diff --git a/.github/workflows/build_scan_container.yml b/.github/workflows/build_scan_container.yml
index 458f142..6b5bf92 100644
--- a/.github/workflows/build_scan_container.yml
+++ b/.github/workflows/build_scan_container.yml
@@ -12,6 +12,11 @@ on:
 branches:
 # - '*'
+permissions:
+ contents: read
+ id-token: write
+ actions: write # For uploading artifacts
+
 jobs:
 build:
 name: Build docker image
@@ -47,7 +52,7 @@ jobs:
 role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 - name: Scan built image with Inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
 id: inspector
 with:
 artifact_type: 'container'
diff --git a/.github/workflows/example_display_findings.yml b/.github/workflows/example_display_findings.yml
index cc745a1..8ad4b4e 100644
--- a/.github/workflows/example_display_findings.yml
+++ b/.github/workflows/example_display_findings.yml
@@ -8,6 +8,10 @@ on:
 branches:
 # - '*'
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 daily_job:
 runs-on: ubuntu-latest
@@ -29,7 +33,7 @@ jobs:
 # modify this block to scan your intended artifact
 - name: Inspector Scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
 with:
 # change artifact_type to either 'repository', 'container', 'binary', or 'archive'.
 # this example scans a container image
diff --git a/.github/workflows/example_vulnerability_threshold_exceeded.yml b/.github/workflows/example_vulnerability_threshold_exceeded.yml
index b88fe1b..248ecca 100644
--- a/.github/workflows/example_vulnerability_threshold_exceeded.yml
+++ b/.github/workflows/example_vulnerability_threshold_exceeded.yml
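Review bot: `actions: write` in the new workflow-level `permissions` block of `build_scan_container.yml` is broader than the stated purpose (`# For uploading artifacts`); as far as I can tell, `actions/upload-artifact` uploads with the runner's runtime token rather than `GITHUB_TOKEN`, and `actions: write` on the token additionally lets any step in any job cancel or re-run workflow runs and delete artifacts. Unless the upload step (outside this hunk) uses `overwrite: true`, I would drop the line, or reduce it to `actions: read`, and make the comment say which step needs it, e.g. `actions: write # only needed if the upload step overwrites an existing artifact`. Similarly, `id-token: write` granted at workflow level means the OIDC token can be minted in the build job too; scoping it under the scan job's own `permissions:` keeps it where `configure-aws-credentials` actually consumes it. The `on:` block and the job definitions continue outside the hunk.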
@@ -48,7 +48,7 @@ jobs:
 # Inspector scan
 - name: Scan container with Inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
 id: inspector
 with:
 artifact_type: 'container' # configure Inspector for scanning a container
diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml
index 454e94a..2c1e0f2 100644
--- a/.github/workflows/run_unit_tests.yml
+++ b/.github/workflows/run_unit_tests.yml
@@ -7,6 +7,10 @@ on:
 branches:
 # - '*'
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/scan_repo_with_semgrep.yml b/.github/workflows/scan_repo_with_semgrep.yml
index 91dcae6..1d2e8a5 100644
--- a/.github/workflows/scan_repo_with_semgrep.yml
+++ b/.github/workflows/scan_repo_with_semgrep.yml
@@ -2,6 +2,9 @@ name: Semgrep Scan
 on: [push]
+permissions:
+ contents: read
+
 jobs:
 semgrep:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test_archive.yml b/.github/workflows/test_archive.yml
index 203007b..c4afb81 100644
--- a/.github/workflows/test_archive.yml
+++ b/.github/workflows/test_archive.yml
@@ -11,6 +11,10 @@ on:
 branches:
 # - '*'
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 daily_job:
 runs-on: ubuntu-latest
@@ -32,7 +36,7 @@ jobs:
 - name: Test archive scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
 with:
 artifact_type: 'archive'
 artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip'
diff --git a/.github/workflows/test_binary.yml b/.github/workflows/test_binary.yml
index 23ab702..3f86f61 100644
--- a/.github/workflows/test_binary.yml
+++ b/.github/workflows/test_binary.yml
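Review bot: `id-token: write` is added at workflow level in `run_unit_tests.yml`, but nothing in the hunk shows a step that exchanges the OIDC token; the job's steps are outside the hunk, so this is inferred. If the unit-test job does not call `aws-actions/configure-aws-credentials`, the grant is unused and the block should shrink to `permissions:` / `  contents: read`, matching what this same commit does for `scan_repo_with_semgrep.yml`. If the job does assume a role, move `id-token: write` into that job's own `permissions:` so the token can only be minted where it is consumed.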
@@ -11,6 +11,10 @@ on:
 branches:
 # - '*'
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 daily_job:
 runs-on: ubuntu-latest
@@ -32,7 +36,7 @@ jobs:
 - name: Test binary scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
 with:
 artifact_type: 'binary'
 artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen'
diff --git a/.github/workflows/test_containers.yml b/.github/workflows/test_containers.yml
index ae48569..d49bb1b 100644
--- a/.github/workflows/test_containers.yml
+++ b/.github/workflows/test_containers.yml
@@ -11,6 +11,10 @@ on:
 branches:
 # - '*'
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 daily_job:
 runs-on: ubuntu-latest
@@ -32,7 +36,7 @@ jobs:
 - name: Test container scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
 with:
 artifact_type: 'container'
 artifact_path: 'ubuntu:14.04'
diff --git a/.github/workflows/test_dockerfile_vulns.yml b/.github/workflows/test_dockerfile_vulns.yml
index 258e544..4cd1c1c 100644
--- a/.github/workflows/test_dockerfile_vulns.yml
+++ b/.github/workflows/test_dockerfile_vulns.yml
@@ -11,6 +11,10 @@ on:
 branches:
 # - '*'
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 daily_job:
 runs-on: ubuntu-latest
@@ -31,7 +35,7 @@ jobs:
 - name: Scan Dockerfiles
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
 with:
 artifact_type: 'repository'
 artifact_path: './'
diff --git a/.github/workflows/test_installation.yml b/.github/workflows/test_installation.yml
index b43a5a7..c4459c2 100644
--- a/.github/workflows/test_installation.yml
+++ b/.github/workflows/test_installation.yml
@@ -11,6 +11,10 @@ on:
 branches:
 - '*'
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 daily_job:
 runs-on: ubuntu-latest
@@ -28,7 +32,7 @@ jobs:
 role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 - name: Test Amazon Inspector GitHub Actions plugin
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
 with:
 artifact_type: 'container'
 artifact_path: 'alpine:latest'
@@ -40,7 +44,4 @@ jobs:
 if: ${{ failure() }}
 run: echo "this feature is not implemented"
-# TODO: update this to point to public v1.0.0 release
-# TODO: add steps to send notification to a Lambda to cut a ticket on job failure
-# TODO: delete on push condition when finished with development
-# TODO: use an IAM role
+
diff --git a/.github/workflows/test_no_vulns.yml b/.github/workflows/test_no_vulns.yml
index b5277bb..c5bbb79 100644
--- a/.github/workflows/test_no_vulns.yml
+++ b/.github/workflows/test_no_vulns.yml
@@ -7,6 +7,10 @@ on:
 branches:
 # - '*'
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 daily_job:
 runs-on: ubuntu-latest
@@ -28,7 +32,7 @@ jobs:
 - name: Test binary scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
 with:
 artifact_type: 'binary'
 artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary'
diff --git a/.github/workflows/test_reports_no_vulns.yml b/.github/workflows/test_reports_no_vulns.yml
index bb99415..68be31c 100644
--- a/.github/workflows/test_reports_no_vulns.yml
+++ b/.github/workflows/test_reports_no_vulns.yml
@@ -5,6 +5,11 @@ on:
 branches:
 # - '*'
+
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 daily_job:
 runs-on: ubuntu-latest
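Review bot: In `test_installation.yml` the first hunk still shows `branches:` / `- '*'` as a live trigger (every sibling workflow in this commit has that entry commented out), while the last hunk deletes `# TODO: delete on push condition when finished with development` without acting on it, so the reminder is lost and the workflow keeps running on every push to every branch with `id-token: write` available to it. Either comment out `- '*'` the way the other workflows do, or keep that TODO line until the trigger is narrowed. The event type (`push` vs `pull_request`) is above the hunk, so which token context this applies to is not visible here.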
@@ -26,7 +31,7 @@ jobs:
 - name: Test container scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
 with:
 artifact_type: 'container'
 artifact_path: 'alpine:latest'
diff --git a/.github/workflows/test_repository.yml b/.github/workflows/test_repository.yml
index ffb5a34..3091846 100644
--- a/.github/workflows/test_repository.yml
+++ b/.github/workflows/test_repository.yml
@@ -11,6 +11,10 @@ on:
 branches:
 # - '*'
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 daily_job:
 runs-on: ubuntu-latest
@@ -31,7 +35,7 @@ jobs:
 - name: Test repository scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
 with:
 artifact_type: 'repository'
 artifact_path: './'
diff --git a/.github/workflows/test_vuln_thresholds.yml b/.github/workflows/test_vuln_thresholds.yml
index 0ae050b..31503cd 100644
--- a/.github/workflows/test_vuln_thresholds.yml
+++ b/.github/workflows/test_vuln_thresholds.yml
@@ -10,6 +10,10 @@ on:
 branches:
 # - '*'
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 build:
 name: Build docker image
@@ -30,7 +34,7 @@ jobs:
 role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 - name: Scan artifact with Inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
 id: inspector
 with:
 artifact_type: 'archive'
diff --git a/Dockerfile b/Dockerfile
index 82c1641..07d1935 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,7 @@
-FROM public.ecr.aws/amazonlinux/amazonlinux:latest
-
-RUN dnf install python3 aws-cli -y
+FROM public.ecr.aws/aws-cli/aws-cli:latest
-COPY ./entrypoint .
+WORKDIR /
+COPY ./entrypoint .
 RUN chmod 0500 /main.py
 ENTRYPOINT ["/main.py"]
-
-# note: don't set a WORKDIR in this image, it conflicts with github actions:
-# https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#workdir
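Review bot: `FROM public.ecr.aws/aws-cli/aws-cli:latest` leaves the base of a security-scanning action unpinned, so every rebuild pulls whatever the upstream tag currently points at; pin to a version tag and digest (`FROM public.ecr.aws/aws-cli/aws-cli:<version>@sha256:<digest>`) and bump it deliberately. The hunk also deletes the note that `WORKDIR` conflicts with GitHub's Dockerfile support while adding `WORKDIR /`; if that combination has been verified, replace the dropped note with a one-line comment stating why it is now acceptable and keep the docs link, rather than removing the warning silently. Lastly, the old image installed `python3` explicitly and the new one relies on the aws-cli image to supply an interpreter for the unchanged `ENTRYPOINT ["/main.py"]`; whether that image exposes a `python3` on PATH is not visible here, so confirm the entrypoint still starts before merging.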