-
Notifications
You must be signed in to change notification settings - Fork 7
88 lines (73 loc) · 3.61 KB
/
example_vulnerability_threshold_exceeded.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
name: Example Sbomgen Threshold Conditionals
# This example workflow aims to provide an example of using Inspector Scan vulnerability_threshold_exceeded
# output to determine next steps in a pipeline
on:
workflow_dispatch:
permissions:
id-token: write
contents: read
jobs:
inspector_scan_job:
runs-on: ubuntu-latest
steps:
# Checkout Repo
- name: Checkout this repo
uses: actions/checkout@v4
# setup the environment
- name: Set up docker build prereqs (QEMU)
uses: docker/setup-qemu-action@v3
- name: Set up docker build prereqs (Buildx)
uses: docker/setup-buildx-action@v3
# build container
- name: Build Docker image
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
push: false
tags: vulnerable:latest
load: true
# Authenticate with AWS via OIDC
# More Detail: https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
# IAM Role requirements: https://docs.aws.amazon.com/inspector/latest/user/configure-cicd-account.html#cicd-iam-role
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-east-1
role-to-assume: arn:aws:iam::<AWS ACCOUNT ID>:role/<AWS IAM ROLE>
# Inspector scan
- name: Scan container with Inspector
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
id: inspector
with:
artifact_type: 'container' # configure Inspector for scanning a container
artifact_path: 'vulnerable:latest' # scan container built in above steps
display_vulnerability_findings: "enabled" # display results in step summary page
critical_threshold: 1 # set vulnerability_threshold_exceeded=1 if 1 or more critical vulnerabilities found
high_threshold: 10 # set vulnerability_threshold_exceeded=1 if 10 or more high vulnerabilities found
# Upload Inspector scan results as Artifacts
- name: Upload Inspector scan results
uses: actions/upload-artifact@v4
with:
name: Inspector Vulnerability Scan Artifacts
path: |
${{ steps.inspector.outputs.inspector_scan_results }}
${{ steps.inspector.outputs.inspector_scan_results_csv }}
${{ steps.inspector.outputs.artifact_sbom }}
${{ steps.inspector.outputs.inspector_scan_results_markdown }}
# Publish build to GitHub container registry, IF vulnerability_threshold_exceeded is not set to 1
- name: Push to GHCR container registry
run: docker push ghcr.io/your-repo/vulnerable:latest
if: ${{ steps.inspector.outputs.vulnerability_threshold_exceeded == '0' }}
# GitHub conditional statements can also allow and/or logic, allowing vulnerability_threshold_exceeded to be overridden if desired
# Learn more: https://docs.github.com/en/actions/using-jobs/using-conditions-to-control-job-execution
- name: Push to GHCR container registry (override allowed)
run: docker push ghcr.io/your-repo/vulnerable:latest
if: ${{ steps.inspector.outputs.vulnerability_threshold_exceeded == '0' || env.SBOMGEN_OVERRIDE == 'TRUE' }}
env:
SBOMGEN_OVERRIDE: 'FALSE'
# Fail the workflow if there are enough critical/high vulnerabilities in build to set vulnerability_threshold_exceeded to 1
- name: Fail Action if Inspector vuln threshold exceeded
run: |
exit 1
if: ${{ steps.inspector.outputs.vulnerability_threshold_exceeded == '1' }}