Skip to content

ci: run scan on pr

ci: run scan on pr #1

Workflow file for this run

name: Scan Image on PR
on:
pull_request:
jobs:
scan-from-registry:
runs-on: ubuntu-latest
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v5
- name: Scan dummy-vuln-app from registry
id: scan
uses: ./
continue-on-error: true
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true
severity-at-least: medium
- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json
- name: Check that the scan has failed
run: |
if [ "${{ steps.scan.outcome }}" == "success" ]; then
echo "Scan succeeded but the step should fail."
exit 1
else
echo "Scan failed as expected."
fi
filtered-scan-from-registry:
runs-on: ubuntu-latest
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4
- name: Scan dummy-vuln-app from registry
id: scan
uses: ./
continue-on-error: true
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true
severity-at-least: medium
group-by-package: true
- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json
- name: Check that the scan has failed
run: |
if [ "${{ steps.scan.outcome }}" == "success" ]; then
echo "Scan succeeded but the step should fail."
exit 1
else
echo "Scan failed as expected."
fi
macos-scan-from-registry:
runs-on: macos-latest
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4
- name: Scan dummy-vuln-app from registry
id: scan
uses: ./
continue-on-error: true
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true
- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json
- name: Check that the scan has failed
run: |
if [ "${{ steps.scan.outcome }}" == "success" ]; then
echo "Scan succeeded but the step should fail."
exit 1
else
echo "Scan failed as expected."
fi
standalone-scan-from-registry:
runs-on: ubuntu-latest
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4
- name: Donate MainDB from scan
id: donnor-scan
uses: ./
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: false
stop-on-processing-error: true
skip-summary: true
- name: Scan dummy-vuln-app from registry
id: scan
continue-on-error: true
uses: ./
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
#sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true
standalone: true
- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json
- name: Check that the scan has failed
run: |
if [ "${{ steps.scan.outcome }}" == "success" ]; then
echo "Scan succeeded but the step should fail."
exit 1
else
echo "Scan failed as expected."
fi