-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathaction.yaml
100 lines (92 loc) · 3.73 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
name: AccuKnox Container Scan
description: Scan Docker images using AccuKnox and push the results to the CSPM panel.
inputs:
dockerfile_context:
description: "The context of the Dockerfile to use for building the image."
required: true
default: "Dockerfile"
endpoint:
description: "The URL of the CSPM panel to push the scan results to."
required: true
default: "cspm.demo.accuknox.com"
token:
description: "The token for authenticating with the CSPM panel."
required: true
tenant_id:
description: "The ID of the tenant associated with the CSPM panel."
required: true
repository_name:
description: "Docker image repository name"
required: true
tag:
description: "Add version tag to the repository"
required: true
default: "${{ github.run_id }}"
severity:
description: "Allows selection of severity level for the scan. Options include UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL. If specified, the scan will target vulnerabilities of the selected severity level."
required: false
default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
exit_code:
description: "Values '0' and '1' are accepted. '0' is the default value, which indicates that the pipeline will not be halted if the specified severity is found, while '1' indicates that the pipeline will stop if a specified severity level is detected."
required: false
default: "0"
label:
description: "The label created in AccuKnox SaaS for associating scan results."
required: true
runs:
using: "composite"
steps:
- name: Validate Inputs
run: |
curl -o validate_inputs.py https://raw.githubusercontent.com/accuknox/container-scan-action/main/validate_inputs.py
python validate_inputs.py
shell: bash
env:
DOCKERFILE_CONTEXT: ${{ inputs.dockerfile_context }}
ENDPOINT: ${{ inputs.endpoint }}
TOKEN: ${{ inputs.token }}
TENANT_ID: ${{ inputs.tenant_id }}
REPOSITORY_NAME: ${{ inputs.repository_name }}
TAG: ${{ inputs.tag }}
SEVERITY: ${{ inputs.severity }}
CODE: ${{ inputs.exit_code }}
- name: Docker Build
run: |
docker build -t ${{ inputs.repository_name }}:${{ inputs.tag }} -f ${{ inputs.DOCKERFILE_CONTEXT }} .
shell: bash
- name: Download Vulnerability Scanner
run: |
curl -sfL $url | sh -s -- -b /usr/local/bin > /dev/null
env:
url: https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh
shell: bash
- name: Run AccuKnox Vulnerability Scanner
run: |
$Scan image --severity ${{ inputs.severity }} -f json ${{ inputs.repository_name }}:${{ inputs.tag }} -o results.json --quiet
env:
Scan: trivy
shell: bash
- name: Print AccuKnox Results
run: cat results.json
shell: bash
- name: Push report to CSPM panel
run: |
response=$(curl --location --request POST 'https://${{ inputs.endpoint }}/api/v1/artifact/?tenant_id=${{ inputs.tenant_id }}&data_type=TR&label_id=${{ inputs.label }}&save_to_s3=false' \
--header 'Tenant-Id: ${{ inputs.tenant_id }}' \
--header 'Authorization: Bearer ${{ inputs.token }}' \
--form 'file=@"./results.json"')
echo "Response: $response"
if [[ "$response" != *"File received successfully"* ]]; then
echo "Error: Failed to push report to CSPM panel"
exit 1
fi
shell: bash
- name: Run AccuKnox Vulnerability Scanner with specific tags
run: |
$Scan image --exit-code ${{ inputs.exit_code }} --severity ${{ inputs.severity }} ${{ inputs.repository_name }}:${{ inputs.tag }} --quiet >/dev/null
env:
Scan: trivy
shell: bash
branding:
icon: "shield"
color: "green"