Commit 50ba29e

bluesentinelsec and Michael Long authored
Minor README and workflow refinements (#42)
* updated workflows and license text
* minor README updates

Co-authored-by: Michael Long <mlongii@amazon.com>
1 parent 4dc144b commit 50ba29e

1 file changed

+27
-27
lines changed


README.md

Lines changed: 27 additions & 27 deletions
@@ -12,7 +12,7 @@ An active AWS account is required to use this action.
1212

1313
This action works by first generating a CycloneDX software bill of materials (SBOM) for the provided artifact.
1414

15-
The SBOM is then sent to Amazon Inspector; Inspector scans the provided SBOM for known vulnerabilities, and returns its
15+
The SBOM is then sent to Amazon Inspector. Inspector scans the provided SBOM for known vulnerabilities, and returns its
1616
results to the calling action.
1717

1818
This action can scan the following artifact types for software vulnerabilities:
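Review bot: the rewritten line 15 still keeps a comma before "and returns its", which separates two verbs sharing the single subject "Inspector"; since this sentence is being re-punctuated anyway, consider "Inspector scans the provided SBOM for known vulnerabilities and returns its" so the new sentence is internally consistent.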
@@ -156,7 +156,7 @@ Perform the following steps to quickly add this action to your GitHub Actions pi
156156
run: echo ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
157157
```
158158
159-
2. Save your workflow file then git commit / git push the workflow to GitHub.
159+
2. Save your workflow file, then git commit / git push the workflow to GitHub.
160160
161161
GitHub should automatically run your new workflow; review its results and make any needed changes to the input and
162162
output arguments.
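Review bot: style point on line 159: "git commit / git push" are commands, and the README already uses fenced code for the workflow directly above this step, so wrapping them in inline backticks (`git commit` / `git push`) would match the document's own conventions; the added comma reads fine.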
@@ -165,17 +165,17 @@ For additional examples, see [this repository's workflow definitions](.github/wo
165165
166166
### Configuring Vulnerability Scan Outputs
167167
168-
This action provides detailed Inspector scan findings in JSON, CSV, and markdown, plus, a CycloneDX software bill of
168+
This action provides detailed Inspector scan findings in JSON, CSV, and markdown, as well as a CycloneDX software bill of
169169
materials in JSON.
170170
171-
By default, this action will only display the number of vulnerabilities detected in the GitHub Actions job terminal;
172-
detailed vulnerability findings are not shown.
171+
By default, this action will only display the number of vulnerabilities detected in the GitHub Actions job terminal.
172+
Detailed vulnerability findings are not shown by design.
173173
174174
This is done so **you** can control how and where your vulnerability findings are presented and stored.
175175
176176
The example below shows how to present this action's outputs in various locations and formats.
177177
178-
Exercise caution to ensure you do not accidentally post vulnerability information to untrusted viewers.
178+
**Exercise caution to ensure you do not accidentally post vulnerability information to untrusted viewers.**
179179
180180
```yaml
181181
- name: Scan container
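Review bot: lines 171-172 and line 174 now say the same thing twice: "Detailed vulnerability findings are not shown by design." is immediately followed by "This is done so **you** can control how and where your vulnerability findings are presented and stored." Either drop "by design" or fold line 174 into the new sentence. The bolded caution on line 178 is a good change; since line 176 introduces an example that posts the outputs to "various locations", consider naming the concrete risk in the same sentence, e.g. that a job summary or other destination readable by people outside the team exposes the full list of vulnerable components, so readers know what "untrusted viewers" means in practice.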
@@ -254,7 +254,7 @@ The example below shows how to set up vulnerability thresholds and fail the job
254254
This action supports a common use case that entails building a container image, scanning the built image for
255255
vulnerabilities, and optionally, failing the workflow before the image is deployed to a container registry or elsewhere.
256256
257-
We provide an example of this workflow below; you must modify this workflow to suit your environment:
257+
We provide an example of this workflow below. You must modify this workflow to suit your environment:
258258
259259
```yaml
260260
name: Build & Scan Container Image
@@ -319,29 +319,29 @@ jobs:
319319

320320
## Action Inputs and Outputs
321321

322-
The following input and output options are provided by this action; see [action.yml](./action.yml) for more detail.
322+
The following input and output options are provided by this action. See [action.yml](./action.yml) for more detail.
323323

324324
### Input Options
325325

326-
| **Name** | **Description** | **Required** | **Default** |
327-
|---|---|---|---|
328-
| artifact_type | The artifact you would like to scan with Amazon Inspector. Valid choices are "repository", "container", "binary", or "archive". | True | repository |
329-
| artifact_path | The file path to the artifact you would like to scan with Amazon Inspector. File paths are relative to the root project directory. If scanning a container image, you must provide a value that follows the docker pull convention: "NAME[:TAG\|@DIGEST]", for example, "alpine:latest", or a path to an image exported as tarball using "docker save". | True | ./ |
330-
| display_vulnerability_findings | If set to "enabled", the action will display detailed vulnerability findings in the action summary page; see here for an example: https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/actions/runs/8742638284/attempts/1#summary-23991378549 | True | disabled |
331-
| output_sbom_path | The destination file path for the generated SBOM. | False | ./sbom_${{ github.run_id }}.json |
332-
| output_inspector_scan_path | The destination file path for Inspector's vulnerability scan (JSON format). | False | inspector_scan_${{ github.run_id }}.json |
333-
| output_inspector_scan_path_csv | The destination file path for Inspector's vulnerability scan (CSV format). | False | inspector_scan_${{ github.run_id }}.csv |
334-
| output_inspector_scan_path_markdown | The destination file path for Inspector's vulnerability scan (markdown format). | False | inspector_scan_${{ github.run_id }}.md |
335-
| sbomgen_version | The inspector-sbomgen version you wish to use for SBOM generation. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html | False | latest |
336-
| critical_threshold | Specifies the number of critical vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag. | False | 0 |
337-
| high_threshold | Specifies the number of high vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag. | False | 0 |
338-
| medium_threshold | Specifies the number of medium vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag. | False | 0 |
339-
| low_threshold | Specifies the number of low vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag. | False | 0 |
340-
| other_threshold | Specifies the number of other vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag. | False | 0 |
341-
| scanners | Specifies the file scanners that you would like inspector-sbomgen to execute. By default, inspector-sbomgen will try to run all file scanners that are applicable to the target artifact. If this argument is set, inspector-sbomgen will only execute the specified file scanners. Provide your input as a single string. Separate each file scanner with a comma. For example: scanners: dpkg,python-requirements,javascript-nodejsTo view a list of available file scanners, execute 'inspector-sbomgen list-scanners'. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html | False | '' |
342-
| skip_scanners | Specifies a list of file scanners that should NOT be executed; this argument cannot be combined with 'scanners'. If this argument is set, inspector-sbomgen will execute all file scanners except those you specified. Provide your input as a single string. Separate each file scanner with a comma. For example: skip_scanners: 'binaries,alpine-apk,dpkg,php'To view a list of available file scanners, execute 'inspector-sbomgen list-scanners'. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html | False | '' |
343-
| skip_files | Specifies one or more files and/or directories that should NOT be inventoried. Separate each file with a comma and enclose the entire string in double quotes, for example: skip_files: "./media,/tmp/foo/,/bar/my_program" | False | '' |
344-
| timeout | Specifies a timeout in seconds. If this timeout is exceeded, the action will gracefully conclude and present any findings discovered up to that point. Default value is 600 seconds or 10 minutes. | False | 600 |
326+
| **Name** | **Description** | **Required** | **Default** |
327+
|---|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|---|
328+
| artifact_type | The artifact you would like to scan with Amazon Inspector. Valid choices are "repository", "container", "binary", or "archive". | True | repository |
329+
| artifact_path | The file path to the artifact you would like to scan with Amazon Inspector. File paths are relative to the root project directory. If scanning a container image, you must provide a value that follows the docker pull convention: "NAME[:TAG\ |@DIGEST]", for example, "alpine:latest", or a path to an image exported as tarball using "docker save". | True | ./ |
330+
| display_vulnerability_findings | If set to "enabled", the action will display detailed vulnerability findings in the action summary page; see here for an example: https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/actions/runs/8742638284/attempts/1#summary-23991378549 | True | disabled |
331+
| output_sbom_path | The destination file path for the generated SBOM. | False | ./sbom_${{ github.run_id }}.json |
332+
| output_inspector_scan_path | The destination file path for Inspector's vulnerability scan (JSON format). | False | inspector_scan_${{ github.run_id }}.json |
333+
| output_inspector_scan_path_csv | The destination file path for Inspector's vulnerability scan (CSV format). | False | inspector_scan_${{ github.run_id }}.csv |
334+
| output_inspector_scan_path_markdown | The destination file path for Inspector's vulnerability scan (markdown format). | False | inspector_scan_${{ github.run_id }}.md |
335+
| sbomgen_version | The inspector-sbomgen version you wish to use for SBOM generation. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html | False | latest |
336+
| critical_threshold | Specifies the number of critical vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag. | False | 0 |
337+
| high_threshold | Specifies the number of high vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag. | False | 0 |
338+
| medium_threshold | Specifies the number of medium vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag. | False | 0 |
339+
| low_threshold | Specifies the number of low vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag. | False | 0 |
340+
| other_threshold | Specifies the number of other vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag. | False | 0 |
341+
| scanners | Specifies the file scanners that you would like inspector-sbomgen to execute. By default, inspector-sbomgen will try to run all file scanners that are applicable to the target artifact. If this argument is set, inspector-sbomgen will only execute the specified file scanners. Provide your input as a single string. Separate each file scanner with a comma. For example: scanners: dpkg,python-requirements,javascript-nodejs. To view a list of available file scanners, execute 'inspector-sbomgen list-scanners'. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html | False | '' |
342+
| skip_scanners | Specifies a list of file scanners that should NOT be executed; this argument cannot be combined with 'scanners'. If this argument is set, inspector-sbomgen will execute all file scanners except those you specified. Provide your input as a single string. Separate each file scanner with a comma. For example: skip_scanners: 'binaries,alpine-apk,dpkg,php'. To view a list of available file scanners, execute 'inspector-sbomgen list-scanners'. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html | False | '' |
343+
| skip_files | Specifies one or more files and/or directories that should NOT be inventoried. Separate each file with a comma and enclose the entire string in double quotes, for example: skip_files: "./media,/tmp/foo/,/bar/my_program" | False | '' |
344+
| timeout | Specifies a timeout in seconds. If this timeout is exceeded, the action will gracefully conclude and present any findings discovered up to that point. The default value is 600 seconds (i.e. 10 minutes). | False | 600 |
345345

346346
### Output Options
347347

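Review bot: logic problem on line 329: the artifact_path description changed from `"NAME[:TAG\|@DIGEST]"` to `"NAME[:TAG\ |@DIGEST]"`. With a space between the backslash and the pipe, the backslash no longer escapes the pipe, so the bare `|` is parsed as a cell separator and that row renders with an extra column (and the convention text itself would read `TAG |@DIGEST` even if it did render). Restore `TAG\|@DIGEST`. This looks like a table auto-formatter artifact, as does the header separator on line 327, which grew to several hundred dashes; markdown only needs `|---|---|---|---|`, and the short form keeps future diffs of this table readable. The wording fixes elsewhere in the table (sentence-ending periods after the scanners and skip_scanners examples, "The default value is 600 seconds (i.e. 10 minutes)") are fine.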