1+ name : Example Sbomgen Threshold Conditionals
2+
3+ # This example workflow aims to provide an example of using Inspector Scan vulnerability_threshold_exceeded
4+ # output to determine next steps in a pipeline
5+
6+ on :
7+ workflow_dispatch :
8+
9+ permissions :
10+ id-token : write
11+ contents : read
12+
13+ jobs :
14+ inspector_scan_job :
15+ runs-on : ubuntu-latest
16+
17+ steps :
18+
19+ # Checkout Repo
20+ - name : Checkout this repo
21+ uses : actions/checkout@v4
22+
23+ # setup the environment
24+ - name : Set up docker build prereqs (QEMU)
25+ uses : docker/setup-qemu-action@v3
26+
27+ - name : Set up docker build prereqs (Buildx)
28+ uses : docker/setup-buildx-action@v3
29+
30+ # build container
31+ - name : Build Docker image
32+ uses : docker/build-push-action@v5
33+ with :
34+ context : .
35+ file : ./Dockerfile
36+ push : false
37+ tags : vulnerable:latest
38+ load : true
39+
40+ # Authenticate with AWS via OIDC
41+ # More Detail: https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
42+ # IAM Role requirements: https://docs.aws.amazon.com/inspector/latest/user/configure-cicd-account.html#cicd-iam-role
43+ - name : Configure AWS credentials
44+ uses : aws-actions/configure-aws-credentials@v4
45+ with :
46+ aws-region : us-east-1
47+ role-to-assume : arn:aws:iam::<AWS ACCOUNT ID>:role/<AWS IAM ROLE>
48+
49+ # Inspector scan
50+ - name : Scan container with Inspector
51+ uses : aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.0
52+ id : inspector
53+ with :
54+ artifact_type : ' container' # configure Inspector for scanning a container
55+ artifact_path : ' vulnerable:latest' # scan container built in above steps
56+ display_vulnerability_findings : " enabled" # display results in step summary page
57+ critical_threshold : 1 # set vulnerability_threshold_exceeded=1 if 1 or more critical vulnerabilities found
58+ high_threshold : 10 # set vulnerability_threshold_exceeded=1 if 10 or more high vulnerabilities found
59+
60+ # Upload Inspector scan results as Artifacts
61+ - name : Upload Inspector scan results
62+ uses : actions/upload-artifact@v4
63+ with :
64+ name : Inspector Vulnerability Scan Artifacts
65+ path : |
66+ ${{ steps.inspector.outputs.inspector_scan_results }}
67+ ${{ steps.inspector.outputs.inspector_scan_results_csv }}
68+ ${{ steps.inspector.outputs.artifact_sbom }}
69+ ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
70+
71+ # Publish build to GitHub container registry, IF vulnerability_threshold_exceeded is not set to 1
72+ - name : Push to GHCR container registry
73+ run : docker push ghcr.io/your-repo/vulnerable:latest
74+ if : ${{ steps.inspector.outputs.vulnerability_threshold_exceeded == '0' }}
75+
76+ # GitHub conditional statements can also allow and/or logic, allowing vulnerability_threshold_exceeded to be overridden if desired
77+ # Learn more: https://docs.github.com/en/actions/using-jobs/using-conditions-to-control-job-execution
78+ - name : Push to GHCR container registry (override allowed)
79+ run : docker push ghcr.io/your-repo/vulnerable:latest
80+ if : ${{ steps.inspector.outputs.vulnerability_threshold_exceeded == '0' || env.SBOMGEN_OVERRIDE == 'TRUE' }}
81+ env :
82+ SBOMGEN_OVERRIDE : ' FALSE'
83+
84+ # Fail the workflow if there are enough critical/high vulnerabilities in build to set vulnerability_threshold_exceeded to 1
85+ - name : Fail Action if Inspector vuln threshold exceeded
86+ run : |
87+ exit 1
88+ if : ${{ steps.inspector.outputs.vulnerability_threshold_exceeded == '1' }}
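Review bot: The override path at lines 78-82 and the fail step at lines 85-88 contradict each other: when the threshold is exceeded and `SBOMGEN_OVERRIDE` is `TRUE`, the image is pushed first and then the job still exits 1, so the vulnerable image is published and the run is reported as failed with no way to undo the push. Either move the fail step ahead of both push steps, or make the fail step honor the same override; since the `env` on line 81 is step-scoped and invisible to line 88, that means lifting `SBOMGEN_OVERRIDE` to job-level `env:` and changing line 88 to `if: ${{ steps.inspector.outputs.vulnerability_threshold_exceeded == '1' && env.SBOMGEN_OVERRIDE != 'TRUE' }}`. If the override ever becomes a `workflow_dispatch` input rather than a literal in the file, anyone with write access can bypass the gate, so it should be guarded by an environment protection rule or a review requirement rather than a plain variable. Separately, both `docker push` steps will fail as written: the image is built as `vulnerable:latest` not `ghcr.io/your-repo/vulnerable:latest`, there is no `docker/login-action` step, and `permissions:` lacks `packages: write`. Every third-party action here is referenced by a mutable tag (`@v4`, `@v3`, `@v5`, `@v1.1.0`); for a workflow that holds an OIDC-assumable AWS role, pin each `uses:` to a full-length commit SHA with the version in a trailing comment so a retagged action cannot gain the credentials.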