v1.1.0 (#52)

* test sbomgen v1.2.0-beta * test Dockerfile with vulns * Add Dockerfile vulnerabilities (#51) * Add test image for rendering Dockerfile checks * ignore .DS_Store (macOS) * Added starter tests * check if components and vulns are present * Added Dockerfile vuln parser * dockerfile finding markdown conversion * refactor for cleanliness * Remove mock secrets so I can push changes * Updated test data * testing for regression * Integrated Dockerfile checks system-wide * saving work * added CSV and MD integration tests --------- Co-authored-by: Michael Long <[email protected]> * Add workflow to demo Dockerfile vulns * Display Dockerfile scan results * Output Dockerfile findings as CSV only (debugging) * Change action url to this branch * Fix CLI typo * display sbomgen download url * debugging * debugging * debugging * debugging * roll back debug logs * roll back check() macro * check() becomes require_true() * fix typos in dockerfile inputs * fix typo when posting dockerfile csv * debugging set_github_actions_output() * add header to Dockerfile MD report * Update Dockerfile header * update workflow metadata * Add Dockerfile reports as download artifacts * Rename Dockerfile report header * Display Dockerfile findings in job terminal * Set Dockerfile dst csv * Debugging dockerfile reports in GHA terminal * Debug Dockerfile output variables * Test no vulns * Remove 'cat <report>' commands --------- Co-authored-by: Michael Long <[email protected]>
aws-actions · Jun 4, 2024 · a18de02 · a18de02
1 parent 3820085
commit a18de02
Show file tree

Hide file tree

Showing 53 changed files with 177,682 additions and 35,826 deletions.
diff --git a/.github/workflows/build_scan_container.yml b/.github/workflows/build_scan_container.yml
@@ -47,20 +47,23 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan built image with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.0.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@test_sbomgen_1.2.0-beta
         id: inspector
         with:
           artifact_type: 'container'
           artifact_path: 'app:latest'
           display_vulnerability_findings: "enabled"
           output_sbom_path: 'sbom.json'
           output_inspector_scan_path: 'inspector_scan.json'
-          output_inspector_scan_path_csv: 'inspector_scan.csv'
+          output_inspector_scan_path_csv: 'inspector_pkg_scan.csv'
+          output_inspector_dockerfile_scan_path_csv: 'inspector_dockerfile_scan.csv'
+          output_inspector_dockerfile_scan_path_markdown: 'inspector_dockerfile_scan.md'
           critical_threshold: 1
           high_threshold: 1
           medium_threshold: 1
           low_threshold: 1
           other_threshold: 1
+          sbomgen_version: "1.2.0-beta"
 
       - name: Demonstrate SBOM Output (JSON)
         run: cat ${{ steps.inspector.outputs.artifact_sbom }}
@@ -71,14 +74,28 @@ jobs:
       - name: Demonstrate Inspector Scan Output (CSV)
         run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}
 
+      - name: Display Dockerfile vulns (CSV)
+        run: cat inspector_dockerfile_scan.csv
+
+      - name: Display Dockerfile vulns (MD)
+        run: cat inspector_dockerfile_scan.md
+
+      - name: Debug Dockerfile output variables
+        run: |
+          echo ${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}
+          echo ${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}
+
       - name: Demonstrate Upload Scan Results
         uses: actions/upload-artifact@v4
         with:
           name: Inspector Scan SBOM Results
           path: |
+            ${{ steps.inspector.outputs.artifact_sbom }}
             ${{ steps.inspector.outputs.inspector_scan_results }}
             ${{ steps.inspector.outputs.inspector_scan_results_csv }}
-            ${{ steps.inspector.outputs.artifact_sbom }}
+            ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
+            ${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}
+            ${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}
 
       - name: On vulnerability threshold exceeded
 

diff --git a/.github/workflows/example_display_findings.yml b/.github/workflows/example_display_findings.yml
@@ -54,6 +54,7 @@ jobs:
           medium_threshold: 1
           low_threshold: 1
           other_threshold: 1
+          sbomgen_version: "1.2.0-beta"
 
           # Additional input arguments are available.
           # See 'action.yml' for additional input/output options.

diff --git a/.github/workflows/test_archive.yml b/.github/workflows/test_archive.yml
@@ -37,6 +37,7 @@ jobs:
           artifact_type: 'archive'
           artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip'
           display_vulnerability_findings: "enabled"
+          sbomgen_version: "1.2.0-beta"
 
       - name: Display scan results
         run: cat ${{ steps.inspector.outputs.inspector_scan_results }}

diff --git a/.github/workflows/test_binary.yml b/.github/workflows/test_binary.yml
@@ -37,6 +37,7 @@ jobs:
           artifact_type: 'binary'
           artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen'
           display_vulnerability_findings: "enabled"
+          sbomgen_version: "1.2.0-beta"
 
       - name: Display scan results
         run: cat ${{ steps.inspector.outputs.inspector_scan_results }}

diff --git a/.github/workflows/test_containers.yml b/.github/workflows/test_containers.yml
@@ -37,6 +37,7 @@ jobs:
           artifact_type: 'container'
           artifact_path: 'ubuntu:14.04'
           display_vulnerability_findings: "enabled"
+          sbomgen_version: "1.2.0-beta"
 
       - name: Display scan results
         run: cat ${{ steps.inspector.outputs.inspector_scan_results }}

diff --git a/.github/workflows/test_dockerfile_vulns.yml b/.github/workflows/test_dockerfile_vulns.yml
@@ -0,0 +1,77 @@
+name: Test Dockerfile Vulnerabilities
+
+# This workflow tests that the action can successfully
+# scan a GitHub repository. This workflow runs automatically
+# every 6 hours, and on pushes.
+
+on:
+  schedule:
+    - cron: '0 */6 * * *' # runs every 6 hours
+  push:
+    branches: #
+      - '*'
+
+jobs:
+  daily_job:
+    runs-on: ubuntu-latest
+    environment:
+      name: plugin-development
+
+    steps:
+      - name: Checkout this repository
+        uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+
+      - name: Scan Dockerfiles
+        id: inspector
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@test_sbomgen_1.2.0-beta
+        with:
+          artifact_type: 'repository'
+          artifact_path: './'
+          display_vulnerability_findings: "enabled"
+          sbomgen_version: "1.2.0-beta"
+
+      - name: Display scan results (JSON)
+        run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
+
+      - name: Display package vulns (CSV)
+        run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}
+
+      - name: Display package vulns (MD)
+        run: cat ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
+
+      - name: Display Dockerfile vulns (CSV)
+        run: cat ${{ steps.inspector.outputs.inspector_dockerfile_scan_results_csv }}
+
+      - name: Display Dockerfile vulns (MD)
+        run: cat ${{ steps.inspector.outputs.inspector_dockerfile_scan_results_markdown }}
+
+      - name: Validate scan content
+        run: python3 validator/validate_inspector_scan.py --file ${{ steps.inspector.outputs.inspector_scan_results }}
+
+      - name: Demonstrate Upload Scan Results
+        uses: actions/upload-artifact@v4
+        with:
+          name: Inspector Scan SBOM Results
+          path: |
+            ${{ steps.inspector.outputs.artifact_sbom }}
+            ${{ steps.inspector.outputs.inspector_scan_results }}
+            ${{ steps.inspector.outputs.inspector_scan_results_csv }}
+            ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
+            ${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}
+            ${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}
+
+
+      # only run if the previous step failed
+      - name: Notify maintainers of validation failure
+        if: ${{ failure() }}
+        run: echo "this feature is not implemented"
+        # TODO: add steps to send notification to a Lambda to cut a ticket on job failure
+
diff --git a/.github/workflows/test_installation.yml b/.github/workflows/test_installation.yml
@@ -33,6 +33,7 @@ jobs:
           artifact_type: 'container'
           artifact_path: 'alpine:latest'
           display_vulnerability_findings: "enabled"
+          sbomgen_version: "1.2.0-beta"
 
       # only run if the previous step failed
       - name: Notify maintainers of installation failure

diff --git a/.github/workflows/test_no_vulns.yml b/.github/workflows/test_no_vulns.yml
@@ -0,0 +1,54 @@
+name: Test No Vulns
+
+# confirm that reports are not displayed when no vulns are found
+
+on:
+  push:
+    branches: #
+      - '*'
+
+jobs:
+  daily_job:
+    runs-on: ubuntu-latest
+    environment:
+      name: plugin-development
+
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+
+      - name: Test binary scan
+        id: inspector
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@test_sbomgen_1.2.0-beta
+        with:
+          artifact_type: 'binary'
+          artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary'
+          display_vulnerability_findings: "enabled"
+          output_sbom_path: 'sbom.json'
+          output_inspector_scan_path: 'inspector_scan.json'
+          output_inspector_scan_path_csv: 'inspector_pkg_scan.csv'
+          output_inspector_dockerfile_scan_path_csv: 'inspector_dockerfile_scan.csv'
+          output_inspector_dockerfile_scan_path_markdown: 'inspector_dockerfile_scan.md'
+          sbomgen_version: "1.2.0-beta"
+
+      - name: Demonstrate Upload Scan Results
+        uses: actions/upload-artifact@v4
+        with:
+          name: Inspector Scan SBOM Results
+          path: |
+            ${{ steps.inspector.outputs.artifact_sbom }}
+            ${{ steps.inspector.outputs.inspector_scan_results }}
+            ${{ steps.inspector.outputs.inspector_scan_results_csv }}
+            ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
+            ${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}
+            ${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}
+
diff --git a/.github/workflows/test_repository.yml b/.github/workflows/test_repository.yml
@@ -36,6 +36,7 @@ jobs:
           artifact_type: 'repository'
           artifact_path: './'
           display_vulnerability_findings: "enabled"
+          sbomgen_version: "1.2.0-beta"
 
       - name: Display scan results
         run: cat ${{ steps.inspector.outputs.inspector_scan_results }}

diff --git a/.github/workflows/test_vuln_thresholds.yml b/.github/workflows/test_vuln_thresholds.yml
@@ -44,6 +44,7 @@ jobs:
           medium_threshold: 1
           low_threshold: 1
           other_threshold: 1
+          sbomgen_version: "1.2.0-beta"
 
       - name: Fail if vulnerability threshold is exceeded
         run: if [[  ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }} != "1" ]]; then echo "test failed"; else echo "test passed"; fi

diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,4 @@ plan.txt
 __pycache__
 scripts/entrypoint/test_data
 .coverage
+.DS_Store
diff --git a/README.md b/README.md
@@ -21,6 +21,12 @@ This action can scan the following artifact types for vulnerabilities:
 
 For more information, please refer to Amazon Inspector's supported [artifacts](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html) and [container operating systems](https://docs.aws.amazon.com/inspector/latest/user/supported.html#supported-os-ecr).
 
+To learn more about Amazon Inspector, as well as Inspector's free trial and pricing model, please see the links below:
+
+1. https://aws.amazon.com/inspector/
+2. https://aws.amazon.com/inspector/pricing/?nc=sn&loc=3
+
+
 ## Prerequisites
 
 1. **Required:** You must have an active AWS account to use this action. Guidance on creating an AWS account is

diff --git a/action.yml b/action.yml
@@ -40,6 +40,16 @@ inputs:
     required: False
     default: 'inspector_scan_${{ github.run_id }}.md'
 
+  output_inspector_dockerfile_scan_path_csv:
+    description: "The destination file path for Inspector's Dockerfile vulnerability scan (CSV format)."
+    required: False
+    default: 'inspector_dockerfile_scan_${{ github.run_id }}.csv'
+
+  output_inspector_dockerfile_scan_path_markdown:
+    description: "The destination file path for Inspector's Dockerfile vulnerability scan (markdown format)."
+    required: False
+    default: 'inspector_dockerfile_scan_${{ github.run_id }}.md'
+
   sbomgen_version:
     description: "The inspector-sbomgen version you wish to use for SBOM generation. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html"
     required: False
@@ -109,6 +119,13 @@ outputs:
   inspector_scan_results_markdown:
     description: "The file path to the Inspector vulnerability scan findings in markdown format."
 
+  inspector_dockerile_scan_results_csv:
+    description: "The file path to the Inspector Dockerfile vulnerability scan findings in CSV format."
+
+  inspector_dockerile_scan_results_markdown:
+    description: "The file path to the Inspector Dockerfile vulnerability scan findings in markdown format."
+
+
   vulnerability_threshold_exceeded:
     description: "This variable is set to 1 if any vulnerability threshold was exceeded, otherwise it is 0. This variable can be used to trigger custom logic, such as failing the job if vulnerabilities were detected."
 
@@ -123,6 +140,8 @@ runs:
     - --out-scan=${{ inputs.output_inspector_scan_path }}
     - --out-scan-csv=${{ inputs.output_inspector_scan_path_csv }}
     - --out-scan-markdown=${{ inputs.output_inspector_scan_path_markdown }}
+    - --out-dockerfile-scan-csv=${{ inputs.output_inspector_dockerfile_scan_path_csv }}
+    - --out-dockerfile-scan-md=${{ inputs.output_inspector_dockerfile_scan_path_markdown }}
     - --sbomgen-version=${{ inputs.sbomgen_version }}
     - --thresholds
     - --critical=${{ inputs.critical_threshold }}

diff --git a/entrypoint/entrypoint/cli.py b/entrypoint/entrypoint/cli.py
@@ -23,6 +23,10 @@ def init(sys_argv=None) -> argparse.Namespace:
                         help="The destination file path for Inspector's vulnerability scan in CSV format.")
     parser.add_argument("--out-scan-markdown", type=str, default="inspector-scan.md",
                         help="The destination file path for Inspector's vulnerability scan results in markdown format.")
+    parser.add_argument("--out-dockerfile-scan-csv", type=str, default="inspector-dockerfile-scan.csv",
+                        help="The destination file path for Inspector's Dockerfile vulnerability scan in CSV format.")
+    parser.add_argument("--out-dockerfile-scan-md", type=str, default="inspector-dockerfile-scan.md",
+                        help="The destination file path for Inspector's Dockerfile vulnerability scan in markdown format.")
     parser.add_argument("--verbose", action="store_true", help="Enables verbose console logging.")
     parser.add_argument("--sbomgen-version", type=str, default="latest",
                         help="The inspector-sbomgen version you wish to use for SBOM generation.")