Bonus

higakikeita · higakikeita · commit 29ff245f6ddc · 2025-07-21T06:29:03.000+09:00
diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml
@@ -1,4 +1,4 @@
-name: Sysdig Tech Assessment CI
+name: Sysdig Tech Assessment CI (CLI Scanner)
 
 on:
   push:
@@ -12,7 +12,7 @@ on:
 
 jobs:
   scan:
-    name: Build & Scan Docker Images + IaC
+    name: Scan vote/worker/result with CLI Scanner + IaC
     runs-on: ubuntu-latest
 
     steps:
@@ -22,24 +22,40 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
 
-      - name: Build Docker images
+      - name: Build and save Docker images
         run: |
           docker build -t vote-image ./vote
           docker build -t worker-image ./worker
           docker build -t result-image ./result
+          docker save vote-image -o vote-image.tar
+          docker save worker-image -o worker-image.tar
+          docker save result-image -o result-image.tar
 
-      - name: Scan vote image
+      - name: Download Sysdig CLI Scanner (latest Linux amd64)
         run: |
-          docker run --rm             quay.io/sysdig/secure-inline-scan:2             vote-image             --sysdig-token ${{ secrets.SYSDIG_SECURE_TOKEN }}             --sysdig-url ${{ secrets.SYSDIG_API_URL }}
+          curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
+          chmod +x sysdig-cli-scanner
 
-      - name: Scan worker image
+      - name: Scan vote image (.tar) with CLI Scanner
         run: |
-          docker run --rm             quay.io/sysdig/secure-inline-scan:2             worker-image             --sysdig-token ${{ secrets.SYSDIG_SECURE_TOKEN }}             --sysdig-url ${{ secrets.SYSDIG_API_URL }}
+          ./sysdig-cli-scanner             --standalone             --input-file vote-image.tar             vote-image:ci
+        env:
+          SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
 
-      - name: Scan result image
+      - name: Scan worker image (.tar) with CLI Scanner
         run: |
-          docker run --rm             quay.io/sysdig/secure-inline-scan:2             result-image             --sysdig-token ${{ secrets.SYSDIG_SECURE_TOKEN }}             --sysdig-url ${{ secrets.SYSDIG_API_URL }}
+          ./sysdig-cli-scanner             --standalone             --input-file worker-image.tar             worker-image:ci
+        env:
+          SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+
+      - name: Scan result image (.tar) with CLI Scanner
+        run: |
+          ./sysdig-cli-scanner             --standalone             --input-file result-image.tar             result-image:ci
+        env:
+          SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
 
       - name: Scan IaC (k8s-specifications)
         run: |
-          docker run --rm             -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }}             -v ${{ github.workspace }}:/iac             quay.io/sysdig/sysdig-cli-scanner:latest             --apiurl ${{ secrets.SYSDIG_API_URL }}             --iac scan /iac/k8s-specifications
+          ./sysdig-cli-scanner             --apiurl ${{ secrets.SYSDIG_API_URL }}             --iac scan ./k8s-specifications
+        env:
+          SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
