From f1df858ee9390a6a5e9a2a8305373e75e47565f3 Mon Sep 17 00:00:00 2001 From: Ian McGinnis <67600557+ian-noaa@users.noreply.github.com> Date: Wed, 1 Jul 2026 22:23:37 -0600 Subject: [PATCH 1/5] Add sysdig scanning to the MATS home app This is a trial run for ITS --- .github/workflows/build-home.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/build-home.yml b/.github/workflows/build-home.yml index 3ee5f11f2b..be8a0ddda0 100644 --- a/.github/workflows/build-home.yml +++ b/.github/workflows/build-home.yml @@ -118,6 +118,23 @@ jobs: output: 'trivy-results-home.sarif' ignore-unfixed: true + - name: Scan image with Sysdig + id: scan + uses: sysdiglabs/scan-action@v6 + with: + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-url: ${{ secrets.SYSDIG_SECURE_ENDPOINT }} + image-tag: '${{ env.DEV_REGISTRY }}/home:${{ env.BRANCH }}' + stop-on-failed-policy-eval: false + stop-on-processing-error: false + severity-at-least: high + + - name: Upload Sysdig scan results + if: success() || failure() + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: ${{ github.workspace }}/sarif.json + - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v4 with: From 44b97d253fee9889b690bb6fa99059c43156d57a Mon Sep 17 00:00:00 2001 From: Ian McGinnis <67600557+ian-noaa@users.noreply.github.com> Date: Wed, 1 Jul 2026 22:38:10 -0600 Subject: [PATCH 2/5] Use the correct primitive for the Sysdig endpoint It's a variable at the org-level, not a secret --- .github/workflows/build-home.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-home.yml b/.github/workflows/build-home.yml index be8a0ddda0..7cdb40709e 100644 --- a/.github/workflows/build-home.yml +++ b/.github/workflows/build-home.yml @@ -123,7 +123,7 @@ jobs: uses: sysdiglabs/scan-action@v6 with: sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - sysdig-secure-url: ${{ secrets.SYSDIG_SECURE_ENDPOINT }} + sysdig-secure-url: ${{ vars.SYSDIG_SECURE_ENDPOINT }} image-tag: '${{ env.DEV_REGISTRY }}/home:${{ env.BRANCH }}' stop-on-failed-policy-eval: false stop-on-processing-error: false From fb9935b53a6cb3928030cbae94a72907b6fdf363 Mon Sep 17 00:00:00 2001 From: Ian McGinnis <67600557+ian-noaa@users.noreply.github.com> Date: Thu, 2 Jul 2026 10:22:27 -0600 Subject: [PATCH 3/5] Add Sysdig Scanner to MATS --- .github/workflows/build-mats.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/build-mats.yml b/.github/workflows/build-mats.yml index 5783781d65..ade0b47aa9 100644 --- a/.github/workflows/build-mats.yml +++ b/.github/workflows/build-mats.yml @@ -183,6 +183,23 @@ jobs: with: sarif_file: 'trivy-results-${{ env.APP_LOWERCASE }}.sarif' + - name: Scan image with Sysdig + id: scan + uses: sysdiglabs/scan-action@v6 + with: + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-url: ${{ vars.SYSDIG_SECURE_ENDPOINT }} + image-tag: '${{ env.DEV_REGISTRY }}/${{ env.APP_LOWERCASE }}:${{ env.BRANCH }}' + stop-on-failed-policy-eval: false + stop-on-processing-error: false + severity-at-least: high + + - name: Upload Sysdig scan results + if: success() || failure() + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: ${{ github.workspace }}/sarif.json + - name: Upload Resource Metrics if: always() uses: actions/upload-artifact@v7 From 86a9de3883093a088ab1a4d02aa2c5643b1cf810 Mon Sep 17 00:00:00 2001 From: Ian McGinnis <67600557+ian-noaa@users.noreply.github.com> Date: Thu, 2 Jul 2026 10:36:33 -0600 Subject: [PATCH 4/5] Group SARIF findings by package This should reduce duplicate findings --- .github/workflows/build-home.yml | 3 ++- .github/workflows/build-mats.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-home.yml b/.github/workflows/build-home.yml index 7cdb40709e..4da0e904d8 100644 --- a/.github/workflows/build-home.yml +++ b/.github/workflows/build-home.yml @@ -126,8 +126,9 @@ jobs: sysdig-secure-url: ${{ vars.SYSDIG_SECURE_ENDPOINT }} image-tag: '${{ env.DEV_REGISTRY }}/home:${{ env.BRANCH }}' stop-on-failed-policy-eval: false - stop-on-processing-error: false + stop-on-processing-error: true severity-at-least: high + group-by-package: true - name: Upload Sysdig scan results if: success() || failure() diff --git a/.github/workflows/build-mats.yml b/.github/workflows/build-mats.yml index ade0b47aa9..da9824bc15 100644 --- a/.github/workflows/build-mats.yml +++ b/.github/workflows/build-mats.yml @@ -191,8 +191,9 @@ jobs: sysdig-secure-url: ${{ vars.SYSDIG_SECURE_ENDPOINT }} image-tag: '${{ env.DEV_REGISTRY }}/${{ env.APP_LOWERCASE }}:${{ env.BRANCH }}' stop-on-failed-policy-eval: false - stop-on-processing-error: false + stop-on-processing-error: true severity-at-least: high + group-by-package: true - name: Upload Sysdig scan results if: success() || failure() From 9036a475328970b818046f0db87b8f6f37ab0c65 Mon Sep 17 00:00:00 2001 From: Ian McGinnis <67600557+ian-noaa@users.noreply.github.com> Date: Thu, 2 Jul 2026 10:46:33 -0600 Subject: [PATCH 5/5] Note we want to fail CI if the scan doesn't pass Right now we're still evaluating Sysdig, so let the pipeline pass if the scan fails. --- .github/workflows/build-home.yml | 2 +- .github/workflows/build-mats.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-home.yml b/.github/workflows/build-home.yml index 4da0e904d8..c3a6c802db 100644 --- a/.github/workflows/build-home.yml +++ b/.github/workflows/build-home.yml @@ -125,7 +125,7 @@ jobs: sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: ${{ vars.SYSDIG_SECURE_ENDPOINT }} image-tag: '${{ env.DEV_REGISTRY }}/home:${{ env.BRANCH }}' - stop-on-failed-policy-eval: false + stop-on-failed-policy-eval: false # TODO - switch to true once we're ready to use sysdig as our primary scanner stop-on-processing-error: true severity-at-least: high group-by-package: true diff --git a/.github/workflows/build-mats.yml b/.github/workflows/build-mats.yml index da9824bc15..8cdcce63b9 100644 --- a/.github/workflows/build-mats.yml +++ b/.github/workflows/build-mats.yml @@ -190,7 +190,7 @@ jobs: sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: ${{ vars.SYSDIG_SECURE_ENDPOINT }} image-tag: '${{ env.DEV_REGISTRY }}/${{ env.APP_LOWERCASE }}:${{ env.BRANCH }}' - stop-on-failed-policy-eval: false + stop-on-failed-policy-eval: false # TODO - switch to true once we're ready to use sysdig as our primary scanner stop-on-processing-error: true severity-at-least: high group-by-package: true