Integrate with Github Action

You can integrate the Sysdig CLI Scanner to your Github Action pipeline to scan a specific container image and post the scanning result to Sysdig Secure for further analysis.

Prerequisites

Use the SECURE_SECURE_TOKEN environment variable to define the secret containing the API Token and make it available in the pipeline. This is not applicable to the standalone mode.
Use the SYSDIG_SECURE_URL environment variable to define the Sysdig Secure endpoint and make it available in the pipeline. This is not applicable to the standalone mode.
The container image to be scanned

Configuration Parameters

Parameters	Description
`cli-scanner-url`	The URL to the `sysdig-cli-scanner` binary download. The action will detect the operating system and architecture. The version of the CLI Scanner is set to `1.8.1` by default. Use `cli-scanner-version` to set a different version.
`mode`	The mode in which the scan should run. Supported options are `vm` and `iac`. The default is `vm`.
`cli-scanner-version`	The custom `sysdig-cli-scanner` version to download. It is set to `1.8.1` by default. You can specify a different version. Note: If you are using `iac` mode, minimum required version is 1.9.0. For VM mode, the Action has only been tested with `1.8.x` versions and it is not guaranteed that it will work as expected with other versions.
`registry-user`	The registry username that is required for authentication when pulling the image to scan.
`registry-password`	The password associated with yout `registry-user`. This is the password required for authentication when pulling the image to scan.
`stop-on-failed-policy-eval`	Terminate the scanning operation if the policy evaluation is failed.
`stop-on-processing-error`	Terminate the scanning operation if the `sysdig-cli-scanner` terminates the execution with errors.
`severity-at-least`	Filtering option to only report vulnerabilities with at least the specified severity. Supported options are `critical`, `high`, `medium`, `low`, `negligible`, and `any`. The default value `any` performs no filtering. For example, if `severity-at-least` is set to `medium`, only Medium, High or Critical vulnerabilities will be reported.
`group-by-package`	Enable grouping the vulnerabilities by package in the SARIF report. This option helps manage security on a per-package basis and allows for consolidating the number of findings.
`standalone`	Specify the directory for the vulnerabilities database to use while scanning. Useful when running in standalone mode.
`skip-upload`	Skips uploading scanning results to Sysdig Secure.
`skip-summary`	Skips generating scanning summary.
`use-policies`	Specify the Sysdig Secure VM Policies to evaluate the image.
`override-pullstring`	Custom PullString to give the image when scanning and uploading. Useful when building images in a pipeline with temporary names. The custom PullString will be used to identify the scanned image in Sysdig Secure.
`image-tag`	The tag of the image to analyse in the scanning operation.
`sysdig-secure-token`	The API token for Sysdig scanning authentication. Required if not in standalone mode.
`sysdig-secure-url`	The Sysdig Secure endpoint URL. Defaults to `https://secure.sysdig.com`. See SaaS Regions and IP Ranges for more details on endpoints and regions.
`sysdig-skip-tls`	Skip TLS verification when calling Sysdig Secure endpoints.
`recursive`	Recursively scan all folders within the folder specified in the `iacScanPath`.
`minimum-severity`	The minimum severity to fail when scanning in IaC mode
`iac-scan-path`	The path to the IaC files to scan.

Use Cases

Generate SARIF Report

To generate a SARIF report that you can later use to upload by using the codeql-action/upload-sarif action:

Assign an ID to the Sysdig scan Action operation, as follows:

...

    - name: Scan image
      id: scan
      uses: sysdiglabs/scan-action@v5
      with:
        ...

Add an option to upload the SARIF report by providing the path in the sarif_file parameter:

...
      - name: Upload SARIF file
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ github.workspace }}/sarif.json

The if: success() || failure() option makes sure that the SARIF report is uploaded even if the scan fails and interrupts the workflow.

Build and Scan an Image Locally and Upload the SARIF Report

    ...

    - name: Build the Docker image
      run: docker build . --file Dockerfile --tag sysdiglabs/dummy-vuln-app:latest

    - name: Scan image
      id: scan
      uses: sysdiglabs/scan-action@v5
      with:
          image-tag: sysdiglabs/dummy-vuln-app:latest
          sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}

      - name: Upload SARIF file
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ github.workspace }}/sarif.json

Pull and Scan an Image from a Registry

    ...

    - name: Scan image
      uses: sysdiglabs/scan-action@v5
      with:
        image-tag: "sysdiglabs/dummy-vuln-app:latest"
        sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}

Run an IaC Scanning Operation

    ...

    - name: Scan infrastructure
      uses: sysdiglabs/scan-action@v5
      with:
        sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
        cli-scanner-version: 1.9.0
        mode: iac
        iac-scan-path: ./terraform

Terminate a Scanning Operation

To terminate a scanning operation when policy evaluation fails or the scanner fails to run:

    ...

    - name: Scan image
      uses: sysdiglabs/scan-action@v3
      with:
        image-tag: "sysdiglabs/dummy-vuln-app:latest"
        sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
        stop-on-failed-policy-eval: true
        stop-on-processing-error: true

Example Workflow

name: Scan Image

on:
  workflow_dispatch:

jobs:
  remote-scan-from-registry:
    runs-on: ubuntu-latest

    steps:
      # This step checks out a copy of your repository.
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Scan dummy-vuln-app from registry
        id: scan
        uses: sysdiglabs/scan-action@v4
        with:
          # Tag of the image to analyse
          image-tag: sysdiglabs/dummy-vuln-app:latest
          # API token for Sysdig Scanning auth
          sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }}
          stop-on-failed-policy-eval: true
          stop-on-processing-error: true

      - name: Upload SARIF file
        if: success() || failure() # Upload results regardless previous step fails
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ github.workspace }}/sarif.json


  scan-from-registry:
    runs-on: ubuntu-latest

    steps:
      # This step checks out a copy of your repository.
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Scan dummy-vuln-app from registry
        id: scan
        uses: ./
        with:
          # Tag of the image to analyse
          image-tag: sysdiglabs/dummy-vuln-app:latest
          # API token for Sysdig Scanning auth
          sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }}
          stop-on-failed-policy-eval: true
          stop-on-processing-error: true

      - name: Upload SARIF file
        if: success() || failure() # Upload results regardless previous step fails
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ github.workspace }}/sarif.json

  filtered-scan-from-registry:
    runs-on: ubuntu-latest

    steps:
      # This step checks out a copy of your repository.
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Scan dummy-vuln-app from registry
        id: scan
        uses: ./
        with:
          # Tag of the image to analyse
          image-tag: sysdiglabs/dummy-vuln-app:latest
          # API token for Sysdig Scanning auth
          sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }}
          stop-on-failed-policy-eval: true
          stop-on-processing-error: true
          severity-at-least: high
          group-by-package: true

      - name: Upload SARIF file
        if: success() || failure() # Upload results regardless previous step fails
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ github.workspace }}/sarif.json

  standalone-scan-from-registry:
    runs-on: ubuntu-latest

    steps:
      # This step checks out a copy of your repository.
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Donate MainDB from scan
        id: donnor-scan
        uses: ./
        with:
          # Tag of the image to analyse
          image-tag: sysdiglabs/dummy-vuln-app:latest
          # API token for Sysdig Scanning auth
          sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }}
          stop-on-failed-policy-eval: false
          stop-on-processing-error: true
          skip-summary: true

      - name: Scan dummy-vuln-app from registry
        id: scan
        uses: ./
        with:
          # Tag of the image to analyse
          image-tag: sysdiglabs/dummy-vuln-app:latest
          # API token for Sysdig Scanning auth
          #sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }}
          stop-on-failed-policy-eval: true
          stop-on-processing-error: true
          standalone: true

      - name: Upload SARIF file
        if: success() || failure() # Upload results regardless previous step fails
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ github.workspace }}/sarif.json

The All workflow section on the Actions tab shows the result of the scan job as follows:

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.