Skip to content

Commit

Permalink
Add filtering (#40)
Browse files Browse the repository at this point in the history
Co-authored-by: Jujuyeh <[email protected]>
  • Loading branch information
Jujuyeh and Jujuyeh committed Jan 30, 2024
1 parent 9d1d3a9 commit c94900f
Show file tree
Hide file tree
Showing 10 changed files with 595 additions and 157 deletions.
28 changes: 28 additions & 0 deletions .github/workflows/scan.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,34 @@ jobs:
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true
severity-at-least: medium

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/sarif.json

filtered-scan-from-registry:
runs-on: ubuntu-latest

steps:
# This step checks out a copy of your repository.
- name: Check out repository
uses: actions/checkout@v4

- name: Scan dummy-vuln-app from registry
id: scan
uses: ./
with:
# Tag of the image to analyse
image-tag: sysdiglabs/dummy-vuln-app:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true
severity-at-least: medium
group-by-package: true

- name: Upload SARIF file
if: success() || failure() # Upload results regardless previous step fails
Expand Down
14 changes: 13 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,18 @@ Fail the job if the Policy Evaluation is Failed.

Fail the job if the Scanner terminates execution with errors.

### `severity-at-least`

Filtering option to only report vulnerabilities with at least the specified severity. Can take [`critical`|`high`|`medium`|`low`|`negligible`|`any`]. Default value "any" for no filtering.

For example, if `severity-at-least` is set to `medium`, only Medium, High or Critical vulnerabilities will be reported.

### `group-by-package`

Enable grouping the vulnerabilities in the SARIF report by package.

Useful if you want to manage security per package or condense the number of findings.

### `standalone`

Enable standalone mode. Do not depend on Sysdig backend for
Expand Down Expand Up @@ -79,7 +91,7 @@ Standalone mode.)

### `sysdig-secure-url`

Sysdig Secure Endpoint URL. Defaults to `https://secure-sysdig.com`. Please, visit the [official documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) for more details on endpoints and regions.
Sysdig Secure Endpoint URL. Defaults to `https://secure.sysdig.com`. Please, visit the [official documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) for more details on endpoints and regions.

### `sysdig-skip-tls`

Expand Down
8 changes: 8 additions & 0 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,14 @@ inputs:
override-pullstring:
description: Custom PullString to give the image when scanning and uploading.
required: false
severity-at-least:
description: Filtering option to only report vulnerabilities with at least the specified severity. Can take [critical|high|medium|low|negligible|any]. Default value "any" for no filtering.
default: any
required: false
group-by-package:
description: Enable grouping the vulnerabilities in the SARIF report by package.
default: "false"
required: false
image-tag:
description: Tag of the image to analyse.
required: true
Expand Down
Loading

0 comments on commit c94900f

Please sign in to comment.