-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
test: implement Lacework scanner test workflow
- adds test workflow for scanning containers - formats scan results for New Relic integration - includes debug mode and configurable inputs - preserves results as workflow artifacts feat: update action.yaml for additional outputs (image-name, image-tag) for downstream processing chore: remove scan-output-test.yaml from branch fix: resolve set-output and input issues in container-scan action fix: resolving errors fix: align outputs and cleanup references in container scan action fix: add required inputs for container scan Added input definitions for: - lw-account-name - lw-access-token - github-token - build-args Pass build-args to docker-build action feat(action): add JSON output format support - Add output-format parameter to control scan results format - Pass format parameter to Lacework scanner - Default to JSON for better parsing fix(scan): disable verbose output for JSON format - Add scanner flag to output clean JSON - Enable proper parsing of scan results fix(scan): use correct JSON output flag for Lacework scanner - Add -j=true flag to force JSON output format - Remove output-format parameter fix(scan): use correct parameter name for JSON output - Replace SCANNER_FLAGS with ADDITIONAL_PARAMETERS - Maintain -j=true flag for JSON format feat: add optional skip-checkout input to container-scan action
- Loading branch information
Showing
3 changed files
with
59 additions
and
134 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,152 +1,89 @@ | ||
| name: "Security Scan Composite Action" | ||
| description: "GitHub Action for scanning container image for vulnerabilities using Lacework" | ||
| description: > | ||
| GitHub Action for scanning container images for vulnerabilities using Lacework. | ||
| inputs: | ||
| skip-checkout: | ||
| required: false | ||
| default: "false" | ||
| description: Skip repository checkout in this step | ||
|
|
||
| dockerhub-user: | ||
| required: false | ||
| default: "" | ||
| description: username for dockerhub | ||
| description: DockerHub username | ||
| dockerhub-password: | ||
| required: false | ||
| default: "" | ||
| description: password for dockerhub | ||
| docker-config-file: | ||
| description: DockerHub password | ||
| image-name: | ||
| required: false | ||
| description: Path to the docker config file (defaults to .docker-config.json) Must contain imageName, may contain dockerfile | ||
| default: .docker-config.json | ||
| github-token: | ||
| description: Docker image name | ||
| image-tag: | ||
| required: true | ||
| description: GitHub token | ||
| description: Docker image tag | ||
| enable-docker-build: | ||
| required: false | ||
| default: true | ||
| description: Enable Docker build | ||
| lw-account-name: | ||
| required: true | ||
| description: Lacework account name | ||
| lw-access-token: | ||
| required: true | ||
| description: Lacework access token | ||
| image-name: | ||
| required: false | ||
| description: Docker image name | ||
| image-tag: | ||
| github-token: | ||
| required: true | ||
| description: Docker image tag | ||
| image-platform: | ||
| description: Target platform to build image for (eg. linux/amd64 (default), linux/arm64, etc) | ||
| required: false | ||
| default: linux/amd64 | ||
|
|
||
| description: GitHub token | ||
| build-args: | ||
| required: false | ||
| description: List of build arguments for docker build as key-value pairs (e.g., KEY=VALUE) | ||
| default: "" | ||
| secrets: | ||
| required: false | ||
| description: List of secrets for docker build as key-value pairs (e.g., SECRET_KEY=VALUE) | ||
| default: "" | ||
| enable-docker-build: | ||
| required: false | ||
| default: true | ||
| description: Docker image tag | ||
| description: Docker build arguments | ||
|
|
||
| outputs: | ||
| comment-id: | ||
| description: Comment ID of the test report | ||
| value: ${{ steps.comment-pr.outputs.comment-id }} | ||
| image-name: | ||
| description: Name of the scanned Docker image. | ||
|
|
||
| runs: | ||
| using: composite | ||
| steps: | ||
| - name: Checkout Repository | ||
| if: ${{ inputs.skip-checkout != 'true' }} | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Build docker image | ||
| - name: Build Docker Image | ||
| if: ${{ inputs.enable-docker-build }} | ||
| uses: open-turo/actions-security/docker-build@v2 | ||
| id: docker-build | ||
| with: | ||
| dockerhub-user: ${{ inputs.dockerhub-user }} | ||
| dockerhub-password: ${{ inputs.dockerhub-password }} | ||
| github-token: ${{ inputs.github-token }} | ||
| image-version: ${{ inputs.image-tag }} | ||
| image-platform: ${{ inputs.image-platform }} | ||
| load: true | ||
| push: false | ||
| docker-metadata-tags: | | ||
| type=ref,event=branch | ||
| type=ref,event=pr | ||
| build-args: ${{ inputs.build-args }} | ||
| secrets: ${{ inputs.secrets }} | ||
|
|
||
| - name: "Determining image name" | ||
| shell: bash | ||
| id: set_image_name | ||
| - name: Determine Image Name | ||
| run: | | ||
| if [ "${{ inputs.enable-docker-build }}" == "true" ]; then | ||
| echo "::set-output name=image_name::${{ steps.docker-build.outputs.image-name }}" | ||
| if [ "${{ inputs.enable-docker-build }}" = "true" ]; then | ||
| echo "IMAGE_NAME=${{ steps.docker-build.outputs.image-name }}" >> $GITHUB_ENV | ||
| else | ||
| echo "::set-output name=image_name::${{ inputs.image-name }}" | ||
| echo "IMAGE_NAME=${{ inputs.image-name }}" >> $GITHUB_ENV | ||
| fi | ||
| shell: bash | ||
|
|
||
| - name: Scan container image for vulnerabilities using Lacework | ||
| - name: Scan Container Image | ||
| uses: lacework/[email protected] | ||
| with: | ||
| LW_ACCOUNT_NAME: ${{ inputs.lw-account-name }} | ||
| LW_ACCESS_TOKEN: ${{ inputs.lw-access-token }} | ||
| IMAGE_NAME: ${{ steps.set_image_name.outputs.image_name }} | ||
| IMAGE_NAME: ${{ env.IMAGE_NAME }} | ||
| IMAGE_TAG: ${{ inputs.image-tag }} | ||
| SAVE_RESULTS_IN_LACEWORK: true | ||
| RESULTS_IN_GITHUB_SUMMARY: true | ||
| PRETTY_OUTPUT: true | ||
|
|
||
| - name: Check if Lacework scan results file exist | ||
| id: check-results | ||
| run: | | ||
| if [ -f results.stdout ]; then | ||
| echo "Scan results file (results.stdout) exists" | ||
| exit 0 | ||
| else | ||
| echo "Scan results file (results.stdout) does not exist" | ||
| exit 1 | ||
| fi | ||
| shell: bash | ||
|
|
||
| - name: Change formatting for PR | ||
| if: always() | ||
| run: | | ||
| echo "## Lacework Inline Scanner Results" > pr-results.md | ||
| echo "<details><summary>Click to expand</summary>" >> pr-results.md | ||
| echo "<pre>" >> pr-results.md | ||
| cat results.stdout >> pr-results.md | ||
| echo "</pre>" >> pr-results.md | ||
| echo "</details>" >> pr-results.md | ||
| shell: bash | ||
|
|
||
| - name: Check for previous report comment | ||
| id: fc | ||
| if: github.event_name == 'pull_request' && github.event.pull_request.number != '' | ||
| uses: peter-evans/find-comment@v3 | ||
| with: | ||
| issue-number: ${{ github.event.pull_request.number }} | ||
| comment-author: "github-actions[bot]" | ||
| body-includes: "Lacework Inline Scanner Results" | ||
|
|
||
| - name: Delete previous test report comment | ||
| if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != '' | ||
| uses: winterjung/comment@v1 | ||
| with: | ||
| type: delete | ||
| comment_id: ${{ steps.fc.outputs.comment-id }} | ||
| token: ${{ inputs.github-token }} | ||
|
|
||
| - name: Comment PR | ||
| if: github.event_name == 'pull_request' | ||
| uses: thollander/actions-comment-pull-request@v3 | ||
| with: | ||
| filePath: pr-results.md | ||
| mode: recreate | ||
| comment_tag: to_recreate | ||
| ADDITIONAL_PARAMETERS: "-j=true" | ||
|
|
||
| - name: Cleanup docker image | ||
| - name: Cleanup Docker Image | ||
| if: always() | ||
| run: | | ||
| docker image rm ${{ steps.docker-build.outputs.image-name }}:${{ inputs.image-tag }} | ||
| echo "Cleaning up image: ${{ env.IMAGE_NAME }}:${{ inputs.image-tag }}" | ||
| docker image rm ${{ env.IMAGE_NAME }}:${{ inputs.image-tag }} | ||
| shell: bash |