v1.4.0

.github/workflows/build_scan_container.yml

@@ -12,6 +12,11 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+  actions: write  # For uploading artifacts
+
 jobs:
   build:
     name: Build docker image
@@ -47,7 +52,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan built image with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         id: inspector
         with:
           artifact_type: 'container'

.github/workflows/example_display_findings.yml

@@ -8,6 +8,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -29,7 +33,7 @@ jobs:
       # modify this block to scan your intended artifact
       - name: Inspector Scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           # change artifact_type to either 'repository', 'container', 'binary', or 'archive'.
           # this example scans a container image

.github/workflows/example_vulnerability_threshold_exceeded.yml

@@ -48,7 +48,7 @@ jobs:
 
       # Inspector scan
       - name: Scan container with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         id: inspector
         with:
           artifact_type: 'container' # configure Inspector for scanning a container

.github/workflows/run_unit_tests.yml

@@ -7,6 +7,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/scan_repo_with_semgrep.yml

@@ -2,6 +2,9 @@ name: Semgrep Scan
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   semgrep:
     runs-on: ubuntu-latest

.github/workflows/test_archive.yml

@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -32,7 +36,7 @@ jobs:
 
       - name: Test archive scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'archive'
           artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip'

.github/workflows/test_binary.yml

@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -32,7 +36,7 @@ jobs:
 
       - name: Test binary scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'binary'
           artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen'

.github/workflows/test_containers.yml

@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -32,7 +36,7 @@ jobs:
 
       - name: Test container scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'container'
           artifact_path: 'ubuntu:14.04'

.github/workflows/test_dockerfile_vulns.yml

@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -31,7 +35,7 @@ jobs:
 
       - name: Scan Dockerfiles
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'repository'
           artifact_path: './'

.github/workflows/test_installation.yml

@@ -11,6 +11,10 @@ on:
     branches:
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -28,7 +32,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Test Amazon Inspector GitHub Actions plugin
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@1.x
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'container'
           artifact_path: 'alpine:latest'

.github/workflows/test_no_vulns.yml

@@ -7,6 +7,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -28,7 +32,7 @@ jobs:
 
       - name: Test binary scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'binary'
           artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary'

.github/workflows/test_reports_no_vulns.yml

@@ -5,6 +5,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -26,7 +30,7 @@ jobs:
 
       - name: Test container scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'container'
           artifact_path: 'alpine:latest'

.github/workflows/test_repository.yml

@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -31,7 +35,7 @@ jobs:
 
       - name: Test repository scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'repository'
           artifact_path: './'

.github/workflows/test_vuln_thresholds.yml

@@ -10,6 +10,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   build:
     name: Build docker image
@@ -30,7 +34,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan artifact with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         id: inspector
         with:
           artifact_type: 'archive'

Dockerfile

@@ -1,11 +1,7 @@
-FROM public.ecr.aws/amazonlinux/amazonlinux:latest
-
-RUN dnf install python3 aws-cli -y
+FROM public.ecr.aws/aws-cli/aws-cli:latest
 
-COPY ./entrypoint . 
+WORKDIR /
+COPY ./entrypoint .
 RUN chmod 0500 /main.py
 
 ENTRYPOINT ["/main.py"]
-
-# note: don't set a WORKDIR in this image, it conflicts with github actions:
-# https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#workdir