From 5e116cb9e84c5d4a3bea833aadc4494a4717c17d Mon Sep 17 00:00:00 2001 From: Manuel Boira Cuevas Date: Thu, 16 Sep 2021 10:47:05 +0200 Subject: [PATCH] Sysdig Secure Inline Scan with SARIF report to starter workflows --- .../properties/sysdig-scan.properties.json | 7 +++ code-scanning/sysdig-scan.yml | 43 +++++++++++++++++++ icons/sysdig.svg | 37 ++++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 code-scanning/properties/sysdig-scan.properties.json create mode 100644 code-scanning/sysdig-scan.yml create mode 100644 icons/sysdig.svg diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json new file mode 100644 index 0000000..02db691 --- /dev/null +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Sysdigh Inline Scan", + "creator": "Sysdig", + "description": "Performs analysis on locally built container image and posts the results in SARIF report", + "iconName": "cst-logo", + "categories": ["Image Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Powershell", "Cobol", "Objective C", "PHP", "Ruby", "Rust", "SQL", "Swift", "Visual Basic"] +} diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml new file mode 100644 index 0000000..ea52006 --- /dev/null +++ b/code-scanning/sysdig-scan.yml @@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Sysdig - Build, scan, push and upload sarif report + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v1 + + - name: Build the Docker image + run: docker build . --file Dockerfile --tag ${{ github.head_ref }}:latest + + - name: Sysdig Secure Inline Scan + id: scan + uses: sysdiglabs/scan-action@v3 + with: + # Tag of the image to analyse + image-tag: "${{ github.head_ref }}:latest" + # API token for Sysdig Scanning auth + sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }} + dockerfile-path: ./Dockerfile + input-type: docker-daemon + ignore-failed-scan: true + + - uses: github/codeql-action/upload-sarif@v1 + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarifReport } diff --git a/icons/sysdig.svg b/icons/sysdig.svg new file mode 100644 index 0000000..e98d27d --- /dev/null +++ b/icons/sysdig.svg @@ -0,0 +1,37 @@ + + + + + + +