diff --git a/.github/workflows/container_local.yml b/.github/workflows/build_scan_container.yml similarity index 64% rename from .github/workflows/container_local.yml rename to .github/workflows/build_scan_container.yml index ff2307e..61c72bc 100644 --- a/.github/workflows/container_local.yml +++ b/.github/workflows/build_scan_container.yml @@ -1,4 +1,16 @@ -on: [push] +name: Demonstrate Build and Scan Container Image Scan + +# This workflow demonstrates how to build +# a Docker image, and then scan the image +# with Inspector. This workflow runs automatically +# every 6 hours, and on pushes. + +on: + schedule: + - cron: '0 */6 * * *' # runs every 6 hours + push: + branches: # + - '*' jobs: build: @@ -8,16 +20,16 @@ jobs: name: plugin-development steps: - - name: Checkout + - name: Checkout this repository uses: actions/checkout@v4 - - name: Set up QEMU + - name: Set up docker build prereqs: QEMU uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx + - name: Set up docker build prereqs: Buildx uses: docker/setup-buildx-action@v3 - - name: Build and push Docker image + - name: Build Docker image uses: docker/build-push-action@v5 with: context: . @@ -26,19 +38,17 @@ jobs: tags: app:latest load: true - - name: check local images - run: docker images - - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + # TODO: use an IAM role - - - name: Scan artifact with Inspector - uses: ./ # Uses an action in the root directory + - name: Scan built image with Inspector + uses: aws/amazon-inspector-github-actions-plugin@main + # TODO: bump action to v1 on release id: inspector with: artifact_type: 'container' 
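Review bot: The push filter `branches: - '*'` in the new `on:` block does not cover every branch: in GitHub Actions branch patterns a single `*` does not match `/`, so a push to a branch such as `release/1.0` would not trigger the workflow, although the header comment says it runs "on pushes". If all branches are intended, use `- '**'` or drop the `branches:` filter entirely. The `branches: #` line also carries an empty trailing comment that should go. The workflow `name:` reads "Demonstrate Build and Scan Container Image Scan" and repeats "Scan"; `name: Demonstrate Build and Scan Container Image` says the same thing.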
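Review bot: The renamed step names `Set up docker build prereqs: QEMU` and `Set up docker build prereqs: Buildx` contain `: ` inside a plain scalar, which YAML reads as a nested mapping key rather than text, so the workflow file fails to parse (`mapping values are not allowed in this context`) before any step runs. Quote the two values: `- name: 'Set up docker build prereqs: QEMU'` and `- name: 'Set up docker build prereqs: Buildx'`. The steps list continues past the end of the hunk.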
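Review bot: `uses: aws/amazon-inspector-github-actions-plugin@main` pins the scan step to a moving branch, so every run, including the scheduled ones, executes whatever is at the head of `main` at that moment, with the AWS credentials configured in the previous step available to it; the earlier `uses: ./` at least ran the checked-out commit, and if this is the action's own repository, pushes to other branches now stop exercising the branch's action code. Pin the reference to a full commit SHA, e.g. `uses: aws/amazon-inspector-github-actions-plugin@<full-commit-sha>  # <release-tag>`, with the release tag the TODO mentions as the fallback once v1 exists. The `# TODO: use an IAM role` comment could be made actionable: `aws-actions/configure-aws-credentials` supports OIDC via `role-to-assume`, which needs `permissions: id-token: write` on the job and removes the long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets. The `build` job continues on both sides of this hunk.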
@@ -61,7 +71,7 @@ jobs: - name: Demonstrate Inspector Scan Output (CSV) run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }} - - name: Upload Inspector Scan Results + - name: Demonstrate Upload Scan Results uses: actions/upload-artifact@v4 with: name: Inspector Scan SBOM Results @@ -70,9 +80,9 @@ jobs: ${{ steps.inspector.outputs.inspector_scan_results_csv }} ${{ steps.inspector.outputs.artifact_sbom }} + - name: Fail job if vulnerability threshold is exceeded + run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }} - - name: Fail if vulnerability threshold is exceeded - run: echo ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }} - - - name: Upload image to registry - run: echo docker push + - name: Run custom logic if vulnerability threshold is exceeded + if: failure() + run: echo "vulnerability threshold exceeded" diff --git a/.github/workflows/container_remote.yml b/.github/workflows/container_remote.yml deleted file mode 100644 index 92447a9..0000000 --- a/.github/workflows/container_remote.yml +++ /dev/null 
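Review bot: `if: failure()` on the new "Run custom logic" step fires when any earlier step has failed (checkout, build, credential setup, the scan itself), not only when the threshold gate failed, and the gate step has no `id` to narrow it on. The gate `run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}` also fails open: if the output is unset or empty the script becomes a bare `exit`, which returns the status of the previous command, 0 in a fresh step. Give the gate an id, read the output through `env` so the shell sees it as a variable, treat a missing value as exceeded, and condition the follow-up step on that step's outcome (the `failure()` guard stays because a conditional without a status function is implicitly `success() && …`). This keeps the assumption the current `exit` usage already makes, that the output is `0` when the threshold is not exceeded. The enclosing `build` job starts outside the hunk.
```yaml
      - name: Fail job if vulnerability threshold is exceeded
        id: threshold_gate  # constructed id; any name works
        env:
          THRESHOLD_EXCEEDED: ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
        # fail closed: an empty or non-zero value fails the job
        run: test "${THRESHOLD_EXCEEDED:-1}" = "0"

      - name: Run custom logic if vulnerability threshold is exceeded
        if: failure() && steps.threshold_gate.outcome == 'failure'
        run: echo "vulnerability threshold exceeded"
```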
@@ -1,57 +0,0 @@
-on: [push]
-
-jobs:
-  inspector:
-    runs-on: ubuntu-latest
-    name: "Container Image Scan (Tarball)"
-    environment:
-      name: plugin-development
-    steps:
-      # To use this repository's private action,
-      # you must check out the repository
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
-      #- name: Log in to Docker Hub
-      # uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
-      # with:
-      # username: ${{ secrets.DOCKER_USERNAME }}
-      # password: ${{ secrets.DOCKER_PASSWORD }}
-
-      #- name: Build and push Docker image
-      # uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
-      # with:
-      # context: .
-      # file: ./Dockerfile
-
-      - name: Scan artifact with Inspector
-        uses: ./ # Uses an action in the root directory
-        id: inspector
-        with:
-          artifact_type: 'container'
-          artifact_path: 'alpine:latest'
-          output_sbom_path: 'alpine_sbom.json'
-          output_inspector_scan_path: 'alpine_scan.json'
-
-      - name: Demonstrate SBOM Output
-        run: cat ${{ steps.inspector.outputs.artifact_sbom }}
-
-      - name: Demonstrate Inspector Scan Output
-        run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
-
-      - name: Upload Inspector Scan Results
-        uses: actions/upload-artifact@v4
-        continue-on-error: true
-        with:
-          name: Inspector Scan SBOM Results
-          path: |
-            alpine_sbom.json
-            alpine_scan.json
-
diff --git a/.github/workflows/go_binary.yml b/.github/workflows/go_binary.yml
deleted file mode 100644
index 6bf8997..0000000
--- a/.github/workflows/go_binary.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-on: [push]
-
-jobs:
-  inspector:
-    runs-on: ubuntu-latest
-    name: "Scan Go binary"
-    environment:
-      name: plugin-development
-    steps:
-      # To use this repository's private action,
-      # you must check out the repository
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
-      - name: Scan artifact with Inspector
-        uses: ./ # Uses an action in the root directory
-        id: inspector
-        with:
-          artifact_type: 'binary'
-          artifact_path: '/usr/local/bin/inspector-sbomgen'
-          output_sbom_path: 'sbom.json'
-          output_inspector_scan_path: 'inspector_scan.json'
-          output_inspector_scan_path_csv: 'inspector_scan.csv'
-
-      - name: Demonstrate SBOM Output
-        run: cat ${{ steps.inspector.outputs.artifact_sbom }}
-
-      - name: Demonstrate Inspector Scan Output (JSON)
-        run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
-
-      - name: Demonstrate Inspector Scan Output (CSV)
-        run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}
-
-      - name: Upload Inspector Scan Results
-        uses: actions/upload-artifact@v4
-        with:
-          name: Inspector Scan SBOM Results
-          path: |
-            ${{ steps.inspector.outputs.artifact_sbom }}
-            ${{ steps.inspector.outputs.inspector_scan_results }}
-            ${{ steps.inspector.outputs.inspector_scan_results_csv }}
-
diff --git a/.github/workflows/repository.yml b/.github/workflows/repository.yml
deleted file mode 100644
index 87f4b98..0000000
--- a/.github/workflows/repository.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-on: [push]
-
-jobs:
-  inspector:
-    runs-on: ubuntu-latest
-    name: "Repository Scan"
-    environment:
-      name: plugin-development
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
-      - name: Scan artifact with Inspector
-        uses: ./ # Uses an action in the root directory
-        id: inspector
-        with:
-          artifact_type: 'repository'
-          artifact_path: './'
-          output_sbom_path: 'sbom.json'
-          output_inspector_scan_path: 'inspector_scan.json'
-          output_inspector_scan_path_csv: 'inspector_scan.csv'
-
-      - name: Demonstrate SBOM Output
-        run: cat ${{ steps.inspector.outputs.artifact_sbom }}
-
-      - name: Demonstrate Inspector Scan Output (JSON)
-        run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
-
-      - name: Demonstrate Inspector Scan Output (CSV)
-        run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}
-
-      - name: Upload Inspector Scan Results
-        uses: actions/upload-artifact@v4
-        with:
-          name: Inspector Scan SBOM Results
-          path: |
-            ${{ steps.inspector.outputs.artifact_sbom }}
-            ${{ steps.inspector.outputs.inspector_scan_results }}
-            ${{ steps.inspector.outputs.inspector_scan_results_csv }}
-
diff --git a/.github/workflows/skip_files.yml b/.github/workflows/skip_files.yml
deleted file mode 100644
index 7a14072..0000000
--- a/.github/workflows/skip_files.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-on: [push]
-
-jobs:
-  inspector:
-    runs-on: ubuntu-latest
-    name: "Container Image Scan"
-    environment:
-      name: plugin-development
-    steps:
-      # To use this repository's private action,
-      # you must check out the repository
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
-      - name: Scan artifact with Inspector
-        uses: ./ # Uses an action in the root directory
-        id: inspector
-        with:
-          artifact_type: 'container'
-          artifact_path: 'alpine:latest'
-          output_sbom_path: 'sbom.json'
-          output_inspector_scan_path: 'inspector_scan.json'
-          output_inspector_scan_path_csv: 'inspector_scan.csv'
-          skip_files: "/lib/apk/db/installed"
-
-      - name: Demonstrate SBOM Output (JSON)
-        run: cat ${{ steps.inspector.outputs.artifact_sbom }}
-
-      - name: Demonstrate Inspector Scan Output (JSON)
-        run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
-
-      - name: Demonstrate Inspector Scan Output (CSV)
-        run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}
-
-
-      - name: Upload Inspector Scan Results
-        uses: actions/upload-artifact@v4
-        with:
-          name: Inspector Scan SBOM Results
-          path: |
-            ${{ steps.inspector.outputs.artifact_sbom }}
-            ${{ steps.inspector.outputs.inspector_scan_results }}
-            ${{ steps.inspector.outputs.inspector_scan_results_csv }}
-
diff --git a/.github/workflows/skip_rhel_rpm.yml b/.github/workflows/skip_rhel_rpm.yml
deleted file mode 100644
index 7eb2441..0000000
--- a/.github/workflows/skip_rhel_rpm.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-on: [push]
-
-jobs:
-  inspector:
-    runs-on: ubuntu-latest
-    name: "Container Image Scan"
-    environment:
-      name: plugin-development
-    steps:
-      # To use this repository's private action,
-      # you must check out the repository
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
-      - name: Scan artifact with Inspector
-        uses: ./ # Uses an action in the root directory
-        id: inspector
-        with:
-          artifact_type: 'container'
-          artifact_path: 'amazonlinux:latest'
-          output_sbom_path: 'sbom.json'
-          output_inspector_scan_path: 'inspector_scan.json'
-          output_inspector_scan_path_csv: 'inspector_scan.csv'
-          skip_scanners: 'rhel-rpm'
-
-      - name: Demonstrate SBOM Output (JSON)
-        run: cat ${{ steps.inspector.outputs.artifact_sbom }}
-
-      - name: Demonstrate Inspector Scan Output (JSON)
-        run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
-
-      - name: Demonstrate Inspector Scan Output (CSV)
-        run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}
-
-
-      - name: Upload Inspector Scan Results
-        uses: actions/upload-artifact@v4
-        with:
-          name: Inspector Scan SBOM Results
-          path: |
-            ${{ steps.inspector.outputs.artifact_sbom }}
-            ${{ steps.inspector.outputs.inspector_scan_results }}
-            ${{ steps.inspector.outputs.inspector_scan_results_csv }}
-