add sysdig cli scanner (#55)

* add sysdig cli scanner * add repo refs
ideacrew · Sep 30, 2024 · 7b660b2 · 7b660b2
1 parent cda5cf8
commit 7b660b2
Showing 1 changed file with 46 additions and 0 deletions.
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -13,6 +13,9 @@ concurrency:
   group: docker-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"
+
 jobs:
   prep:
     runs-on: ubuntu-latest
@@ -92,6 +95,49 @@ jobs:
           # And: https://github.com/docker/buildx#--cache-tonametypetypekeyvalue
           cache-to: type=local,mode=max,dest=/tmp/.buildx-cache-new
 
+      - name: Setup cache
+        uses: actions/cache@v3
+        with:
+          path: cache
+          key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }}
+          restore-keys: ${{ runner.os }}-cache-
+
+      - name: Scan docker image
+        if: github.event_name != 'pull_request'
+        id: scan
+        uses: anchore/scan-action@main
+        with:
+          image: ghcr.io/${{ needs.prep.outputs.taggedImage }}
+          acs-report-enable: true
+          fail-build: false
+          severity-cutoff: critical
+
+      - name: Download sysdig-cli-scanner if needed and scan the image with sysdig scanner
+        env:
+          SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
+        run: |
+          curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt
+          mkdir -p "${GITHUB_WORKSPACE}/cache/db/"
+          if [ ! -f "${GITHUB_WORKSPACE}/cache/latest_version.txt" ] || [ "$(cat ./latest_version.txt)" != "$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)" ]; then
+            cp ./latest_version.txt "${GITHUB_WORKSPACE}/cache/latest_version.txt"
+            curl -sL -o "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner" "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
+            chmod +x "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner"
+          else
+            echo "Latest version of sysdig cli scanner is already downloaded"
+          fi
+          ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
+            --apiurl "${SYSDIG_SECURE_ENDPOINT}" \
+            ghcr.io/${{ needs.prep.outputs.taggedImage }} \
+            --console-log \
+            --dbpath="${GITHUB_WORKSPACE}/cache/db/" \
+            --cachepath="${GITHUB_WORKSPACE}/cache/scanner-cache/"
+
+      - name: Upload anchore scan SARIF report
+        if: github.event_name != 'pull_request'
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
       - name: Move cache
         run: |
           rm -rf /tmp/.buildx-cache