Update documentation and examples (#35)
* update documentation
* added 'display_vulnerability_findings' input arg
* fix invalid YAML
* fix aws-actions url

Co-authored-by: Michael Long <mlongii@amazon.com>

1 parent fb6d0db, commit c715a2b
Showing 5 changed files with 268 additions and 49 deletions.
@@ -0,0 +1,97 @@ | ||
name: Display Findings Example | ||
|
||
# Run once per day and on git push | ||
on: | ||
schedule: | ||
- cron: '0 0 * * *' | ||
push: | ||
branches: # | ||
- '*' | ||
|
||
jobs: | ||
daily_job: | ||
runs-on: ubuntu-latest | ||
environment: | ||
name: plugin-development # change this to match your GitHub Secrets environment | ||
|
||
steps: | ||
|
||
# modify this block based on how you authenticate to AWS | ||
- name: Configure AWS credentials | ||
uses: aws-actions/configure-aws-credentials@v4 | ||
with: | ||
aws-region: ${{ secrets.AWS_REGION }} | ||
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
|
||
|
||
# modify this block to scan your intended artifact | ||
- name: Scan container | ||
id: inspector | ||
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main | ||
with: | ||
# change artifact_type to either 'repository', 'container', 'binary', or 'archive'. | ||
# this example scans a container image | ||
artifact_type: 'container' | ||
|
||
# change artifact_path to the file path or container image you would like to scan. | ||
# For containers, this action accepts 'docker pull'-style references to containers, | ||
# such as 'alpine:latest' or a file path to an image exported as TAR using docker save. | ||
artifact_path: 'ubuntu:14.04' | ||
|
||
# If enabled, this setting will display Inspector's vulnerability scan findings | ||
# as a GitHub actions job summary. See here for an example: | ||
# https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/actions/runs/8800085041 | ||
display_vulnerability_findings: true | ||
|
||
# Set vulnerability thresholds; if the number of vulns is | ||
# equal to or greater than any of the specified thresholds, set | ||
# the 'vulnerability_threshold_exceeded' output flag to 1. | ||
critical_threshold: 1 | ||
high_threshold: 1 | ||
medium_threshold: 1 | ||
low_threshold: 1 | ||
other_threshold: 1 | ||
|
||
# Additional input arguments are available. | ||
# See 'action.yml' for additional input/output options. | ||
|
||
|
||
# The following steps illustrate how to | ||
# display scan results in the GitHub Actions job terminal. | ||
# These examples simply print the output files to the console. | ||
- name: Display CycloneDX SBOM (JSON) | ||
run: cat ${{ steps.inspector.outputs.artifact_sbom }} | ||
|
||
- name: Display Inspector vulnerability scan results (JSON) | ||
run: cat ${{ steps.inspector.outputs.inspector_scan_results }} | ||
|
||
- name: Display Inspector vulnerability scan results (CSV) | ||
run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }} | ||
|
||
# - name: Display Inspector vulnerability scan results (Markdown) | ||
# run: cat ${{ steps.inspector.outputs.inspector_scan_results_markdown }} | ||
|
||
|
||
# The following steps illustrate how to | ||
# upload scan results as a GitHub actions job artifact | ||
- name: Upload Scan Results | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: Inspector Vulnerability Scan Artifacts | ||
path: | | ||
${{ steps.inspector.outputs.inspector_scan_results }} | ||
${{ steps.inspector.outputs.inspector_scan_results_csv }} | ||
${{ steps.inspector.outputs.artifact_sbom }} | ||
# ${{ steps.inspector.outputs.inspector_scan_results_markdown }} | ||
|
||
|
||
# This step illustrates how to add custom logic if | ||
# the vulnerability threshold is exceeded. This example | ||
# simply prints the 'vulnerability_threshold_exceeded' value | ||
# to the GitHub actions job terminal. | ||
# Replace 'echo' with 'exit' if you want to fail the job. | ||
- name: On vulnerability threshold exceeded | ||
run: echo ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }} | ||
|
||
|
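Review bot: the scan step `uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main` references a mutable branch, so every run executes whatever `main` contains at that moment; for an example users will copy into their own pipelines, pin to a release tag or, better, a full commit SHA with a version comment, as the file already does for `aws-actions/configure-aws-credentials@v4` and `actions/upload-artifact@v4`. Two smaller points on the same hunk: the `push:` filter `branches: - '*'` only matches branch names without a `/` (a `feature/x` branch would not trigger this workflow), so use `'**'` if the intent is every branch; and since the credentials step reads long-lived keys from `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` secrets, the "modify this block based on how you authenticate" comment could point readers to `role-to-assume` (OIDC, requiring `permissions: id-token: write`), which `configure-aws-credentials@v4` supports and which avoids storing static keys in the repository at all.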