{"id":20102941,"url":"https://github.com/stackrox/roxctl-installer-action","last_synced_at":"2025-03-02T17:23:03.574Z","repository":{"id":233012383,"uuid":"781456172","full_name":"stackrox/roxctl-installer-action","owner":"stackrox","description":null,"archived":false,"fork":false,"pushed_at":"2024-07-03T15:06:33.000Z","size":671,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-01-13T04:30:01.425Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stackrox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-04-03T12:19:55.000Z","updated_at":"2024-08-21T22:09:51.000Z","dependencies_parsed_at":"2024-05-14T00:42:33.992Z","dependency_job_id":"2aebbf85-c39d-450d-afa3-3dabeb0c47c7","html_url":"https://github.com/stackrox/roxctl-installer-action","commit_stats":null,"previous_names":["stackrox/roxctl-installer-action"],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Froxctl-installer-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Froxctl-installer-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Froxctl-installer-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Froxctl-installer-action
/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stackrox","download_url":"https://codeload.github.com/stackrox/roxctl-installer-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241542256,"owners_count":19979282,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T17:33:44.323Z","updated_at":"2025-03-02T17:23:03.531Z","avatar_url":"https://github.com/stackrox.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# roxctl-installer-action GitHub Action\n\nThis is a GitHub Action for installing `roxctl` on GitHub Actions runners. `roxctl` is a command-line interface (CLI) for running commands on Red Hat Advanced Cluster Security for Kubernetes ([RHACS](https://redhat.com/en/technologies/cloud-computing/openshift/advanced-cluster-security-kubernetes)).\n\n![](./docs/images/roxctl-action.png)\n\n## Table of Contents\n\n- [Parameters](#parameters)\n- [Authentication](#authentication)\n  - [Authenticate with short-lived access tokens](#authenticate-with-short-lived-access-tokens)\n  - [Authenticate with long-lived API tokens](#authenticate-with-long-lived-api-tokens)\n- [Usage](#usage)\n  - [Scan images in CI pipelines](#scan-images-in-ci-pipelines)\n  - [Check images in CI pipelines](#check-images-in-ci-pipelines)\n  - [Download roxctl from mirror.openshift.com](#download-roxctl-from-mirroropenshiftcom)\n  - [GitHub code scanning](#github-code-scanning)\n\n## Parameters\n\n| Parameter name     | Required?  
| Description                                                                                                                                                          |\n| ------------------ | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `install-dir`      | (optional) | Path of directory to install `roxctl` to.                                                                                                                            |\n| `version`          | (optional) | `roxctl` release version to use, e.g. \"4.4.0\". The latest available version is used by default. Ignored when `central-endpoint` is specified.                        |\n| `central-endpoint` | (optional) | RHACS Central endpoint to download `roxctl` from. If left unspecified, `roxctl` is downloaded from mirror.openshift.com instead. Requires `central-token` to be set. |\n| `central-token`    | (optional) | Token to access RHACS Central endpoint.                                                                                                                              |\n| `skip-tls-verify`  | (optional) | Skip TLS certificate verification for Central's API endpoint. `false` by default.                                                                                    |\n\n## Authentication\n\n### Authenticate with short-lived access tokens\n\nShort-lived access tokens are the recommended authentication method when using `roxctl` in GitHub workflows.\nTo generate a suitable token, configure a machine access configuration in Central and run the\n[central-login](https://github.com/stackrox/central-login) GitHub Action to set up an authenticated environment.\n\nFor example, to allow access from GitHub workflows in the `stackrox/stackrox` repository:\n\n1. Create a machine access configuration of type `GitHub` in Central.\n2. 
Add a new rule with `Key = sub`, `Value = repo:stackrox/stackrox.*` and `Role = Continuous Integration`.\n\n![](./docs/images/machine-access.png)\n\nThe following examples assume `env.CENTRAL_ENDPOINT=https://my-central.com` to be a valid Central URL.\n\nSee [Scan images in CI pipelines](#scan-images-in-ci-pipelines) and [Check images in CI pipelines](#check-images-in-ci-pipelines) for full length examples.\n\n```yaml\nsteps:\n  - name: Central login\n    uses: stackrox/central-login@v1\n    with:\n      endpoint: ${{ env.CENTRAL_ENDPOINT }}\n  - name: Install roxctl\n    uses: stackrox/roxctl-installer-action@v1\n    with:\n      central-endpoint: ${{ env.CENTRAL_ENDPOINT }}\n      central-token: ${{ env.ROX_API_TOKEN }}\n```\n\n### Authenticate with long-lived API tokens\n\nLong-lived API tokens are not recommended because they carry an increased risk of credential exposure.\nThey should only be used when short-lived access tokens are not an option.\n\nTo authenticate with a Central API token, create a GitHub secret `secrets.ROX_API_TOKEN` and assign its value to the API token.\n\n```yaml\nname: Scan image with roxctl\non:\n  push:\n    branches: [\"main\"]\n  pull_request:\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      id-token: write\n    steps:\n      - name: Install roxctl\n        uses: stackrox/roxctl-installer-action@v1\n        with:\n          central-endpoint: ${{ env.CENTRAL_ENDPOINT }}\n          central-token: ${{ secrets.ROX_API_TOKEN }}\n      - name: Scan image with roxctl\n        shell: bash\n        env:\n          ROX_ENDPOINT: ${{ env.CENTRAL_ENDPOINT }}\n          ROX_API_TOKEN: ${{ secrets.ROX_API_TOKEN }}\n        run: |\n          roxctl image scan --output=table --image=\"quay.io/stackrox-io/main\"\n```\n\n## Usage\n\n### Scan images in CI pipelines\n\nSee [`roxctl image scan`](https://docs.openshift.com/acs/4.4/cli/command-reference/roxctl-image.html#roxctl-image-scan_roxctl-image)\nfor the full parameter 
list.\n\n```yaml\nname: Scan image with roxctl\non:\n  push:\n    branches: [\"main\"]\n  pull_request:\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      id-token: write\n    steps:\n      - name: Central login\n        uses: stackrox/central-login@v1\n        with:\n          endpoint: ${{ env.CENTRAL_ENDPOINT }}\n      - name: Install roxctl\n        uses: stackrox/roxctl-installer-action@v1\n        with:\n          central-endpoint: ${{ env.CENTRAL_ENDPOINT }}\n          central-token: ${{ env.ROX_API_TOKEN }}\n      - name: Scan image with roxctl\n        shell: bash\n        run: |\n          roxctl image scan --output=table --image=\"quay.io/stackrox-io/main\"\n```\n\n### Check images in CI pipelines\n\nSee [`roxctl image check`](https://docs.openshift.com/acs/4.4/cli/command-reference/roxctl-image.html#roxctl-image-check_roxctl-image)\nfor the full parameter list.\n\n```yaml\nname: Check image with roxctl\non:\n  push:\n    branches: [\"main\"]\n  pull_request:\njobs:\n  check:\n    runs-on: ubuntu-latest\n    permissions:\n      id-token: write\n    steps:\n      - name: Central login\n        uses: stackrox/central-login@v1\n        with:\n          endpoint: ${{ env.CENTRAL_ENDPOINT }}\n      - name: Install roxctl\n        uses: stackrox/roxctl-installer-action@v1\n        with:\n          central-endpoint: ${{ env.CENTRAL_ENDPOINT }}\n          central-token: ${{ env.ROX_API_TOKEN }}\n      - name: Check image with roxctl\n        shell: bash\n        run: |\n          roxctl image check --output=table --image=\"quay.io/stackrox-io/main\"\n```\n\n### Download roxctl from mirror.openshift.com\n\nSee [`roxctl image scan`](https://docs.openshift.com/acs/4.4/cli/command-reference/roxctl-image.html#roxctl-image-scan_roxctl-image)\nfor the full parameter list.\n\n```yaml\nname: Scan image with roxctl\non:\n  push:\n    branches: [\"main\"]\n  pull_request:\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      id-token: 
write\n    steps:\n      - name: Central login\n        uses: stackrox/central-login@v1\n        with:\n          endpoint: ${{ env.CENTRAL_ENDPOINT }}\n      - name: Install roxctl\n        uses: stackrox/roxctl-installer-action@v1\n        with:\n          version: 4.4.0\n      - name: Scan image with roxctl\n        shell: bash\n        run: |\n          roxctl image scan --output=table --image=\"quay.io/stackrox-io/main\"\n```\n\n### GitHub code scanning\n\nSee [`roxctl image scan`](https://docs.openshift.com/acs/4.4/cli/command-reference/roxctl-image.html#roxctl-image-scan_roxctl-image)\nfor the full parameter list.\n\n```yaml\nname: Code scanning with roxctl\non:\n  push:\n    branches: [\"main\"]\n  pull_request:\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      id-token: write\n      security-events: write\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n      - name: Central login\n        uses: stackrox/central-login@v1\n        with:\n          endpoint: ${{ env.CENTRAL_ENDPOINT }}\n      - name: Install roxctl\n        uses: stackrox/roxctl-installer-action@v1\n        with:\n          central-endpoint: ${{ env.CENTRAL_ENDPOINT }}\n          central-token: ${{ env.ROX_API_TOKEN }}\n      - name: Scan image with roxctl\n        shell: bash\n        run: |\n          roxctl image scan --output=sarif --image=\"quay.io/stackrox-io/main\" \u003e results.sarif\n      - name: Upload roxctl scan results to GitHub code scanning\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          category: stackrox-io/main\n          sarif_file: results.sarif\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Froxctl-installer-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstackrox%2Froxctl-installer-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Froxctl-installer-action/lists"}