|
1 |
| -name: Sysdig Scan (Official Action) |
| 1 | +name: Sysdig Secure Scanning |
2 | 2 |
|
3 | 3 | on:
|
4 | 4 | push:
|
5 |
| - branches: |
6 |
| - - main |
7 |
| - - ci/sysdig-integration |
| 5 | + branches: [main, ci/sysdig-integration] |
8 | 6 | pull_request:
|
9 |
| - branches: |
10 |
| - - main |
11 |
| - - ci/sysdig-integration |
| 7 | + branches: [main, ci/sysdig-integration] |
12 | 8 |
|
13 | 9 | jobs:
|
14 | 10 | scan:
|
15 |
| - name: Docker + IaC Scan via Sysdig Action |
16 | 11 | runs-on: ubuntu-latest
|
| 12 | + name: Scan vote / worker / result + IaC |
17 | 13 |
|
18 | 14 | steps:
|
19 | 15 | - name: Checkout source
|
20 | 16 | uses: actions/checkout@v3
|
21 | 17 |
|
22 |
| - - name: Build vote Docker image |
23 |
| - run: | |
24 |
| - docker build ./vote -t vote-app:${{ github.sha }} |
| 18 | + # Build Docker images |
| 19 | + - name: Build vote image |
| 20 | + run: docker build ./vote -t vote-app:${{ github.sha }} |
25 | 21 |
|
| 22 | + - name: Build worker image |
| 23 | + run: docker build ./worker -t worker-app:${{ github.sha }} |
| 24 | + |
| 25 | + - name: Build result image |
| 26 | + run: docker build ./result -t result-app:${{ github.sha }} |
| 27 | + |
| 28 | + # Scan vote |
26 | 29 | - name: Scan vote image with Sysdig
|
27 | 30 | uses: sysdiglabs/scan-action@v6
|
28 | 31 | with:
|
29 | 32 | image-tag: vote-app:${{ github.sha }}
|
30 | 33 | sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
|
31 | 34 | sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }}
|
32 | 35 | stop-on-processing-error: true
|
| 36 | + cli-scanner-version: 1.22.3 |
| 37 | + |
| 38 | + # Scan worker |
| 39 | + - name: Scan worker image with Sysdig |
| 40 | + uses: sysdiglabs/scan-action@v6 |
| 41 | + with: |
| 42 | + image-tag: worker-app:${{ github.sha }} |
| 43 | + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} |
| 44 | + sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }} |
| 45 | + stop-on-processing-error: true |
| 46 | + cli-scanner-version: 1.22.3 |
33 | 47 |
|
| 48 | + # Scan result |
| 49 | + - name: Scan result image with Sysdig |
| 50 | + uses: sysdiglabs/scan-action@v6 |
| 51 | + with: |
| 52 | + image-tag: result-app:${{ github.sha }} |
| 53 | + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} |
| 54 | + sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }} |
| 55 | + stop-on-processing-error: true |
| 56 | + cli-scanner-version: 1.22.3 |
| 57 | + |
| 58 | + # Scan IaC |
34 | 59 | - name: Scan Kubernetes IaC manifests
|
35 | 60 | uses: sysdiglabs/scan-action@v6
|
| 61 | + continue-on-error: true # IaC scan failure should not block main scan |
36 | 62 | with:
|
37 | 63 | mode: iac
|
38 |
| - cli-scanner-version: 1.24.2 |
39 | 64 | iac-scan-path: k8s-specifications
|
40 | 65 | sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
|
41 | 66 | sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }}
|
42 | 67 | stop-on-processing-error: true
|
| 68 | + cli-scanner-version: 1.23.3 |
| 69 | + |
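Review bot: `continue-on-error: true` on the IaC scan step (new line 61) makes the job pass even when the Kubernetes manifests fail Sysdig policy, and since that step is the last one in the job the inline rationale "should not block main scan" does not hold — nothing runs after it, so the only effect is that IaC findings stop gating the branch. Either drop the line so the step fails like the three image scans, or, if the IaC policy is intentionally advisory, state that in the comment: `continue-on-error: true  # advisory only: IaC policy failures are reported but do not fail the job`. The three image scans pin `cli-scanner-version: 1.22.3` while the IaC scan pins `1.23.3` (replacing `1.24.2`); if the split is deliberate a comment should say why, otherwise a single version for all four steps avoids drift. The new `sysdiglabs/scan-action@v6` references on new lines 40 and 50 (like the existing ones) resolve a mutable tag; pinning to a full commit SHA with the tag in a trailing comment (`uses: sysdiglabs/scan-action@<commit-sha>  # v6`) keeps the scanner itself from changing underneath the job. The build-then-scan block is repeated verbatim for vote, worker and result, so a `strategy.matrix` over the three image names would keep the steps in lockstep.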