Project author: anchore

Project description:
Anchore container analysis and scan provided as a GitHub Action
Primary language: JavaScript
Project URL: git://github.com/anchore/scan-action.git
Created: 2019-10-03T22:24:30Z
Project community: https://github.com/anchore/scan-action

License: MIT License


GitHub Action for Vulnerability Scanning

:zap: Find threats in files or containers at lightning speed :zap:

This is a GitHub Action that invokes the Grype scanner, returns the vulnerabilities found, and can optionally fail the build when a vulnerability at or above a configurable severity level is present.

Use it in your workflows to quickly verify the contents of files or container images after a build and before pushing, merging PRs, or deploying updates.

The action invokes the grype command-line tool, with these benefits:

  • Runs locally, without sending data outbound - no credentials required!
  • Speedy scan operations
  • Scans both paths and container images
  • Easy failure evaluation depending on vulnerability severity

The example workflows below show how to scan both container images and directories.

By default, a scan produces detailed output on operating-system packages such as RPMs and DEBs, as well as on language-specific packages. These are some of the supported distributions, packages and libraries:

Supported Linux Distributions:

  • Alpine
  • BusyBox
  • CentOS and RedHat
  • Debian and Debian-based distros like Ubuntu

Supported packages and libraries:

  • Ruby Bundles
  • Python Wheel, Egg, requirements.txt
  • JavaScript NPM/Yarn
  • Java JAR/EAR/WAR, Jenkins plugins JPI/HPI
  • Go modules

Container scanning

The simplest workflow for scanning a localbuild/testimage container:

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v2
    - name: build local container
      uses: docker/build-push-action@v4
      with:
        tags: localbuild/testimage:latest
        push: false
        load: true
    - name: Scan image
      uses: anchore/scan-action@v6
      with:
        image: "localbuild/testimage:latest"

Directory scanning

To scan a directory, add the following step:

    - name: Scan current project
      uses: anchore/scan-action@v6
      with:
        path: "."

The path key accepts any valid path within the checked-out project; the root of the path ("." in this example) is the repository root.

Scanning an SBOM file

Use the sbom key to scan an SBOM file:

    - name: Create SBOM
      uses: anchore/sbom-action@v0
      with:
        format: spdx-json
        output-file: "${{ github.event.repository.name }}-sbom.spdx.json"
    - name: Scan SBOM
      uses: anchore/scan-action@v6
      with:
        sbom: "${{ github.event.repository.name }}-sbom.spdx.json"

Failing a build on vulnerability severity

By default, the build fails if any vulnerability of medium or higher severity is found. To fail at a different threshold, set the severity-cutoff field to one of negligible, low, high, or critical:

With a different severity level:

    - name: Scan image
      uses: anchore/scan-action@v6
      with:
        image: "localbuild/testimage:latest"
        fail-build: true
        severity-cutoff: critical

Optionally, set the fail-build field to false so the step never fails regardless of severity; the report is still produced and exposed in the action outputs:

    - name: Scan image
      uses: anchore/scan-action@v6
      with:
        image: "localbuild/testimage:latest"
        fail-build: false

Action Inputs

Exactly one of the inputs image, path, or sbom must be set to specify the source to scan; all other keys are optional. These are all the available keys to configure this action, along with their defaults:

| Input name | Description | Default value |
|---|---|---|
| image | The image to scan | N/A |
| path | The file path to scan | N/A |
| sbom | The SBOM to scan | N/A |
| registry-username | The registry username to use when authenticating to an external registry | |
| registry-password | The registry password to use when authenticating to an external registry | |
| fail-build | Fail the build if a vulnerability is found with severity at or above the cutoff. The cutoff defaults to medium and can be set with severity-cutoff. | true |
| output-format | Set the output parameter after successful action execution. Valid choices are json, sarif, cyclonedx-xml, cyclonedx-json, and table; table output is also displayed in the logs. | sarif |
| output-file | File to write the Grype scan results to. Defaults to a file in the system temp directory; the path is exposed in the action outputs. | |
| severity-cutoff | Optionally specify the minimum vulnerability severity that triggers a failure. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity below this value produces a "warning" result instead of a failure. | medium |
| only-fixed | Specify whether to only report vulnerabilities that have a fix available. | false |
| add-cpes-if-none | Specify whether to autogenerate missing CPEs. | false |
| by-cve | Specify whether to orient results by CVE rather than GHSA. | false |
| vex | Specify a list of VEX documents to consider when producing scanning results. | false |
| cache-db | Cache the Grype DB in the GitHub Actions cache and restore it before checking for updates. | false |
| grype-version | An optional Grype version to download; defaults to the version pinned in GrypeVersion.js. | |

Action Outputs

| Output name | Description | Type |
|---|---|---|
| sarif | Path to the SARIF report file, if output-format is sarif | string |
| json | Path to the JSON report file, if output-format is json | string |
| cyclonedx-xml | Path to the CycloneDX XML report file, if output-format is cyclonedx-xml | string |
| cyclonedx-json | Path to the CycloneDX JSON report file, if output-format is cyclonedx-json | string |

Example Workflows

Assuming your repository has a Dockerfile in the root directory:

    name: Container Image CI
    on: [push]
    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
          - name: Build the container image
            run: docker build . --file Dockerfile --tag localbuild/testimage:latest
          - uses: anchore/scan-action@v6
            with:
              image: "localbuild/testimage:latest"
              fail-build: true

The same example as above, but with SARIF output. Since sarif is the default output-format, the action generates a SARIF report, which can be uploaded and then displayed as a Code Scanning report in the GitHub UI.

:bulb: Code Scanning is a GitHub service that is currently in Beta. Follow GitHub's instructions on how to enable this service for your project.

    name: Container Image CI
    on: [push]
    jobs:
      build:
        runs-on: ubuntu-latest
        # Permissions key is required for CodeQL SARIF Upload, per the docs:
        # https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
        permissions:
          security-events: write
        steps:
          - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
          - name: Build the Container image
            run: docker build . --file Dockerfile --tag localbuild/testimage:latest
          - uses: anchore/scan-action@v6
            id: scan
            with:
              image: "localbuild/testimage:latest"
          - name: upload Anchore scan SARIF report
            uses: github/codeql-action/upload-sarif@v3
            with:
              sarif_file: ${{ steps.scan.outputs.sarif }}

Optionally, you can add a step to inspect the SARIF report produced:

    - name: Inspect action SARIF report
      run: cat ${{ steps.scan.outputs.sarif }}
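The workflow below combines the severity-gating section and the SARIF example above into one job that separates reporting from enforcement. It is an added example, not a workflow shipped with the scan-action repository. It assumes a Dockerfile at the repository root and uses only inputs listed in the inputs table: the first scan never fails the build (fail-build: false) so the SARIF report is always produced and uploaded, and a second scan of the same image acts as the gate, failing only on fixable high or critical findings and printing them in table form in the job log. The image name localbuild/testimage:latest is the placeholder the page already uses; cache-db: true avoids re-downloading the Grype DB between the two scans.

```yaml
name: Container Image CI (report and gate)
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # needed by the SARIF upload step

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build the container image
        run: docker build . --file Dockerfile --tag localbuild/testimage:latest

      # Report-only scan: never fails, always yields a SARIF file for Code Scanning.
      - name: Scan image (report)
        id: scan
        uses: anchore/scan-action@v6
        with:
          image: "localbuild/testimage:latest"
          fail-build: false
          output-format: sarif
          cache-db: true

      - name: Upload SARIF report to Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

      # Gate: same image, but fail on high/critical findings that already have a fix.
      # table output is also written to the job log, so the failing findings are
      # visible without opening the Code Scanning tab.
      - name: Scan image (gate)
        uses: anchore/scan-action@v6
        with:
          image: "localbuild/testimage:latest"
          fail-build: true
          severity-cutoff: high
          only-fixed: true
          output-format: table
          cache-db: true
```

Running the gate as a second step means the report upload is never skipped by a failing scan; the second scan is cheap because the image is already built and the DB is restored from the cache. Drop only-fixed: true if you want unfixed high/critical findings to block as well, at the cost of builds that cannot turn green until upstream ships a fix.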

Additional configuration

You may add a .grype.yaml file at your repository root for more Grype configuration, such as ignoring certain matches.
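As an added example of such a file (not one from the scan-action repository), the .grype.yaml below excludes paths that are not part of the shipped artifact and defines two ignore rules using Grype's own ignore syntax. The advisory ID, package name and version in the second rule are placeholders, not real identifiers.

```yaml
# .grype.yaml at the repository root; Grype reads it automatically when the action runs.

# Paths to leave out of directory scans (test fixtures, vendored docs, ...).
exclude:
  - "./tests/**"
  - "./docs/**"

# Ignore rules: a match is suppressed only if every field of a rule applies to it.
ignore:
  # Suppress matches that have no fix available yet. This has the same effect as
  # the only-fixed action input, but lives with the repository instead of the workflow.
  - fix-state: not-fixed

  # An explicitly accepted risk. Pin the rule to both the advisory and the exact
  # package so it stops matching as soon as the package is upgraded.
  # GHSA-xxxx-xxxx-xxxx, example-lib and 1.2.3 are placeholders.
  - vulnerability: GHSA-xxxx-xxxx-xxxx
    package:
      name: example-lib
      version: 1.2.3
      type: npm
```

Ignored matches are dropped from the report the action produces, so a broad rule such as the fix-state one silently hides findings; keep such rules narrow and review them when the base image or dependencies change. For suppressions that should travel with the artifact rather than the repository, the vex input is the alternative.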

anchore/scan-action/download-grype

A sub-action to download Grype and optionally cache the Grype DB.

Input parameters:

| Parameter | Description | Default |
|---|---|---|
| grype-version | An optional Grype version to download; defaults to the version pinned in GrypeVersion.js. | |
| cache-db | Cache the Grype DB in the GitHub Actions cache and restore it before checking for updates. | false |

Output parameters:

| Parameter | Description |
|---|---|
| cmd | A reference to the Grype binary. |

cmd can be referenced in a workflow like other output parameters: ${{ steps.<step-id>.outputs.cmd }}

Example usage:

    - uses: anchore/scan-action/download-grype@v3
      id: grype
    - run: ${{steps.grype.outputs.cmd}} dir:.
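When you need options the action does not expose as inputs, the sub-action gives you the bare binary to drive yourself. The job below is an added example (not from the scan-action repository): it caches the DB, scans the source tree for display only, then scans a locally built image with Grype's own --only-fixed, --fail-on and -o flags and keeps the JSON report as a build artifact even when the gate fails. The docker: source prefix and the flags are Grype CLI features, not action inputs; localbuild/testimage:latest is the placeholder image name used on this page.

```yaml
jobs:
  grype-direct:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: anchore/scan-action/download-grype@v3
        id: grype
        with:
          cache-db: true   # restore the vulnerability DB from the Actions cache

      - name: Build image
        run: docker build . --tag localbuild/testimage:latest

      # Source tree: report only, human-readable table in the job log.
      - name: Scan the source tree
        run: ${{ steps.grype.outputs.cmd }} -o table dir:.

      # Image: machine-readable report, non-zero exit on fixable high/critical findings.
      # The JSON file is written before grype exits, so it survives a failed gate.
      - name: Scan the image and gate on fixable high/critical findings
        run: >
          ${{ steps.grype.outputs.cmd }} --only-fixed --fail-on high -o json
          docker:localbuild/testimage:latest > grype-image.json

      - name: Keep the JSON report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: grype-image-report
          path: grype-image.json
```

Because the binary is invoked directly, the .grype.yaml at the repository root still applies, but none of the action's inputs (severity-cutoff, fail-build, output-format) do; their equivalents are the CLI flags shown.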

Contributing

We love contributions, feedback, and bug reports. For issues with the invocation of this action, file issues in this repository.

For contributing, see Contributing.

More Information

For documentation on Grype itself, including other output capabilities, see the grype project.

Connect with the community directly on Discourse.

Diagnostics

This action makes extensive use of GitHub Actions debug logging, which can be enabled by setting a secret named ACTIONS_STEP_DEBUG to true in your repository.