diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json new file mode 100644 index 0000000..d39072e --- /dev/null +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Sysdig Inline Scan", + "creator": "Sysdig", + "description": "Performs analysis on locally built container image and posts the results in SARIF report", + "iconName": "sysdig-scan", + "categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] +} diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml new file mode 100644 index 0000000..49841d7 --- /dev/null +++ b/code-scanning/sysdig-scan.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Sysdig - Build, scan, push and upload sarif report + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Build the Docker image + # Tag image to be built + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below + run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest + + - name: Sysdig Secure Inline Scan + id: scan + uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 + with: + # Tag of the image to analyse. + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above + image-tag: ${{ github.repository }}:latest + # API token for Sysdig Scanning auth + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}} + # Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ + # US-East https://secure.sysdig.com + # US-West https://us2.app.sysdig.com + # EU https://eu1.app.sysdig.com + sysdig-secure-url: https://us2.app.sysdig.com + dockerfile-path: ./Dockerfile + input-type: docker-daemon + ignore-failed-scan: true + # Sysdig inline scanner requires privileged rights + run-as-user: root + + - uses: github/codeql-action/upload-sarif@v1 + #Upload SARIF file + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file diff --git a/icons/sysdig-scan.svg b/icons/sysdig-scan.svg new file mode 100644 index 0000000..85d5de0 --- /dev/null +++ b/icons/sysdig-scan.svg @@ -0,0 +1 @@ +Artboard 1 \ No newline at end of file