Test Dockerfile Vulnerabilities #669

Summary
Jobs
- daily_job
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/test_dockerfile_vulns.yml at d771038

	name: Test Dockerfile Vulnerabilities

	# This workflow tests that the action can successfully
	# scan a GitHub repository. This workflow runs automatically
	# every 6 hours, and on pushes.

	on:
	schedule:
	- cron: '0 /6 * *' # runs every 6 hours
	push:
	branches: #
	- '*'

	jobs:
	daily_job:
	runs-on: ubuntu-latest
	environment:
	name: plugin-development

	steps:
	- name: Checkout this repository
	uses: actions/checkout@v4

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	aws-region: ${{ secrets.AWS_REGION }}
	aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	role-to-assume: ${{ secrets.AWS_IAM_ROLE }}

	- name: Scan Dockerfiles
	id: inspector
	uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
	with:
	artifact_type: 'repository'
	artifact_path: './'
	display_vulnerability_findings: "enabled"
	sbomgen_version: "latest"

	- name: Display scan results (JSON)
	run: cat ${{ steps.inspector.outputs.inspector_scan_results }}

	- name: Display package vulns (CSV)
	run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}

	- name: Display package vulns (MD)
	run: cat ${{ steps.inspector.outputs.inspector_scan_results_markdown }}

	- name: Display Dockerfile vulns (CSV)
	run: cat ${{ steps.inspector.outputs.inspector_dockerfile_scan_results_csv }}

	- name: Display Dockerfile vulns (MD)
	run: cat ${{ steps.inspector.outputs.inspector_dockerfile_scan_results_markdown }}

	- name: Validate scan content
	run: python3 validator/validate_inspector_scan.py --file ${{ steps.inspector.outputs.inspector_scan_results }}

	- name: Demonstrate Upload Scan Results
	uses: actions/upload-artifact@v4
	with:
	name: Inspector Scan SBOM Results
	path: \|
	${{ steps.inspector.outputs.artifact_sbom }}
	${{ steps.inspector.outputs.inspector_scan_results }}
	${{ steps.inspector.outputs.inspector_scan_results_csv }}
	${{ steps.inspector.outputs.inspector_scan_results_markdown }}
	${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}
	${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}


	# only run if the previous step failed
	- name: Notify maintainers of validation failure
	if: ${{ failure() }}
	run: echo "this feature is not implemented"
	# TODO: add steps to send notification to a Lambda to cut a ticket on job failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Test Dockerfile Vulnerabilities #669

Workflow file

Test Dockerfile Vulnerabilities #669

Jobs

Run details

Workflow file for this run