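# Action metadata for the Amazon Inspector vulnerability-scan action.
# Every input is forwarded to the container entrypoint as a separate
# argument under `runs.args` (the runner expands `${{ }}` expressions into
# the argv list directly; no shell is involved at this layer).
name: 'Vulnerability Scan GitHub Action for Amazon Inspector'
description: 'Generate SBOMs and scan for vulnerabilities in artifacts such as files, directories, containers, and more.'
branding:
  color: orange
  icon: cloud

inputs:
  artifact_type:
    description: 'The artifact you would like to scan with Amazon Inspector. Valid choices are "repository", "container", "binary", or "archive".'
    required: true
    default: 'repository'
  artifact_path:
    description: 'The file path to the artifact you would like to scan with Amazon Inspector. File paths are relative to the root project directory. If scanning a container image, you must provide a value that follows the docker pull convention: "NAME[:TAG|@DIGEST]", for example, "alpine:latest", or a path to an image exported as tarball using "docker save".'
    required: true
    default: './'
  display_vulnerability_findings:
    description: 'If set to "enabled", the action will display detailed vulnerability findings in the step summary page; see here for an example report: https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/actions/runs/8878213714'
    required: true
    default: "disabled"

  # Output locations. The run id is embedded so parallel jobs in one workflow
  # do not overwrite each other's reports.
  output_sbom_path:
    description: "The destination file path for the generated SBOM."
    required: false
    default: './sbom_${{ github.run_id }}.json'
  output_inspector_scan_path:
    description: "The destination file path for Inspector's vulnerability scan (JSON format)."
    required: false
    default: 'inspector_scan_${{ github.run_id }}.json'
  output_inspector_scan_path_csv:
    description: "The destination file path for Inspector's vulnerability scan (CSV format)."
    required: false
    default: 'inspector_scan_${{ github.run_id }}.csv'
  output_inspector_scan_path_markdown:
    description: "The destination file path for Inspector's vulnerability scan (markdown format)."
    required: false
    default: 'inspector_scan_${{ github.run_id }}.md'
  output_inspector_dockerfile_scan_path_csv:
    description: "The destination file path for Inspector's Dockerfile vulnerability scan (CSV format)."
    required: false
    default: 'inspector_dockerfile_scan_${{ github.run_id }}.csv'
  output_inspector_dockerfile_scan_path_markdown:
    description: "The destination file path for Inspector's Dockerfile vulnerability scan (markdown format)."
    required: false
    default: 'inspector_dockerfile_scan_${{ github.run_id }}.md'

  sbomgen_version:
    description: "The inspector-sbomgen version you wish to use for SBOM generation. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html"
    required: false
    # "latest" resolves to whichever inspector-sbomgen build is current when
    # the job runs; callers who need reproducible, auditable scan results
    # should pin an explicit version instead.
    default: "latest"

  # Finding-count thresholds. GitHub passes all inputs as strings; the
  # numeric defaults below are stringified before they reach the entrypoint.
  # NOTE(review): how a 0 threshold is interpreted is decided by the
  # entrypoint, not by this file — confirm against its implementation.
  critical_threshold:
    description: "Specifies the number of critical vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag."
    required: false
    default: 0
  high_threshold:
    description: "Specifies the number of high vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag."
    required: false
    default: 0
  medium_threshold:
    description: "Specifies the number of medium vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag."
    required: false
    default: 0
  low_threshold:
    description: "Specifies the number of low vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag."
    required: false
    default: 0
  other_threshold:
    description: "Specifies the number of other vulnerabilities needed to set the 'vulnerability_threshold_exceeded' flag."
    required: false
    default: 0

  # Scanner selection. NOTE(review): the default "''" is the two-character
  # string '' (two single quotes), not an empty string; it is passed verbatim
  # as e.g. `--scanners=''` in runs.args below — confirm the entrypoint
  # treats that literal as "unset".
  scanners:
    description: "Specifies the file scanners that you would like inspector-sbomgen to execute. By default, inspector-sbomgen will try to run all file scanners that are applicable to the target artifact. If this argument is set, inspector-sbomgen will only execute the specified file scanners. Provide your input as a single string. Separate each file scanner with a comma. To view a list of available file scanners, execute 'inspector-sbomgen list-scanners'. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html"
    required: false
    default: "''"
    # Example:
    # scanners: "dpkg,python-requirements,javascript-npm-packagelock"
  skip_scanners:
    description: "Specifies a list of file scanners that should NOT be executed; this argument cannot be combined with 'scanners'. If this argument is set, inspector-sbomgen will execute all file scanners except those you specified. Provide your input as a single string. Separate each file scanner with a comma. To view a list of available file scanners, execute 'inspector-sbomgen list-scanners'. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html"
    required: false
    default: "''"
    # Example:
    # skip_scanners: "binaries,alpine-apk,dpkg,php"
  skip_files:
    description: "Specifies one or more files and/or directories that should NOT be inventoried. Separate each file with a comma and enclose the entire string in double quotes."
    required: false
    default: "''"
    # Example:
    # skip_files: "./media,/tmp/foo/,/bar/my_program"

  timeout:
    description: "Specifies a timeout in seconds. If this timeout is exceeded, the action will gracefully conclude and present any findings discovered up to that point."
    required: false
    default: 600  # 10 minutes

  platform:
    description: "Specifies the OS and CPU arch of the container image you wish to scan. Valid inputs are of the form 'os/cpu/variant' for example, 'linux/amd64', 'linux/arm64/v8', etc. If no platform is specified, the system will use the same platform as the host that is performing the scan. This argument only affects container image scans. Requires inspector-sbomgen 1.5.1 or later."
    required: false
    # NOTE(review): this input has no default and is not forwarded in
    # runs.args below; the entrypoint would have to read it from the
    # INPUT_PLATFORM environment variable that GitHub sets for Docker
    # actions — confirm, or add the matching argument.

outputs:
  artifact_sbom:
    description: "The filepath to the artifact's software bill of materials."
  inspector_scan_results:
    description: "The file path to the Inspector vulnerability scan findings in JSON format."
  inspector_scan_results_csv:
    description: "The file path to the Inspector vulnerability scan findings in CSV format."
  inspector_scan_results_markdown:
    description: "The file path to the Inspector vulnerability scan findings in markdown format."
  # The two key names below contain a typo ("dockerile"); they are kept
  # unchanged because workflows reference outputs by this exact name.
  inspector_dockerile_scan_results_csv:
    description: "The file path to the Inspector Dockerfile vulnerability scan findings in CSV format."
  inspector_dockerile_scan_results_markdown:
    description: "The file path to the Inspector Dockerfile vulnerability scan findings in markdown format."
  vulnerability_threshold_exceeded:
    description: "This variable is set to 1 if any vulnerability threshold was exceeded, otherwise it is 0. This variable can be used to trigger custom logic, such as failing the job if vulnerabilities were detected."

runs:
  using: 'docker'
  # The image is built from this repository's Dockerfile at job time rather
  # than pulled from a registry.
  image: 'Dockerfile'
  # One list entry per argument to the container ENTRYPOINT. `--thresholds`
  # is a bare flag; the five severity arguments that follow it belong to it.
  args:
    - --artifact-type=${{ inputs.artifact_type }}
    - --artifact-path=${{ inputs.artifact_path }}
    - --display-vuln-findings=${{ inputs.display_vulnerability_findings }}
    - --out-sbom=${{ inputs.output_sbom_path }}
    - --out-scan=${{ inputs.output_inspector_scan_path }}
    - --out-scan-csv=${{ inputs.output_inspector_scan_path_csv }}
    - --out-scan-markdown=${{ inputs.output_inspector_scan_path_markdown }}
    - --out-dockerfile-scan-csv=${{ inputs.output_inspector_dockerfile_scan_path_csv }}
    - --out-dockerfile-scan-md=${{ inputs.output_inspector_dockerfile_scan_path_markdown }}
    - --sbomgen-version=${{ inputs.sbomgen_version }}
    - --thresholds
    - --critical=${{ inputs.critical_threshold }}
    - --high=${{ inputs.high_threshold }}
    - --medium=${{ inputs.medium_threshold }}
    - --low=${{ inputs.low_threshold }}
    - --other=${{ inputs.other_threshold }}
    - --scanners=${{ inputs.scanners }}
    - --skip-scanners=${{ inputs.skip_scanners }}
    - --skip-files=${{ inputs.skip_files }}
    - --timeout=${{ inputs.timeout }}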