Skip to content

sicpa-foundations/security-sysdig-action-scan-image

 
 

Repository files navigation

Sysdig Secure Inline Scan Action

This action performs analysis on locally built container image and posts the result to Sysdig Secure. For more information about Secure Inline Scan, see Sysdig Secure documentation.

Inputs

image-tag

Required The tag of the local image to scan. Example: "sysdiglabs/dummy-vuln-app:latest".

sysdig-secure-token

Required API token for Sysdig Scanning auth. Example: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx".

Directly specifying the API token in the action configuration is not recommended. A better approach is to store it in GitHub secrets, and reference ${{ secrets.MY_SECRET_NAME }} instead.

sysdig-secure-url

Sysdig Secure URL. Example: https://secure-sysdig.svc.cluster.local

If not specified, it will default to Sysdig Secure SaaS URL (https://secure.sysdig.com).

For SaaS, eee SaaS Regions and IP Ranges.

sysdig-skip-tls

Skip TLS verification when calling secure endpoints.

dockerfile-path

Path to Dockerfile. Example: "./Dockerfile".

ignore-failed-scan

Don't fail the execution of this action even if the scan result is FAILED.

input-type

If specified, where should we scan the image from. Possible values:

  • pull: Pull the image from the registry. Default if not specified.
  • docker-daemon: Get the image from the Docker daemon. The Docker socket must be available at /var/run/docker.sock
  • cri-o: Get the image from containers-storage (CRI-O and others). Images must be stored in /var/lib/containers
  • docker-archive: Image is provided as a Docker .tar file (from Docker save). Specify the path to the tar file with input-path parameter.
  • oci-archive: Image is provided as a OCI image tar file. Specify the path to the tar file with input-path parameter.
  • oci-dir: Image is provided as a OCI image, untared. Specify the path to the directory file with input-path parameter.

input-path

Path to the tar file or OCI layout directory, or the Docker daemon when using input-type: docker-daemon, in case the docker.sock file is not in the default path /var/run/docker.sock.

run-as-user

Run the scan container with this username or UID. It might be required when scanning from docker-daemon or cri-o to provide a user with permissions on the socket or storage.

extra-parameters

Additional parameters added to the secure-inline-scan container execution.

extra-docker-parameters

Additional parameters added to the docker command when executing the secure-inline-scan container execution.

severity

Filter output annotations by severity. Default is "unknown". Possible values:

  • critical
  • high
  • medium
  • negligible
  • unknown

unique-report-by-package

Only one annotation by package name/version will be displayed in the build output. The last highest (by severity) vulnerability will be displayed by package. It increases the readability of the output, avoiding duplicates for the same package. Default to false.

inline-scan-image

The image quay.io/sysdig/secure-inline-scan:2, which points to the latest 2.x version of the Sysdig Secure inline scanner is used by default. This parameter allows overriding the default image, to use a specific version or for air-gapped environments.

SARIF Report

The action generates a SARIF report that can be uploaded using the codeql-action/upload-sarif action.

You need to assign an ID to the Sysdig Scan Action step, like:

    ...

    - name: Scan image
      id: scan
      uses: sysdiglabs/scan-action@v3
      with:
        ...

and then add another step for uploading the SARIF report, providing the path in the sarifReport output:

    ...
      - uses: github/codeql-action/upload-sarif@v1
        with:
          if: always()
          sarif_file: ${{ steps.scan.outputs.sarifReport }}

The if: always() option makes sure the SARIF report is uploaded even if the scan fails and interrupts the workflow.

Example usages

Build and scan image locally using Docker, and upload SARIF report

    ...

    - name: Build the Docker image
      run: docker build . --file Dockerfile --tag sysdiglabs/dummy-vuln-app:latest

    - name: Scan image
      id: scan
      uses: sysdiglabs/scan-action@v3
      with:
        image-tag: "sysdiglabs/dummy-vuln-app:latest"
        sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
        input-type: docker-daemon
        run-as-user: root

      - uses: github/codeql-action/upload-sarif@v1
        if: always()
        with:
          sarif_file: ${{ steps.scan.outputs.sarifReport }}

Pull and scan an image from a registry

    ...

    - name: Scan image
      uses: sysdiglabs/scan-action@v3
      with:
        image-tag: "sysdiglabs/dummy-vuln-app:latest"
        sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}

Scan a Docker archive image

    ...

    - name: Scan image
      uses: sysdiglabs/scan-action@v3
      with:
        image-tag: "sysdiglabs/dummy-vuln-app:latest"
        sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
        input-type: docker-archive
        input-path: artifacts/my-image.tar