Skip to content
Build and Scan artifact with Amazon Inspector

Add files via upload #40

Sign in to view logs

Add files via upload

Add files via upload #40

Workflow file for this run

.github/workflows/build_and_scan_image.yml at c8b8d23
name: Build and Scan artifact with Amazon Inspector
on: [push]
jobs:
daily_job:
runs-on: ubuntu-latest
# Configura los permisos para habilitar la autenticación con OIDC
permissions:
id-token: write
contents: read
steps:
# Clean up AWS credentials cache if any
- name: Clean up old AWS credentials
run: |
rm -rf ~/.aws
# modify this block based on how you authenticate to AWS
# make sure you have permission to access the Inspector ScanSbom API
# https://docs.aws.amazon.com/inspector/latest/user/configure-cicd-account.html#cicd-iam-role
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: "us-east-1"
role-to-assume: "arn:aws:iam::066849108148:role/InspectorRoleForGithub"
# Check out your repository if needed
- name: Checkout this repository
uses: actions/checkout@v4
# modify this block to scan your intended artifact
- name: Inspector Scan
id: inspector
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
with:
# change artifact_type to either 'repository', 'container', 'binary', or 'archive'.
artifact_type: 'repository'
# change artifact_path to the file path or container image you would like to scan.
# File paths should be relative to your root project directory.
# For containers, this action accepts 'docker pull'-style references to containers,
# such as 'alpine:latest' or a file path to an image exported as TAR using docker save.
artifact_path: './'
# If enabled, this setting will display Inspector's vulnerability scan findings
# as a GitHub actions step summary. See here for an example step summary:
# https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/actions/runs/8800085041
display_vulnerability_findings: "enabled"
# Set vulnerability thresholds; if the number of vulnerabilities is
# equal to or greater than any of the specified thresholds, this
# action will set the 'vulnerability_threshold_exceeded'
# output flag to 1.
critical_threshold: 1
high_threshold: 1
medium_threshold: 1
low_threshold: 1
other_threshold: 1
# Additional input arguments are available to control scan behavior.
# See 'action.yml' for additional input/output options.
# The following steps illustrate how to
# display scan results in the GitHub Actions job terminal.
- name: Display CycloneDX SBOM (JSON)
run: cat ${{ steps.inspector.outputs.artifact_sbom }}
- name: Display Inspector vulnerability scan results (JSON)
run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
- name: Display Inspector vulnerability scan results (CSV)
run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}
- name: Display Inspector vulnerability scan results (Markdown)
run: cat ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
# The following steps illustrate how to
# upload scan results as a GitHub actions job artifact
- name: Upload Scan Results
uses: actions/upload-artifact@v4
with:
name: Inspector Vulnerability Scan Artifacts
path: |
${{ steps.inspector.outputs.inspector_scan_results }}
${{ steps.inspector.outputs.inspector_scan_results_csv }}
${{ steps.inspector.outputs.artifact_sbom }}
${{ steps.inspector.outputs.inspector_scan_results_markdown }}
# This step illustrates how to add custom logic if
# the vulnerability threshold is exceeded. This example
# simply prints the 'vulnerability_threshold_exceeded' value
# to the GitHub actions job terminal.
# Replace 'echo' with 'exit' if you want to fail the job.
- name: On vulnerability threshold exceeded
run: echo ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}