Test consec workflow

tenable · Apr 27, 2021 · 474eed0 · 474eed0
1 parent dcf4392
commit 474eed0
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 27 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,3 +1,4 @@
+name: Tests
 on: [push]
 
 jobs:
@@ -26,16 +27,15 @@ jobs:
         with:
             context: .
             push: false
-            tags: user/app:latest
+            tags: action/consec:latest
             load: true
       - name: Runs the container security scan
         uses: ./
         id: consec
         with:
-          repo_name: user/app
+          repo_name: action/consec
           tag_name: latest
-          check_thresholds: true
-          risk_threshold: 0
+          wait_for_results: true
         env:
           ACCESS_KEY: ${{ secrets.ACCESS_KEY }}
           SECRET_KEY: ${{ secrets.SECRET_KEY }}

diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 # container-security-action
-Tenable's Container security action
+Tenable's Container security action ![Build](https://github.com/tenable/container-security-action/actions/workflows/main.yml/badge.svg)
 
 This action can be used to trigger a container security scan for your build images. The user must have a Tenable.io account and also a license for container security. The action will upload the image to the tenable registry which kicks off the scan. The detailed results for each scan can be found within the container security dashboard on Tenable.io.
 Users can specify thresholds within their workflows to enforce SLAs.

diff --git a/action.yml b/action.yml
@@ -6,6 +6,9 @@ inputs:
     description: "Name of the repository which includes the image name"
   tag_name:
     description: "Name of the tag associated with the image"
+  wait_for_results:
+    description: "If the action should wait for scan results"
+    default: "false"
   check_thresholds:
     description: "If the user wants to block builds based on the threshold checks"
     default: "false"

diff --git a/src/main/main.py b/src/main/main.py
@@ -89,36 +89,40 @@ def main():
     risk_threshold = int(os.environ["INPUT_RISK_THRESHOLD"])
     findinds_threshold = int(os.environ["INPUT_FINDINGS_THRESHOLD"])
     malware_threshold = int(os.environ["INPUT_MALWARE_THRESHOLD"])
-    check_thresholds = str(os.environ["INPUT_CHECK_THRESHOLDS"])
     repository = str(os.environ["INPUT_REPO_NAME"])
     image = repository.split("/")[1]
     tag = str(os.environ["INPUT_TAG_NAME"])
+    check_thresholds = True if str(os.environ["INPUT_CHECK_THRESHOLDS"]) == "true" else False
+    wait_for_results = True if str(os.environ["INPUT_WAIT_FOR_RESULTS"]) == "true" else False
 
     registry = "registry.cloud.tenable.com"
     url = f"https://cloud.tenable.com/container-security/api/v2/reports/library/{image}/{tag}"   
 
     push_docker_image(access_key, secret_key, registry, repository, image, tag)
-    response_dict = get_report(url, access_key, secret_key)
-
-    number_of_findings = len(response_dict["findings"])
-    risk_score =  response_dict["risk_score"]
-    number_of_malware_findings = len(response_dict["malware"])
-    cve_info = get_cve_info(response_dict["findings"])
-
-    if check_thresholds is "true":
-        check_threshold(
-            risk_score, 
-            number_of_findings, 
-            number_of_malware_findings, 
-            risk_threshold, 
-            findinds_threshold, 
-            malware_threshold
-        )
-
-    logger.info(f"::set-output name=risk_score::{risk_score}")
-    logger.info(f"::set-output name=number_of_findings::{number_of_findings}")
-    logger.info(f"::set-output name=number_of_malware_findings::{number_of_malware_findings}")
-    logger.info(f"::set-output name=cve_info::{cve_info}")
+    if wait_for_results:
+        response_dict = get_report(url, access_key, secret_key)
+
+        number_of_findings = len(response_dict["findings"])
+        risk_score =  response_dict["risk_score"]
+        number_of_malware_findings = len(response_dict["malware"])
+        cve_info = get_cve_info(response_dict["findings"])
+
+        if check_thresholds:
+            check_threshold(
+                risk_score, 
+                number_of_findings, 
+                number_of_malware_findings, 
+                risk_threshold, 
+                findinds_threshold, 
+                malware_threshold
+            )
+
+        logger.info(f"::set-output name=risk_score::{risk_score}")
+        logger.info(f"::set-output name=number_of_findings::{number_of_findings}")
+        logger.info(f"::set-output name=number_of_malware_findings::{number_of_malware_findings}")
+        logger.info(f"::set-output name=cve_info::{cve_info}")
+    else:
+        logger.info("Kicking off scan and not waiting for results")
 
 if __name__ == "__main__":
     main()