KSOC scans for CVEs in your images as part of your GitHub Actions CI workflow.
This action is using Grype to scan for CVEs in given image.
Build a local image and scan it for CVEs. It will fail the workflow if any CVE with medium
severity is found. It will ignore CVEs with IDs CVE-2021-1234
and CVE-2021-5678
. Default output format will be used (table
) which will be printed to the standard output of the action.
name: ksoc-image-scan
on:
pull_request:
jobs:
ksoc-image-scan:
permissions:
# only required for workflows in private repositories
actions: read
contents: read
runs-on: ubuntu-latest
steps:
- name: Build Local Container
uses: docker/build-push-action@v4
with:
tags: localbuild/testimage:latest
push: false
load: true
- name: KSOC Image Scan
uses: ksoclabs/[email protected]
with:
fail_on_severity: medium
ignore_cves: |
CVE-2021-1234
CVE-2021-5678
image: localbuild/testimage:latest
This action also supports SARIF output format. Note the additional permission security-events: write
which is required to upload security report.
name: ksoc-image-scan
on:
pull_request:
jobs:
ksoc-image-scan:
permissions:
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
runs-on: ubuntu-latest
steps:
- name: Build Local Container
uses: docker/build-push-action@v4
with:
tags: localbuild/testimage:latest
push: false
load: true
- name: KSOC Image Scan
id: scan
uses: ksoclabs/[email protected]
with:
fail_on_severity: medium
format: sarif
ignore_cves: |
CVE-2021-1234
CVE-2021-5678
image: localbuild/testimage:latest
- name: Upload Image Scan SARIF Report
if: success() || failure()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
fail_on_severity
: The severity level that will cause the action to fail. If not provided, the action doesn't fail. Possible values arenegligible
,low
,medium
,high
andcritical
.format
: The output format of the action. Possible values aretable
andsarif
. If not provided, the default value istable
.ignore_cves
: A multiline string of CVEs to ignore. Each line should contain a single CVE ID. If not provided, no CVEs will be ignored.image
: The image to scan. This is a required input.
sarif
: Location of the SARIF output file of the action. This output is only available ifformat
input is set tosarif
.
Guard Action is Apache 2.0 licensed and accepts contributions via GitHub pull requests. See the CONTRIBUTING file for details.