Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 11 additions & 11 deletions .github/workflows/ci-scan.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Scan dummy-vuln-app from registry
id: scan
Expand All @@ -27,7 +27,7 @@ jobs:

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: ${{ github.workspace }}/sarif.json

Expand All @@ -46,7 +46,7 @@ jobs:
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Scan dummy-vuln-app from registry
id: scan
Expand All @@ -64,7 +64,7 @@ jobs:

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: ${{ github.workspace }}/sarif.json

Expand All @@ -83,7 +83,7 @@ jobs:
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Scan dummy-vuln-app from registry
id: scan
Expand All @@ -102,7 +102,7 @@ jobs:

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: ${{ github.workspace }}/sarif.json

Expand All @@ -121,7 +121,7 @@ jobs:
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Donate MainDB from scan
id: donnor-scan
Expand Down Expand Up @@ -149,7 +149,7 @@ jobs:

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: ${{ github.workspace }}/sarif.json

Expand All @@ -159,7 +159,7 @@ jobs:
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Scan repository with multiple IaC policies
id: scan
Expand Down Expand Up @@ -187,7 +187,7 @@ jobs:

steps:
- name: Check out repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Scan with correct checksum
id: scan
Expand All @@ -213,7 +213,7 @@ jobs:

steps:
- name: Check out repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Scan with incorrect checksum
id: scan
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,9 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 20
- run: npm ci
- uses: pre-commit/action@v3.0.1
- uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
8 changes: 4 additions & 4 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
changes: ${{ steps.check_changes.outputs.changes }}
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 2

Expand All @@ -41,7 +41,7 @@ jobs:
cancel-in-progress: false
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
fetch-tags: true
Expand All @@ -51,7 +51,7 @@ jobs:
run: echo "version=v$(jq -r '.version' package.json)" >> "$GITHUB_OUTPUT"

- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22

- name: Install git-chglog
run: nix profile install nixpkgs#git-chglog
Expand All @@ -63,7 +63,7 @@ jobs:
run: git-chglog -c .github/git-chglog/config.yml -o RELEASE_CHANGELOG.md "${{ steps.version.outputs.version }}"

- name: Create release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
with:
name: ${{ steps.version.outputs.version }}
tag_name: ${{ steps.version.outputs.version }}
Expand Down
16 changes: 8 additions & 8 deletions .github/workflows/scan.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Scan dummy-vuln-app from registry
id: scan
Expand All @@ -26,7 +26,7 @@ jobs:

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: ${{ github.workspace }}/sarif.json

Expand All @@ -36,7 +36,7 @@ jobs:
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Scan dummy-vuln-app from registry
id: scan
Expand All @@ -53,7 +53,7 @@ jobs:

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: ${{ github.workspace }}/sarif.json

Expand All @@ -63,7 +63,7 @@ jobs:
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Donate MainDB from scan
id: donnor-scan
Expand Down Expand Up @@ -91,7 +91,7 @@ jobs:

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: ${{ github.workspace }}/sarif.json

Expand All @@ -101,7 +101,7 @@ jobs:
steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Scan hello-world from registry
id: scan
Expand All @@ -118,6 +118,6 @@ jobs:

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: ${{ github.workspace }}/sarif.json
2 changes: 1 addition & 1 deletion .github/workflows/stale.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:
issues: write
pull-requests: write
steps:
- uses: actions/stale@v9
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
with:
stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'
stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'
Expand Down
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ This action performs analysis on a specific container image and posts the result
|------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|
| `cli-scanner-url` | URL to `sysdig-cli-scanner` binary download. The action will detect the runner OS and architecture. For more info about the Sysdig CLI Scanner download visit [the official documentation](https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner/). | |
| `mode` | Mode of operation. Can be "vm" or "iac". | `vm` |
| `cli-scanner-version` | Custom sysdig-cli-scanner version to download. Minimum required version is 1.18.0. Please note that for VM mode the Action has only been tested with the current default version and it is not guaranteed that it will work as expected with other versions. | `1.22.6` |
| `cli-scanner-version` | Custom sysdig-cli-scanner version to download. Minimum required version is 1.18.0. Please note that for VM mode the Action has only been tested with the current default version and it is not guaranteed that it will work as expected with other versions. | `1.26.0` |
| `cli-scanner-sha256sum` | SHA256 sum of the Sysdig CLI scanner binary to verify the download. If not provided, the action will automatically download the official checksum from Sysdig for verification. The scanner download is always verified. | |
| `registry-user` | Registry username to authenticate to while pulling the image to scan. | |
| `registry-password` | Registry password to authenticate to while pulling the image to scan. | |
Expand Down Expand Up @@ -136,7 +136,7 @@ The `if: success() || failure()` option makes sure the SARIF report is uploaded
uses: sysdiglabs/scan-action@v6
with:
sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
cli-scanner-version: 1.22.6
cli-scanner-version: 1.26.0
mode: iac
iac-scan-path: ./terraform
```
Expand Down
2 changes: 1 addition & 1 deletion action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ inputs:
description: URL to sysdig-cli-scanner binary download
required: false
cli-scanner-version:
description: Custom sysdig-cli-scanner version to download. Oldest supported version is 1.22.6.
description: Custom sysdig-cli-scanner version to download. Oldest supported version is 1.26.0.
default: "1.24.1"
required: false
cli-scanner-sha256sum:
Expand Down
Loading
Loading