forked from neuvector/scan-action
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaction.yml
79 lines (77 loc) · 2.79 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
name: 'NeuVector Vulnerability Scan Action'
description: 'Scans a container image for vulnerabilities with [NeuVector](https://neuvector.com)'
author: 'SUSE NeuVector'
inputs:
image-registry:
description: 'Registry of the image to scan, e.g. `https://registry.organization.com/`'
required: false
default: ''
image-registry-username:
description: 'Username for the registry authentication'
required: false
default: ''
image-registry-password:
description: 'Password for the registry authentication'
required: false
default: ''
image-repository:
description: 'Repository of the image to scan, e.g. `org/image-name`'
required: true
image-tag:
description: 'Tag of the image to scan, e.g. `1.0.0`'
required: true
min-high-cves-to-fail:
description: 'Minimum CVEs with high severity to fail the job'
required: false
default: '0'
min-medium-cves-to-fail:
description: 'Minimum CVEs with medium severity to fail the job'
required: false
default: '0'
cve-names-to-fail:
description: 'Comma-separated list of CVE names(without spaces between the entries) that make the job fail, e.g. `CVE-2021-4160,CVE-2022-0778'
required: false
default: ''
cve-names-to-exempt:
description: 'Comma-separated list of CVE names(without spaces between the entries) that exempt the job fail, e.g. `CVE-2021-4160,CVE-2022-0778'
required: false
default: ''
nv-scanner-image:
description: 'NeuVector Scanner image to use for scanning'
required: false
default: 'neuvector/scanner:latest'
output:
description: 'Output format, one of: `text`, `json`, `csv`'
required: false
default: 'text'
debug:
description: 'Debug mode, on of: `true`, `false`'
required: false
default: 'false'
outputs:
vulnerability_count:
description: 'Number of found vulnerabilities'
high_vulnerability_count:
description: 'Number of found vulnerabilities with high severity'
medium_vulnerability_count:
description: 'Number of found vulnerabilities with medium severity'
runs:
using: "docker"
image: 'Dockerfile'
env:
HIGH_VUL_TO_FAIL: ${{ inputs.min-high-cves-to-fail }}
MEDIUM_VUL_TO_FAIL: ${{ inputs.min-medium-cves-to-fail }}
VUL_NAMES_TO_FAIL: ${{ inputs.cve-names-to-fail }}
VUL_NAMES_TO_EXEMPT: ${{ inputs.cve-names-to-exempt }}
SCANNER_REPOSITORY: ${{ inputs.image-repository }}
SCANNER_TAG: ${{ inputs.image-tag }}
SCANNER_REGISTRY: ${{ inputs.image-registry }}
SCANNER_REGISTRY_USERNAME: ${{ inputs.image-registry-username }}
SCANNER_REGISTRY_PASSWORD: ${{ inputs.image-registry-password }}
NV_SCANNER_IMAGE: ${{ inputs.nv-scanner-image }}
DEBUG: ${{ inputs.debug }}
OUTPUT: ${{ inputs.output }}
GITHUB_OUTPUT: $GITHUB_OUTPUT
branding:
icon: search
color: green