From 5e116cb9e84c5d4a3bea833aadc4494a4717c17d Mon Sep 17 00:00:00 2001 From: Manuel Boira Cuevas Date: Thu, 16 Sep 2021 10:47:05 +0200 Subject: [PATCH 1/9] Sysdig Secure Inline Scan with SARIF report to starter workflows --- .../properties/sysdig-scan.properties.json | 7 +++ code-scanning/sysdig-scan.yml | 43 +++++++++++++++++++ icons/sysdig.svg | 37 ++++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 code-scanning/properties/sysdig-scan.properties.json create mode 100644 code-scanning/sysdig-scan.yml create mode 100644 icons/sysdig.svg diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json new file mode 100644 index 0000000..02db691 --- /dev/null +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Sysdigh Inline Scan", + "creator": "Sysdig", + "description": "Performs analysis on locally built container image and posts the results in SARIF report", + "iconName": "cst-logo", + "categories": ["Image Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Powershell", "Cobol", "Objective C", "PHP", "Ruby", "Rust", "SQL", "Swift", "Visual Basic"] +} diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml new file mode 100644 index 0000000..ea52006 --- /dev/null +++ b/code-scanning/sysdig-scan.yml @@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Sysdig - Build, scan, push and upload sarif report + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v1 + + - name: Build the Docker image + run: docker build . --file Dockerfile --tag ${{ github.head_ref }}:latest + + - name: Sysdig Secure Inline Scan + id: scan + uses: sysdiglabs/scan-action@v3 + with: + # Tag of the image to analyse + image-tag: "${{ github.head_ref }}:latest" + # API token for Sysdig Scanning auth + sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }} + dockerfile-path: ./Dockerfile + input-type: docker-daemon + ignore-failed-scan: true + + - uses: github/codeql-action/upload-sarif@v1 + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarifReport } diff --git a/icons/sysdig.svg b/icons/sysdig.svg new file mode 100644 index 0000000..e98d27d --- /dev/null +++ b/icons/sysdig.svg @@ -0,0 +1,37 @@ + + + + + + + From 38d4e3bfd23aa791fd5906ba8479c09087f3da7e Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Mon, 20 Sep 2021 11:52:53 +0200 Subject: [PATCH 2/9] Added some extra comments, Github Actions V2 and changed env vars --- code-scanning/sysdig-scan.yml | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index ea52006..58b4543 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -20,24 +20,35 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@v2 - name: Build the Docker image - run: docker build . --file Dockerfile --tag ${{ github.head_ref }}:latest + # Tag image to be built + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below + run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest - name: Sysdig Secure Inline Scan id: scan uses: sysdiglabs/scan-action@v3 with: - # Tag of the image to analyse - image-tag: "${{ github.head_ref }}:latest" + # Tag of the image to analyse. + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above + image-tag: ${{ github.repository }}:latest # API token for Sysdig Scanning auth - sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}} + # Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ + # US-East https://secure.sysdig.com + # US-West https://us2.app.sysdig.com + # EU https://eu1.app.sysdig.com + sysdig-secure-url: https://us2.app.sysdig.com dockerfile-path: ./Dockerfile input-type: docker-daemon ignore-failed-scan: true + # Sysdig inline scanner requires privileged rights + run-as-user: root - uses: github/codeql-action/upload-sarif@v1 + #Upload SARIF file if: always() with: - sarif_file: ${{ steps.scan.outputs.sarifReport } + sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file From 7d41cdb581da65551176526658e7d4d756ca3078 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 21 Sep 2021 11:03:21 +0200 Subject: [PATCH 3/9] Reviews from PR #1110 --- code-scanning/properties/sysdig-scan.properties.json | 4 ++-- code-scanning/sysdig-scan.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json index 02db691..87c87cd 100644 --- a/code-scanning/properties/sysdig-scan.properties.json +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -2,6 +2,6 @@ "name": "Sysdigh Inline Scan", "creator": "Sysdig", "description": "Performs analysis on locally built container image and posts the results in SARIF report", - "iconName": "cst-logo", - "categories": ["Image Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Powershell", "Cobol", "Objective C", "PHP", "Ruby", "Rust", "SQL", "Swift", "Visual Basic"] + "iconName": "sysdig", + "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] } diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 58b4543..49841d7 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -29,7 +29,7 @@ jobs: - name: Sysdig Secure Inline Scan id: scan - uses: sysdiglabs/scan-action@v3 + uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 with: # Tag of the image to analyse. # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above From 9b4fcbf91135a5c58a6baa6eea122dad129c3dd1 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 21 Sep 2021 11:25:16 +0200 Subject: [PATCH 4/9] Adding 'Dockerfile' to category list --- code-scanning/properties/sysdig-scan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json index 87c87cd..09bbd7b 100644 --- a/code-scanning/properties/sysdig-scan.properties.json +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -3,5 +3,5 @@ "creator": "Sysdig", "description": "Performs analysis on locally built container image and posts the results in SARIF report", "iconName": "sysdig", - "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] + "categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] } From 2a1abda503bbc05d90f27f56dc0820c20dfdb17c Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 09:30:45 +0200 Subject: [PATCH 5/9] Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson --- code-scanning/properties/sysdig-scan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json index 09bbd7b..e61c2e1 100644 --- a/code-scanning/properties/sysdig-scan.properties.json +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -2,6 +2,6 @@ "name": "Sysdigh Inline Scan", "creator": "Sysdig", "description": "Performs analysis on locally built container image and posts the results in SARIF report", - "iconName": "sysdig", + "iconName": "sysdig-scan", "categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] } From b7d9f15826dd424115512f2e638a9b1c952a3787 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 09:30:53 +0200 Subject: [PATCH 6/9] Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson --- code-scanning/properties/sysdig-scan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json index e61c2e1..d39072e 100644 --- a/code-scanning/properties/sysdig-scan.properties.json +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -1,5 +1,5 @@ { - "name": "Sysdigh Inline Scan", + "name": "Sysdig Inline Scan", "creator": "Sysdig", "description": "Performs analysis on locally built container image and posts the results in SARIF report", "iconName": "sysdig-scan", From b55a65157e3ea87ec372ce9a4c4fdbacf6c12f1b Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 10:39:56 +0200 Subject: [PATCH 7/9] Changed svg logo --- icons/sysdig.svg | 51 ++++++++++++++---------------------------------- 1 file changed, 15 insertions(+), 36 deletions(-) diff --git a/icons/sysdig.svg b/icons/sysdig.svg index e98d27d..31101c8 100644 --- a/icons/sysdig.svg +++ b/icons/sysdig.svg @@ -1,37 +1,16 @@ - - - - - - + + + + + + + + + + + + + From b258b332347865c37c04023d8a5b24a6289e1523 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 15:02:00 +0200 Subject: [PATCH 8/9] Rename sysdig.svg to sysdig-scan.svg --- icons/{sysdig.svg => sysdig-scan.svg} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename icons/{sysdig.svg => sysdig-scan.svg} (100%) diff --git a/icons/sysdig.svg b/icons/sysdig-scan.svg similarity index 100% rename from icons/sysdig.svg rename to icons/sysdig-scan.svg From 3c200bdb2180e82004d0c31c6d76685718232883 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 15:09:31 +0200 Subject: [PATCH 9/9] Switched svg logo (again) for a better fit --- icons/sysdig-scan.svg | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/icons/sysdig-scan.svg b/icons/sysdig-scan.svg index 31101c8..85d5de0 100644 --- a/icons/sysdig-scan.svg +++ b/icons/sysdig-scan.svg @@ -1,16 +1 @@ - - - - - - - - - - - - - - +Artboard 1 \ No newline at end of file