# ZEIT ONLINE Sysdig scan action

> **NOTE:** This Action is used internally by the ZEIT ONLINE organization and is probably not useful outside of this specific context.

## Summary

This composite action scans Docker images for vulnerabilities and integrates with Sysdig Secure. The Sysdig Secure token it needs is fetched from Vault; in ZEIT ONLINE build workflows, the permission to do so is provided by the Baseproject action.

The action assumes a locally built image, which is then scanned.

## Example Usage

Scan an image for vulnerabilities:

```yaml
jobs:
    build:
        # ...
        steps:
            # ...
            - name: Scan image
              uses: ZeitOnline/[email protected]
              with:
                gha_vault_role: ${{ steps.baseproject.outputs.gha_vault_role }}
                image_tag: ${{ env.REPOSITORY }}:${{ inputs.tag }}
            # ...
```

Perform an IaC scan:

```yaml
jobs:
    build:
        # ...
        steps:
            # ...
            - name: Scan k8s manifests
              uses: ZeitOnline/[email protected]
              with:
                gha_vault_role: ${{ steps.baseproject.outputs.gha_vault_role }}
                mode: iac
                iac_scan_path: ./k8s
                recursive: true
            # ...
```

Both examples assume a preceding step with id `baseproject` that outputs `gha_vault_role`. This output is needed to authenticate to Vault and fetch the Sysdig Secure token.
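A complete job wiring the steps above together, as an added example that is not part of this action's README: the image is built locally (not pushed), both scan modes run, and the push happens only after the scans have passed. The `uses:` references for the Baseproject action and for this action are placeholders, and the registry and image names are constructed.

```yaml
# Added example workflow, not part of the action itself.
# Placeholders: ZeitOnline/<baseproject-action>@<version> and
# ZeitOnline/<sysdig-scan-action>@<version> stand in for the real action refs.
name: build-scan-push

on:
  push:
    branches: [main]

env:
  REPOSITORY: registry.example.invalid/zon/app   # constructed image name

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Provides the gha_vault_role output the scan steps need (see Summary).
      - name: Baseproject
        id: baseproject
        uses: ZeitOnline/<baseproject-action>@<version>   # placeholder

      # Build locally only; nothing leaves the runner before it has been scanned.
      - name: Build image locally
        run: docker build -t "${REPOSITORY}:${GITHUB_SHA}" .

      - name: Scan image
        uses: ZeitOnline/<sysdig-scan-action>@<version>   # placeholder
        with:
          gha_vault_role: ${{ steps.baseproject.outputs.gha_vault_role }}
          image_tag: ${{ env.REPOSITORY }}:${{ github.sha }}
          # Default value; a failed policy evaluation fails this step and
          # therefore skips the push below.
          stop_on_failed_policy_eval: 'true'

      - name: Scan k8s manifests
        uses: ZeitOnline/<sysdig-scan-action>@<version>   # placeholder
        with:
          gha_vault_role: ${{ steps.baseproject.outputs.gha_vault_role }}
          mode: iac
          iac_scan_path: ./k8s
          recursive: true

      # Reached only if every earlier step, including both scans, succeeded.
      - name: Push image
        run: docker push "${REPOSITORY}:${GITHUB_SHA}"
```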

## Reference

Here are all the inputs available through `with`:

| Input | Description | Default | Required |
| --- | --- | --- | --- |
| `mode` | Whether to scan OCI images (`vm`) or IaC files (`iac`) | `vm` | |
| `gha_default_role` | The name of the GHA default role as output by the baseproject action | | |
| `image_tag` | The name and tag of the Docker image to be scanned. Assumes a locally built image | | |
| `stop_on_failed_policy_eval` | Whether to fail the action when the policy evaluation fails | `'true'` | |
| `iac_scan_path` | Directory path where the IaC files to be scanned reside | | |
| `recursive` | Whether to scan IaC files recursively | | |

## Releases

This action uses Release Please. To create a new release, create a PR and use Conventional Commits as described here.