From b7a4aa5f32387280284bc853adee37e49ec1504e Mon Sep 17 00:00:00 2001
From: Fede Barcelona
Date: Mon, 29 Jul 2024 13:31:52 +0200
Subject: [PATCH] feat: update scanner version to 1.13.0
---
 .github/workflows/ci-scan.yaml | 38 ++++++++++++++++++++++++++++++++++
 action.yml | 3 +--
 2 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci-scan.yaml b/.github/workflows/ci-scan.yaml
index d47cc75..32a904a 100644
--- a/.github/workflows/ci-scan.yaml
+++ b/.github/workflows/ci-scan.yaml
@@ -77,6 +77,44 @@ jobs:
 echo "Scan failed as expected."
 fi
 
+ scan-with-old-scanner-version:
+ runs-on: ubuntu-latest
+
+ steps:
+ # This step checks out a copy of your repository.
+ - name: Check out repository
+ uses: actions/checkout@v4
+
+ - name: Scan dummy-vuln-app from registry
+ id: scan
+ uses: ./
+ continue-on-error: true
+ with:
+ # Old scanner version
+ cli-scanner-version: 1.8.1
+ # Tag of the image to analyse
+ image-tag: sysdiglabs/dummy-vuln-app:latest
+ # API token for Sysdig Scanning auth
+ sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+ stop-on-failed-policy-eval: true
+ stop-on-processing-error: true
+ severity-at-least: medium
+
+ - name: Upload SARIF file
+ if: success() || failure() # Upload results regardless previous step fails
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ github.workspace }}/sarif.json
+
+ - name: Check that the scan has failed
+ run: |
+ if [ "${{ steps.scan.outcome }}" == "success" ]; then
+ echo "Scan succeeded but the step should fail."
+ exit 1
+ else
+ echo "Scan failed as expected."
+ fi
+
 standalone-scan-from-registry:
 runs-on: ubuntu-latest
 
diff --git a/action.yml b/action.yml
index 3554421..cb6c94b 100644
--- a/action.yml
+++ b/action.yml
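Review bot: The `Check that the scan has failed` step of the new `scan-with-old-scanner-version` job accepts any non-success outcome, so a failed download of the pinned 1.8.1 binary or a processing error (both `stop-on-*` inputs are true) satisfies it exactly like the intended policy failure, and the job cannot tell "old scanner still works and flags the image" from "old scanner is broken". If the action exposes a scan-result output, assert on that rather than on `steps.scan.outcome`. The new `Upload SARIF file` step also uploads without a `category`; if the sibling jobs in this workflow upload SARIF as well (the hunk shows only this one), give this upload a distinct `category: scan-with-old-scanner-version` so the code-scanning analyses do not overwrite each other. The steps are otherwise a copy of the job that ends just above the hunk; a `strategy.matrix` over `cli-scanner-version` would leave one set of steps to maintain.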
@@ -3,11 +3,10 @@ description: 'Perform image analysis on locally built container image and post t
 inputs:
 cli-scanner-url:
 description: URL to sysdig-cli-scanner binary download
- default: https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.8.1/linux/amd64/sysdig-cli-scanner
 required: false
 cli-scanner-version:
 description: Custom sysdig-cli-scanner version to download
- default: "1.8.1"
+ default: "1.13.0"
 required: false
 registry-user:
 description: Registry username.
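Review bot: `cli-scanner-url` keeps its description and `required: false` while losing its default, so a reader of `action.yml` can no longer tell what happens when it is left unset; presumably the URL is now derived from `cli-scanner-version` (the resolution logic is outside this hunk), and the description should say so, e.g. `description: URL to sysdig-cli-scanner binary download. When unset, it is derived from cli-scanner-version.` Dropping the default is also a user-visible change for anyone who relied on it, and deserves a line in the commit message, which mentions only the version bump. Nothing in this hunk pins the downloaded 1.13.0 artifact; if the action verifies the binary's checksum or signature elsewhere, confirm that expected value was bumped together with the version default.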