test: implement Lacework scanner test workflow

bilals12 · bilals12 · commit 392484fcb683 · 2024-12-09T15:42:12.000-05:00
- adds test workflow for scanning containers
- formats scan results for New Relic integration
- includes debug mode and configurable inputs
- preserves results as workflow artifacts

feat: update action.yaml for additional outputs (image-name, image-tag) for downstream processing

chore: remove scan-output-test.yaml from branch

fix: resolve set-output and input issues in container-scan action

fix: resolving errors

fix: align outputs and cleanup references in container scan action

fix: add required inputs for container scan

Added input definitions for:
- lw-account-name
- lw-access-token
- github-token
- build-args

Pass build-args to docker-build action

feat(action): add JSON output format support

- Add output-format parameter to control scan results format
- Pass format parameter to Lacework scanner
- Default to JSON for better parsing

fix(scan): disable verbose output for JSON format

- Add scanner flag to output clean JSON
- Enable proper parsing of scan results

fix(scan): use correct JSON output flag for Lacework scanner

- Add -j=true flag to force JSON output format
- Remove output-format parameter

fix(scan): use correct parameter name for JSON output

- Replace SCANNER_FLAGS with ADDITIONAL_PARAMETERS
- Maintain -j=true flag for JSON format

feat: add optional skip-checkout input to container-scan action
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -9,7 +9,7 @@ repos:
     rev: v3.1.0
     hooks:
       - id: prettier
-        stages: [commit]
+        stages: [pre-commit]
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0 # Use the ref you want to point at
     hooks:
diff --git a/container-scan/README.md b/container-scan/README.md
@@ -4,7 +4,7 @@
 <!-- action-docs-description source="action.yaml" -->
 ## Description
 
-GitHub Action for scanning container image for vulnerabilities using Lacework
+GitHub Action for scanning container images for vulnerabilities using Lacework.
 <!-- action-docs-description source="action.yaml" -->
 
 <!-- action-docs-usage source="action.yaml" -->
@@ -13,30 +13,42 @@ GitHub Action for scanning container image for vulnerabilities using Lacework
 ```yaml
 - uses: @
   with:
+    skip-checkout:
+    # Skip repository checkout in this step
+    #
+    # Required: false
+    # Default: false
+
     dockerhub-user:
-    # username for dockerhub
+    # DockerHub username
     #
     # Required: false
     # Default: ""
 
     dockerhub-password:
-    # password for dockerhub
+    # DockerHub password
     #
     # Required: false
     # Default: ""
 
-    docker-config-file:
-    # Path to the docker config file (defaults to .docker-config.json) Must contain imageName, may contain dockerfile
+    image-name:
+    # Docker image name
     #
     # Required: false
-    # Default: .docker-config.json
+    # Default: ""
 
-    github-token:
-    # GitHub token
+    image-tag:
+    # Docker image tag
     #
     # Required: true
     # Default: ""
 
+    enable-docker-build:
+    # Enable Docker build
+    #
+    # Required: false
+    # Default: true
+
     lw-account-name:
     # Lacework account name
     #
@@ -49,41 +61,17 @@ GitHub Action for scanning container image for vulnerabilities using Lacework
     # Required: true
     # Default: ""
 
-    image-name:
-    # Docker image name
-    #
-    # Required: false
-    # Default: ""
-
-    image-tag:
-    # Docker image tag
+    github-token:
+    # GitHub token
     #
     # Required: true
     # Default: ""
 
-    image-platform:
-    # Target platform to build image for (eg. linux/amd64 (default), linux/arm64, etc)
-    #
-    # Required: false
-    # Default: linux/amd64
-
     build-args:
-    # List of build arguments for docker build as key-value pairs (e.g., KEY=VALUE)
+    # Docker build arguments
     #
     # Required: false
     # Default: ""
-
-    secrets:
-    # List of secrets for docker build as key-value pairs (e.g., SECRET_KEY=VALUE)
-    #
-    # Required: false
-    # Default: ""
-
-    enable-docker-build:
-    # Docker image tag
-    #
-    # Required: false
-    # Default: true
 ```
 <!-- action-docs-usage source="action.yaml" -->
 
diff --git a/container-scan/action.yaml b/container-scan/action.yaml
@@ -1,152 +1,89 @@
 name: "Security Scan Composite Action"
-description: "GitHub Action for scanning container image for vulnerabilities using Lacework"
+description: >
+  GitHub Action for scanning container images for vulnerabilities using Lacework.
 
 inputs:
+  skip-checkout:
+    required: false
+    default: "false"
+    description: Skip repository checkout in this step
+
   dockerhub-user:
     required: false
     default: ""
-    description: username for dockerhub
+    description: DockerHub username
   dockerhub-password:
     required: false
     default: ""
-    description: password for dockerhub
-  docker-config-file:
+    description: DockerHub password
+  image-name:
     required: false
-    description: Path to the docker config file (defaults to .docker-config.json) Must contain imageName, may contain dockerfile
-    default: .docker-config.json
-  github-token:
+    description: Docker image name
+  image-tag:
     required: true
-    description: GitHub token
+    description: Docker image tag
+  enable-docker-build:
+    required: false
+    default: true
+    description: Enable Docker build
   lw-account-name:
     required: true
     description: Lacework account name
   lw-access-token:
     required: true
     description: Lacework access token
-  image-name:
-    required: false
-    description: Docker image name
-  image-tag:
+  github-token:
     required: true
-    description: Docker image tag
-  image-platform:
-    description: Target platform to build image for (eg. linux/amd64 (default), linux/arm64, etc)
-    required: false
-    default: linux/amd64
-
+    description: GitHub token
   build-args:
     required: false
-    description: List of build arguments for docker build as key-value pairs (e.g., KEY=VALUE)
-    default: ""
-  secrets:
-    required: false
-    description: List of secrets for docker build as key-value pairs (e.g., SECRET_KEY=VALUE)
-    default: ""
-  enable-docker-build:
-    required: false
-    default: true
-    description: Docker image tag
+    description: Docker build arguments
 
 outputs:
-  comment-id:
-    description: Comment ID of the test report
-    value: ${{ steps.comment-pr.outputs.comment-id }}
+  image-name:
+    description: Name of the scanned Docker image.
 
 runs:
   using: composite
   steps:
     - name: Checkout Repository
+      if: ${{ inputs.skip-checkout != 'true' }}
       uses: actions/checkout@v4
 
-    - name: Build docker image
+    - name: Build Docker Image
       if: ${{ inputs.enable-docker-build }}
       uses: open-turo/actions-security/docker-build@v2
       id: docker-build
       with:
         dockerhub-user: ${{ inputs.dockerhub-user }}
         dockerhub-password: ${{ inputs.dockerhub-password }}
-        github-token: ${{ inputs.github-token }}
         image-version: ${{ inputs.image-tag }}
-        image-platform: ${{ inputs.image-platform }}
         load: true
         push: false
-        docker-metadata-tags: |
-          type=ref,event=branch
-          type=ref,event=pr
         build-args: ${{ inputs.build-args }}
-        secrets: ${{ inputs.secrets }}
 
-    - name: "Determining image name"
-      shell: bash
-      id: set_image_name
+    - name: Determine Image Name
       run: |
-        if [ "${{ inputs.enable-docker-build }}" == "true" ]; then
-          echo "::set-output name=image_name::${{ steps.docker-build.outputs.image-name }}"
+        if [ "${{ inputs.enable-docker-build }}" = "true" ]; then
+          echo "IMAGE_NAME=${{ steps.docker-build.outputs.image-name }}" >> $GITHUB_ENV
         else
-          echo "::set-output name=image_name::${{ inputs.image-name }}"
+          echo "IMAGE_NAME=${{ inputs.image-name }}" >> $GITHUB_ENV
         fi
+      shell: bash
 
-    - name: Scan container image for vulnerabilities using Lacework
+    - name: Scan Container Image
       uses: lacework/lw-scanner-action@v1.4.3
       with:
         LW_ACCOUNT_NAME: ${{ inputs.lw-account-name }}
         LW_ACCESS_TOKEN: ${{ inputs.lw-access-token }}
-        IMAGE_NAME: ${{ steps.set_image_name.outputs.image_name }}
+        IMAGE_NAME: ${{ env.IMAGE_NAME }}
         IMAGE_TAG: ${{ inputs.image-tag }}
         SAVE_RESULTS_IN_LACEWORK: true
-        RESULTS_IN_GITHUB_SUMMARY: true
-        PRETTY_OUTPUT: true
-
-    - name: Check if Lacework scan results file exist
-      id: check-results
-      run: |
-        if [ -f results.stdout ]; then
-          echo "Scan results file (results.stdout) exists"
-          exit 0
-        else
-          echo "Scan results file (results.stdout) does not exist"
-          exit 1
-        fi
-      shell: bash
-
-    - name: Change formatting for PR
-      if: always()
-      run: |
-        echo "## Lacework Inline Scanner Results" > pr-results.md
-        echo "<details><summary>Click to expand</summary>" >> pr-results.md
-        echo "<pre>" >> pr-results.md
-        cat results.stdout >> pr-results.md
-        echo "</pre>" >> pr-results.md
-        echo "</details>" >> pr-results.md
-      shell: bash
-
-    - name: Check for previous report comment
-      id: fc
-      if: github.event_name == 'pull_request' && github.event.pull_request.number != ''
-      uses: peter-evans/find-comment@v3
-      with:
-        issue-number: ${{ github.event.pull_request.number }}
-        comment-author: "github-actions[bot]"
-        body-includes: "Lacework Inline Scanner Results"
-
-    - name: Delete previous test report comment
-      if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != ''
-      uses: winterjung/comment@v1
-      with:
-        type: delete
-        comment_id: ${{ steps.fc.outputs.comment-id }}
-        token: ${{ inputs.github-token }}
-
-    - name: Comment PR
-      if: github.event_name == 'pull_request'
-      uses: thollander/actions-comment-pull-request@v3
-      with:
-        filePath: pr-results.md
-        mode: recreate
-        comment_tag: to_recreate
+        ADDITIONAL_PARAMETERS: "-j=true"
 
-    - name: Cleanup docker image
+    - name: Cleanup Docker Image
       if: always()
       run: |
-        docker image rm ${{ steps.docker-build.outputs.image-name }}:${{ inputs.image-tag }}
+        echo "Cleaning up image: ${{ env.IMAGE_NAME }}:${{ inputs.image-tag }}"
+        docker image rm ${{ env.IMAGE_NAME }}:${{ inputs.image-tag }}
       shell: bash
