add --out-scan-markdown CLI arg (#36)

* add --out-scan-markdown CLI arg

* change --out-scan-markdown to string from bool

* pass --display-vuln-findings as string

* write markdown report to disk

---------

Co-authored-by: Michael Long <mlongii@amazon.com>

Author: bluesentinelsec

action.yml

@@ -13,9 +13,9 @@ inputs:
     default: './'
 
   display_vulnerability_findings:
-    description: 'If true, the action will display detailed vulnerability findings in the action summary page; see here for an example: https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/actions/runs/8742638284/attempts/1#summary-23991378549'
+    description: 'If set to "enabled", the action will display detailed vulnerability findings in the action summary page; see here for an example: https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/actions/runs/8742638284/attempts/1#summary-23991378549'
     required: True
-    default: False
+    default: "disabled"
 
   output_sbom_path:
     description: "The destination file path for the generated SBOM."
@@ -32,6 +32,11 @@ inputs:
     required: False
     default: 'inspector_scan_${{ github.run_id }}.csv'
 
+  output_inspector_scan_path_markdown:
+    description: "The destination file path for Inspector's vulnerability scan (CSV format)."
+    required: False
+    default: 'inspector_scan_${{ github.run_id }}.md'
+
 
   sbomgen_version:
     description: "The inspector-sbomgen version you wish to use for SBOM generation. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html"
@@ -113,6 +118,7 @@ runs:
     - --out-sbom=${{ inputs.output_sbom_path}}
     - --out-scan=${{ inputs.output_inspector_scan_path }}
     - --out-scan-csv=${{ inputs.output_inspector_scan_path_csv }}
+    - --out-scan-markdown=${{ inputs.output_inspector_scan_path_markdown }}
     - --sbomgen-version=${{ inputs.sbomgen_version }}
     - --thresholds
     - --critical=${{ inputs.critical_threshold }}

entrypoint/entrypoint/cli.py

@@ -13,12 +13,16 @@ def init(sys_argv=None) -> argparse.Namespace:
                         help='The artifact you would like to scan with Amazon Inspector. Valid choices are "repository", "container", "binary", or "archive".')
     parser.add_argument("--artifact-path", type=str, default="./",
                         help='The path to the artifact you would like to scan with Amazon Inspector. If scanning a container image, you must provide a  value that follows the docker pull convention: "NAME[:TAG|@DIGEST]", for example, "alpine:latest", or a path to an image exported as tarball using "docker save".')
+    parser.add_argument("--display-vuln-findings", type=str, default="disabled",
+                        help="If set, this program will present Inspector findings in the GitHub Actions job summary page")
     parser.add_argument("--out-sbom", type=str, default="sbom.json",
                         help="The destination file path for the generated SBOM.")
     parser.add_argument("--out-scan", type=str, default="inspector-scan.json",
                         help="The destination file path for Inspector's vulnerability scan in JSON format.")
-    parser.add_argument("--out-scan-csv", type=str, default="/tmp/scan.csv",
+    parser.add_argument("--out-scan-csv", type=str, default="inspector-scan.csv",
                         help="The destination file path for Inspector's vulnerability scan in CSV format.")
+    parser.add_argument("--out-scan-markdown", type=str, default="inspector-scan.md",
+                        help="The destination file path for Inspector's vulnerability scan results in markdown format.")
     parser.add_argument("--verbose", action="store_true", help="Enables verbose console logging.")
     parser.add_argument("--sbomgen-version", type=str, default="latest",
                         help="The inspector-sbomgen version you wish to use for SBOM generation.")
@@ -42,8 +46,6 @@ def init(sys_argv=None) -> argparse.Namespace:
                         help="Specifies one or more files and/or directories that should NOT be inventoried.")
     parser.add_argument("--timeout", type=str, default="600",
                         help="The amount of time in seconds that inspector-sbomgne will run. When this timeout is exceeded, sbomgen will gracefully conclude and present any findings discovered up to that point.")
-    parser.add_argument("--display-vuln-findings", action='store_true',
-                        help="If toggled, this program will present Inspector findings in the GitHub Actions job summary page")
 
     args = ""
     if sys_argv:

entrypoint/entrypoint/orchestrator.py

@@ -334,10 +334,13 @@ def execute(args) -> int:
                                          lows=lows,
                                          others=others)
 
-        if args.display_vuln_findings:
+        if args.display_vuln_findings == "enabled":
             logging.info("posting markdown to job summary")
             converter.post_github_step_summary(markdown)
 
+        with open(args.out_scan_markdown, "w") as f:
+            f.write(markdown)
+
     is_exceeded = exceeds_threshold(criticals, args.critical,
                                     highs, args.high,
                                     mediums, args.medium,