Use inline scan v2 (#5)

* Use secure-inline-scan:2 and add additional options * Include check run with annotations * Add SARIF report output
sysdiglabs · Nov 30, 2020 · 7a34679 · 7a34679
1 parent 619880f
commit 7a34679
Show file tree

Hide file tree

Showing 46 changed files with 25,985 additions and 2,740 deletions.
diff --git a/.eslintignore b/.eslintignore
@@ -0,0 +1 @@
+dist/
diff --git a/.eslintrc.yml b/.eslintrc.yml
@@ -0,0 +1,13 @@
+env:
+  commonjs: true
+  es6: true
+  es2021: true
+  jest: true
+  node: true
+extends: 'eslint:recommended'
+globals:
+  Atomics: "readonly"
+  SharedArrayBuffer: "readonly"
+parserOptions:
+  ecmaVersion: 2018
+rules: {}
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1 @@
+dist/** -diff linguist-generated=true
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,11 @@
+name: Run Tests
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - run: npm ci
+    - run: npm test
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -0,0 +1,23 @@
+name: Scan
+
+on:
+  push:
+  workflow_dispatch:
+    inputs:
+      image:
+        description: Image to scan
+        required: true
+        default: alpine:3.7
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Scan image
+        id: scan
+        uses: sysdiglabs/scan-action@use-inline-scan-v2 
+        with:
+          image-tag: "alpine:3.7"
+          sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+          pull-from-registry: true
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,6 @@
+node_modules/
+
+# Editors
+.vscode/
+.idea/
+*.iml
diff --git a/README.md b/README.md
@@ -20,25 +20,122 @@ Sysdig Secure URL. Example: "https://secure-sysdig.svc.cluster.local".
 
 If not specified, it will default to Sysdig Secure SaaS URL (https://secure.sysdig.com/).
 
+### `sysdig-skip-tls`
+
+Skip TLS verification when calling secure endpoints.
+
 ### `dockerfile-path`
 
 Path to Dockerfile. Example: `"./Dockerfile"`.
 
-### `pull-from-registry`
+### `ignore-failed-scan`
+
+Don't fail the execution of this action even if the scan result is FAILED.
+
+### `input-type`
+
+If specified, where should we scan the image from. Possible values:
+* pull            Pull the image from the registry.
+                  Default if not specified.
+* docker-daemon   Get the image from the Docker daemon.
+                  The docker socket must be available at /var/run/docker.sock
+* cri-o           Get the image from containers-storage (CRI-O and others).
+                  Images must be stored in /var/lib/containers
+* docker-archive  Image is provided as a Docker .tar file (from docker save).
+                  Specify path to the tar file with 'input-path'
+* oci-archive     Image is provided as a OCI image tar file.
+                  Specify path to the tar file with 'input-path'
+* oci-dir         Image is provided as a OCI image, untared.
+                  Specify path to the directory file with 'input-path'
+
+### `input-path`
+
+Path to the tar file or OCI layout directory.
+
+### `run-as-user`
+
+Run the scan container with this username or UID.
+It might required if scanning from docker-daemon or cri-o to provide a user with permissions on the socket or storage.
+
+### `extra-parameters`
+
+Additional parameters added to the secure-inline-scan container execution.
+
+### `extra-docker-parameters`
+
+Additional parameters added to the docker command when executing the secure-inline-scan container execution.
 
-Pull container image from registry instead of using the locally built image.
+## SARIF Report
 
-## Example usage
+The action generates a SARIF report that can be uploaded using the `codeql-action/upload-sarif` action.
+
+You need to assign an ID to the Sysdig Scan Action step, like:
+
+```yaml
+    ...
+
+    - name: Scan image
+      id: scan
+      uses: sysdiglabs/scan-action@v3
+      with:
+        ...
+```
+
+and then add another step for uploading the SARIF report, providing the path in the `sarifReport` output:
+
+```yaml
+    ...
+      - uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarifReport }}
+```
+
+## Example usages
+
+### Build and scan image locally using Docker, and upload SARIF report
 
 ```yaml
     ...
     - name: Build the Docker image
       run: docker build . --file Dockerfile --tag sysdiglabs/dummy-vuln-app:latest
 
     - name: Scan image
-      uses: sysdiglabs/scan-action@v2
+      id: scan
+      uses: sysdiglabs/scan-action@v3
       with:
         image-tag: "sysdiglabs/dummy-vuln-app:latest"
         sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+        run-as-user: root
+
+      - uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarifReport }}
 
 ```
+
+### Pull and scan an image from a registry
+
+```yaml
+    ...
+
+    - name: Scan image
+      uses: sysdiglabs/scan-action@v3
+      with:
+        image-tag: "sysdiglabs/dummy-vuln-app:latest"
+        sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+```
+
+### Scan a docker archive image
+
+
+```yaml
+    ...
+
+    - name: Scan image
+      uses: sysdiglabs/scan-action@v3
+      with:
+        image-tag: "sysdiglabs/dummy-vuln-app:latest"
+        sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+        input-type: docker-archive
+        input-path: artifacts/my-image.tar
+```
diff --git a/action.yml b/action.yml
@@ -2,24 +2,69 @@ name: 'Sysdig Secure Inline Scan'
 description: 'Perform image analysis on locally built container image and post the result of the analysis to Sysdig Secure.'
 inputs:
   image-tag:
-    description: 'Tag of the image to analyse'
+    description: Tag of the image to analyse.
     required: true
   sysdig-secure-token:
-    description: 'API token for Sysdig Scanning auth'
+    description: API token for Sysdig Scanning auth.
+    required: true
+  github-token:
+    description: Github App token to publish the checks. By default it will use "github.token value". See https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#about-the-github_token-secret
+    default: ${{ github.token }}
     required: true
   sysdig-secure-url:
-    description: 'Sysdig Secure URL (ex: "https://secure-sysdig.com")'
+    description: 'Sysdig Secure URL (ex: "https://secure-sysdig.com").'
     required: false
     default: https://secure.sysdig.com
+  sysdig-skip-tls:
+    description: Skip TLS verification when calling secure endpoints.
+    required: false
   dockerfile-path:
-    description: 'Path to Dockerfile (ex: "./Dockerfile")'
+    description: 'Path to Dockerfile (ex: "./Dockerfile").'
+    required: false
+  ignore-failed-scan:
+    description: Don't fail the execution of this action even if the scan result is FAILED.
+    required: false
+  input-type:
+    description: |
+      If specified, where should we scan the image from. Possible values:
+        pull            Pull the image from the registry.
+                        Default if not specified.
+        docker-daemon   Get the image from the Docker daemon.
+                        The docker socket must be available at /var/run/docker.sock
+        cri-o           Get the image from containers-storage (CRI-O and others).
+                        Images must be stored in /var/lib/containers
+        docker-archive  Image is provided as a Docker .tar file (from docker save).
+                        Specify path to the tar file with 'input-path'
+        oci-archive     Image is provided as a OCI image tar file.
+                        Specify path to the tar file with 'input-path'
+        oci-dir         Image is provided as a OCI image, untared.
+                        Specify path to the directory file with 'input-path'
+    default: pull
+    required: true
+  input-path:
+    description: Path to the tar file or OCI layout directory.
+    required: false  
+  run-as-user:
+    description: |
+      Run the scan container with this username or UID.
+      It might required if scanning from docker-daemon or cri-o to provide a user with permissions on the socket or storage.
+    required: false
+  extra-parameters:
+    description: Additional parameters added to the secure-inline-scan container execution.
     required: false
-  pull-from-registry:
-    description: 'Pull docker image from registry'
+  extra-docker-parameters:
+    description: Additional parameters added to the docker command when executing the secure-inline-scan container execution.
     required: false
+outputs:
+  scanReport:
+    description: Path to a JSON file containing the report results, failed evaluation gates, and found vulnerabilities.
+  sarifReport:
+    description: |
+      Path to a SARIF report, that can be uploaded using the codeql-action/upload-sarif action. See the README for more information.
+
 branding:
   icon: 'shield'
   color: 'orange'
 runs:
   using: 'node12'
-  main: 'index.js'
+  main: 'dist/index.js'