Valdate vulnerability threshold

build-failure · Mar 1, 2024 · 6d98b93 · 6d98b93
1 parent ea460e5
commit 6d98b93
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/.github/workflows/amazon-inspector-image-scan.yml b/.github/workflows/amazon-inspector-image-scan.yml
@@ -34,9 +34,10 @@ jobs:
         ports:
           - 5000:5000
     env:
-      inspector_sbomgen_output_path: "${{ github.workspace }}/results.json"
+      inspector_sbomgen_output_path: "${{ github.workspace }}/container-sbom.json"
       inspector_scan_endpoint: "${{ inputs.amazon-inspector-scan-endpoint }}"
       inspector_scan_region: "${{ inputs.amazon-inspector-scan-region }}"
+      inspector_vulnerability_report_path: "${{ github.workspace }}/vulnerability-report.json"
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -47,7 +48,6 @@ jobs:
           push: false
           tags: ${{ inputs.docker-image-name }}:latest
       - name: Setup Amazon Inspector SBOM Generator
-        id: setup-sbomgen
         uses: build-failure/setup-inspector-sbomgen@v1
       - name: Scan Local Image
         run: "$inspector_sbomgen container --image ${{ inputs.docker-image-name }}:latest -o $inspector_sbomgen_output_path"
@@ -61,11 +61,14 @@ jobs:
       - id: scan_sbom
         name: Retrieve Vulnerability Report
         run: >
-          echo "report=$(
           aws inspector-scan scan-sbom
           --sbom file://"$inspector_sbomgen_output_path"
           --endpoint "$inspector_scan_endpoint"
           --region "$inspector_scan_region"
-          )" >> $GITHUB_OUTPUT
-      - name: Display report
-        run: echo ${{ steps.scan_sbom.outputs.report }}
+          )" >> $inspector_vulnerability_report_path
+      - name: vulnerability-threshold
+        uses: build-failure/vulnerability-threshold@v1
+        with:
+          report-path: ${{ env.$inspector_vulnerability_report_path }}
+          format: AmazonInspector
+          threshold: critical