Example Workflow: Using Inspector Scan output in pipeline decisions (#58)

Co-authored-by: Michael Long <31821088+bluesentinelsec@users.noreply.github.com>

Author: fritzdal

.github/workflows/example_vulnerability_threshold_exceeded.yml

@@ -0,0 +1,88 @@
+name: Example Sbomgen Threshold Conditionals  
+
+# This example workflow aims to provide an example of using Inspector Scan vulnerability_threshold_exceeded
+# output to determine next steps in a pipeline 
+
+on:
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  inspector_scan_job:
+    runs-on: ubuntu-latest
+
+    steps:
+
+      # Checkout Repo
+      - name: Checkout this repo
+        uses: actions/checkout@v4
+
+      # setup the environment
+      - name: Set up docker build prereqs (QEMU)
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up docker build prereqs (Buildx)
+        uses: docker/setup-buildx-action@v3
+
+      # build container
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false
+          tags: vulnerable:latest
+          load: true
+
+      # Authenticate with AWS via OIDC
+      # More Detail: https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
+      # IAM Role requirements: https://docs.aws.amazon.com/inspector/latest/user/configure-cicd-account.html#cicd-iam-role
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::<AWS ACCOUNT ID>:role/<AWS IAM ROLE>
+
+      # Inspector scan
+      - name: Scan container with Inspector
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.0
+        id: inspector
+        with:
+          artifact_type: 'container' # configure Inspector for scanning a container
+          artifact_path: 'vulnerable:latest' # scan container built in above steps
+          display_vulnerability_findings: "enabled" # display results in step summary page
+          critical_threshold: 1 # set vulnerability_threshold_exceeded=1 if 1 or more critical vulnerabilities found
+          high_threshold: 10 # set vulnerability_threshold_exceeded=1 if 10 or more high vulnerabilities found
+
+      # Upload Inspector scan results as Artifacts
+      - name: Upload Inspector scan results
+        uses: actions/upload-artifact@v4
+        with:
+          name: Inspector Vulnerability Scan Artifacts
+          path: |
+            ${{ steps.inspector.outputs.inspector_scan_results }}
+            ${{ steps.inspector.outputs.inspector_scan_results_csv }}
+            ${{ steps.inspector.outputs.artifact_sbom }}
+            ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
+
+      # Publish build to GitHub container registry, IF vulnerability_threshold_exceeded is not set to 1
+      - name: Push to GHCR container registry
+        run: docker push ghcr.io/your-repo/vulnerable:latest
+        if: ${{ steps.inspector.outputs.vulnerability_threshold_exceeded == '0' }}
+
+      # GitHub conditional statements can also allow and/or logic, allowing vulnerability_threshold_exceeded to be overridden if desired
+      # Learn more: https://docs.github.com/en/actions/using-jobs/using-conditions-to-control-job-execution
+      - name: Push to GHCR container registry (override allowed)
+        run: docker push ghcr.io/your-repo/vulnerable:latest
+        if: ${{ steps.inspector.outputs.vulnerability_threshold_exceeded == '0' || env.SBOMGEN_OVERRIDE == 'TRUE' }}
+        env:
+          SBOMGEN_OVERRIDE: 'FALSE'
+
+      # Fail the workflow if there are enough critical/high vulnerabilities in build to set vulnerability_threshold_exceeded to 1
+      - name: Fail Action if Inspector vuln threshold exceeded
+        run: |
+          exit 1
+        if: ${{ steps.inspector.outputs.vulnerability_threshold_exceeded == '1' }}