From 38bef587916744818bbdf4176c119c2b79bc0b4b Mon Sep 17 00:00:00 2001 From: bluesentinelsec Date: Mon, 22 Sep 2025 10:21:11 -0400 Subject: [PATCH 01/15] added multi-arch image workflow --- .github/workflows/test_multi_arch_images.yml | 53 ++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/workflows/test_multi_arch_images.yml diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml new file mode 100644 index 0000000..8ed2d88 --- /dev/null +++ b/.github/workflows/test_multi_arch_images.yml @@ -0,0 +1,53 @@ +name: Test Multi-arch images + +on: + schedule: + - cron: '0 */6 * * *' # runs every 6 hours + push: + branches: # + - '*' + +permissions: + contents: read + id-token: write + +jobs: + daily_job: + runs-on: ubuntu-latest + environment: + name: plugin-development + + steps: + + - name: Checkout this repository + uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + + - name: Test multi-arch image + id: inspector + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + with: + artifact_type: 'container' + artifact_path: 'debian:trixie' + platform: "linux/arm/v5" + display_vulnerability_findings: "enabled" + sbomgen_version: "latest" + + - name: Display scan results + run: cat ${{ steps.inspector.outputs.inspector_scan_results }} + + - name: Validate scan content + run: python3 validator/validate_inspector_scan.py --file ${{ steps.inspector.outputs.inspector_scan_results }} + + # only run if the previous step failed + - name: Notify maintainers of validation failure + if: ${{ failure() }} + run: echo "this feature is not implemented" + 
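Review bot: The "Configure AWS credentials" step passes both long-lived static keys (`aws-access-key-id`/`aws-secret-access-key`) and `role-to-assume`, while the job already grants `id-token: write`; with that permission the action can assume the role over OIDC, so the static keys are an unnecessary long-lived secret kept in the repository. Dropping the two key inputs and keeping `aws-region` plus `role-to-assume: ${{ secrets.AWS_IAM_ROLE }}` would leave the job on short-lived credentials only, assuming the role's trust policy admits the GitHub OIDC provider. Because the `push` trigger uses `branches: - '*'`, every branch push obtains these credentials, so the `plugin-development` environment's protection rules are what bound that; worth confirming they are configured. `sbomgen_version: "latest"` likewise floats the generator version across scheduled runs, so a regression will not show whether the action or the generator changed. The same credential block and `latest` pin appear in the tarball workflow added in patch 08.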
From 8af1823ec2072c75f64c671ec581137757981d0f Mon Sep 17 00:00:00 2001 From: bluesentinelsec Date: Mon, 22 Sep 2025 10:24:04 -0400 Subject: [PATCH 02/15] disable scan validator --- .github/workflows/test_multi_arch_images.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml index 8ed2d88..37980b1 100644 --- a/.github/workflows/test_multi_arch_images.yml +++ b/.github/workflows/test_multi_arch_images.yml @@ -43,8 +43,8 @@ jobs: - name: Display scan results run: cat ${{ steps.inspector.outputs.inspector_scan_results }} - - name: Validate scan content - run: python3 validator/validate_inspector_scan.py --file ${{ steps.inspector.outputs.inspector_scan_results }} + #- name: Validate scan content + # run: python3 validator/validate_inspector_scan.py --file ${{ steps.inspector.outputs.inspector_scan_results }} # only run if the previous step failed - name: Notify maintainers of validation failure From 912bfff716df89d0f17f6ce2ca986517e0d305c5 Mon Sep 17 00:00:00 2001 From: bluesentinelsec Date: Mon, 22 Sep 2025 10:34:55 -0400 Subject: [PATCH 03/15] debugging multi arch CICD --- .github/workflows/test_multi_arch_images.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml index 37980b1..df0b7ec 100644 --- a/.github/workflows/test_multi_arch_images.yml +++ b/.github/workflows/test_multi_arch_images.yml @@ -40,6 +40,9 @@ jobs: display_vulnerability_findings: "enabled" sbomgen_version: "latest" + - name: Demonstrate SBOM Output (JSON) + run: cat ${{ steps.inspector.outputs.artifact_sbom }} + - name: Display scan results run: cat ${{ steps.inspector.outputs.inspector_scan_results }} From d0d77dc7c3662c3aa58cf28bf03564a369eb4a64 Mon Sep 17 00:00:00 2001 
From: bluesentinelsec Date: Mon, 22 Sep 2025 11:19:07 -0400 Subject: [PATCH 04/15] added 'platform' argument to action.yml --- action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/action.yml b/action.yml index cc9a20f..af79fd8 100644 --- a/action.yml +++ b/action.yml @@ -162,6 +162,7 @@ runs: - --thresholds - ${{ inputs.threshold_fixable_only == 'true' && '--threshold-fixable-only' || '--no-op' }} - ${{ inputs.show_only_fixable_vulns == 'true' && '--show-only-fixable-vulns'|| '--no-op' }} + - --platform=${{ inputs.platform || '' }} - --critical=${{ inputs.critical_threshold }} - --high=${{ inputs.high_threshold }} - --medium=${{ inputs.medium_threshold }} From 736a9f4b57afd2136db1dc4aa3363f5b650b8bc0 Mon Sep 17 00:00:00 2001 From: bluesentinelsec Date: Mon, 22 Sep 2025 11:22:03 -0400 Subject: [PATCH 05/15] set action version to investigation branch --- .github/workflows/test_multi_arch_images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml index df0b7ec..ce2b837 100644 --- a/.github/workflows/test_multi_arch_images.yml +++ b/.github/workflows/test_multi_arch_images.yml @@ -32,7 +32,7 @@ jobs: - name: Test multi-arch image id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch with: artifact_type: 'container' artifact_path: 'debian:trixie' From 136e9a8e634edf74bfb424ee625423fca6de0a4c Mon Sep 17 00:00:00 2001 From: bluesentinelsec Date: Mon, 22 Sep 2025 11:26:21 -0400 Subject: [PATCH 06/15] test amd64 images --- .github/workflows/test_multi_arch_images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml index ce2b837..71827b4 100644 --- a/.github/workflows/test_multi_arch_images.yml 
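Review bot: The new `- --platform=${{ inputs.platform || '' }}` line hands the entrypoint a bare `--platform=` with an empty value whenever the input is unset, whereas the neighbouring optional flags fall back to `'--no-op'` so the entrypoint never receives an empty argument. Unless the entrypoint is known to treat an empty `--platform=` as "not specified", `- ${{ inputs.platform != '' && format('--platform={0}', inputs.platform) || '--no-op' }}` keeps this consistent with the existing pattern. This hunk only appends to `runs.args`; if `platform` is not also declared under `inputs:` (outside the hunk), the expression silently evaluates to empty and callers that pass it get at most a warning. The `runs:` block continues outside the hunk.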
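Review bot: `uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch` pins the test job to a mutable branch name, so what the workflow exercises can change underneath it, the job stops resolving once the branch is merged or deleted, and it is not the code under review in this repository. Since the workflow already checks out the repository and `action.yml` lives at its root (patch 04 edits `a/action.yml`), `uses: ./` would run the checked-out action at the commit being tested, which is what a regression test for the `platform` argument should cover. Patch 13 applies the same branch ref to twelve other workflows and patch 14 reverts them, but this workflow keeps the branch ref through the rest of the series.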
+++ b/.github/workflows/test_multi_arch_images.yml @@ -36,7 +36,7 @@ jobs: with: artifact_type: 'container' artifact_path: 'debian:trixie' - platform: "linux/arm/v5" + platform: "linux/amd64" display_vulnerability_findings: "enabled" sbomgen_version: "latest" From 84a8ccc0c771782645ec7a9af43dbc75981949ab Mon Sep 17 00:00:00 2001 From: bluesentinelsec Date: Mon, 22 Sep 2025 14:09:56 -0400 Subject: [PATCH 07/15] test multi-arch matrix --- .github/workflows/test_multi_arch_images.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml index 71827b4..56be0b2 100644 --- a/.github/workflows/test_multi_arch_images.yml +++ b/.github/workflows/test_multi_arch_images.yml @@ -12,10 +12,21 @@ permissions: id-token: write jobs: - daily_job: + test_multi_arch: runs-on: ubuntu-latest environment: name: plugin-development + strategy: + matrix: + platform: + - "linux/386" + - "linux/amd64" + - "linux/arm/v5" + - "linux/arm/v7" + - "linux/arm64/v8" + - "linux/ppc64le" + - "linux/riscv64" + - "linux/s390x" steps: @@ -30,13 +41,13 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - - name: Test multi-arch image + - name: Test multi-arch image - ${{ matrix.platform }} id: inspector uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch with: artifact_type: 'container' artifact_path: 'debian:trixie' - platform: "linux/amd64" + platform: ${{ matrix.platform }} display_vulnerability_findings: "enabled" sbomgen_version: "latest" From 0f8fa6824b9c008bfd4a0d7077580603e98b56d6 Mon Sep 17 00:00:00 2001 
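Review bot: The new `strategy.matrix` lists eight platforms but sets no `fail-fast`, so the default `fail-fast: true` cancels the remaining legs as soon as one platform fails and the run reports a single failure rather than which architectures regressed. Adding `fail-fast: false` under `strategy:` lets every platform finish so the result is visible per architecture. The second hunk, which templates `platform: ${{ matrix.platform }}` into the scan step, looks fine as written.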
From: bluesentinelsec Date: Mon, 22 Sep 2025 14:16:57 -0400 Subject: [PATCH 08/15] verify workaround --- .github/workflows/test_tarball_workaround.yml | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 .github/workflows/test_tarball_workaround.yml diff --git a/.github/workflows/test_tarball_workaround.yml b/.github/workflows/test_tarball_workaround.yml new file mode 100644 index 0000000..4d0cee2 --- /dev/null +++ b/.github/workflows/test_tarball_workaround.yml 
@@ -0,0 +1,60 @@ +name: Test Tarball Workaround for Multi-arch + +on: + schedule: + - cron: '0 */6 * * *' # runs every 6 hours + push: + branches: # + - '*' + +permissions: + contents: read + id-token: write + +jobs: + test_tarball_workaround: + runs-on: ubuntu-latest + environment: + name: plugin-development + + steps: + + - name: Checkout this repository + uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + + - name: Pull specific architecture image + run: docker pull --platform linux/arm64 debian:trixie + + - name: Save image as tarball + run: docker save debian:trixie > debian-arm64.tar + + - name: Verify tarball created + run: ls -lh debian-arm64.tar + + - name: Test tarball scan + id: inspector + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + with: + artifact_type: 'container' + artifact_path: './debian-arm64.tar' + display_vulnerability_findings: "enabled" + sbomgen_version: "latest" + + - name: Demonstrate SBOM Output (JSON) + run: cat ${{ steps.inspector.outputs.artifact_sbom }} + + - name: Display scan results + run: cat ${{ steps.inspector.outputs.inspector_scan_results }} + + # only run if the previous step failed + - name: Notify maintainers of validation failure + if: ${{ failure() }} + run: echo "this feature is not implemented" From afbd08d21f00a3153af99b008cba8950fd388e09 Mon Sep 17 00:00:00 2001 
From: bluesentinelsec Date: Mon, 22 Sep 2025 14:45:25 -0400 Subject: [PATCH 09/15] Add multi-platform validation to prevent regression of platform argument - Add validate_multi_platform_image_support.py script to validate SBOM architecture matches expected platform - Update test_multi_arch_images.yml workflow to validate platform argument is correctly passed through to inspector-sbomgen --- .github/workflows/test_multi_arch_images.yml | 3 + .../validate_multi_platform_image_support.py | 74 +++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 validator/validate_multi_platform_image_support.py diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml index 56be0b2..8f3807a 100644 --- a/.github/workflows/test_multi_arch_images.yml +++ b/.github/workflows/test_multi_arch_images.yml @@ -57,6 +57,9 @@ jobs: - name: Display scan results run: cat ${{ steps.inspector.outputs.inspector_scan_results }} + - name: Validate platform architecture - ${{ matrix.platform }} + run: python3 validator/validate_multi_platform_image_support.py --platform "${{ matrix.platform }}" --sbom "${{ steps.inspector.outputs.artifact_sbom }}" + #- name: Validate scan content # run: python3 validator/validate_inspector_scan.py --file ${{ steps.inspector.outputs.inspector_scan_results }} diff --git a/validator/validate_multi_platform_image_support.py b/validator/validate_multi_platform_image_support.py new file mode 100644 index 0000000..9c2b2e4 --- /dev/null +++ b/validator/validate_multi_platform_image_support.py 
@@ -0,0 +1,74 @@ +#!/usr/bin/env python3 + +import argparse +import json +import sys + + +def get_expected_arch(platform): + """Map platform string to expected architecture value in SBOM""" + platform_to_arch = { + "linux/386": "386", + "linux/amd64": "amd64", + "linux/arm/v5": "arm", + "linux/arm/v7": "arm", + "linux/arm64/v8": "arm64", + "linux/ppc64le": "ppc64le", + "linux/riscv64": "riscv64", + "linux/s390x": "s390x" + } + + if platform not in platform_to_arch: + raise ValueError(f"Unknown platform: {platform}") + + return platform_to_arch[platform] + + +def extract_arch_from_sbom(sbom_file): + """Extract architecture from SBOM metadata""" + try: + with open(sbom_file, 'r') as f: + sbom = json.load(f) + + properties = sbom.get('metadata', {}).get('component', {}).get('properties', []) + + for prop in properties: + if prop.get('name') == 'amazon:inspector:sbom_generator:image_arch': + return prop.get('value') + + raise ValueError("Architecture property not found in SBOM") + + except Exception as e: + raise ValueError(f"Failed to parse SBOM: {e}") + + +def main(): + parser = argparse.ArgumentParser(description='Validate SBOM architecture matches expected platform') + parser.add_argument('--platform', required=True, help='Expected platform (e.g., linux/amd64)') + parser.add_argument('--sbom', required=True, help='Path to SBOM file') + + args = parser.parse_args() + + try: + expected_arch = get_expected_arch(args.platform) + actual_arch = extract_arch_from_sbom(args.sbom) + + print(f"Platform: {args.platform}") + print(f"Expected arch: {expected_arch}") + print(f"Actual arch: {actual_arch}") + + if actual_arch != expected_arch: + print(f"❌ Architecture mismatch for platform {args.platform}") + print(f" Expected: {expected_arch}") + print(f" Found: {actual_arch}") + sys.exit(1) + + print(f"✅ Architecture validation passed: {actual_arch} matches expected {expected_arch}") + + except Exception as e: + print(f"❌ Validation failed: {e}") + sys.exit(1) + + +if __name__ 
== '__main__': + main() From bff0cb4e9d3c542bd4738c48594ffe1e33de5880 Mon Sep 17 00:00:00 2001 From: bluesentinelsec Date: Mon, 22 Sep 2025 14:47:31 -0400 Subject: [PATCH 10/15] re-enable inspector scan validation --- .github/workflows/test_multi_arch_images.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml index 8f3807a..eb33ae0 100644 --- a/.github/workflows/test_multi_arch_images.yml +++ b/.github/workflows/test_multi_arch_images.yml @@ -60,8 +60,8 @@ jobs: - name: Validate platform architecture - ${{ matrix.platform }} run: python3 validator/validate_multi_platform_image_support.py --platform "${{ matrix.platform }}" --sbom "${{ steps.inspector.outputs.artifact_sbom }}" - #- name: Validate scan content - # run: python3 validator/validate_inspector_scan.py --file ${{ steps.inspector.outputs.inspector_scan_results }} + - name: Validate scan content + run: python3 validator/validate_inspector_scan.py --file ${{ steps.inspector.outputs.inspector_scan_results }} # only run if the previous step failed - name: Notify maintainers of validation failure From 7c6cf78d7ff1226ff55901450f2b3f50d7a9cd40 Mon Sep 17 00:00:00 2001 From: bluesentinelsec Date: Mon, 22 Sep 2025 14:54:46 -0400 Subject: [PATCH 11/15] remove inspector-scan validator, not applicable --- .github/workflows/test_multi_arch_images.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml index eb33ae0..8b2f146 100644 --- a/.github/workflows/test_multi_arch_images.yml +++ b/.github/workflows/test_multi_arch_images.yml 
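Review bot: In `extract_arch_from_sbom` the `raise ValueError("Architecture property not found in SBOM")` sits inside the `try`, so the blanket `except Exception` re-wraps it and the user sees `Failed to parse SBOM: Architecture property not found in SBOM`, which misreports a missing property as a parse failure. Narrowing the handler to the errors it is meant to translate and moving the property lookup after the `with` block keeps the two failure modes distinct, and `raise ... from e` preserves the original traceback for the parse case. Separately, `platform_to_arch` deliberately collapses `linux/arm/v5` and `linux/arm/v7` to `arm`, so the ARM variant is never validated; a docstring line saying so would make that limitation explicit for the next maintainer.
```python
def extract_arch_from_sbom(sbom_file):
    """Extract architecture from SBOM metadata"""
    try:
        with open(sbom_file, 'r') as f:
            sbom = json.load(f)
    except (OSError, json.JSONDecodeError) as e:
        raise ValueError(f"Failed to parse SBOM: {e}") from e

    properties = sbom.get('metadata', {}).get('component', {}).get('properties', [])

    for prop in properties:
        if prop.get('name') == 'amazon:inspector:sbom_generator:image_arch':
            return prop.get('value')

    raise ValueError("Architecture property not found in SBOM")

# … unchanged: get_expected_arch, main, __main__ guard …
```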
@@ -57,11 +57,9 @@ jobs: - name: Display scan results run: cat ${{ steps.inspector.outputs.inspector_scan_results }} - - name: Validate platform architecture - ${{ matrix.platform }} + - name: Validate multi-arch - ${{ matrix.platform }} run: python3 validator/validate_multi_platform_image_support.py --platform "${{ matrix.platform }}" --sbom "${{ steps.inspector.outputs.artifact_sbom }}" - - name: Validate scan content - run: python3 validator/validate_inspector_scan.py --file ${{ steps.inspector.outputs.inspector_scan_results }} # only run if the previous step failed - name: Notify maintainers of validation failure From 915bac214d06430666f3b4e1fa949789b7b036f1 Mon Sep 17 00:00:00 2001 From: bluesentinelsec Date: Mon, 22 Sep 2025 15:08:56 -0400 Subject: [PATCH 12/15] remove boilerplate --- .github/workflows/test_multi_arch_images.yml | 5 -- .github/workflows/test_tarball_workaround.yml | 60 ------------------- 2 files changed, 65 deletions(-) delete mode 100644 .github/workflows/test_tarball_workaround.yml diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml index 8b2f146..888cbf4 100644 --- a/.github/workflows/test_multi_arch_images.yml +++ b/.github/workflows/test_multi_arch_images.yml @@ -61,8 +61,3 @@ jobs: run: python3 validator/validate_multi_platform_image_support.py --platform "${{ matrix.platform }}" --sbom "${{ steps.inspector.outputs.artifact_sbom }}" - # only run if the previous step failed - - name: Notify maintainers of validation failure - if: ${{ failure() }} - run: echo "this feature is not implemented" - diff --git a/.github/workflows/test_tarball_workaround.yml b/.github/workflows/test_tarball_workaround.yml deleted file mode 100644 index 4d0cee2..0000000 --- a/.github/workflows/test_tarball_workaround.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -name: Test Tarball Workaround for Multi-arch - -on: - schedule: - - cron: '0 */6 * * *' # runs every 6 hours - push: - branches: # - - '*' - -permissions: - contents: read - id-token: write - -jobs: - test_tarball_workaround: - runs-on: ubuntu-latest - environment: - name: plugin-development - - steps: - - - name: Checkout this repository - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - - - name: Pull specific architecture image - run: docker pull --platform linux/arm64 debian:trixie - - - name: Save image as tarball - run: docker save debian:trixie > debian-arm64.tar - - - name: Verify tarball created - run: ls -lh debian-arm64.tar - - - name: Test tarball scan - id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 - with: - artifact_type: 'container' - artifact_path: './debian-arm64.tar' - display_vulnerability_findings: "enabled" - sbomgen_version: "latest" - - - name: Demonstrate SBOM Output (JSON) - run: cat ${{ steps.inspector.outputs.artifact_sbom }} - - - name: Display scan results - run: cat ${{ steps.inspector.outputs.inspector_scan_results }} - - # only run if the previous step failed - - name: Notify maintainers of validation failure - if: ${{ failure() }} - run: echo "this feature is not implemented" From 0c2ec1ce53b14f1a1dc67a161e320fce2e1e1571 Mon Sep 17 00:00:00 2001 
From: bluesentinelsec Date: Mon, 22 Sep 2025 15:41:47 -0400 Subject: [PATCH 13/15] test action against multi-arch fix --- .github/workflows/build_scan_container.yml | 2 +- .github/workflows/example_display_findings.yml | 2 +- .github/workflows/example_vulnerability_threshold_exceeded.yml | 2 +- .github/workflows/test_archive.yml | 2 +- .github/workflows/test_binary.yml | 2 +- .github/workflows/test_containers.yml | 2 +- .github/workflows/test_dockerfile_vulns.yml | 2 +- .github/workflows/test_installation.yml | 2 +- .github/workflows/test_no_vulns.yml | 2 +- .github/workflows/test_reports_no_vulns.yml | 2 +- .github/workflows/test_repository.yml | 2 +- .github/workflows/test_vuln_thresholds.yml | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build_scan_container.yml b/.github/workflows/build_scan_container.yml index 6b5bf92..049cfa2 100644 --- a/.github/workflows/build_scan_container.yml +++ b/.github/workflows/build_scan_container.yml @@ -52,7 +52,7 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - name: Scan built image with Inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch id: inspector with: artifact_type: 'container' diff --git a/.github/workflows/example_display_findings.yml b/.github/workflows/example_display_findings.yml index 8ad4b4e..100e91a 100644 --- a/.github/workflows/example_display_findings.yml +++ b/.github/workflows/example_display_findings.yml @@ -33,7 +33,7 @@ jobs: # modify this block to scan your intended artifact - name: Inspector Scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch with: # change artifact_type to either 'repository', 'container', 'binary', or 'archive'. # this example scans a container image 
diff --git a/.github/workflows/example_vulnerability_threshold_exceeded.yml b/.github/workflows/example_vulnerability_threshold_exceeded.yml index 248ecca..41c5e66 100644 --- a/.github/workflows/example_vulnerability_threshold_exceeded.yml +++ b/.github/workflows/example_vulnerability_threshold_exceeded.yml @@ -48,7 +48,7 @@ jobs: # Inspector scan - name: Scan container with Inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch id: inspector with: artifact_type: 'container' # configure Inspector for scanning a container diff --git a/.github/workflows/test_archive.yml b/.github/workflows/test_archive.yml index c4afb81..2272cec 100644 --- a/.github/workflows/test_archive.yml +++ b/.github/workflows/test_archive.yml @@ -36,7 +36,7 @@ jobs: - name: Test archive scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch with: artifact_type: 'archive' artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip' diff --git a/.github/workflows/test_binary.yml b/.github/workflows/test_binary.yml index 3f86f61..57cebf5 100644 --- a/.github/workflows/test_binary.yml +++ b/.github/workflows/test_binary.yml @@ -36,7 +36,7 @@ jobs: - name: Test binary scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch with: artifact_type: 'binary' artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen' diff --git a/.github/workflows/test_containers.yml b/.github/workflows/test_containers.yml index d49bb1b..442b8fd 100644 --- a/.github/workflows/test_containers.yml +++ b/.github/workflows/test_containers.yml 
@@ -36,7 +36,7 @@ jobs: - name: Test container scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch with: artifact_type: 'container' artifact_path: 'ubuntu:14.04' diff --git a/.github/workflows/test_dockerfile_vulns.yml b/.github/workflows/test_dockerfile_vulns.yml index 4cd1c1c..f595efb 100644 --- a/.github/workflows/test_dockerfile_vulns.yml +++ b/.github/workflows/test_dockerfile_vulns.yml @@ -35,7 +35,7 @@ jobs: - name: Scan Dockerfiles id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch with: artifact_type: 'repository' artifact_path: './' diff --git a/.github/workflows/test_installation.yml b/.github/workflows/test_installation.yml index c4459c2..335a2bf 100644 --- a/.github/workflows/test_installation.yml +++ b/.github/workflows/test_installation.yml @@ -32,7 +32,7 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - name: Test Amazon Inspector GitHub Actions plugin - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch with: artifact_type: 'container' artifact_path: 'alpine:latest' diff --git a/.github/workflows/test_no_vulns.yml b/.github/workflows/test_no_vulns.yml index c5bbb79..a20db97 100644 --- a/.github/workflows/test_no_vulns.yml +++ b/.github/workflows/test_no_vulns.yml @@ -32,7 +32,7 @@ jobs: - name: Test binary scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch with: artifact_type: 'binary' artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary' 
diff --git a/.github/workflows/test_reports_no_vulns.yml b/.github/workflows/test_reports_no_vulns.yml index 68be31c..aa90a65 100644 --- a/.github/workflows/test_reports_no_vulns.yml +++ b/.github/workflows/test_reports_no_vulns.yml @@ -31,7 +31,7 @@ jobs: - name: Test container scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch with: artifact_type: 'container' artifact_path: 'alpine:latest' diff --git a/.github/workflows/test_repository.yml b/.github/workflows/test_repository.yml index 3091846..cbdb2c9 100644 --- a/.github/workflows/test_repository.yml +++ b/.github/workflows/test_repository.yml @@ -35,7 +35,7 @@ jobs: - name: Test repository scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch with: artifact_type: 'repository' artifact_path: './' diff --git a/.github/workflows/test_vuln_thresholds.yml b/.github/workflows/test_vuln_thresholds.yml index 31503cd..945f4e6 100644 --- a/.github/workflows/test_vuln_thresholds.yml +++ b/.github/workflows/test_vuln_thresholds.yml @@ -34,7 +34,7 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - name: Scan artifact with Inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch id: inspector with: artifact_type: 'archive' From 873ffaedb7a61b93743b432653258ac8b15e8d10 Mon Sep 17 00:00:00 2001 
From: bluesentinelsec Date: Tue, 23 Sep 2025 10:18:50 -0400 Subject: [PATCH 14/15] revert test workflows to v1.4.0 --- .github/workflows/build_scan_container.yml | 2 +- .github/workflows/example_display_findings.yml | 2 +- .github/workflows/example_vulnerability_threshold_exceeded.yml | 2 +- .github/workflows/test_archive.yml | 2 +- .github/workflows/test_binary.yml | 2 +- .github/workflows/test_containers.yml | 2 +- .github/workflows/test_dockerfile_vulns.yml | 2 +- .github/workflows/test_installation.yml | 2 +- .github/workflows/test_no_vulns.yml | 2 +- .github/workflows/test_reports_no_vulns.yml | 2 +- .github/workflows/test_repository.yml | 2 +- .github/workflows/test_vuln_thresholds.yml | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build_scan_container.yml b/.github/workflows/build_scan_container.yml index 049cfa2..6b5bf92 100644 --- a/.github/workflows/build_scan_container.yml +++ b/.github/workflows/build_scan_container.yml @@ -52,7 +52,7 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - name: Scan built image with Inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 id: inspector with: artifact_type: 'container' diff --git a/.github/workflows/example_display_findings.yml b/.github/workflows/example_display_findings.yml index 100e91a..8ad4b4e 100644 --- a/.github/workflows/example_display_findings.yml +++ b/.github/workflows/example_display_findings.yml @@ -33,7 +33,7 @@ jobs: # modify this block to scan your intended artifact - name: Inspector Scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 with: # change artifact_type to either 'repository', 'container', 'binary', or 'archive'. # this example scans a container image 
diff --git a/.github/workflows/example_vulnerability_threshold_exceeded.yml b/.github/workflows/example_vulnerability_threshold_exceeded.yml index 41c5e66..248ecca 100644 --- a/.github/workflows/example_vulnerability_threshold_exceeded.yml +++ b/.github/workflows/example_vulnerability_threshold_exceeded.yml @@ -48,7 +48,7 @@ jobs: # Inspector scan - name: Scan container with Inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 id: inspector with: artifact_type: 'container' # configure Inspector for scanning a container diff --git a/.github/workflows/test_archive.yml b/.github/workflows/test_archive.yml index 2272cec..c4afb81 100644 --- a/.github/workflows/test_archive.yml +++ b/.github/workflows/test_archive.yml @@ -36,7 +36,7 @@ jobs: - name: Test archive scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 with: artifact_type: 'archive' artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip' diff --git a/.github/workflows/test_binary.yml b/.github/workflows/test_binary.yml index 57cebf5..3f86f61 100644 --- a/.github/workflows/test_binary.yml +++ b/.github/workflows/test_binary.yml @@ -36,7 +36,7 @@ jobs: - name: Test binary scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 with: artifact_type: 'binary' artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen' diff --git a/.github/workflows/test_containers.yml b/.github/workflows/test_containers.yml index 442b8fd..d49bb1b 100644 --- a/.github/workflows/test_containers.yml +++ b/.github/workflows/test_containers.yml 
@@ -36,7 +36,7 @@ jobs: - name: Test container scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 with: artifact_type: 'container' artifact_path: 'ubuntu:14.04' diff --git a/.github/workflows/test_dockerfile_vulns.yml b/.github/workflows/test_dockerfile_vulns.yml index f595efb..4cd1c1c 100644 --- a/.github/workflows/test_dockerfile_vulns.yml +++ b/.github/workflows/test_dockerfile_vulns.yml @@ -35,7 +35,7 @@ jobs: - name: Scan Dockerfiles id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 with: artifact_type: 'repository' artifact_path: './' diff --git a/.github/workflows/test_installation.yml b/.github/workflows/test_installation.yml index 335a2bf..c4459c2 100644 --- a/.github/workflows/test_installation.yml +++ b/.github/workflows/test_installation.yml @@ -32,7 +32,7 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - name: Test Amazon Inspector GitHub Actions plugin - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 with: artifact_type: 'container' artifact_path: 'alpine:latest' diff --git a/.github/workflows/test_no_vulns.yml b/.github/workflows/test_no_vulns.yml index a20db97..c5bbb79 100644 --- a/.github/workflows/test_no_vulns.yml +++ b/.github/workflows/test_no_vulns.yml @@ -32,7 +32,7 @@ jobs: - name: Test binary scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 with: artifact_type: 'binary' artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary' 
diff --git a/.github/workflows/test_reports_no_vulns.yml b/.github/workflows/test_reports_no_vulns.yml index aa90a65..68be31c 100644 --- a/.github/workflows/test_reports_no_vulns.yml +++ b/.github/workflows/test_reports_no_vulns.yml @@ -31,7 +31,7 @@ jobs: - name: Test container scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 with: artifact_type: 'container' artifact_path: 'alpine:latest' diff --git a/.github/workflows/test_repository.yml b/.github/workflows/test_repository.yml index cbdb2c9..3091846 100644 --- a/.github/workflows/test_repository.yml +++ b/.github/workflows/test_repository.yml @@ -35,7 +35,7 @@ jobs: - name: Test repository scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 with: artifact_type: 'repository' artifact_path: './' diff --git a/.github/workflows/test_vuln_thresholds.yml b/.github/workflows/test_vuln_thresholds.yml index 945f4e6..31503cd 100644 --- a/.github/workflows/test_vuln_thresholds.yml +++ b/.github/workflows/test_vuln_thresholds.yml @@ -34,7 +34,7 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - name: Scan artifact with Inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 id: inspector with: artifact_type: 'archive' From 4ef16021e333917f37f4b60a3d4db01a072207fa Mon Sep 17 00:00:00 2001 From: bluesentinelsec Date: Tue, 23 Sep 2025 14:15:41 -0400 Subject: [PATCH 15/15] remove emoji characters from console logs --- validator/validate_multi_platform_image_support.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/validator/validate_multi_platform_image_support.py b/validator/validate_multi_platform_image_support.py index 9c2b2e4..0b933bb 100644 --- a/validator/validate_multi_platform_image_support.py +++ b/validator/validate_multi_platform_image_support.py @@ -58,15 +58,15 @@ def main(): print(f"Actual arch: {actual_arch}") if actual_arch != expected_arch: - print(f"❌ Architecture mismatch for platform {args.platform}") + print(f" Architecture mismatch for platform {args.platform}") print(f" Expected: {expected_arch}") print(f" Found: {actual_arch}") sys.exit(1) - print(f"✅ Architecture validation passed: {actual_arch} matches expected {expected_arch}") + print(f"Architecture validation passed: {actual_arch} matches expected {expected_arch}") except Exception as e: - print(f"❌ Validation failed: {e}") + print(f"Validation failed: {e}") sys.exit(1)
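Review bot: The replacement line `print(f" Architecture mismatch for platform {args.platform}")` keeps the space that separated the emoji from the text, so this message is indented one column unlike the other two replaced lines; `print(f"Architecture mismatch for platform {args.platform}")` matches them. The following `Expected:`/`Found:` lines are indented on purpose as sub-items, so only the first line needs the change. `main()` continues outside the hunk.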