This action performs analysis on locally built container image and posts the result to Sysdig Secure. For more information about Secure Inline Scan, see Sysdig Secure documentation.
Required The tag of the local image to scan. Example: "sysdiglabs/dummy-vuln-app:latest".
Required API token for Sysdig Scanning auth. Example: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx".
Directly specifying the API token in the action configuration is not recommended. A better approach is to store it in GitHub secrets, and reference ${{ secrets.MY_SECRET_NAME }} instead.
Sysdig Secure URL. Example: https://secure-sysdig.svc.cluster.local
If not specified, it will default to Sysdig Secure SaaS URL (https://secure.sysdig.com).
For SaaS, eee SaaS Regions and IP Ranges.
Skip TLS verification when calling secure endpoints.
Path to Dockerfile. Example: "./Dockerfile".
Don't fail the execution of this action even if the scan result is FAILED.
If specified, where should we scan the image from. Possible values:
- pull: Pull the image from the registry. Default if not specified.
- docker-daemon: Get the image from the Docker daemon. The Docker socket must be available at
/var/run/docker.sock - cri-o: Get the image from containers-storage (CRI-O and others). Images must be stored in
/var/lib/containers - docker-archive: Image is provided as a Docker .tar file (from Docker save). Specify the path to the tar file with
input-pathparameter. - oci-archive: Image is provided as a OCI image tar file. Specify the path to the tar file with
input-pathparameter. - oci-dir: Image is provided as a OCI image, untared. Specify the path to the directory file with
input-pathparameter.
Path to the tar file or OCI layout directory, or the Docker daemon when using input-type: docker-daemon, in case the docker.sock file is not in the default path /var/run/docker.sock.
Run the scan container with this username or UID. It might be required when scanning from docker-daemon or cri-o to provide a user with permissions on the socket or storage.
Additional parameters added to the secure-inline-scan container execution.
Additional parameters added to the docker command when executing the secure-inline-scan container execution.
The image quay.io/sysdig/secure-inline-scan:2, which points to the latest 2.x version of the Sysdig Secure inline scanner is used by default.
This parameter allows overriding the default image, to use a specific version or for air-gapped environments.
The action generates a SARIF report that can be uploaded using the codeql-action/upload-sarif action.
You need to assign an ID to the Sysdig Scan Action step, like:
...
- name: Scan image
id: scan
uses: sysdiglabs/scan-action@v3
with:
...and then add another step for uploading the SARIF report, providing the path in the sarifReport output:
...
- uses: github/codeql-action/upload-sarif@v1
with:
if: always()
sarif_file: ${{ steps.scan.outputs.sarifReport }}The if: always() option makes sure the SARIF report is uploaded even if the scan fails and interrupts the workflow.
...
- name: Build the Docker image
run: docker build . --file Dockerfile --tag sysdiglabs/dummy-vuln-app:latest
- name: Scan image
id: scan
uses: sysdiglabs/scan-action@v3
with:
image-tag: "sysdiglabs/dummy-vuln-app:latest"
sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
input-type: docker-daemon
run-as-user: root
- uses: github/codeql-action/upload-sarif@v1
if: always()
with:
sarif_file: ${{ steps.scan.outputs.sarifReport }}
...
- name: Scan image
uses: sysdiglabs/scan-action@v3
with:
image-tag: "sysdiglabs/dummy-vuln-app:latest"
sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} ...
- name: Scan image
uses: sysdiglabs/scan-action@v3
with:
image-tag: "sysdiglabs/dummy-vuln-app:latest"
sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
input-type: docker-archive
input-path: artifacts/my-image.tar
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent