SEC-3351: Refactor action.yaml in container-scan

container-scan/README.md

@@ -4,7 +4,7 @@
 <!-- action-docs-description source="action.yaml" -->
 ## Description
 
-GitHub Action for scanning container image for vulnerabilities using Lacework
+Scans container images for vulnerabilities using Lacework
 <!-- action-docs-description source="action.yaml" -->
 
 <!-- action-docs-usage source="action.yaml" -->
@@ -13,42 +13,6 @@ GitHub Action for scanning container image for vulnerabilities using Lacework
 ```yaml
 - uses: @
   with:
-    dockerhub-user:
-    # username for dockerhub
-    #
-    # Required: false
-    # Default: ""
-
-    dockerhub-password:
-    # password for dockerhub
-    #
-    # Required: false
-    # Default: ""
-
-    docker-config-file:
-    # Path to the docker config file (defaults to .docker-config.json) Must contain imageName, may contain dockerfile
-    #
-    # Required: false
-    # Default: .docker-config.json
-
-    github-token:
-    # GitHub token
-    #
-    # Required: true
-    # Default: ""
-
-    lw-account-name:
-    # Lacework account name
-    #
-    # Required: true
-    # Default: ""
-
-    lw-access-token:
-    # Lacework access token
-    #
-    # Required: true
-    # Default: ""
-
     image-name:
     # Docker image name
     #
@@ -61,29 +25,29 @@ GitHub Action for scanning container image for vulnerabilities using Lacework
     # Required: true
     # Default: ""
 
-    image-platform:
-    # Target platform to build image for (eg. linux/amd64 (default), linux/arm64, etc)
+    enable-docker-build:
+    # Enable Docker build
     #
     # Required: false
-    # Default: linux/amd64
+    # Default: true
 
     build-args:
-    # List of build arguments for docker build as key-value pairs (e.g., KEY=VALUE)
+    # Docker build arguments
     #
     # Required: false
     # Default: ""
 
-    secrets:
-    # List of secrets for docker build as key-value pairs (e.g., SECRET_KEY=VALUE)
+    lw-account-name:
+    # Lacework account name
     #
-    # Required: false
+    # Required: true
     # Default: ""
 
-    enable-docker-build:
-    # Docker image tag
+    lw-access-token:
+    # Lacework access token
     #
-    # Required: false
-    # Default: true
+    # Required: true
+    # Default: ""
 ```
 <!-- action-docs-usage source="action.yaml" -->
 

container-scan/action.yaml

@@ -1,152 +1,67 @@
-name: "Security Scan Composite Action"
-description: "GitHub Action for scanning container image for vulnerabilities using Lacework"
+name: "Container Security Scan"
+description: "Scans container images for vulnerabilities using Lacework"
 
 inputs:
-  dockerhub-user:
-    required: false
-    default: ""
-    description: username for dockerhub
-  dockerhub-password:
-    required: false
-    default: ""
-    description: password for dockerhub
-  docker-config-file:
-    required: false
-    description: Path to the docker config file (defaults to .docker-config.json) Must contain imageName, may contain dockerfile
-    default: .docker-config.json
-  github-token:
-    required: true
-    description: GitHub token
-  lw-account-name:
-    required: true
-    description: Lacework account name
-  lw-access-token:
-    required: true
-    description: Lacework access token
   image-name:
     required: false
-    description: Docker image name
+    description: "Docker image name"
   image-tag:
     required: true
-    description: Docker image tag
-  image-platform:
-    description: Target platform to build image for (eg. linux/amd64 (default), linux/arm64, etc)
+    description: "Docker image tag"
+  enable-docker-build:
     required: false
-    default: linux/amd64
-
+    default: "true"
+    description: "Enable Docker build"
   build-args:
     required: false
-    description: List of build arguments for docker build as key-value pairs (e.g., KEY=VALUE)
-    default: ""
-  secrets:
-    required: false
-    description: List of secrets for docker build as key-value pairs (e.g., SECRET_KEY=VALUE)
-    default: ""
-  enable-docker-build:
-    required: false
-    default: true
-    description: Docker image tag
+    description: "Docker build arguments"
+  lw-account-name:
+    required: true
+    description: "Lacework account name"
+  lw-access-token:
+    required: true
+    description: "Lacework access token"
 
 outputs:
-  comment-id:
-    description: Comment ID of the test report
-    value: ${{ steps.comment-pr.outputs.comment-id }}
+  scan-results-path:
+    description: "Path to the scan results file"
+    value: ${{ steps.scan.outputs.results-file }}
 
 runs:
   using: composite
   steps:
-    - name: Checkout Repository
-      uses: actions/checkout@v4
-
-    - name: Build docker image
-      if: ${{ inputs.enable-docker-build }}
+    - name: Build Docker Image
+      if: ${{ inputs.enable-docker-build == 'true' }}
       uses: open-turo/actions-security/docker-build@v2
       id: docker-build
       with:
-        dockerhub-user: ${{ inputs.dockerhub-user }}
-        dockerhub-password: ${{ inputs.dockerhub-password }}
-        github-token: ${{ inputs.github-token }}
         image-version: ${{ inputs.image-tag }}
-        image-platform: ${{ inputs.image-platform }}
-        load: true
-        push: false
-        docker-metadata-tags: |
-          type=ref,event=branch
-          type=ref,event=pr
         build-args: ${{ inputs.build-args }}
-        secrets: ${{ inputs.secrets }}
 
-    - name: "Determining image name"
-      shell: bash
-      id: set_image_name
+    - name: Determine Image Name
       run: |
-        if [ "${{ inputs.enable-docker-build }}" == "true" ]; then
-          echo "::set-output name=image_name::${{ steps.docker-build.outputs.image-name }}"
+        if [ "${{ inputs.enable-docker-build }}" = "true" ]; then
+          echo "IMAGE_NAME=${{ steps.docker-build.outputs.image-name }}" >> $GITHUB_ENV
         else
-          echo "::set-output name=image_name::${{ inputs.image-name }}"
+          echo "IMAGE_NAME=${{ inputs.image-name }}" >> $GITHUB_ENV
         fi
+      shell: bash
 
-    - name: Scan container image for vulnerabilities using Lacework
+    - name: Scan Container Image
+      id: scan
       uses: lacework/[email protected]
       with:
         LW_ACCOUNT_NAME: ${{ inputs.lw-account-name }}
         LW_ACCESS_TOKEN: ${{ inputs.lw-access-token }}
-        IMAGE_NAME: ${{ steps.set_image_name.outputs.image_name }}
+        IMAGE_NAME: ${{ env.IMAGE_NAME }}
         IMAGE_TAG: ${{ inputs.image-tag }}
         SAVE_RESULTS_IN_LACEWORK: true
-        RESULTS_IN_GITHUB_SUMMARY: true
-        PRETTY_OUTPUT: true
-
-    - name: Check if Lacework scan results file exist
-      id: check-results
-      run: |
-        if [ -f results.stdout ]; then
-          echo "Scan results file (results.stdout) exists"
-          exit 0
-        else
-          echo "Scan results file (results.stdout) does not exist"
-          exit 1
-        fi
-      shell: bash
-
-    - name: Change formatting for PR
-      if: always()
-      run: |
-        echo "## Lacework Inline Scanner Results" > pr-results.md
-        echo "<details><summary>Click to expand</summary>" >> pr-results.md
-        echo "<pre>" >> pr-results.md
-        cat results.stdout >> pr-results.md
-        echo "</pre>" >> pr-results.md
-        echo "</details>" >> pr-results.md
-      shell: bash
+        ADDITIONAL_PARAMETERS: "-j"
 
-    - name: Check for previous report comment
-      id: fc
-      if: github.event_name == 'pull_request' && github.event.pull_request.number != ''
-      uses: peter-evans/find-comment@v3
-      with:
-        issue-number: ${{ github.event.pull_request.number }}
-        comment-author: "github-actions[bot]"
-        body-includes: "Lacework Inline Scanner Results"
-
-    - name: Delete previous test report comment
-      if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != ''
-      uses: winterjung/comment@v1
-      with:
-        type: delete
-        comment_id: ${{ steps.fc.outputs.comment-id }}
-        token: ${{ inputs.github-token }}
-
-    - name: Comment PR
-      if: github.event_name == 'pull_request'
-      uses: thollander/actions-comment-pull-request@v3
-      with:
-        filePath: pr-results.md
-        mode: recreate
-        comment_tag: to_recreate
-
-    - name: Cleanup docker image
+    - name: Cleanup Docker Image
       if: always()
       run: |
-        docker image rm ${{ steps.docker-build.outputs.image-name }}:${{ inputs.image-tag }}
+        if [[ -n "${IMAGE_NAME}" ]]; then
+          docker image rm "${IMAGE_NAME}:${{ inputs.image-tag }}" || true
+        fi
       shell: bash