-scan-from-registry:
runs-on: ubuntu-latest

steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4

- name: Pull image
id: pull-and-save
run: |
docker pull sysdiglabs/dummy-vuln-app:latest
docker save sysdiglabs/dummy-vuln-app:latest -o image.tar
- name: Donate MainDB from scan
id: donnor-scan
uses: ./
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: false
stop-on-processing-error: true
skip-summary: true

- name: Scan dummy-vuln-app from archive
- name: Scan dummy-vuln-app from registry
id: scan
uses: sysdiglabs/scan-action@master
uses: ./
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
input-type: docker-archive
input-path: ${{ github.workspace }}/image.tar
ignore-failed-scan: true
#sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true
standalone: true

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json
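Review bot: the standalone job at the end of this hunk still passes `input-type: docker-archive` and `input-path: ${{ github.workspace }}/image.tar`, while the README changed in this same PR deletes the `input-type` and `input-path` input documentation; either document those inputs again or drop them from the job so the workflow and README agree. In the same job, the step renamed to `Scan dummy-vuln-app from registry` actually scans the saved archive (the previous name `Scan dummy-vuln-app from archive` was accurate), `id: donnor-scan` reads as a typo for `donor-scan`, and the commented-out `#sysdig-secure-token: ...` line should be removed rather than left in. A short comment on the `Donate MainDB from scan` step saying that it exists only to populate the local vulnerability database so the following `standalone: true` step can run without the backend would also help, because as written the job still needs `KUBELAB_SECURE_API_TOKEN` and is not a true offline test of standalone mode.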
138 changes: 71 additions & 67 deletions README.md
@@ -1,89 +1,93 @@

# Sysdig Secure Inline Scan Action

This action performs analysis on locally built container image and posts the result to Sysdig Secure. For more information about Secure Inline Scan, see [Sysdig Secure documentation](https://docs.sysdig.com/en/integrate-with-ci-cd-tools.html).
> 🚧 **Warning**: To use the Legacy Scanning Engine Action, please use version v3.* and visit the [previous README](./README.v3.md).

This action performs analysis on a specific container image and posts the result to Sysdig Secure. For more information about Sysdig CLI Scanner, see [Sysdig Secure documentation](https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner/running-in-vm-mode/).

## Inputs

### `image-tag`
### `cli-scanner-url`

**Required** The tag of the local image to scan. Example: `"sysdiglabs/dummy-vuln-app:latest"`.
URL to `sysdig-cli-scanner` binary download. The action will detect the runner OS and architecture. The version of the CLI Scanner is set to `1.8.1` by default (to specify another version see `cli-scanner-version`).

### `sysdig-secure-token`
For more info about the Sysdig CLI Scanner download visit [the official documentation](https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner/).

**Required** API token for Sysdig Scanning auth. Example: `"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"`.
### `cli-scanner-version`

Directly specifying the API token in the action configuration is not recommended. A better approach is to [store it in GitHub secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets), and reference `${{ secrets.MY_SECRET_NAME }}` instead.
Custom sysdig-cli-scanner version to download. It is set to `1.8.1` by default.

### `sysdig-secure-url`
> Please note that the Action has only been tested with `1.8.x` versions and it is not guaranteed that it will work as expected with other versions.

Sysdig Secure URL. Example: `https://secure-sysdig.svc.cluster.local`
### `registry-user`

If not specified, it will default to Sysdig Secure SaaS URL (https://secure.sysdig.com).
Registry username to authenticate to while pulling the image to scan.

For SaaS, eee [SaaS Regions and IP Ranges](https://docs.sysdig.com/en/saas-regions-and-ip-ranges.html).
### `registry-password`

### `sysdig-skip-tls`
Registry password to authenticate to while pulling the image to scan.

Skip TLS verification when calling secure endpoints.
### `stop-on-failed-policy-eval`

### `dockerfile-path`
Fail the job if the Policy Evaluation is Failed.

Path to Dockerfile. Example: `"./Dockerfile"`.
### `stop-on-processing-error`

### `ignore-failed-scan`
Fail the job if the Scanner terminates execution with errors.

Don't fail the execution of this action even if the scan result is FAILED.
### `standalone`

### `input-type`
Enable standalone mode. Do not depend on Sysdig backend for
execution, avoiding the need of specifying
'sysdig-secure-token' and 'sysdig-secure-url'.

If specified, where should we scan the image from. Possible values:
* **pull**: Pull the image from the registry. Default if not specified.
* **docker-daemon**: Get the image from the Docker daemon. The Docker socket must be available at `/var/run/docker.sock`
* **cri-o**: Get the image from containers-storage (CRI-O and others). Images must be stored in `/var/lib/containers`
* docker-archive: Image is provided as a Docker .tar file (from Docker save). Specify the path to the tar file with `input-path` parameter.
* **oci-archive**: Image is provided as a OCI image tar file. Specify the path to the tar file with `input-path` parameter.
* **oci-dir**: Image is provided as a OCI image, untared. Specify the path to the directory file with `input-path` parameter.
Recommended when using runners with no access to the internet. May require to specify custom `cli-scanner-url` and `db-path`.

### `input-path`
### `db-path`

Path to the tar file or OCI layout directory, or the Docker daemon when using `input-type: docker-daemon`, in case the `docker.sock` file is not in the default path `/var/run/docker.sock`.
Specify the directory for the vulnerabilities database to use while scanning.

### `run-as-user`
Useful when running in standalone mode.

Run the scan container with this username or UID.
It might be required when scanning from docker-daemon or cri-o to provide a user with permissions on the socket or storage.
### `skip-upload`

### `extra-parameters`
Skip uploading scanning results to Sysdig Secure.

Additional parameters added to the secure-inline-scan container execution.
### `skip-summary`

### `extra-docker-parameters`
Skip generating Summary.

Additional parameters added to the `docker` command when executing the secure-inline-scan container execution.
### `use-policies`

### `severity`
Specify Sysdig Secure VM Policies to evaluate the image.

Filter output annotations by severity. Default is "unknown".
Possible values:
- critical
- high
- medium
- negligible
- unknown
### `override-pullstring`

### `unique-report-by-package`
Custom PullString to give the image when scanning and
uploading.

Only one annotation by package name/version will be displayed in the build output.
The last highest (by severity) vulnerability will be displayed by package.
It increases the readability of the output, avoiding duplicates for the same package.
Default to false.
Useful when building images in a pipeline with temporary names. The custom PullString will be used to identify the scanned image in Sysdig Secure.

### `image-tag`

Tag of the image to analyse.

### `sysdig-secure-token`

API token for Sysdig Scanning authentication. (Required if not in
Standalone mode.)

### `inline-scan-image`
### `sysdig-secure-url`

The image `quay.io/sysdig/secure-inline-scan:2`, which points to the latest 2.x version of the Sysdig Secure inline scanner is used by default.
This parameter allows overriding the default image, to use a specific version or for air-gapped environments.
Sysdig Secure Endpoint URL. Defaults to `https://secure-sysdig.com`. Please, visit the [official documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) for more details on endpoints and regions.

### `sysdig-skip-tls`

Skip TLS verification when calling Sysdig Secure endpoints.

### `extra-parameters`

Additional parameters to be added to the CLI Scanner. Note that these may not be supported with the current Action.

## SARIF Report

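Review bot: the `sysdig-secure-url` entry near the end of this hunk states the default as `https://secure-sysdig.com`, whereas the line it replaces said `https://secure.sysdig.com`; the hyphenated form looks like a typo and should be checked against the SaaS regions page it links to. The rewritten `image-tag` and `sysdig-secure-token` entries also drop the **Required** marker the old text carried; if `image-tag` is still mandatory, say so as before, and state the condition for the token in the same style. Two smaller points: `sysdig-skip-tls` is still described with no caveat that disabling verification lets an on-path attacker read the API token sent to the endpoint, and `extra-parameters` ("may not be supported with the current Action") is vague enough that a user cannot tell what happens if they pass something unsupported.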
@@ -96,22 +100,23 @@ You need to assign an ID to the Sysdig Scan Action step, like:

- name: Scan image
id: scan
uses: sysdiglabs/scan-action@v3
uses: sysdiglabs/scan-action@v4
with:
...
```

and then add another step for uploading the SARIF report, providing the path in the `sarifReport` output:
and then add another step for uploading the SARIF report, providing the path in the `sarif_file` parameter:

```yaml
...
- uses: github/codeql-action/upload-sarif@v1
- name: Upload SARIF file
if: success() || failure()
uses: github/codeql-action/upload-sarif@v3
with:
if: always()
sarif_file: ${{ steps.scan.outputs.sarifReport }}
sarif_file: ${{ github.workspace }}/sarif.json
```

The `if: always()` option makes sure the SARIF report is uploaded even if the scan fails and interrupts the workflow.
The `if: success() || failure()` option makes sure the SARIF report is uploaded even if the scan fails and interrupts the workflow. (Q: Why not `always()`? A: That would allow for canceled jobs as well.)

## Example usages

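Review bot: the context line `You need to assign an ID to the Sysdig Scan Action step` and the `id: scan` in the first snippet are now stale, because the upload step no longer reads `steps.scan.outputs.sarifReport` but a fixed `${{ github.workspace }}/sarif.json`; either drop the ID requirement or say where the action writes the report, since nothing in the rewritten README states that the file is `sarif.json` in the workspace. The sentence `providing the path in the \`sarif_file\` parameter` should also make clear that this is the upload action's input, not an output of the scan action. The `success() || failure()` versus `always()` explanation is a useful addition.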
@@ -126,17 +131,16 @@ The `if: always()` option makes sure the SARIF report is uploaded even if the sc

- name: Scan image
id: scan
uses: sysdiglabs/scan-action@v3
uses: sysdiglabs/scan-action@v4
with:
image-tag: "sysdiglabs/dummy-vuln-app:latest"
sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
input-type: docker-daemon
run-as-user: root
image-tag: sysdiglabs/dummy-vuln-app:latest
sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}

- uses: github/codeql-action/upload-sarif@v1
if: always()
- name: Upload SARIF file
if: success() || failure()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarifReport }}
sarif_file: ${{ github.workspace }}/sarif.json

```

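Review bot: with `input-type: docker-daemon` and `run-as-user: root` removed, this example is now the same as the registry-scan example that follows in the next hunk, apart from how the `image-tag` value is quoted; either update its heading (outside this hunk) to say what it now demonstrates, or delete it. Quoting should also be consistent across examples: this snippet uses `image-tag: sysdiglabs/dummy-vuln-app:latest` while the next one uses `image-tag: "sysdiglabs/dummy-vuln-app:latest"`.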
@@ -146,13 +150,13 @@ The `if: always()` option makes sure the SARIF report is uploaded even if the sc
...

- name: Scan image
uses: sysdiglabs/scan-action@v3
uses: sysdiglabs/scan-action@v4
with:
image-tag: "sysdiglabs/dummy-vuln-app:latest"
sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
```

### Scan a Docker archive image
### Fail pipeline when Policy Evaluation is failed or scanner fails to run


```yaml
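Review bot: the new heading `Fail pipeline when Policy Evaluation is failed or scanner fails to run` should read `fails` rather than `is failed`. Replacing `### Scan a Docker archive image` also leaves the README with no example of `input-type: docker-archive`, even though the workflow in this PR still scans a `docker save` archive; if that path is still supported, keep a short example of it.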
@@ -163,6 +167,6 @@ The `if: always()` option makes sure the SARIF report is uploaded even if the sc
with:
image-tag: "sysdiglabs/dummy-vuln-app:latest"
sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
input-type: docker-archive
input-path: artifacts/my-image.tar
stop-on-failed-policy-eval: true
stop-on-processing-error: true
```
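Review bot: the example adds `stop-on-failed-policy-eval: true` and `stop-on-processing-error: true`, but the inputs section of this README gives no default for either input, so a reader cannot tell whether these two lines change behaviour or restate it; document the defaults in the inputs section and say here that with both set the job fails on a failed policy evaluation or on a scanner error.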