# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Reusable workflow (triggered via workflow_call from another workflow): scans
# the given image with Trivy and imports the resulting report into Google
# Container Analysis with aactl. All four auth/target inputs are required;
# only report_path has a default.
name: import-vulnerabilities
# NOTE: generic YAML 1.1 parsers read the bare key `on` as boolean true;
# GitHub's loader handles it, so it is left unquoted as is conventional.
on:
  workflow_call:
    inputs:
      image_digest:
        description: 'Fully-qualified image uri (repo/image@digest)'
        required: true
        type: string
      auth_provider:
        description: 'OIDC provider ID'
        required: true
        type: string
      auth_user:
        description: 'OIDC user ID'
        required: true
        type: string
      target_project:
        description: 'Target project ID where vulnerability scan will be imported'
        required: true
        type: string
      report_path:
        description: 'Path to vulnerability scan report'
        type: string
        default: 'report.json'
# Workflow-level default token scope: read-only access to repository contents.
permissions:
  contents: read
jobs:
  import:
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow-level set for this job.
    # id-token: write is what allows the auth step below to request an OIDC
    # token for Workload Identity Federation; no contents scope is granted.
    permissions:
      actions: read
      id-token: write
    steps:
      # Pinned to a full commit SHA (tag noted in the trailing comment).
      - name: Checkout Code
        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      # Authenticate to GCP via OIDC (Workload Identity Federation); the
      # provider and service account come from the caller's inputs.
      # Pinned to a full commit SHA.
      - id: auth
        name: Auth GCP
        uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0
        with:
          token_format: "access_token"
          workload_identity_provider: ${{ inputs.auth_provider }}
          service_account: ${{ inputs.auth_user }}
      # Scan the image for vulnerabilities using Trivy
      # NOTE(review): this step references the mutable `master` branch, unlike
      # the SHA-pinned actions above; the pinning exemption described before the
      # aactl step applies only to aactl. Consider pinning this action to a
      # commit SHA so the scanner code that runs here cannot change silently.
      - id: scan
        name: Vulnerability Scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ inputs.image_digest }}
          # Only the vulnerability scanner is enabled; other Trivy scanners
          # (e.g. secrets, misconfig) are not run by this workflow.
          scanners: vuln
          # JSON output is written to report_path and consumed by the aactl step.
          format: json
          output: ${{ inputs.report_path }}
          # Trivy scan timeout; the value is a plain string understood by Trivy.
          timeout: 5m
          hide-progress: true
      # Import the vulnerability scan report to Google Container Analysis
      # Note: In this one repo only, do not pin this action by commit as
      # that will create never-ending loop of new dependabot PRs
      # which, you guessed it, create a new commit hash.
      # TODO: Implement attestation import.
      # NOTE(review): the reference contains a trailing `/` before `@main`
      # (an empty sub-path); confirm this is intended rather than a typo.
      - uses: GoogleCloudPlatform/aactl/@main
        with:
          # Import type; attestation import is still a TODO (see above).
          type: vulnerability
          project: ${{ inputs.target_project }}
          # The same fully-qualified digest that was scanned, so the imported
          # occurrence is attached to exactly that image.
          digest: ${{ inputs.image_digest }}
          file: ${{ inputs.report_path }}
          # Tells aactl the report is in Trivy's JSON format (matches `format: json` above).
          format: trivy