https://github.com/draios/infra-action-sysdig-scan
Github action to use Sysdig scanner
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/draios/infra-action-sysdig-scan
- Owner: draios
- Created: 2022-12-12T17:20:12.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-04-22T10:20:40.000Z (about 2 years ago)
- Last Synced: 2024-04-22T11:32:55.648Z (about 2 years ago)
- Topics: action, github, infra, scanner, sysdig
- Homepage:
- Size: 21.5 KB
- Stars: 1
- Watchers: 8
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Codeowners: CODEOWNERS
README
# infra-action-sysdig-scan
GitHub Action that scans a container image with the Sysdig scanner and fails the job when the scan fails.
## Inputs
### Required
- `image_tag`: Tag of the local image to scan, for example `sysdiglabs/dummy-vuln-app:latest`. (The example workflow below passes this input as `image-tag`; check the action's `action.yml` for the exact input name before relying on either spelling.)
- `sysdig-secure-token`: API token used to authenticate to Sysdig Secure. Pass it from a repository or organization secret, never as a literal in the workflow file.
- `scan-type`: Type of scan to perform. Possible values: `legacy`, `new`, `both`. Default: `legacy` (so in practice this input only needs to be set when a non-default scan type is wanted).
- `sysdig-secure-url`: Sysdig Secure URL, for example `https://secure-sysdig.svc.cluster.local`.
### Optional
- `sysdig-skip-tls`: Skip TLS certificate verification when calling Sysdig Secure endpoints. With this set, the API token is sent to whatever answers at `sysdig-secure-url` without its identity being checked, so leave it unset unless the endpoint is a private one whose CA cannot be installed on the runner.
- `severity`: Minimum vulnerability severity at which the build fails (the example workflow below uses `high`).
- `input-type`: Where the scanner should read the image from, when it is not the default local image.
- `policy-list`: Comma-separated list of policies to include.
## Ignore failed scans
A **failed** scan can be waived by adding the image label `com.sysdig.ignore-failed-scan` to the image (for example with a `LABEL` instruction in its Dockerfile). When the scan fails and the label is absent, the action fails the job. Because the label is set by whoever controls the Dockerfile, it is a bypass of the scan gate: treat its appearance in a change as something reviewers must approve explicitly, for example through a CODEOWNERS rule on the Dockerfiles.
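The gate described above, written out as an added example (this is not code from draios/infra-action-sysdig-scan): it combines the `severity` threshold with the `com.sysdig.ignore-failed-scan` label to decide whether the build is blocked. The severity ladder, the finding records and the `docker inspect` output are constructed for the example; the real action gets findings from the Sysdig scanner and labels from the built image.

```python
"""Added example, not the action's own code: models the scan gate formed by the
`severity` threshold and the `com.sysdig.ignore-failed-scan` image label."""
import json
from dataclasses import dataclass

# Assumed severity ladder, lowest to highest.
SEVERITY_ORDER = ("negligible", "low", "medium", "high", "critical")
IGNORE_LABEL = "com.sysdig.ignore-failed-scan"


@dataclass(frozen=True)
class Decision:
    scan_failed: bool   # some finding reached the threshold
    block_build: bool   # the step should fail the job
    reason: str


def valid_threshold(threshold):
    """The threshold must be a known severity; a typo must not disable the gate."""
    return threshold.strip().lower() in SEVERITY_ORDER


def rank(severity):
    """Position on the ladder. An unrecognised severity ranks above critical so
    it is never silently waved through."""
    s = severity.strip().lower()
    return SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else len(SEVERITY_ORDER)


def scan_failed(findings, threshold):
    """True if any finding is at or above the threshold severity."""
    if not valid_threshold(threshold):
        raise ValueError(f"unknown severity threshold: {threshold!r}")
    t = rank(threshold)
    return any(rank(f["severity"]) >= t for f in findings)


def labels_from_inspect(inspect_output):
    """Extract .Config.Labels from `docker inspect <image>` output, which is a
    JSON list with one object per image; missing labels come back as {}."""
    data = json.loads(inspect_output)
    config = data[0].get("Config") or {}
    return config.get("Labels") or {}


def gate(findings, threshold, labels):
    """Decide whether the job fails. A waiver never hides that the scan failed:
    the reason string names the label so the bypass is visible in the log."""
    if not scan_failed(findings, threshold):
        return Decision(False, False, f"no findings at or above {threshold}")
    if IGNORE_LABEL in labels:
        return Decision(True, False, f"scan failed; {IGNORE_LABEL} present, build continues")
    return Decision(True, True, f"scan failed at threshold {threshold}")


# Constructed sample data (no real scan output).
SAMPLE_FINDINGS = [
    {"package": "openssl", "severity": "High"},
    {"package": "zlib", "severity": "Medium"},
]
SAMPLE_INSPECT_WAIVED = json.dumps([{"Config": {"Labels": {IGNORE_LABEL: "true"}}}])
SAMPLE_INSPECT_PLAIN = json.dumps([{"Config": {"Labels": None}}])


if __name__ == "__main__":
    for inspect_out in (SAMPLE_INSPECT_PLAIN, SAMPLE_INSPECT_WAIVED):
        d = gate(SAMPLE_FINDINGS, "high", labels_from_inspect(inspect_out))
        print(("FAIL" if d.block_build else "pass") + ": " + d.reason)
```

Two choices in the example are deliberate: an unknown severity string on a finding ranks above `critical`, and an unknown threshold raises instead of defaulting, so neither a scanner format change nor a misspelled `severity` input can turn the gate off quietly.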
## Example workflow
Build an image on pull requests, then scan it in a second job that depends on the build:
```yaml
name: Scan image
on: [pull_request]
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v2
      - uses: draios/infra-action-buildnpush@v1
        with:
          push_to_quay: true
          image_name: "redis-6"
          image_description: "sysdig image for redis-6"
          context_path: "containers/redis"
          dockerfile: "Dockerfile"
          dry_run: ${{ ! ((github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'false')) }}
          artifactory_username: ${{ secrets.ARTIFACTORY_USERNAME }}
          artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
          quay_username: ${{ secrets.QUAY_USERNAME }}
          quay_password: ${{ secrets.QUAY_PASSWORD }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
  scan:
    runs-on: self-hosted
    needs: build
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Scan image
        uses: draios/infra-action-sysdig-scan@v1
        with:
          image-tag: "${{ needs.build.outputs.names }}"
          sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
          # Listed as a required input above; value taken from the example there.
          sysdig-secure-url: "https://secure-sysdig.svc.cluster.local"
          scan-type: "legacy"
          severity: "high"
```
Two things to check before copying this. `needs.build.outputs.names` only resolves if the `build` job declares an `outputs:` map exposing the image name produced by the build step; without it the scan receives an empty tag. And since the workflow runs on `pull_request` with self-hosted runners, remember that pull requests from forks do not receive repository secrets, so `SYSDIG_SECURE_TOKEN` will be empty for them. For supply-chain hygiene, pin `actions/checkout`, `draios/infra-action-buildnpush` and `draios/infra-action-sysdig-scan` to full commit SHAs rather than the mutable `v1`/`v2`/`v3` tags.