Merge pull request #5 from udit-uniyal/main
updated logic to fail the pipeline whenever there is an error in the curl command to push the result to accuknox saas & added label field as mandatory field
raviknox authored Oct 17, 2024
2 parents d2c6396 + c9d67b9 commit b42c688
Showing 2 changed files with 68 additions and 58 deletions.
47 changes: 24 additions & 23 deletions README.md
@@ -4,20 +4,22 @@

- [About Accuknox](https://www.accuknox.com/)

| Input Values | Description | Optional/Required | Default Values |
|---------------------|-------------------------------------------------------------------------------------------------------|-------------------|-----------------------------|
| dockerfile_context | The context of the Dockerfile to use for building the image. | Optional | Dockerfile |
| endpoint | The URL of the CSPM panel to push the scan results to. | Optional | `cspm.demo.accuknox.com` |
| token | The token for authenticating with the CSPM panel. | Required | - |
| tenant_id | The ID of the tenant associated with the CSPM panel. | Required | - |
| repository_name | Docker image repository name. | Required | - |
| tag | Add version tag to the repository. | Optional | `${{ github.run_id }}` |
| severity | Allows selection of severity level for the scan. Options include UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL. | Optional | `UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL` |
| exit_code | Specifies pipeline behavior upon detecting specified severity level. '0' (continue) or '1' (halt). | Optional | 0 |
| Input Values | Description | Optional/Required | Default Values |
| ------------------ | ------------------------------------------------------------------------------------------------------ | ----------------- | -------------------------------------- |
| dockerfile_context | The context of the Dockerfile to use for building the image. | Optional | Dockerfile |
| endpoint | The URL of the CSPM panel to push the scan results to. | Optional | `cspm.demo.accuknox.com` |
| token | The token for authenticating with the CSPM panel. | Required | - |
| tenant_id | The ID of the tenant associated with the CSPM panel. | Required | - |
| repository_name | Docker image repository name. | Required | - |
| tag | Add version tag to the repository. | Optional | `${{ github.run_id }}` |
| severity | Allows selection of severity level for the scan. Options include UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL. | Optional | `UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL` |
| exit_code | Specifies pipeline behavior upon detecting specified severity level. '0' (continue) or '1' (halt). | Optional | 0 |
| label | The label created in AccuKnox SaaS for associating scan results. | Required | - |

## Usage

Steps for using Install-action in a workflow yaml file
Steps for using Install-action in a workflow yaml file

- Checkout into the repo using checkout action.
- Utilize the accuknox/container-scan-action repository with version tag v0.0.1.

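Review bot: the new `label` row describes the input as "The label created in AccuKnox SaaS", but action.yaml in this same PR sends it as `label_id=${{ inputs.label }}`; state whether users must supply the label's name or its ID, otherwise the push fails under the new strict check for a reason that is hard to diagnose from the table. The table also still lists `dockerfile_context`, `endpoint` and `tag` as Optional while action.yaml declares them `required: true`; align the two files.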
@@ -26,35 +28,33 @@ Steps for using Install-action in a workflow yaml file
Navigate to Tokens within the Settings section in the sidebar:
![1](https://github.com/udit-uniyal/container-scan-action/assets/115368361/8f4e188b-d9f3-4404-83af-134d5dc1417a)

Click on Create Token:
Click on Create Token:
After clicking on 'Create Token,' the Tenant ID will be visible.
![2](https://github.com/udit-uniyal/container-scan-action/assets/115368361/296bc611-acb8-4918-9d6b-3a8ec7733377)

Click on Generate:
![3](https://github.com/udit-uniyal/container-scan-action/assets/115368361/16032af0-bcac-4787-8f2a-a3fa0edc6ec6)


### workflow steps:

```yaml
- name: Run AccuKnox CSPM Scan
uses: accuknox/[email protected]
with:
token:
tenant_id:
repository_name:
with:
token:
tenant_id: #Required
repository_name: #Required
label: #Required
endpoint: #Optional
tag: #Optional
exit_code: #Optional
severity: #Optional
dockerfile_context: #Optional
```
## Minimalist Sample Configuration
## Minimalist Sample Configuration
```yaml

name: AccuKnox Scan Workflow

on:
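Review bot: in the workflow-steps snippet, `token:` is the only mandatory input without a `#Required` marker while `tenant_id`, `repository_name` and `label` each carry one; add `#Required` to `token:` so the snippet matches the table, and since the token is a credential, show it as `${{ secrets.TOKEN }}` here (as the minimalist sample does) rather than as a bare field that invites hard-coding it in the workflow file.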
@@ -70,12 +70,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@main
uses: actions/checkout@main

- name: Run AccuKnox CSPM Scan
uses: accuknox/[email protected]
with:
token: ${{ secrets.TOKEN }}
token: ${{ secrets.TOKEN }}
tenant_id: ${{ secrets.TENANT_ID }}
repository_name: ${{ github.repository }}
label: ${{ secrets.LABEL }}
```
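Review bot: `uses: actions/checkout@main` pins the checkout step to a moving branch while the scan action is pinned to `v0.0.1`; reference a release tag or, better, a full commit SHA so the sample does not run whatever is on `main` at execution time. Also, the new `label: ${{ secrets.LABEL }}` line stores a label identifier as a secret; it is not sensitive, so a plain value or a repository variable is clearer, and keeping it out of secrets avoids GitHub masking it in the `Response:` log line when a failed push needs debugging.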
79 changes: 44 additions & 35 deletions action.yaml
@@ -3,38 +3,41 @@ description: Scan Docker images using AccuKnox and push the results to the CSPM

inputs:
dockerfile_context:
description: 'The context of the Dockerfile to use for building the image.'
description: "The context of the Dockerfile to use for building the image."
required: true
default: 'Dockerfile'
default: "Dockerfile"
endpoint:
description: 'The URL of the CSPM panel to push the scan results to.'
description: "The URL of the CSPM panel to push the scan results to."
required: true
default: 'cspm.demo.accuknox.com'
default: "cspm.demo.accuknox.com"
token:
description: 'The token for authenticating with the CSPM panel.'
description: "The token for authenticating with the CSPM panel."
required: true
tenant_id:
description: 'The ID of the tenant associated with the CSPM panel.'
description: "The ID of the tenant associated with the CSPM panel."
required: true
repository_name:
description: "Docker image repository name"
required: true
repository_name:
description: 'Docker image repository name'
required: true
tag:
description: 'Add version tag to the repository'
required: true
default: '${{ github.run_id }}'
description: "Add version tag to the repository"
required: true
default: "${{ github.run_id }}"
severity:
description: "Allows selection of severity level for the scan. Options include UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL. If specified, the scan will target vulnerabilities of the selected severity level."
required: false
default: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
description: "Allows selection of severity level for the scan. Options include UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL. If specified, the scan will target vulnerabilities of the selected severity level."
required: false
default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
exit_code:
description: "Values '0' and '1' are accepted. '0' is the default value, which indicates that the pipeline will not be halted if the specified severity is found, while '1' indicates that the pipeline will stop if a specified severity level is detected."
required: false
default: '0'
description: "Values '0' and '1' are accepted. '0' is the default value, which indicates that the pipeline will not be halted if the specified severity is found, while '1' indicates that the pipeline will stop if a specified severity level is detected."
required: false
default: "0"
label:
description: "The label created in AccuKnox SaaS for associating scan results."
required: true

runs:
using: 'composite'
steps:
using: "composite"
steps:
- name: Validate Inputs
run: |
curl -o validate_inputs.py https://raw.githubusercontent.com/accuknox/container-scan-action/main/validate_inputs.py
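Review bot: `dockerfile_context`, `endpoint` and `tag` keep `required: true` even though each has a `default`, and the README in this PR documents them as Optional; set `required: false` on inputs that have defaults so the action metadata matches the docs. The rest of this hunk is a single-to-double quote change on every description and default; splitting that cosmetic reformatting from the `label` addition would make the functional change easier to review.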
@@ -49,43 +52,49 @@ runs:
TAG: ${{ inputs.tag }}
SEVERITY: ${{ inputs.severity }}
CODE: ${{ inputs.exit_code }}

- name: Docker Build
run: |
docker build -t ${{ inputs.repository_name }}:${{ inputs.tag }} -f ${{ inputs.DOCKERFILE_CONTEXT }} .
shell: bash

- name: Download Vulnerability Scanner
run: |
curl -sfL $url | sh -s -- -b /usr/local/bin > /dev/null
env:
env:
url: https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh
shell: bash

- name: Run AccuKnox Vulnerability Scanner
run: |
$Scan image --severity ${{ inputs.severity }} -f json ${{ inputs.repository_name }}:${{ inputs.tag }} -o results.json --quiet
env:
$Scan image --severity ${{ inputs.severity }} -f json ${{ inputs.repository_name }}:${{ inputs.tag }} -o results.json --quiet
env:
Scan: trivy
shell: bash
shell: bash

- name: Print AccuKnox Results
run: cat results.json
shell: bash

- name: Push report to CSPM panel
run: |
curl --location --request POST 'https://${{ inputs.endpoint }}/api/v1/artifact/?tenant_id=${{ inputs.tenant_id }}&data_type=TR&save_to_s3=false' --header 'Tenant-Id: ${{ inputs.tenant_id }}' --header 'Authorization: Bearer ${{ inputs.token }}' --form 'file=@"./results.json"'
response=$(curl --location --request POST 'https://${{ inputs.endpoint }}/api/v1/artifact/?tenant_id=${{ inputs.tenant_id }}&data_type=TR&label_id=${{ inputs.label }}&save_to_s3=false' \
--header 'Tenant-Id: ${{ inputs.tenant_id }}' \
--header 'Authorization: Bearer ${{ inputs.token }}' \
--form 'file=@"./results.json"')
echo "Response: $response"
if [[ "$response" != *"File received successfully"* ]]; then
echo "Error: Failed to push report to CSPM panel"
exit 1
fi
shell: bash

- name: Run AccuKnox Vulnerability Scanner with specific tags
run: |
$Scan image --exit-code ${{ inputs.exit_code }} --severity ${{ inputs.severity }} ${{ inputs.repository_name }}:${{ inputs.tag }} --quiet >/dev/null
env:
env:
Scan: trivy
shell: bash

shell: bash

branding:
icon: 'shield'
color: 'green'
icon: "shield"
color: "green"

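Review bot: the new failure check in "Push report to CSPM panel" keys on the substring `File received successfully` in the response body, so a non-2xx reply whose body happens to contain that text would pass and a harmless wording change on the server side would break every pipeline; capture the HTTP status with `-w '%{http_code}'` (or use `--fail-with-body`) and fail on any non-2xx code instead of, or in addition to, the substring match. Separately, `inputs.label`, `inputs.repository_name`, `inputs.tag` and `inputs.token` are expanded by `${{ }}` directly into the `run:` script, where a value containing a quote or shell metacharacter would alter the command; pass them through `env:` (as the steps already do for `url` and `Scan`) and reference them as `"$LABEL"` and so on so the shell treats them as data. The `curl -sfL $url | sh` installer also fetches from Trivy's `main` branch unpinned; pinning a Trivy release and verifying its checksum would make the scanner itself reproducible.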