test: implement Lacework scanner test workflow

- adds test workflow for scanning containers - formats scan results for New Relic integration - includes debug mode and configurable inputs - preserves results as workflow artifacts feat: update action.yaml for additional outputs (image-name, image-tag) for downstream processing chore: remove scan-output-test.yaml from branch fix: resolve set-output and input issues in container-scan action fix: resolving errors fix: align outputs and cleanup references in container scan action fix: add required inputs for container scan Added input definitions for: - lw-account-name - lw-access-token - github-token - build-args Pass build-args to docker-build action feat(action): add JSON output format support - Add output-format parameter to control scan results format - Pass format parameter to Lacework scanner - Default to JSON for better parsing fix(scan): disable verbose output for JSON format - Add scanner flag to output clean JSON - Enable proper parsing of scan results fix(scan): use correct JSON output flag for Lacework scanner - Add -j=true flag to force JSON output format - Remove output-format parameter fix(scan): use correct parameter name for JSON output - Replace SCANNER_FLAGS with ADDITIONAL_PARAMETERS - Maintain -j=true flag for JSON format feat: add optional skip-checkout input to container-scan action fix(ci): restore PR commenting and result formatting in security scan action - Added steps to check and delete previous PR comments to ensure clean re-runs. - Restored PR commenting functionality with formatted Lacework scan results. - Improved validation of to prevent runtime errors. - Ensured Docker images are properly cleaned up after the scan process. This change addresses feedback regarding missing PR comments and maintains the expected behavior of the workflow. fix(ci): restored ADDITIONAL_PARAMETERS to enable JSON output. fix: add missing shell property to container scan action fix: add winterjung/comment@v1, type: delete feat(security): enable table output for container scan results - Add RESULTS_IN_GITHUB_SUMMARY and PRETTY_OUTPUT flags to Lacework scanner config - Maintain JSON output for New Relic metrics integration - Improve scan result readability in PR comments The scanner will now display results in both table format for GitHub and JSON for metrics reporting. feat(security): enable table output for scan results while preserving JSON for metrics Set PRETTY_OUTPUT and RESULTS_IN_GITHUB_SUMMARY to true while maintaining JSON output for New Relic integration using --save-results flag feat(security): parse JSON scan results into markdown table Keep JSON output for New Relic integration while adding JQ-based parsing to generate readable table format for PR comments feat(security): parse JSON scan results into markdown table Keep JSON output for New Relic integration while adding JQ-based parsing to generate readable table format for PR comments fix(ci): recreating pretty table feat(security): add formatted Lacework vulnerability report for PR comments - Parse Lacework JSON scan results into a readable markdown table. - Generate a summary table with severity counts and detailed vulnerabilities. - Add support for posting formatted results as PR comments. - Ensure compatibility with consuming workflows. fix(ci): revert to JSON results, table format failing
open-turo · Dec 11, 2024 · a9dccbb · a9dccbb
1 parent 5275d96
commit a9dccbb
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 100 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -9,7 +9,7 @@ repos:
     rev: v3.1.0
     hooks:
       - id: prettier
-        stages: [commit]
+        stages: [pre-commit]
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0 # Use the ref you want to point at
     hooks:

diff --git a/container-scan/README.md b/container-scan/README.md
@@ -4,7 +4,7 @@
 <!-- action-docs-description source="action.yaml" -->
 ## Description
 
-GitHub Action for scanning container image for vulnerabilities using Lacework
+GitHub Action for scanning container images for vulnerabilities using Lacework.
 <!-- action-docs-description source="action.yaml" -->
 
 <!-- action-docs-usage source="action.yaml" -->
@@ -13,30 +13,42 @@ GitHub Action for scanning container image for vulnerabilities using Lacework
 ```yaml
 - uses: @
   with:
+    skip-checkout:
+    # Skip repository checkout in this step
+    #
+    # Required: false
+    # Default: false
+
     dockerhub-user:
-    # username for dockerhub
+    # DockerHub username
     #
     # Required: false
     # Default: ""
 
     dockerhub-password:
-    # password for dockerhub
+    # DockerHub password
     #
     # Required: false
     # Default: ""
 
-    docker-config-file:
-    # Path to the docker config file (defaults to .docker-config.json) Must contain imageName, may contain dockerfile
+    image-name:
+    # Docker image name
     #
     # Required: false
-    # Default: .docker-config.json
+    # Default: ""
 
-    github-token:
-    # GitHub token
+    image-tag:
+    # Docker image tag
     #
     # Required: true
     # Default: ""
 
+    enable-docker-build:
+    # Enable Docker build
+    #
+    # Required: false
+    # Default: true
+
     lw-account-name:
     # Lacework account name
     #
@@ -49,41 +61,17 @@ GitHub Action for scanning container image for vulnerabilities using Lacework
     # Required: true
     # Default: ""
 
-    image-name:
-    # Docker image name
-    #
-    # Required: false
-    # Default: ""
-
-    image-tag:
-    # Docker image tag
+    github-token:
+    # GitHub token
     #
     # Required: true
     # Default: ""
 
-    image-platform:
-    # Target platform to build image for (eg. linux/amd64 (default), linux/arm64, etc)
-    #
-    # Required: false
-    # Default: linux/amd64
-
     build-args:
-    # List of build arguments for docker build as key-value pairs (e.g., KEY=VALUE)
+    # Docker build arguments
     #
     # Required: false
     # Default: ""
-
-    secrets:
-    # List of secrets for docker build as key-value pairs (e.g., SECRET_KEY=VALUE)
-    #
-    # Required: false
-    # Default: ""
-
-    enable-docker-build:
-    # Docker image tag
-    #
-    # Required: false
-    # Default: true
 ```
 <!-- action-docs-usage source="action.yaml" -->
 

diff --git a/container-scan/action.yaml b/container-scan/action.yaml
@@ -1,116 +1,94 @@
 name: "Security Scan Composite Action"
-description: "GitHub Action for scanning container image for vulnerabilities using Lacework"
+description: >
+  GitHub Action for scanning container images for vulnerabilities using Lacework.
 
 inputs:
+  skip-checkout:
+    required: false
+    default: "false"
+    description: Skip repository checkout in this step
   dockerhub-user:
     required: false
     default: ""
-    description: username for dockerhub
+    description: DockerHub username
   dockerhub-password:
     required: false
     default: ""
-    description: password for dockerhub
-  docker-config-file:
+    description: DockerHub password
+  image-name:
     required: false
-    description: Path to the docker config file (defaults to .docker-config.json) Must contain imageName, may contain dockerfile
-    default: .docker-config.json
-  github-token:
+    description: Docker image name
+  image-tag:
     required: true
-    description: GitHub token
+    description: Docker image tag
+  enable-docker-build:
+    required: false
+    default: true
+    description: Enable Docker build
   lw-account-name:
     required: true
     description: Lacework account name
   lw-access-token:
     required: true
     description: Lacework access token
-  image-name:
-    required: false
-    description: Docker image name
-  image-tag:
+  github-token:
     required: true
-    description: Docker image tag
-  image-platform:
-    description: Target platform to build image for (eg. linux/amd64 (default), linux/arm64, etc)
-    required: false
-    default: linux/amd64
-
+    description: GitHub token
   build-args:
     required: false
-    description: List of build arguments for docker build as key-value pairs (e.g., KEY=VALUE)
-    default: ""
-  secrets:
-    required: false
-    description: List of secrets for docker build as key-value pairs (e.g., SECRET_KEY=VALUE)
-    default: ""
-  enable-docker-build:
-    required: false
-    default: true
-    description: Docker image tag
+    description: Docker build arguments
 
 outputs:
-  comment-id:
-    description: Comment ID of the test report
-    value: ${{ steps.comment-pr.outputs.comment-id }}
+  image-name:
+    description: Name of the scanned Docker image.
 
 runs:
   using: composite
   steps:
     - name: Checkout Repository
+      if: ${{ inputs.skip-checkout != 'true' }}
       uses: actions/checkout@v4
 
-    - name: Build docker image
+    - name: Build Docker Image
       if: ${{ inputs.enable-docker-build }}
       uses: open-turo/actions-security/docker-build@v2
       id: docker-build
       with:
         dockerhub-user: ${{ inputs.dockerhub-user }}
         dockerhub-password: ${{ inputs.dockerhub-password }}
-        github-token: ${{ inputs.github-token }}
         image-version: ${{ inputs.image-tag }}
-        image-platform: ${{ inputs.image-platform }}
-        load: true
-        push: false
-        docker-metadata-tags: |
-          type=ref,event=branch
-          type=ref,event=pr
         build-args: ${{ inputs.build-args }}
-        secrets: ${{ inputs.secrets }}
 
-    - name: "Determining image name"
-      shell: bash
-      id: set_image_name
+    - name: Determine Image Name
       run: |
-        if [ "${{ inputs.enable-docker-build }}" == "true" ]; then
-          echo "::set-output name=image_name::${{ steps.docker-build.outputs.image-name }}"
+        if [ "${{ inputs.enable-docker-build }}" = "true" ]; then
+          echo "IMAGE_NAME=${{ steps.docker-build.outputs.image-name }}" >> $GITHUB_ENV
         else
-          echo "::set-output name=image_name::${{ inputs.image-name }}"
+          echo "IMAGE_NAME=${{ inputs.image-name }}" >> $GITHUB_ENV
         fi
+      shell: bash
 
-    - name: Scan container image for vulnerabilities using Lacework
+    - name: Scan Container Image
       uses: lacework/[email protected]
       with:
         LW_ACCOUNT_NAME: ${{ inputs.lw-account-name }}
         LW_ACCESS_TOKEN: ${{ inputs.lw-access-token }}
-        IMAGE_NAME: ${{ steps.set_image_name.outputs.image_name }}
+        IMAGE_NAME: ${{ env.IMAGE_NAME }}
         IMAGE_TAG: ${{ inputs.image-tag }}
         SAVE_RESULTS_IN_LACEWORK: true
-        RESULTS_IN_GITHUB_SUMMARY: true
-        PRETTY_OUTPUT: true
+        ADDITIONAL_PARAMETERS: "-j"
 
-    - name: Check if Lacework scan results file exist
-      id: check-results
+    - name: Check Lacework Scan Results File
       run: |
         if [ -f results.stdout ]; then
-          echo "Scan results file (results.stdout) exists"
-          exit 0
+          echo "Scan results file (results.stdout) exists."
         else
-          echo "Scan results file (results.stdout) does not exist"
+          echo "Error: Scan results file (results.stdout) does not exist."
           exit 1
         fi
       shell: bash
 
-    - name: Change formatting for PR
-      if: always()
+    - name: Format Results for PR
       run: |
         echo "## Lacework Inline Scanner Results" > pr-results.md
         echo "<details><summary>Click to expand</summary>" >> pr-results.md
@@ -120,9 +98,9 @@ runs:
         echo "</details>" >> pr-results.md
       shell: bash
 
-    - name: Check for previous report comment
-      id: fc
-      if: github.event_name == 'pull_request' && github.event.pull_request.number != ''
+    - name: Check for Previous Report Comment
+      id: find-comment
+      if: github.event_name == 'pull_request'
       uses: peter-evans/find-comment@v3
       with:
         issue-number: ${{ github.event.pull_request.number }}
@@ -141,12 +119,14 @@ runs:
       if: github.event_name == 'pull_request'
       uses: thollander/actions-comment-pull-request@v3
       with:
-        filePath: pr-results.md
+        file-path: pr-results.md
         mode: recreate
-        comment_tag: to_recreate
+        comment-tag: to_recreate
+        github-token: ${{ inputs.github-token }}
 
-    - name: Cleanup docker image
+    - name: Cleanup Docker Image
       if: always()
       run: |
-        docker image rm ${{ steps.docker-build.outputs.image-name }}:${{ inputs.image-tag }}
+        echo "Cleaning up image: ${{ env.IMAGE_NAME }}:${{ inputs.image-tag }}"
+        docker image rm ${{ env.IMAGE_NAME }}:${{ inputs.image-tag }}
       shell: bash