Skip to content

Commit

Permalink
Merge branch 'master' into v5
Browse files Browse the repository at this point in the history
  • Loading branch information
@tembleking
tembleking committed Jul 29, 2024
2 parents 1f1eb8a + 55113c7 commit 4b04450
Show file tree
Hide file tree
Showing 26 changed files with 12,366 additions and 7,839 deletions.
5 changes: 5 additions & 0 deletions .envrc
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
has nix && use flake
dotenv_if_exists .env # You can create a .env file with your env vars for this project. You can also use .secrets if you are using act. See the line below.
dotenv_if_exists .secrets # Used by [act](https://nektosact.com/) to load secrets into the pipelines

export GITHUB_STEP_SUMMARY=/tmp/github_summary.html
155 changes: 155 additions & 0 deletions .github/workflows/ci-scan.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,155 @@
name: Scan Image on PR

on:
pull_request:

jobs:
scan-from-registry:
runs-on: ubuntu-latest

steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4

- name: Scan dummy-vuln-app from registry
id: scan
uses: ./
continue-on-error: true
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true
severity-at-least: medium

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json

- name: Check that the scan has failed
run: |
if [ "${{ steps.scan.outcome }}" == "success" ]; then
echo "Scan succeeded but the step should fail."
exit 1
else
echo "Scan failed as expected."
fi
filtered-scan-from-registry:
runs-on: ubuntu-latest

steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4

- name: Scan dummy-vuln-app from registry
id: scan
uses: ./
continue-on-error: true
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true
severity-at-least: medium
group-by-package: true

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json

- name: Check that the scan has failed
run: |
if [ "${{ steps.scan.outcome }}" == "success" ]; then
echo "Scan succeeded but the step should fail."
exit 1
else
echo "Scan failed as expected."
fi
scan-with-old-scanner-version:
runs-on: ubuntu-latest

steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4

- name: Scan dummy-vuln-app from registry
id: scan
uses: ./
continue-on-error: true
with:
# Old scanner version
cli-scanner-version: 1.8.1
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true
severity-at-least: medium

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json

- name: Check that the scan has failed
run: |
if [ "${{ steps.scan.outcome }}" == "success" ]; then
echo "Scan succeeded but the step should fail."
exit 1
else
echo "Scan failed as expected."
fi
standalone-scan-from-registry:
runs-on: ubuntu-latest

steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4

- name: Donate MainDB from scan
id: donnor-scan
uses: ./
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: false
stop-on-processing-error: true
skip-summary: true

- name: Scan dummy-vuln-app from registry
id: scan
uses: ./
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
#sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true
standalone: true

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json

28 changes: 1 addition & 27 deletions .github/workflows/scan.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,32 +57,6 @@ jobs:
with:
sarif_file: ${{ github.workspace }}/sarif.json

macos-scan-from-registry:
runs-on: macos-latest

steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4

- name: Scan dummy-vuln-app from registry
id: scan
uses: ./
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json


standalone-scan-from-registry:
runs-on: ubuntu-latest

Expand Down Expand Up @@ -119,4 +93,4 @@ jobs:
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json
sarif_file: ${{ github.workspace }}/sarif.json
Loading

0 comments on commit 4b04450

Please sign in to comment.