-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Switch to ksoc docker image with grype
Signed-off-by: Pawel Kowalak <[email protected]>
- Loading branch information
1 parent
138e07e
commit d2033c7
Showing
4 changed files
with
18 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
FROM us.gcr.io/ksoc-public/image-scan:0.0.2 | ||
|
||
COPY entrypoint.sh /entrypoint.sh | ||
|
||
ENTRYPOINT ["/entrypoint.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -27,14 +27,15 @@ jobs: | |
push: false | ||
load: true | ||
- name: KSOC Image Scan | ||
uses: ksoclabs/[email protected].1 | ||
uses: ksoclabs/[email protected].2 | ||
with: | ||
image: "localbuild/testimage:latest" | ||
fail_on_severity: "medium" | ||
``` | ||
Above example shows how to build a local image and scan it for CVEs. By default, it will fail if CVEs with severity `high` or `critical` are found. This can be changed by setting the `fail_on_severity` input to a different severity level. | ||
Above example shows how to build a local image and scan it for CVEs. It will fail the workflow if any CVE with `medium` severity is found. If `fail_on_severity` input is not provided, the action won't fail. | ||
|
||
## Inputs | ||
|
||
- `image`: The image to scan. This is a required input. | ||
- `fail_on_severity`: The severity level that will cause the action to fail. If not provided, the action will fail if `high` or `critical` severity CVEs are found. | ||
- `fail_on_severity`: The severity level that will cause the action to fail. If not provided, the action doesn't fail. Possible values are `negligible`, `low`, `medium`, `high` and `critical`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
#!/bin/sh -l | ||
|
||
[ -z ${FAIL_ON_SEVERITY} ] || PARAM_FAIL_ON_SEVERITY="-f ${FAIL_ON_SEVERITY}" | ||
|
||
/grype ${PARAM_FAIL_ON_SEVERITY} ${IMAGE} |