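# https://help.github.com/en/articles/metadata-syntax-for-github-actions
#
# Action metadata for the Docker Scout GitHub Action. Every `inputs.*` entry
# below is exposed to index.js as an INPUT_* environment variable; all input
# values (including defaults) reach the action as strings, so defaults are
# written as quoted strings rather than YAML booleans to avoid implicit typing.
name: Docker Scout
description: List vulnerabilities in images; find better base images and upload an image SBOM to Docker Scout
author: Docker
inputs:
  command:
    required: true
    description: |
      Command(s) to run.
      Use a comma separated list to run several commands on the same set of parameters, for instance quickview,compare
  debug:
    required: false
    description: Debug
  verbose-debug:
    required: false
    description: Print more verbose debug messages
  summary:
    required: false
    description: Publish the output as GitHub Action summary
    # Quoted: GitHub passes input defaults as strings; avoids YAML boolean typing.
    default: 'true'
  organization:
    required: false
    description: Namespace of the Docker organization
  image:
    required: false
    description: Image to analyze
  platform:
    required: false
    description: Platform of the image to analyze
  ref:
    required: false
    description: Ref if needed
  # compare flags
  to:
    required: false
    description: Image to compare to
  to-ref:
    required: false
    description: Ref of image to compare
  to-stream:
    required: false
    description: Compare to image in stream
    deprecationMessage: Use to-env instead
  to-env:
    required: false
    description: Compare to image in environment
  to-latest:
    required: false
    description: Compare to latest pushed image
  # stream/environment flags
  stream:
    required: false
    description: Name of the stream to record the image
    deprecationMessage: Use environment instead
  environment:
    required: false
    description: Name of the environment to record the image
  # policy flags
  hide-policies:
    required: false
    description: Hide policies from the output altogether
  # filter flags
  ignore-base:
    required: false
    description: Ignore vulnerabilities from base image
  ignore-unchanged:
    required: false
    description: Filter out unchanged packages
  ignore-vex:
    required: false
    description: Filter out CVEs that are marked not affected by a VEX statement
  only-fixed:
    required: false
    description: Filter to fixable CVEs
  only-unfixed:
    required: false
    description: Filter to unfixed CVEs
  only-severities:
    required: false
    description: Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
  only-package-types:
    required: false
    description: Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
  # Neither exit-code nor exit-on has a default here: unless a workflow sets
  # one, the step succeeds regardless of what the scan finds. Set exit-code
  # (or exit-on for compare) when the scan is meant to gate a pipeline.
  exit-code:
    required: false
    description: Fail the action step if vulnerability changes are detected
  exit-on:
    required: false
    description: "(compare only) Comma separated list of conditions to fail the action step if worsened, options are: vulnerability, policy"
  sarif-file:
    required: false
    description: Write output to a SARIF file for further processing or upload into GitHub code scanning
  # Credentials: supply these from `${{ secrets.* }}`, never as literals in
  # the workflow file. Prefer a scoped PAT over an account password.
  dockerhub-user:
    required: false
    description: Docker Hub User
  dockerhub-password:
    required: false
    description: Docker Hub PAT
  # credentials needed to pull private images
  registry-user:
    description: Registry user to pull images
    required: false
  registry-password:
    description: Registry password to pull images
    required: false
  # comments
  github-token:
    description: GitHub Token to write comments
    # Defaults to the workflow's automatic token. Writing PR comments needs
    # `pull-requests: write` on that token; grant only what the job uses.
    default: '${{ github.token }}'
    required: false
  write-comment:
    description: Write the output as a Pull Request comment
    required: false
    # Quoted for the same reason as `summary.default` above.
    default: 'true'
  keep-previous-comments:
    description: If set, keep but hide previous comment. If not set, keep and update one single comment per job
    required: false
runs:
  # NOTE(review): GitHub has deprecated the node16 action runtime; confirm
  # index.js runs under node20 before bumping this value.
  using: node16
  main: index.js
branding:
  icon: shield
  color: gray-dark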