|
1 | | -name: Debricked scan |
| 1 | +name: Debricked SCA |
2 | 2 |
|
3 | 3 | on: [push] |
4 | 4 |
|
5 | 5 | jobs: |
6 | | - vulnerabilities-scan: |
| 6 | + debricked: |
7 | 7 | runs-on: ubuntu-latest |
| 8 | + |
8 | 9 | container: |
9 | 10 | image: debricked/cli:latest-resolution-debian |
| 11 | + # Choosing the right container image for your scan can be important. |
| 12 | + # All Debricked images are here: https://hub.docker.com/r/debricked/cli |
| 13 | + |
| 14 | + # Resolution images (contains "resolution" in tag) are bigger, but comes with a lot of pre-installed package managers: |
| 15 | + # Here are the dockerfiles: https://github.com/debricked/cli/tree/main/build/docker |
| 16 | + # This is the easiest way to integrate, but it may be better |
| 17 | + # to run debricked scans in you build images. |
| 18 | + |
| 19 | + # You can choose between debian and alpine images, where we do alpine by default. |
| 20 | + # We recommend to use debian images for scanning Python projects, as the scanner will not |
| 21 | + # need to compile some common c-based dependencies like pandas. |
10 | 22 |
|
11 | 23 | steps: |
12 | | - - name: Run Debricked Scan |
| 24 | + - name: Checkout repository |
| 25 | + uses: actions/checkout@v3 |
| 26 | + |
| 27 | + - name: Install Debricked CLI |
13 | 28 | run: | |
14 | | - debricked files find |
15 | | - debricked scan |
| 29 | + curl -L https://github.com/debricked/cli/releases/latest/download/cli_linux_x86_64.tar.gz | tar -xz debricked |
| 30 | + ./debricked --version |
| 31 | + |
| 32 | + # Here we run the Debricked CLI, where you have multiple options to configure your scan. |
| 33 | + # The CLI repo can be found here: https://github.com/debricked/cli |
| 34 | + # Docs to CLI: https://portal.debricked.com/debricked-cli-63/debricked-cli-documentation-298 |
| 35 | + # I recommend you to download the CLI and explore the commands (./debricked -h) |
| 36 | + # You can for instanice configure the CLI to: |
| 37 | + # - Not resolve manifest-files |
| 38 | + # - Generate callgraphs |
| 39 | + # - Filter out different paths to be scanned or not scanned with glob patterns |
| 40 | + # - Run resolution, callgraph generation, etc, in separate steps in more complex builds. |
| 41 | + |
| 42 | + # The base "debricked scan" does all this with sane default values. |
| 43 | + - name: Run Scan |
| 44 | + run: | |
| 45 | + ./debricked scan |
16 | 46 | env: |
17 | 47 | DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }} |
18 | | - |
19 | | - |
20 | | - |
|