diff --git a/.github/workflows/build_scan_container.yml b/.github/workflows/build_scan_container.yml
index 6b5bf92..ebb539b 100644
--- a/.github/workflows/build_scan_container.yml
+++ b/.github/workflows/build_scan_container.yml
@@ -52,7 +52,7 @@ jobs:
 role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 - name: Scan built image with Inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
 id: inspector
 with:
 artifact_type: 'container'
diff --git a/.github/workflows/example_display_findings.yml b/.github/workflows/example_display_findings.yml
index 8ad4b4e..dbb800f 100644
--- a/.github/workflows/example_display_findings.yml
+++ b/.github/workflows/example_display_findings.yml
@@ -33,7 +33,7 @@ jobs:
 # modify this block to scan your intended artifact
 - name: Inspector Scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
 with:
 # change artifact_type to either 'repository', 'container', 'binary', or 'archive'.
 # this example scans a container image
diff --git a/.github/workflows/example_vulnerability_threshold_exceeded.yml b/.github/workflows/example_vulnerability_threshold_exceeded.yml
index 248ecca..f2e2a68 100644
--- a/.github/workflows/example_vulnerability_threshold_exceeded.yml
+++ b/.github/workflows/example_vulnerability_threshold_exceeded.yml
@@ -48,7 +48,7 @@ jobs:
 # Inspector scan
 - name: Scan container with Inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
 id: inspector
 with:
 artifact_type: 'container' # configure Inspector for scanning a container
diff --git a/.github/workflows/test_archive.yml b/.github/workflows/test_archive.yml
index c4afb81..296b6ea 100644
--- a/.github/workflows/test_archive.yml
+++ b/.github/workflows/test_archive.yml
@@ -36,7 +36,7 @@ jobs:
 - name: Test archive scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
 with:
 artifact_type: 'archive'
 artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip'
diff --git a/.github/workflows/test_binary.yml b/.github/workflows/test_binary.yml
index 3f86f61..399e94d 100644
--- a/.github/workflows/test_binary.yml
+++ b/.github/workflows/test_binary.yml
@@ -36,7 +36,7 @@ jobs:
 - name: Test binary scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
 with:
 artifact_type: 'binary'
 artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen'
diff --git a/.github/workflows/test_containers.yml b/.github/workflows/test_containers.yml
index d49bb1b..3d2e158 100644
--- a/.github/workflows/test_containers.yml
+++ b/.github/workflows/test_containers.yml
@@ -36,7 +36,7 @@ jobs:
 - name: Test container scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
 with:
 artifact_type: 'container'
 artifact_path: 'ubuntu:14.04'
diff --git a/.github/workflows/test_dockerfile_vulns.yml b/.github/workflows/test_dockerfile_vulns.yml
index 4cd1c1c..14e1233 100644
--- a/.github/workflows/test_dockerfile_vulns.yml
+++ b/.github/workflows/test_dockerfile_vulns.yml
@@ -35,7 +35,7 @@ jobs:
 - name: Scan Dockerfiles
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
 with:
 artifact_type: 'repository'
 artifact_path: './'
diff --git a/.github/workflows/test_installation.yml b/.github/workflows/test_installation.yml
index c4459c2..d5625aa 100644
--- a/.github/workflows/test_installation.yml
+++ b/.github/workflows/test_installation.yml
@@ -32,7 +32,7 @@ jobs:
 role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 - name: Test Amazon Inspector GitHub Actions plugin
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
 with:
 artifact_type: 'container'
 artifact_path: 'alpine:latest'
diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml
new file mode 100644
index 0000000..956c5a1
--- /dev/null
+++ b/.github/workflows/test_multi_arch_images.yml
@@ -0,0 +1,63 @@
+name: Test Multi-arch images
+
+on:
+ schedule:
+ - cron: '0 */6 * * *' # runs every 6 hours
+ push:
+ branches: #
+ - '*'
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ test_multi_arch:
+ runs-on: ubuntu-latest
+ environment:
+ name: plugin-development
+ strategy:
+ matrix:
+ platform:
+ - "linux/386"
+ - "linux/amd64"
+ - "linux/arm/v5"
+ - "linux/arm/v7"
+ - "linux/arm64/v8"
+ - "linux/ppc64le"
+ - "linux/riscv64"
+ - "linux/s390x"
+
+ steps:
+
+ - name: Checkout this repository
+ uses: actions/checkout@v4
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ${{ secrets.AWS_REGION }}
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+
+ - name: Test multi-arch image - ${{ matrix.platform }}
+ id: inspector
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
+ with:
+ artifact_type: 'container'
+ artifact_path: 'debian:trixie'
+ platform: ${{ matrix.platform }}
+ display_vulnerability_findings: "enabled"
+ sbomgen_version: "latest"
+
+ - name: Demonstrate SBOM Output (JSON)
+ run: cat ${{ steps.inspector.outputs.artifact_sbom }}
+
+ - name: Display scan results
+ run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
+
+ - name: Validate multi-arch - ${{ matrix.platform }}
+ run: python3 validator/validate_multi_platform_image_support.py --platform "${{ matrix.platform }}" --sbom "${{ steps.inspector.outputs.artifact_sbom }}"
+
+
diff --git a/.github/workflows/test_no_vulns.yml b/.github/workflows/test_no_vulns.yml
index c5bbb79..91600fc 100644
--- a/.github/workflows/test_no_vulns.yml
+++ b/.github/workflows/test_no_vulns.yml
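Review bot: The two display steps interpolate `${{ steps.inspector.outputs.artifact_sbom }}` and `${{ steps.inspector.outputs.inspector_scan_results }}` directly into `run:`, and the validator step does the same inside double quotes; expression expansion happens before the shell parses the line, so the quotes give no protection and a quote or metacharacter in the value would be executed. These outputs are paths produced by the action itself, so the exposure is low, but the safer shape is to route them through the environment, e.g. `env:` / `SBOM: ${{ steps.inspector.outputs.artifact_sbom }}` on the step and `run: cat "$SBOM"`. Separately, `sbomgen_version: "latest"` together with the mutable `@v4` / `@v1.4.1` tags makes a job that runs every six hours against `plugin-development` credentials non-reproducible; pinning at least the sbomgen version lets a red matrix entry be attributed to this change rather than to an upstream release. If the repository's other workflows also pass `aws-access-key-id` and `aws-secret-access-key` next to `role-to-assume`, note that configure-aws-credentials will, as far as I recall its precedence, use those static keys rather than the `id-token: write` OIDC grant to assume the role, so the long-lived secrets could likely be dropped here.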
@@ -32,7 +32,7 @@ jobs:
 - name: Test binary scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
 with:
 artifact_type: 'binary'
 artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary'
diff --git a/.github/workflows/test_reports_no_vulns.yml b/.github/workflows/test_reports_no_vulns.yml
index 68be31c..2712a3f 100644
--- a/.github/workflows/test_reports_no_vulns.yml
+++ b/.github/workflows/test_reports_no_vulns.yml
@@ -31,7 +31,7 @@ jobs:
 - name: Test container scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
 with:
 artifact_type: 'container'
 artifact_path: 'alpine:latest'
diff --git a/.github/workflows/test_repository.yml b/.github/workflows/test_repository.yml
index 3091846..6cafffb 100644
--- a/.github/workflows/test_repository.yml
+++ b/.github/workflows/test_repository.yml
@@ -35,7 +35,7 @@ jobs:
 - name: Test repository scan
 id: inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
 with:
 artifact_type: 'repository'
 artifact_path: './'
diff --git a/.github/workflows/test_vuln_thresholds.yml b/.github/workflows/test_vuln_thresholds.yml
index 31503cd..d3fa83e 100644
--- a/.github/workflows/test_vuln_thresholds.yml
+++ b/.github/workflows/test_vuln_thresholds.yml
@@ -34,7 +34,7 @@ jobs:
 role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 - name: Scan artifact with Inspector
- uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
 id: inspector
 with:
 artifact_type: 'archive'
diff --git a/action.yml b/action.yml
index cc9a20f..af79fd8 100644
--- a/action.yml
+++ b/action.yml
@@ -162,6 +162,7 @@ runs:
 - --thresholds
 - ${{ inputs.threshold_fixable_only == 'true' && '--threshold-fixable-only' || '--no-op' }}
 - ${{ inputs.show_only_fixable_vulns == 'true' && '--show-only-fixable-vulns'|| '--no-op' }}
+ - --platform=${{ inputs.platform || '' }}
 - --critical=${{ inputs.critical_threshold }}
 - --high=${{ inputs.high_threshold }}
 - --medium=${{ inputs.medium_threshold }}
diff --git a/validator/validate_multi_platform_image_support.py b/validator/validate_multi_platform_image_support.py
new file mode 100644
index 0000000..0b933bb
--- /dev/null
+++ b/validator/validate_multi_platform_image_support.py
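Review bot: `--platform=${{ inputs.platform || '' }}` is emitted unconditionally, so a caller that does not set the input still hands the entrypoint a literal `--platform=` with an empty value, whereas the two optional flags immediately above fall back to `'--no-op'` when unused; unless the entrypoint is known to treat an empty platform as "not specified", the consistent form is `- ${{ inputs.platform && format('--platform={0}', inputs.platform) || '--no-op' }}`. Since `inputs.platform` is a free-form, caller-controlled string that becomes an argv element, the entrypoint should also validate it against the expected `os/arch[/variant]` shape before passing it on to whatever pulls the image; that validation is not visible in this diff. The `args:` list this line belongs to starts before the hunk, and the declaration of the `platform` input is not shown here.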
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+
+import argparse
+import json
+import sys
+
+
+def get_expected_arch(platform):
+ """Map platform string to expected architecture value in SBOM"""
+ platform_to_arch = {
+ "linux/386": "386",
+ "linux/amd64": "amd64",
+ "linux/arm/v5": "arm",
+ "linux/arm/v7": "arm",
+ "linux/arm64/v8": "arm64",
+ "linux/ppc64le": "ppc64le",
+ "linux/riscv64": "riscv64",
+ "linux/s390x": "s390x"
+ }
+
+ if platform not in platform_to_arch:
+ raise ValueError(f"Unknown platform: {platform}")
+
+ return platform_to_arch[platform]
+
+
+def extract_arch_from_sbom(sbom_file):
+ """Extract architecture from SBOM metadata"""
+ try:
+ with open(sbom_file, 'r') as f:
+ sbom = json.load(f)
+
+ properties = sbom.get('metadata', {}).get('component', {}).get('properties', [])
+
+ for prop in properties:
+ if prop.get('name') == 'amazon:inspector:sbom_generator:image_arch':
+ return prop.get('value')
+
+ raise ValueError("Architecture property not found in SBOM")
+
+ except Exception as e:
+ raise ValueError(f"Failed to parse SBOM: {e}")
+
+
+def main():
+ parser = argparse.ArgumentParser(description='Validate SBOM architecture matches expected platform')
+ parser.add_argument('--platform', required=True, help='Expected platform (e.g., linux/amd64)')
+ parser.add_argument('--sbom', required=True, help='Path to SBOM file')
+
+ args = parser.parse_args()
+
+ try:
+ expected_arch = get_expected_arch(args.platform)
+ actual_arch = extract_arch_from_sbom(args.sbom)
+
+ print(f"Platform: {args.platform}")
+ print(f"Expected arch: {expected_arch}")
+ print(f"Actual arch: {actual_arch}")
+
+ if actual_arch != expected_arch:
+ print(f" Architecture mismatch for platform {args.platform}")
+ print(f" Expected: {expected_arch}")
+ print(f" Found: {actual_arch}")
+ sys.exit(1)
+
+ print(f"Architecture validation passed: {actual_arch} matches expected {expected_arch}")
+
+ except Exception as e:
+ print(f"Validation failed: {e}")
+ sys.exit(1)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/version.txt b/version.txt
index 3eefcb9..347f583 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-1.0.0
+1.4.1
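Review bot: The `platform_to_arch` map sends both `linux/arm/v5` and `linux/arm/v7` to the same `"arm"` value, so for those two matrix entries the validator cannot tell whether the scanner pulled the requested variant; a green run only proves that some 32-bit ARM image was scanned. If sbomgen records a variant property next to `amazon:inspector:sbom_generator:image_arch`, compare against it too; if it does not, a comment on the map such as `# arm v5/v7 both report "arm"; the variant is not validated` keeps a passing run from being read as variant coverage. In `extract_arch_from_sbom`, the bare `except Exception` re-wraps the function's own `ValueError("Architecture property not found in SBOM")` as `Failed to parse SBOM: …`, misreporting a well-formed SBOM as a parse failure; narrowing it to `except (OSError, json.JSONDecodeError) as e:` keeps the wrap for real I/O and JSON errors and lets the missing-property message surface as written. The mismatch and failure messages in `main` go to stdout via `print`; `print(..., file=sys.stderr)` keeps them out of any captured program output.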