refactor: organize action.yml into logical groups (#148)

bluesentinelsec · web-flow · commit 02acd54f5409 · 2025-11-04T11:25:20.000-05:00
- Group inputs by function: Artifact Config, SBOM Generation, Thresholds, Output
- Improve artifact_path description with clearer examples per artifact type
- Clarify threshold descriptions to explain vulnerability_threshold_exceeded output
- Maintain full backward compatibility with existing input names and defaults
diff --git a/action.yml b/action.yml
@@ -5,81 +5,27 @@ branding:
   icon: cloud
 
 inputs:
+  # Artifact Configuration
   artifact_type:
     description: 'The artifact you would like to scan with Amazon Inspector. Valid choices are "repository", "container", "binary", or "archive".'
     required: True
     default: 'repository'
 
   artifact_path:
-    description: 'The file path to the artifact you would like to scan with Amazon Inspector. File paths are relative to the root project directory. If scanning a container image, you must provide a value that follows the docker pull convention: "NAME[:TAG|@DIGEST]", for example, "alpine:latest", or a path to an image exported as tarball using "docker save".'
+    description: 'Path to the artifact to scan. For repositories/files: relative path from project root (e.g., "./", "src/"). For containers: image reference that follows the docker pull convention: "NAME[:TAG|@DIGEST]" (e.g., "alpine:latest") or path to saved tarball. For binaries/archives: file path relative to project root.'
     required: True
     default: './'
 
-  display_vulnerability_findings:
-    description: 'If set to "enabled", the action will display detailed vulnerability findings in the step summary page; see here for an example report: https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/actions/runs/8878213714'
-    required: True
-    default: "disabled"
-
-  output_sbom_path:
-    description: "The destination file path for the generated SBOM."
-    required: False
-    default: './sbom_${{ github.run_id }}.json'
-
-  output_inspector_scan_path:
-    description: "The destination file path for Inspector's vulnerability scan (JSON format)."
-    required: False
-    default: 'inspector_scan_${{ github.run_id }}.json'
-
-  output_inspector_scan_path_csv:
-    description: "The destination file path for Inspector's vulnerability scan (CSV format)."
-    required: False
-    default: 'inspector_scan_${{ github.run_id }}.csv'
-
-  output_inspector_scan_path_markdown:
-    description: "The destination file path for Inspector's vulnerability scan (markdown format)."
-    required: False
-    default: 'inspector_scan_${{ github.run_id }}.md'
-
-  output_inspector_dockerfile_scan_path_csv:
-    description: "The destination file path for Inspector's Dockerfile vulnerability scan (CSV format)."
-    required: False
-    default: 'inspector_dockerfile_scan_${{ github.run_id }}.csv'
-
-  output_inspector_dockerfile_scan_path_markdown:
-    description: "The destination file path for Inspector's Dockerfile vulnerability scan (markdown format)."
+  platform:
+    description: "Specifies the OS and CPU arch of the container image you wish to scan. Valid inputs are of the form 'os/cpu/variant' for example, 'linux/amd64', 'linux/arm64/v8', etc. If no platform is specified, the system will use the same platform as the host that is performing the scan. This argument only affects container image scans. Requires inspector-sbomgen 1.5.1 or later."
     required: False
-    default: 'inspector_dockerfile_scan_${{ github.run_id }}.md'
 
+  # SBOM Generation Configuration
   sbomgen_version:
     description: "The inspector-sbomgen version you wish to use for SBOM generation. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html"
     required: False
     default: "latest"
 
-  critical_threshold:
-    description: "Specifies the number of critical vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag."
-    required: False
-    default: 0
-
-  high_threshold:
-    description: "Specifies the number of high vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag."
-    required: False
-    default: 0
-
-  medium_threshold:
-    description: "Specifies the number of medium vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag."
-    required: False
-    default: 0
-
-  low_threshold:
-    description: "Specifies the number of low vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag."
-    required: False
-    default: 0
-
-  other_threshold:
-    description: "Specifies the number of other vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag."
-    required: False
-    default: 0
-
   scanners:
     description: "Specifies the file scanners that you would like inspector-sbomgen to execute. By default, inspector-sbomgen will try to run all file scanners that are applicable to the target artifact. If this argument is set, inspector-sbomgen will only execute the specified file scanners. Provide your input as a single string. Separate each file scanner with a comma. To view a list of available file scanners, execute 'inspector-sbomgen list-scanners'. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html"
     required: False
@@ -106,22 +52,80 @@ inputs:
     required: False
     default: 600 # 10 minutes
 
-  platform:
-    description: "Specifies the OS and CPU arch of the container image you wish to scan. Valid inputs are of the form 'os/cpu/variant' for example, 'linux/amd64', 'linux/arm64/v8', etc. If no platform is specified, the system will use the same platform as the host that is performing the scan. This argument only affects container image scans. Requires inspector-sbomgen 1.5.1 or later."
+  # Vulnerability Threshold Configuration
+  critical_threshold:
+    description: "Set 'vulnerability_threshold_exceeded' output to true if critical vulnerabilities found >= this number. Set to 0 to ignore critical vulnerabilities."
+    required: False
+    default: 0
+
+  high_threshold:
+    description: "Set 'vulnerability_threshold_exceeded' output to true if critical vulnerabilities found >= this number. Set to 0 to ignore high vulnerabilities."
+    required: False
+    default: 0
+
+  medium_threshold:
+    description: "Set 'vulnerability_threshold_exceeded' output to true if critical vulnerabilities found >= this number. Set to 0 to ignore medium vulnerabilities."
+    required: False
+    default: 0
+
+  low_threshold:
+    description: "Set 'vulnerability_threshold_exceeded' output to true if critical vulnerabilities found >= this number. Set to 0 to ignore low vulnerabilities."
     required: False
+    default: 0
+
+  other_threshold:
+    required: False
+    description: "Set 'vulnerability_threshold_exceeded' output to true if critical vulnerabilities found >= this number. Set to 0 to ignore other vulnerabilities."
+    default: 0
 
   threshold_fixable_only:
     description: 'If set to true, only count vulnerabilities with a fix towards threshold exceeded condition.'
     required: False
     default: false
     type: boolean
 
+  # Output Configuration
+  display_vulnerability_findings:
+    description: 'If set to "enabled", the action will display detailed vulnerability findings in the step summary page; see here for an example report: https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/actions/runs/8878213714'
+    required: True
+    default: "disabled"
+
   show_only_fixable_vulns:
     description: "If set to true, this action will show only fixed vulnerabilities in the GitHub Actions step summary page. All vulnerability metadata is still retained in the raw Inspector scan files."
     required: False
     default: false
     type: boolean
 
+  output_sbom_path:
+    description: "The destination file path for the generated SBOM."
+    required: False
+    default: './sbom_${{ github.run_id }}.json'
+
+  output_inspector_scan_path:
+    description: "The destination file path for Inspector's vulnerability scan (JSON format)."
+    required: False
+    default: 'inspector_scan_${{ github.run_id }}.json'
+
+  output_inspector_scan_path_csv:
+    description: "The destination file path for Inspector's vulnerability scan (CSV format)."
+    required: False
+    default: 'inspector_scan_${{ github.run_id }}.csv'
+
+  output_inspector_scan_path_markdown:
+    description: "The destination file path for Inspector's vulnerability scan (markdown format)."
+    required: False
+    default: 'inspector_scan_${{ github.run_id }}.md'
+
+  output_inspector_dockerfile_scan_path_csv:
+    description: "The destination file path for Inspector's Dockerfile vulnerability scan (CSV format)."
+    required: False
+    default: 'inspector_dockerfile_scan_${{ github.run_id }}.csv'
+
+  output_inspector_dockerfile_scan_path_markdown:
+    description: "The destination file path for Inspector's Dockerfile vulnerability scan (markdown format)."
+    required: False
+    default: 'inspector_dockerfile_scan_${{ github.run_id }}.md'
+
 outputs:
   artifact_sbom:
     description: "The filepath to the artifact's software bill of materials."
