diff --git a/.github/workflows/test/scan-output-test.yaml b/.github/workflows/test/scan-output-test.yaml
deleted file mode 100644
index a3d2949..0000000
--- a/.github/workflows/test/scan-output-test.yaml
+++ /dev/null
@@ -1,88 +0,0 @@
-name: Test Scanner Output
-
-on:
- workflow_dispatch:
- inputs:
- image-name:
- description: "Docker image to scan"
- required: true
- default: "nginx"
- image-tag:
- description: "Image tag to scan"
- required: true
- default: "latest"
- debug-output:
- description: "Enable detailed debug output"
- required: false
- type: boolean
- default: false
-
-jobs:
- test-scan:
- runs-on: [self-hosted, ubuntu-latest]
- steps:
- - uses: actions/checkout@v4
-
- - name: Scan container image
- uses: lacework/lw-scanner-action@v1.4.3
- id: lacework-scan
- with:
- LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
- LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
- IMAGE_NAME: ${{ inputs.image-name }}
- IMAGE_TAG: ${{ inputs.image-tag }}
- SAVE_RESULTS_IN_LACEWORK: false
- RESULTS_IN_GITHUB_SUMMARY: true
-
- - name: Examine results format
- if: inputs.debug-output
- run: |
- echo "=== Full Results Structure ==="
- jq '.' results.stdout
-
- echo "=== Vulnerability Counts ==="
- jq '.evaluation.vulnerabilities' results.stdout
-
- echo "=== Image Details ==="
- jq '.image' results.stdout
-
- - name: Test New Relic payload format
- run: |
- # Format data for New Relic
- jq -n \
- --arg image_name "${{ inputs.image-name }}" \
- --arg image_tag "${{ inputs.image-tag }}" \
- --arg scan_time "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
- --arg repo "${{ github.repository }}" \
- --arg workflow "${{ github.workflow }}" \
- '{
- eventType: "ContainerScan",
- repository: $repo,
- workflow: $workflow,
- imageName: $image_name,
- imageTag: $image_tag,
- scanTime: $scan_time,
- criticalCount: (.evaluation.vulnerabilities.critical // 0),
- highCount: (.evaluation.vulnerabilities.high // 0),
- mediumCount: (.evaluation.vulnerabilities.medium // 0),
- lowCount: (.evaluation.vulnerabilities.low // 0),
- fixableCount: (.evaluation.fixable_vulnerabilities // 0)
- }' results.stdout > nr_payload.json
-
- echo "=== New Relic Payload ==="
- cat nr_payload.json
-
- - name: Upload payload artifact
- uses: actions/upload-artifact@v4
- with:
- name: newrelic-payload
- path: nr_payload.json
- retention-days: 5
-
- - name: Upload full results artifact
- if: inputs.debug-output
- uses: actions/upload-artifact@v4
- with:
- name: full-scan-results
- path: results.stdout
- retention-days: 5
diff --git a/container-scan/action.yaml b/container-scan/action.yaml
index eefd305..2ccb258 100644
--- a/container-scan/action.yaml
+++ b/container-scan/action.yaml
@@ -49,9 +49,7 @@ inputs:
 outputs:
 image-name:
 description: Name of the scanned Docker image.
- image-tag:
- description: Tag of the scanned Docker image.
- scan-results:
+ scan-results-path:
 description: Path to the scan results file (e.g., results.stdout).
 runs:
@@ -104,7 +102,7 @@ runs:
 run: |
 if [ -f results.stdout ]; then
 echo "Scan results file (results.stdout) exists."
- echo "::set-output name=scan-results::results.stdout"
+ echo "::set-output name=scan-results-path::results.stdout"
 else
 echo "Scan results file (results.stdout) does not exist."
 exit 1
@@ -122,6 +120,31 @@ runs:
 echo "" >> pr-results.md
 shell: bash
+ - name: Check for Previous Report Comment
+ id: fc
+ if: github.event_name == 'pull_request' && github.event.pull_request.number != ''
+ uses: peter-evans/find-comment@v3
+ with:
+ issue-number: ${{ github.event.pull_request.number }}
+ comment-author: "github-actions[bot]"
+ body-includes: "Lacework Inline Scanner Results"
+
+ - name: Delete Previous Test Report Comment
+ if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != ''
+ uses: winterjung/comment@v1
+ with:
+ type: delete
+ comment_id: ${{ steps.fc.outputs.comment-id }}
+ token: ${{ inputs.github-token }}
+
+ - name: Comment PR
+ if: github.event_name == 'pull_request'
+ uses: thollander/actions-comment-pull-request@v3
+ with:
+ filePath: pr-results.md
+ mode: recreate
+ comment_tag: to_recreate
+
 - name: Cleanup Docker Image
 if: always()
 run: |
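Review bot: The renamed `scan-results-path` output (like `image-name` beside it) carries only a `description:`; this is a composite action (its `runs:` has `steps` with `shell: bash`), and a composite output reaches callers only through a `value:` mapping, so as far as the hunk shows the step's `::set-output` never surfaces as `steps.<id>.outputs.scan-results-path` in the calling workflow. Add `value: ${{ steps.<check-step-id>.outputs.scan-results-path }}` under the output — the step id is outside this hunk, hence the placeholder. Renaming `scan-results` and dropping `image-tag` is also a silent break for existing callers, because a reference to an unknown action output evaluates to an empty string rather than failing; keeping `scan-results` as a deprecated alias for one release, or stating the rename in the description, would make the break visible. The rest of `outputs:` and `runs:` lies outside the hunk.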
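Review bot: The rewritten line still emits the `::set-output` workflow command, which GitHub has deprecated in favour of the `GITHUB_OUTPUT` file; the rename was the natural moment to switch. Replace it with `echo "scan-results-path=results.stdout" >> "$GITHUB_OUTPUT"`. The reason the command form was retired is security-relevant: the runner parses workflow commands out of everything a step prints, so any later step that echoes text it does not control keeps that channel open, whereas the file-based form does not. The step's `id:` is above the hunk, so whatever maps this output under `outputs:` must use the same step id and the new name.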
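Review bot: The three new steps pull third-party actions by floating tag (`peter-evans/find-comment@v3`, `winterjung/comment@v1`, `thollander/actions-comment-pull-request@v3`), and one of them is handed `inputs.github-token`, a token able to write PR comments; a tag can be repointed at new code at any time, so this action's supply chain is only as strong as those three maintainers' accounts. Pin each to a full-length commit SHA with the version as a trailing comment, e.g. `uses: peter-evans/find-comment@<full-commit-sha>  # v3`, and let Dependabot or Renovate move the pins. Token handling is also inconsistent: the delete step uses `inputs.github-token` while the find and comment steps fall back to the default `github.token`, which is read-only on pull requests from forks, so the comment step can fail where the delete step succeeds — pass the same token explicitly to all three (`token` for find-comment and winterjung/comment; the input name thollander's v3 expects should be checked against its action.yml). If I recall that action's v3 release notes correctly its inputs became kebab-case (`file-path`, `comment-tag`), in which case `filePath`/`comment_tag` are silently ignored — verify against the pinned tag. `inputs.github-token` must be declared under `inputs:`, which is outside this hunk.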