|
1 | 1 | name: "Security Scan Composite Action"
|
2 |
| -description: "GitHub Action for scanning container image for vulnerabilities using Lacework" |
| 2 | +description: > |
| 3 | + GitHub Action for scanning container images for vulnerabilities using Lacework. |
3 | 4 |
|
4 | 5 | inputs:
|
| 6 | + skip-checkout: |
| 7 | + required: false |
| 8 | + default: "false" |
| 9 | + description: Skip repository checkout in this step |
5 | 10 | dockerhub-user:
|
6 | 11 | required: false
|
7 | 12 | default: ""
|
8 |
| - description: username for dockerhub |
| 13 | + description: DockerHub username |
9 | 14 | dockerhub-password:
|
10 | 15 | required: false
|
11 | 16 | default: ""
|
12 |
| - description: password for dockerhub |
13 |
| - docker-config-file: |
| 17 | + description: DockerHub password |
| 18 | + image-name: |
14 | 19 | required: false
|
15 |
| - description: Path to the docker config file (defaults to .docker-config.json) Must contain imageName, may contain dockerfile |
16 |
| - default: .docker-config.json |
17 |
| - github-token: |
| 20 | + description: Docker image name |
| 21 | + image-tag: |
18 | 22 | required: true
|
19 |
| - description: GitHub token |
| 23 | + description: Docker image tag |
| 24 | + enable-docker-build: |
| 25 | + required: false |
| 26 | + default: true |
| 27 | + description: Enable Docker build |
20 | 28 | lw-account-name:
|
21 | 29 | required: true
|
22 | 30 | description: Lacework account name
|
23 | 31 | lw-access-token:
|
24 | 32 | required: true
|
25 | 33 | description: Lacework access token
|
26 |
| - image-name: |
27 |
| - required: false |
28 |
| - description: Docker image name |
29 |
| - image-tag: |
| 34 | + github-token: |
30 | 35 | required: true
|
31 |
| - description: Docker image tag |
32 |
| - image-platform: |
33 |
| - description: Target platform to build image for (eg. linux/amd64 (default), linux/arm64, etc) |
34 |
| - required: false |
35 |
| - default: linux/amd64 |
36 |
| - |
| 36 | + description: GitHub token |
37 | 37 | build-args:
|
38 | 38 | required: false
|
39 |
| - description: List of build arguments for docker build as key-value pairs (e.g., KEY=VALUE) |
40 |
| - default: "" |
41 |
| - secrets: |
42 |
| - required: false |
43 |
| - description: List of secrets for docker build as key-value pairs (e.g., SECRET_KEY=VALUE) |
44 |
| - default: "" |
45 |
| - enable-docker-build: |
46 |
| - required: false |
47 |
| - default: true |
48 |
| - description: Docker image tag |
| 39 | + description: Docker build arguments |
49 | 40 |
|
50 | 41 | outputs:
|
51 |
| - comment-id: |
52 |
| - description: Comment ID of the test report |
53 |
| - value: ${{ steps.comment-pr.outputs.comment-id }} |
| 42 | + image-name: |
| 43 | + description: Name of the scanned Docker image. |
54 | 44 |
|
55 | 45 | runs:
|
56 | 46 | using: composite
|
57 | 47 | steps:
|
58 | 48 | - name: Checkout Repository
|
| 49 | + if: ${{ inputs.skip-checkout != 'true' }} |
59 | 50 | uses: actions/checkout@v4
|
60 | 51 |
|
61 |
| - - name: Build docker image |
| 52 | + - name: Build Docker Image |
62 | 53 | if: ${{ inputs.enable-docker-build }}
|
63 | 54 | uses: open-turo/actions-security/docker-build@v2
|
64 | 55 | id: docker-build
|
65 | 56 | with:
|
66 | 57 | dockerhub-user: ${{ inputs.dockerhub-user }}
|
67 | 58 | dockerhub-password: ${{ inputs.dockerhub-password }}
|
68 |
| - github-token: ${{ inputs.github-token }} |
69 | 59 | image-version: ${{ inputs.image-tag }}
|
70 |
| - image-platform: ${{ inputs.image-platform }} |
71 |
| - load: true |
72 |
| - push: false |
73 |
| - docker-metadata-tags: | |
74 |
| - type=ref,event=branch |
75 |
| - type=ref,event=pr |
76 | 60 | build-args: ${{ inputs.build-args }}
|
77 |
| - secrets: ${{ inputs.secrets }} |
78 | 61 |
|
79 |
| - - name: "Determining image name" |
80 |
| - shell: bash |
81 |
| - id: set_image_name |
| 62 | + - name: Determine Image Name |
82 | 63 | run: |
|
83 |
| - if [ "${{ inputs.enable-docker-build }}" == "true" ]; then |
84 |
| - echo "::set-output name=image_name::${{ steps.docker-build.outputs.image-name }}" |
| 64 | + if [ "${{ inputs.enable-docker-build }}" = "true" ]; then |
| 65 | + echo "IMAGE_NAME=${{ steps.docker-build.outputs.image-name }}" >> $GITHUB_ENV |
85 | 66 | else
|
86 |
| - echo "::set-output name=image_name::${{ inputs.image-name }}" |
| 67 | + echo "IMAGE_NAME=${{ inputs.image-name }}" >> $GITHUB_ENV |
87 | 68 | fi
|
| 69 | + shell: bash |
88 | 70 |
|
89 |
| - - name: Scan container image for vulnerabilities using Lacework |
| 71 | + - name: Scan Container Image |
90 | 72 | uses: lacework/lw-scanner-action@v1.4.3
|
91 | 73 | with:
|
92 | 74 | LW_ACCOUNT_NAME: ${{ inputs.lw-account-name }}
|
93 | 75 | LW_ACCESS_TOKEN: ${{ inputs.lw-access-token }}
|
94 |
| - IMAGE_NAME: ${{ steps.set_image_name.outputs.image_name }} |
| 76 | + IMAGE_NAME: ${{ env.IMAGE_NAME }} |
95 | 77 | IMAGE_TAG: ${{ inputs.image-tag }}
|
96 | 78 | SAVE_RESULTS_IN_LACEWORK: true
|
97 |
| - RESULTS_IN_GITHUB_SUMMARY: true |
98 |
| - PRETTY_OUTPUT: true |
| 79 | + ADDITIONAL_PARAMETERS: "-j=true" |
99 | 80 |
|
100 |
| - - name: Check if Lacework scan results file exist |
101 |
| - id: check-results |
| 81 | + - name: Check Lacework Scan Results File |
102 | 82 | run: |
|
103 | 83 | if [ -f results.stdout ]; then
|
104 |
| - echo "Scan results file (results.stdout) exists" |
105 |
| - exit 0 |
| 84 | + echo "Scan results file (results.stdout) exists." |
106 | 85 | else
|
107 |
| - echo "Scan results file (results.stdout) does not exist" |
| 86 | + echo "Error: Scan results file (results.stdout) does not exist." |
108 | 87 | exit 1
|
109 | 88 | fi
|
110 |
| - shell: bash |
111 | 89 |
|
112 |
| - - name: Change formatting for PR |
113 |
| - if: always() |
| 90 | + - name: Format Results for PR |
114 | 91 | run: |
|
115 | 92 | echo "## Lacework Inline Scanner Results" > pr-results.md
|
116 | 93 | echo "<details><summary>Click to expand</summary>" >> pr-results.md
|
117 | 94 | echo "<pre>" >> pr-results.md
|
118 | 95 | cat results.stdout >> pr-results.md
|
119 | 96 | echo "</pre>" >> pr-results.md
|
120 | 97 | echo "</details>" >> pr-results.md
|
121 |
| - shell: bash |
122 | 98 |
|
123 |
| - - name: Check for previous report comment |
124 |
| - id: fc |
125 |
| - if: github.event_name == 'pull_request' && github.event.pull_request.number != '' |
| 99 | + - name: Check for Previous Report Comment |
| 100 | + id: find-comment |
| 101 | + if: github.event_name == 'pull_request' |
126 | 102 | uses: peter-evans/find-comment@v3
|
127 | 103 | with:
|
128 | 104 | issue-number: ${{ github.event.pull_request.number }}
|
129 | 105 | comment-author: "github-actions[bot]"
|
130 | 106 | body-includes: "Lacework Inline Scanner Results"
|
131 | 107 |
|
132 |
| - - name: Delete previous test report comment |
133 |
| - if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != '' |
134 |
| - uses: winterjung/comment@v1 |
| 108 | + - name: Delete Previous Report Comment |
| 109 | + if: steps.find-comment.outputs.comment-id != '' |
| 110 | + uses: peter-evans/delete-comment@v1 |
135 | 111 | with:
|
136 |
| - type: delete |
137 |
| - comment_id: ${{ steps.fc.outputs.comment-id }} |
138 |
| - token: ${{ inputs.github-token }} |
| 112 | + comment-id: ${{ steps.find-comment.outputs.comment-id }} |
139 | 113 |
|
140 | 114 | - name: Comment PR
|
141 | 115 | if: github.event_name == 'pull_request'
|
142 | 116 | uses: thollander/actions-comment-pull-request@v3
|
143 | 117 | with:
|
144 |
| - filePath: pr-results.md |
| 118 | + file-path: pr-results.md |
145 | 119 | mode: recreate
|
146 |
| - comment_tag: to_recreate |
| 120 | + comment-tag: to_recreate |
| 121 | + github-token: ${{ inputs.github-token }} |
147 | 122 |
|
148 |
| - - name: Cleanup docker image |
| 123 | + - name: Cleanup Docker Image |
149 | 124 | if: always()
|
150 | 125 | run: |
|
151 |
| - docker image rm ${{ steps.docker-build.outputs.image-name }}:${{ inputs.image-tag }} |
| 126 | + echo "Cleaning up image: ${{ env.IMAGE_NAME }}:${{ inputs.image-tag }}" |
| 127 | + docker image rm ${{ env.IMAGE_NAME }}:${{ inputs.image-tag }} |
152 | 128 | shell: bash
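Review bot: The `Check Lacework Scan Results File` and `Format Results for PR` steps (new lines 81–97) lost their `shell: bash` lines in this commit, and a composite action rejects a `run:` step without `shell:`, so the action will fail to load; restore `shell: bash` on both. The `Determine Image Name` and `Cleanup Docker Image` steps interpolate `${{ inputs.image-name }}` and `${{ env.IMAGE_NAME }}` straight into shell text, so an image name that the calling workflow fills from untrusted data could alter the command or append extra `GITHUB_ENV` entries; pass the values through the step's `env:` block, reference them as quoted shell variables, and quote `"$GITHUB_ENV"`, as sketched below. The new `image-name` output at lines 42–43 has no `value:`, which composite-action outputs require, and the `env` context is not usable there, so give the determine step an `id`, also write the name to `"$GITHUB_OUTPUT"`, and set `value: ${{ steps.determine-image-name.outputs.image-name }}`. `if: ${{ inputs.enable-docker-build }}` (line 53) tests a string input, which is non-empty for both `"true"` and `"false"`, so compare it the way the new `skip-checkout` guard does: `if: ${{ inputs.enable-docker-build == 'true' }}`. The newly added `peter-evans/delete-comment@v1` and the other `uses:` references are pinned to mutable tags; pinning each to a full commit SHA would make the action's supply chain reproducible.
```yaml
      - name: Determine Image Name
        id: determine-image-name
        env:
          ENABLE_DOCKER_BUILD: ${{ inputs.enable-docker-build }}
          BUILT_IMAGE_NAME: ${{ steps.docker-build.outputs.image-name }}
          INPUT_IMAGE_NAME: ${{ inputs.image-name }}
        run: |
          if [ "$ENABLE_DOCKER_BUILD" = "true" ]; then
            IMAGE_NAME="$BUILT_IMAGE_NAME"
          else
            IMAGE_NAME="$INPUT_IMAGE_NAME"
          fi
          echo "IMAGE_NAME=$IMAGE_NAME" >> "$GITHUB_ENV"
          echo "image-name=$IMAGE_NAME" >> "$GITHUB_OUTPUT"
        shell: bash

      # … unchanged: scan, results check, PR comment steps …

      - name: Cleanup Docker Image
        if: always()
        env:
          IMAGE_TAG: ${{ inputs.image-tag }}
        run: |
          echo "Cleaning up image: $IMAGE_NAME:$IMAGE_TAG"
          docker image rm "$IMAGE_NAME:$IMAGE_TAG"
        shell: bash
```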
|