Commit a18de02

bluesentinelsec and Michael Long authored
v1.1.0 (#52)
* test sbomgen v1.2.0-beta
* test Dockerfile with vulns
* Add Dockerfile vulnerabilities (#51)
* Add test image for rendering Dockerfile checks
* ignore .DS_Store (macOS)
* Added starter tests
* check if components and vulns are present
* Added Dockerfile vuln parser
* dockerfile finding markdown conversion
* refactor for cleanliness
* Remove mock secrets so I can push changes
* Updated test data
* testing for regression
* Integrated Dockerfile checks system-wide
* saving work
* added CSV and MD integration tests
---------
Co-authored-by: Michael Long <mlongii@amazon.com>
* Add workflow to demo Dockerfile vulns
* Display Dockerfile scan results
* Output Dockerfile findings as CSV only (debugging)
* Change action url to this branch
* Fix CLI typo
* display sbomgen download url
* debugging
* debugging
* debugging
* debugging
* roll back debug logs
* roll back check() macro
* check() becomes require_true()
* fix typos in dockerfile inputs
* fix typo when posting dockerfile csv
* debugging set_github_actions_output()
* add header to Dockerfile MD report
* Update Dockerfile header
* update workflow metadata
* Add Dockerfile reports as download artifacts
* Rename Dockerfile report header
* Display Dockerfile findings in job terminal
* Set Dockerfile dst csv
* Debugging dockerfile reports in GHA terminal
* Debug Dockerfile output variables
* Test no vulns
* Remove 'cat <report>' commands
---------
Co-authored-by: Michael Long <mlongii@amazon.com>
1 parent 3820085 commit a18de02


53 files changed

+177682
-35826
lines changed

.github/workflows/build_scan_container.yml

Lines changed: 20 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -47,20 +47,23 @@ jobs:
4747
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
4848

4949
- name: Scan built image with Inspector
50-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.0.0
50+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@test_sbomgen_1.2.0-beta
5151
id: inspector
5252
with:
5353
artifact_type: 'container'
5454
artifact_path: 'app:latest'
5555
display_vulnerability_findings: "enabled"
5656
output_sbom_path: 'sbom.json'
5757
output_inspector_scan_path: 'inspector_scan.json'
58-
output_inspector_scan_path_csv: 'inspector_scan.csv'
58+
output_inspector_scan_path_csv: 'inspector_pkg_scan.csv'
59+
output_inspector_dockerfile_scan_path_csv: 'inspector_dockerfile_scan.csv'
60+
output_inspector_dockerfile_scan_path_markdown: 'inspector_dockerfile_scan.md'
5961
critical_threshold: 1
6062
high_threshold: 1
6163
medium_threshold: 1
6264
low_threshold: 1
6365
other_threshold: 1
66+
sbomgen_version: "1.2.0-beta"
6467

6568
- name: Demonstrate SBOM Output (JSON)
6669
run: cat ${{ steps.inspector.outputs.artifact_sbom }}
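Review bot: the `uses:` line in this hunk now references a branch (`@test_sbomgen_1.2.0-beta`) instead of the previous version tag `@v1.0.0`, and `sbomgen_version: "1.2.0-beta"` pins a pre-release. A branch reference is mutable, so every run of this workflow executes whatever that branch holds at the time rather than a reviewed, fixed revision; before merging, point it back at an immutable tag (or a full commit SHA) and either drop the beta pin or move it to the released version. Minor: the CSV input is renamed from `inspector_scan.csv` to `inspector_pkg_scan.csv` here, which is a good disambiguation now that a Dockerfile CSV exists, but the rename should be called out in the README since existing users may be reading the old path.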
@@ -71,14 +74,28 @@ jobs:
7174
- name: Demonstrate Inspector Scan Output (CSV)
7275
run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}
7376

77+
- name: Display Dockerfile vulns (CSV)
78+
run: cat inspector_dockerfile_scan.csv
79+
80+
- name: Display Dockerfile vulns (MD)
81+
run: cat inspector_dockerfile_scan.md
82+
83+
- name: Debug Dockerfile output variables
84+
run: |
85+
echo ${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}
86+
echo ${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}
87+
7488
- name: Demonstrate Upload Scan Results
7589
uses: actions/upload-artifact@v4
7690
with:
7791
name: Inspector Scan SBOM Results
7892
path: |
93+
${{ steps.inspector.outputs.artifact_sbom }}
7994
${{ steps.inspector.outputs.inspector_scan_results }}
8095
${{ steps.inspector.outputs.inspector_scan_results_csv }}
81-
${{ steps.inspector.outputs.artifact_sbom }}
96+
${{ steps.inspector.outputs.inspector_scan_results_markdown }}
97+
${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}
98+
${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}
8299
83100
- name: On vulnerability threshold exceeded
84101
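Review bot: the output ids in the debug step and in the upload-artifact list are spelled `inspector_dockerile_scan_results_csv` / `inspector_dockerile_scan_results_markdown` (missing the `f` in "dockerfile"), which does not match the input names `output_inspector_dockerfile_scan_path_csv` / `_markdown` added above. If the action's real output ids use the `dockerfile` spelling, these four expressions expand to empty strings: the `echo` lines print nothing and the two upload paths silently match no file, so the Dockerfile reports never reach the artifact. Fix the spelling (or, if `dockerile` really is the output id, fix it in `action.yml`) so the name is consistent everywhere. Two smaller points: the "Display Dockerfile vulns" steps `cat` hardcoded file names (`inspector_dockerfile_scan.csv`, `inspector_dockerfile_scan.md`) instead of the step outputs, which will break if the input paths change; and the "Debug Dockerfile output variables" step reads like leftover debugging that should be removed before this ships as v1.1.0.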

.github/workflows/example_display_findings.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -54,6 +54,7 @@ jobs:
5454
medium_threshold: 1
5555
low_threshold: 1
5656
other_threshold: 1
57+
sbomgen_version: "1.2.0-beta"
5758

5859
# Additional input arguments are available.
5960
# See 'action.yml' for additional input/output options.
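Review bot: this is the example workflow users are expected to copy, and the hunk makes it pin `sbomgen_version: "1.2.0-beta"`. Suggest keeping the example on a released sbomgen version (or omitting the input so the action's default applies) and confining the beta pin to the test workflows, otherwise users who copy the example will run a pre-release scanner in their pipelines.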

.github/workflows/test_archive.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,7 @@ jobs:
3737
artifact_type: 'archive'
3838
artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip'
3939
display_vulnerability_findings: "enabled"
40+
sbomgen_version: "1.2.0-beta"
4041

4142
- name: Display scan results
4243
run: cat ${{ steps.inspector.outputs.inspector_scan_results }}

.github/workflows/test_binary.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,7 @@ jobs:
3737
artifact_type: 'binary'
3838
artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen'
3939
display_vulnerability_findings: "enabled"
40+
sbomgen_version: "1.2.0-beta"
4041

4142
- name: Display scan results
4243
run: cat ${{ steps.inspector.outputs.inspector_scan_results }}

.github/workflows/test_containers.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,7 @@ jobs:
3737
artifact_type: 'container'
3838
artifact_path: 'ubuntu:14.04'
3939
display_vulnerability_findings: "enabled"
40+
sbomgen_version: "1.2.0-beta"
4041

4142
- name: Display scan results
4243
run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
Lines changed: 77 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,77 @@
1+
name: Test Dockerfile Vulnerabilities
2+
3+
# This workflow tests that the action can successfully
4+
# scan a GitHub repository. This workflow runs automatically
5+
# every 6 hours, and on pushes.
6+
7+
on:
8+
schedule:
9+
- cron: '0 */6 * * *' # runs every 6 hours
10+
push:
11+
branches: #
12+
- '*'
13+
14+
jobs:
15+
daily_job:
16+
runs-on: ubuntu-latest
17+
environment:
18+
name: plugin-development
19+
20+
steps:
21+
- name: Checkout this repository
22+
uses: actions/checkout@v4
23+
24+
- name: Configure AWS credentials
25+
uses: aws-actions/configure-aws-credentials@v4
26+
with:
27+
aws-region: ${{ secrets.AWS_REGION }}
28+
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
29+
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
30+
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
31+
32+
- name: Scan Dockerfiles
33+
id: inspector
34+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@test_sbomgen_1.2.0-beta
35+
with:
36+
artifact_type: 'repository'
37+
artifact_path: './'
38+
display_vulnerability_findings: "enabled"
39+
sbomgen_version: "1.2.0-beta"
40+
41+
- name: Display scan results (JSON)
42+
run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
43+
44+
- name: Display package vulns (CSV)
45+
run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}
46+
47+
- name: Display package vulns (MD)
48+
run: cat ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
49+
50+
- name: Display Dockerfile vulns (CSV)
51+
run: cat ${{ steps.inspector.outputs.inspector_dockerfile_scan_results_csv }}
52+
53+
- name: Display Dockerfile vulns (MD)
54+
run: cat ${{ steps.inspector.outputs.inspector_dockerfile_scan_results_markdown }}
55+
56+
- name: Validate scan content
57+
run: python3 validator/validate_inspector_scan.py --file ${{ steps.inspector.outputs.inspector_scan_results }}
58+
59+
- name: Demonstrate Upload Scan Results
60+
uses: actions/upload-artifact@v4
61+
with:
62+
name: Inspector Scan SBOM Results
63+
path: |
64+
${{ steps.inspector.outputs.artifact_sbom }}
65+
${{ steps.inspector.outputs.inspector_scan_results }}
66+
${{ steps.inspector.outputs.inspector_scan_results_csv }}
67+
${{ steps.inspector.outputs.inspector_scan_results_markdown }}
68+
${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}
69+
${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}
70+
71+
72+
# only run if the previous step failed
73+
- name: Notify maintainers of validation failure
74+
if: ${{ failure() }}
75+
run: echo "this feature is not implemented"
76+
# TODO: add steps to send notification to a Lambda to cut a ticket on job failure
77+
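Review bot: the Dockerfile output ids are spelled two different ways inside this one file: `inspector_dockerfile_scan_results_csv` / `_markdown` in the two "Display Dockerfile vulns" steps, but `inspector_dockerile_scan_results_csv` / `_markdown` in the upload-artifact path list. Only one spelling can match the action's actual output id, so either the display steps print nothing or the upload silently omits the two Dockerfile reports; pick one spelling and use it everywhere. Also, the "Validate scan content" step only checks `inspector_scan_results` (the package scan), so a regression in the Dockerfile CSV/Markdown output would not fail this job; consider extending `validator/validate_inspector_scan.py` or adding a step that fails if the two Dockerfile report files are missing or empty. Minor: the job is named `daily_job` while the cron runs every 6 hours, and the header comment ("scan a GitHub repository") appears to be copied from the repository-scan test rather than describing Dockerfile checks.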

.github/workflows/test_installation.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,7 @@ jobs:
3333
artifact_type: 'container'
3434
artifact_path: 'alpine:latest'
3535
display_vulnerability_findings: "enabled"
36+
sbomgen_version: "1.2.0-beta"
3637

3738
# only run if the previous step failed
3839
- name: Notify maintainers of installation failure
Lines changed: 54 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,54 @@
1+
name: Test No Vulns
2+
3+
# confirm that reports are not displayed when no vulns are found
4+
5+
on:
6+
push:
7+
branches: #
8+
- '*'
9+
10+
jobs:
11+
daily_job:
12+
runs-on: ubuntu-latest
13+
environment:
14+
name: plugin-development
15+
16+
steps:
17+
18+
- name: Checkout
19+
uses: actions/checkout@v4
20+
21+
- name: Configure AWS credentials
22+
uses: aws-actions/configure-aws-credentials@v4
23+
with:
24+
aws-region: ${{ secrets.AWS_REGION }}
25+
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
26+
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
27+
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
28+
29+
- name: Test binary scan
30+
id: inspector
31+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@test_sbomgen_1.2.0-beta
32+
with:
33+
artifact_type: 'binary'
34+
artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary'
35+
display_vulnerability_findings: "enabled"
36+
output_sbom_path: 'sbom.json'
37+
output_inspector_scan_path: 'inspector_scan.json'
38+
output_inspector_scan_path_csv: 'inspector_pkg_scan.csv'
39+
output_inspector_dockerfile_scan_path_csv: 'inspector_dockerfile_scan.csv'
40+
output_inspector_dockerfile_scan_path_markdown: 'inspector_dockerfile_scan.md'
41+
sbomgen_version: "1.2.0-beta"
42+
43+
- name: Demonstrate Upload Scan Results
44+
uses: actions/upload-artifact@v4
45+
with:
46+
name: Inspector Scan SBOM Results
47+
path: |
48+
${{ steps.inspector.outputs.artifact_sbom }}
49+
${{ steps.inspector.outputs.inspector_scan_results }}
50+
${{ steps.inspector.outputs.inspector_scan_results_csv }}
51+
${{ steps.inspector.outputs.inspector_scan_results_markdown }}
52+
${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}
53+
${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}
54+
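Review bot: the workflow's stated purpose ("confirm that reports are not displayed when no vulns are found") is never asserted. After the scan step the job only uploads artifacts, so it passes regardless of whether a report was produced or displayed. Add a step that fails if `inspector_dockerfile_scan.csv` / `inspector_dockerfile_scan.md` exist (or if the corresponding step outputs are non-empty) for this zero-finding binary; without it the test cannot catch the regression it was written for. Smaller points: the step is named "Test binary scan" inside a workflow named "Test No Vulns"; the upload list uses the `dockerile` spelling for the two Dockerfile outputs; and the action is pulled from a branch reference rather than a tag, which should be reverted before release.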

.github/workflows/test_repository.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,7 @@ jobs:
3636
artifact_type: 'repository'
3737
artifact_path: './'
3838
display_vulnerability_findings: "enabled"
39+
sbomgen_version: "1.2.0-beta"
3940

4041
- name: Display scan results
4142
run: cat ${{ steps.inspector.outputs.inspector_scan_results }}

.github/workflows/test_vuln_thresholds.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,7 @@ jobs:
4444
medium_threshold: 1
4545
low_threshold: 1
4646
other_threshold: 1
47+
sbomgen_version: "1.2.0-beta"
4748

4849
- name: Fail if vulnerability threshold is exceeded
4950
run: if [[ ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }} != "1" ]]; then echo "test failed"; else echo "test passed"; fi
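Review bot: the hunk itself only adds the beta `sbomgen_version` pin, but the context line it sits above shows the test step echoing "test failed" without exiting non-zero, so this job is green even when `vulnerability_threshold_exceeded` is not `1`. Since this workflow is the regression test for the threshold gate, it should actually fail: `then echo "test failed"; exit 1; else echo "test passed"; fi`.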
