forked from sysdiglabs/scan-action
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaction.yml
98 lines (97 loc) · 3.45 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
name: 'Sysdig Secure Inline Scan'
description: 'Perform image analysis on locally built container image and post the result of the analysis to Sysdig Secure.'
inputs:
cli-scanner-url:
description: URL to sysdig-cli-scanner binary download
required: false
cli-scanner-version:
description: Custom sysdig-cli-scanner version to download
default: "1.13.0"
required: false
registry-user:
description: Registry username.
required: false
registry-password:
description: Registry password.
required: false
stop-on-failed-policy-eval:
description: Fail the job if the Policy Evaluation is Failed.
default: "false"
required: false
stop-on-processing-error:
description: Fail the job if the Scanner terminates execution with errors.
default: "false"
required: false
standalone:
description: Enable standalone mode. Do not depend on Sysdig backend for execution, avoiding the need of specifying 'sysdig-secure-token' and 'sysdig-secure-url'.
default: "false"
required: false
db-path:
description: Specify directory for database to use while scanning.
required: false
skip-upload:
description: Skip uploading results to Sysdig Secure.
default: "false"
required: false
skip-summary:
description: Skip generating Summary.
default: "false"
required: false
use-policies:
description: Specify Sysdig Secure VM Policies to evaluate the image.
required: false
override-pullstring:
description: Custom PullString to give the image when scanning and uploading.
required: false
severity-at-least:
description: Filtering option to only report vulnerabilities with at least the specified severity. Can take [critical|high|medium|low|negligible|any]. Default value "any" for no filtering.
default: any
required: false
group-by-package:
description: Enable grouping the vulnerabilities in the SARIF report by package.
default: "false"
required: false
image-tag:
description: Tag of the image to analyse. (Required if not in IaC mode.)
required: false
sysdig-secure-token:
description: API token for Sysdig Scanning auth. (Required if not in Standalone mode.)
required: false
sysdig-secure-url:
description: 'Sysdig Secure URL (ex: "https://secure-sysdig.com").'
required: false
default: https://secure.sysdig.com
sysdig-skip-tls:
description: Skip TLS verification when calling secure endpoints.
required: false
extra-parameters:
description: Additional parameters added to the secure-inline-scan container execution.
required: false
mode:
description: 'Mode of operation. Can be "vm" or "iac".'
required: false
default: vm
recursive:
description: 'Recursively scan all folders within the folder specified in the iacScanPath.'
required: false
default: "false"
minimum-severity:
description: 'Minimum severity to fail when scanning in IaC mode'
required: false
default: "high"
iac-scan-path:
description: 'Path to the IaC files to scan.'
required: false
default: "./"
outputs:
scanReport:
description: Path to a JSON file containing the report results, failed evaluation gates, and found vulnerabilities.
sarifReport:
description: |
Path to a SARIF report, that can be uploaded using the codeql-action/upload-sarif action. See the README for more information.
branding:
icon: 'shield'
color: 'orange'
runs:
using: 'node20'
main: 'dist/index.js'