feat: add support for iac mode
BenediktFloeser committed Sep 4, 2024
1 parent 1db362d commit 65f7f9e
Showing 2 changed files with 41 additions and 8 deletions.
33 changes: 28 additions & 5 deletions README.md
Expand Up @@ -16,6 +16,8 @@ The action assumes a locally built image that is subsequently scanned.

## Example Usage

Scan image for vulnerabilities:

```yaml
jobs:
build:
Expand All @@ -30,18 +32,39 @@ jobs:
# ...
```

Perform IaC scan:

```yaml
jobs:
build:
# ...
steps:
# ...
- name: Scan k8s manifests
uses: ZeitOnline/[email protected]
with:
gha_vault_role: ${{ steps.baseproject.outputs.gha_vault_role }}
mode: iac
iac_scan_path: ./k8s
recursive: true
# ...
```

This usage assumes a preceding step with id `baseproject` that outputs the `gha_vault_role`. This is needed to authenticate to Vault
for fetching the Sysdig secure token.

## Reference

Here are all the inputs available through `with`:

| Input | Description | Default | Required |
| -------------------- | --------------------------------------------------------------------------------- | ------- | -------- |
| `gha_default_role` | The name of the GHA default role as output by the baseproject action | ||
| `image_tag` | The name and tag of the Docker image to be scanned. Assumes locally built image | ||
| `stop_on_failed_policy_eval` | Whether to fail the action when the policy evaluation fails | 'true' | |
| Input | Description | Default | Required |
| ---------------------------- | --------------------------------------------------------------------------------- | ------- | -------- |
| `mode` | Whether to scan OCI images (`vm`) or IaC files (`iac`) | `vm` ||
| `gha_default_role` | The name of the GHA default role as output by the baseproject action | ||
| `image_tag` | The name and tag of the Docker image to be scanned. Assumes locally built image | | |
| `stop_on_failed_policy_eval` | Whether to fail the action when the policy evaluation fails | 'true' | |
| `iac_scan_path` | Directory path where IaC files to be scanned reside | | |
| `recursive` | Whether to scan IaC files recursively | | |

## Releases

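Review bot: the reference table still names the input `gha_default_role`, while the new IaC example in this same hunk passes `gha_vault_role: ${{ steps.baseproject.outputs.gha_vault_role }}` and action.yaml declares `gha_vault_role`; rename the row so a user who copies from the reference does not pass an input the action never declares. The new rows also leave Default and Required empty for `iac_scan_path` and `recursive`, and `mode` is not marked required even though action.yaml sets `required: true` for it; fill those cells in and state that `iac_scan_path` is only meaningful (and effectively required) when `mode` is `iac`, since nothing else on the page tells the reader which inputs each mode needs.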
16 changes: 13 additions & 3 deletions action.yaml
Expand Up @@ -2,15 +2,22 @@ name: ZON image scanning action
description: A composite action to scan images with Sysdig

inputs:
mode:
description: Whether to scan OCI images or IaC files
default: 'vm'
required: true
gha_vault_role:
description: The gha_vault_role as output by the baseproject action
description: The gha_vault_role as output by the baseproject action. Required if mode is 'vm'
required: true
image_tag:
description: The name and tag of the image to be scanned
required: true
description: The name and tag of the image to be scanned. Required if mode is 'vm'
stop_on_failed_policy_eval:
description: Whether to fail the action when the policy evaluation fails
default: 'true'
iac_scan_path:
description: Directory path where IaC files to be scanned reside
recursive:
description: Whether to scan IaC files recursively

runs:
using: "composite"
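Review bot: the new description on `gha_vault_role` says "Required if mode is 'vm'", yet the input keeps `required: true` and the README's `mode: iac` example still passes it, explaining that it is needed to fetch the Sysdig secure token from Vault; the token is used in both modes, so drop the "Required if mode is 'vm'" suffix rather than suggest IaC users can omit it. Conversely `image_tag` lost its `required: true` and is now required only by prose, and `iac_scan_path` carries no requirement at all; composite actions cannot express conditional requirements, so add a validation step that fails early when `mode == 'vm'` and `image_tag` is empty, when `mode == 'iac'` and `iac_scan_path` is empty, or when `mode` is anything other than `vm`/`iac` (the runner does not validate enum values, and `mode` having both `default: 'vm'` and `required: true` makes the `required` flag moot). `recursive` should also get an explicit default (e.g. `'false'`) so it is never forwarded as an empty string.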
Expand All @@ -32,7 +39,10 @@ runs:
- name: Scan image
uses: sysdiglabs/scan-action@v5
with:
mode: ${{ inputs.mode }}
image-tag: ${{ inputs.image_tag }}
stop-on-failed-policy-eval: ${{ inputs.stop_on_failed_policy_eval }}
iac-scan-path: ${{ inputs.iac_scan_path }}
recursive: ${{ inputs.recursive }}
sysdig-secure-token: ${{ env.SYSDIG_SECURE_TOKEN }}
sysdig-secure-url: https://eu1.app.sysdig.com/secure

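Review bot: `iac-scan-path: ${{ inputs.iac_scan_path }}` and `recursive: ${{ inputs.recursive }}` are forwarded unconditionally, as is `image-tag`, so in `vm` mode the downstream action receives empty `iac-scan-path` and `recursive` values and in `iac` mode an empty `image-tag`; either give these inputs defaults in the `inputs:` block or only set them for the matching mode, and note in the README which combinations scan-action accepts, since a silently ignored empty value is hard to distinguish from a scan that ran. While this step is being edited, `sysdiglabs/scan-action@v5` is a mutable major tag; pinning the third-party action that receives `SYSDIG_SECURE_TOKEN` to a full commit SHA (keeping the tag in a trailing comment) prevents its contents from changing underneath every workflow that uses this composite action.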