-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yaml
48 lines (45 loc) · 1.73 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
name: ZON image scanning action
description: A composite action to scan images with Sysdig
inputs:
mode:
description: Whether to scan OCI images or IaC files
default: 'vm'
required: true
gha_vault_role:
description: The gha_vault_role as output by the baseproject action. Required if mode is 'vm'
required: true
image_tag:
description: The name and tag of the image to be scanned. Required if mode is 'vm'
stop_on_failed_policy_eval:
description: Whether to fail the action when the policy evaluation fails
default: 'true'
iac_scan_path:
description: Directory path where IaC files to be scanned reside
recursive:
description: Whether to scan IaC files recursively
runs:
using: "composite"
steps:
# This is covered by the default GHA Vault policy,
# no extra setup required
- name: Retrieve Sysdig secure token
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
with:
method: jwt
url: https://vault.ops.zeit.de
path: github-actions
role: ${{ inputs.gha_vault_role }}
secrets: |
zon/v1/sysdig/sysdig-scanner api-key | SYSDIG_SECURE_TOKEN ;
# The results from this scan will appear in the GHA actions summary
# as well as the Sysdig UI under Vulnerabilities/Pipeline
- name: Scan image
uses: sysdiglabs/scan-action@v5
with:
mode: ${{ inputs.mode }}
image-tag: ${{ inputs.image_tag }}
stop-on-failed-policy-eval: ${{ inputs.stop_on_failed_policy_eval }}
iac-scan-path: ${{ inputs.iac_scan_path }}
recursive: ${{ inputs.recursive }}
sysdig-secure-token: ${{ env.SYSDIG_SECURE_TOKEN }}
sysdig-secure-url: https://eu1.app.sysdig.com/secure