v1.3.0

.github/workflows/build_scan_container.yml

@@ -47,7 +47,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan built image with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
         id: inspector
         with:
           artifact_type: 'container'

.github/workflows/example_display_findings.yml

@@ -29,7 +29,7 @@ jobs:
       # modify this block to scan your intended artifact
       - name: Inspector Scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
         with:
           # change artifact_type to either 'repository', 'container', 'binary', or 'archive'.
           # this example scans a container image

.github/workflows/example_vulnerability_threshold_exceeded.yml

@@ -48,7 +48,7 @@ jobs:
 
       # Inspector scan
       - name: Scan container with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
         id: inspector
         with:
           artifact_type: 'container' # configure Inspector for scanning a container

.github/workflows/test_archive.yml

@@ -32,7 +32,7 @@ jobs:
 
       - name: Test archive scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
         with:
           artifact_type: 'archive'
           artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip'

.github/workflows/test_binary.yml

@@ -32,7 +32,7 @@ jobs:
 
       - name: Test binary scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
         with:
           artifact_type: 'binary'
           artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen'

.github/workflows/test_containers.yml

@@ -32,7 +32,7 @@ jobs:
 
       - name: Test container scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
         with:
           artifact_type: 'container'
           artifact_path: 'ubuntu:14.04'

.github/workflows/test_dockerfile_vulns.yml

@@ -31,7 +31,7 @@ jobs:
 
       - name: Scan Dockerfiles
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
         with:
           artifact_type: 'repository'
           artifact_path: './'

.github/workflows/test_installation.yml

@@ -28,7 +28,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Test Amazon Inspector GitHub Actions plugin
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
         with:
           artifact_type: 'container'
           artifact_path: 'alpine:latest'

.github/workflows/test_no_vulns.yml

@@ -28,7 +28,7 @@ jobs:
 
       - name: Test binary scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
         with:
           artifact_type: 'binary'
           artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary'

.github/workflows/test_reports_no_vulns.yml

@@ -26,7 +26,7 @@ jobs:
 
       - name: Test container scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
         with:
           artifact_type: 'container'
           artifact_path: 'alpine:latest'

.github/workflows/test_repository.yml

@@ -31,7 +31,7 @@ jobs:
 
       - name: Test repository scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
         with:
           artifact_type: 'repository'
           artifact_path: './'

.github/workflows/test_vuln_thresholds.yml

@@ -30,7 +30,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan artifact with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
         id: inspector
         with:
           artifact_type: 'archive'
@@ -45,8 +45,8 @@ jobs:
           low_threshold: 1
           other_threshold: 1
           sbomgen_version: "latest"
+          threshold_fixable_only: true
+          show_only_fixable_vulns: true
 
       - name: Fail if vulnerability threshold is exceeded
         run: if [[  ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }} != "1" ]]; then echo "test failed"; else echo "test passed"; fi
-
-        # TODO: handle failure case

README.md

@@ -372,4 +372,6 @@ See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more inform
 
 This project is licensed under the MIT license.
 
-Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved
+This project leverages the [Amazon Inspector SBOM Generator](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html), which is distributed under the [AWS Intellectual Property License](https://aws.amazon.com/legal/aws-ip-license-terms/).
+
+Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved

action.yml

@@ -110,6 +110,18 @@ inputs:
     description: "Specifies the OS and CPU arch of the container image you wish to scan. Valid inputs are of the form 'os/cpu/variant' for example, 'linux/amd64', 'linux/arm64/v8', etc. If no platform is specified, the system will use the same platform as the host that is performing the scan. This argument only affects container image scans. Requires inspector-sbomgen 1.5.1 or later."
     required: False
 
+  threshold_fixable_only:
+    description: 'If set to true, only count vulnerabilities with a fix towards threshold exceeded condition.'
+    required: False
+    default: false
+    type: boolean
+
+  show_only_fixable_vulns:
+    description: "If set to true, this action will show only fixed vulnerabilities in the GitHub Actions step summary page. All vulnerability metadata is still retained in the raw Inspector scan files."
+    required: False
+    default: false
+    type: boolean
+
 outputs:
   artifact_sbom:
     description: "The filepath to the artifact's software bill of materials."
@@ -148,6 +160,8 @@ runs:
     - --out-dockerfile-scan-md=${{ inputs.output_inspector_dockerfile_scan_path_markdown }}
     - --sbomgen-version=${{ inputs.sbomgen_version }}
     - --thresholds
+    - ${{ inputs.threshold_fixable_only == 'true' && '--threshold-fixable-only' || '--no-op' }}
+    - ${{ inputs.show_only_fixable_vulns == 'true' && '--show-only-fixable-vulns'|| '--no-op' }}
     - --critical=${{ inputs.critical_threshold }}
     - --high=${{ inputs.high_threshold }}
     - --medium=${{ inputs.medium_threshold }}

entrypoint/entrypoint/cli.py

@@ -50,13 +50,19 @@ def init(sys_argv=None) -> argparse.Namespace:
                         help="Specifies one or more files and/or directories that should NOT be inventoried.")
     parser.add_argument("--timeout", type=str, default="600",
                         help="The amount of time in seconds that inspector-sbomgne will run. When this timeout is exceeded, sbomgen will gracefully conclude and present any findings discovered up to that point.")
+    parser.add_argument("--show-only-fixable-vulns", action="store_true", default=False,
+                        help="Only show fixed vulnerabilities in the GitHub Actions job summary page.")
+    parser.add_argument("--threshold-fixable-only", action="store_true", default=False,
+                        help="Only count vulnerabilities with a fix towards threshold exceeded condition.")
 
     parser.add_argument("--platform", type=str,
                         help="Specifies the OS and CPU arch of the container image you wish to scan. Valid inputs are "
                              "of the form 'os/cpu/variant' for example, 'linux/amd64', 'linux/arm64/v8', etc. If no platform is "
                              "specified, the system will use the same platform as the host that is performing the "
                              "scan. This argument only affects container image scans. Requires inspector-sbomgen "
                              "1.5.1 or later.")
+    parser.add_argument("--no-op", action="store_true", default=False,
+                        help="A no operation argument, used as the default from the GitHub Actions caller when boolean arguments are not set. This is a workaround because GitHub Actions doesn't have a clean way to invoke or not invoke action='store_true' arguments")
 
     args = ""
     if sys_argv:

entrypoint/entrypoint/fixed_vulns.py

@@ -0,0 +1,10 @@
+from dataclasses import dataclass
+
+
+@dataclass
+class FixedVulns:
+    criticals: int
+    highs: int
+    mediums: int
+    lows: int
+    others: int