Fix: use --standalone --input-file with CLI latest

higakikeita · higakikeita · commit 0f65abeb7275 · 2025-07-21T06:29:02.000+09:00
diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml
@@ -27,10 +27,15 @@ jobs:
           docker build -t vote-image ./vote
           docker save vote-image -o vote-image.tar
 
-      - name: Scan Docker image with Sysdig (latest + amd64)
+      - name: Download Sysdig CLI Scanner
         run: |
-          docker run --rm             --platform linux/amd64             -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }}             -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar             quay.io/sysdig/sysdig-cli-scanner:latest             --standalone             --input-file /tmp/vote-image.tar             vote-image:ci
+          curl -LO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/linux/sysdig-cli-scanner
+          chmod +x sysdig-cli-scanner
+
+      - name: Scan Docker image from archive with Sysdig (binary)
+        run: |
+          ./sysdig-cli-scanner             --standalone             --input-file vote-image.tar             vote-image:ci             --console-log             --detailed-policies-eval             --full-vulns-table             -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }}
 
       - name: Scan IaC (k8s-specifications)
         run: |
-          docker run --rm             --platform linux/amd64             -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }}             -v ${{ github.workspace }}:/iac             quay.io/sysdig/sysdig-cli-scanner:latest             --apiurl ${{ secrets.SYSDIG_API_URL }}             --iac scan /iac/k8s-specifications
+          ./sysdig-cli-scanner             --apiurl ${{ secrets.SYSDIG_API_URL }}             --iac scan ./k8s-specifications             -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }}
