Merge pull request #8 from aws/add_inspector_scan_workflow #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scan repo with Inspector | |
| on: [push] | |
| jobs: | |
| daily_job: | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: InspectorScanSbom | |
| steps: | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| role-to-assume: ${{ secrets.AWS_IAM_ROLE }} | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Scan project with Inspector | |
| id: inspector | |
| uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.0.0 | |
| with: | |
| artifact_type: 'repository' | |
| artifact_path: './' | |
| display_vulnerability_findings: "enabled" | |
| critical_threshold: 1 | |
| high_threshold: 1 | |
| medium_threshold: 1 | |
| low_threshold: 1 | |
| other_threshold: 1 | |
| - name: Display SBOM | |
| run: cat ${{ steps.inspector.outputs.artifact_sbom }} | |
| - name: Display vulnerability scan | |
| run: cat ${{ steps.inspector.outputs.inspector_scan_results }} | |
| - name: Upload scan results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: Inspector Vulnerability Scan Artifacts | |
| path: | | |
| ${{ steps.inspector.outputs.inspector_scan_results }} | |
| ${{ steps.inspector.outputs.artifact_sbom }} | |
| - name: Fail if vulns detected | |
| run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }} | |