# Copyright (C) 2025 Trend Micro Inc. All rights reserved.
#
# Composite GitHub Action: installs (or restores from cache) the TMAS CLI,
# runs a scan against the requested artifact and posts the results back to
# GitHub through the `runs:` steps defined further down in this file.
name: tmas-scan
description: Scan an artifact for open source vulnerabilities, secrets, and malware using the TMAS (TrendAI Artifact Scanner) CLI.
branding:
  icon: 'package'
  color: 'red'
inputs:
  # --- installer controls -----------------------------------------------------
  version:
    description: Version of the TMAS CLI you would like to use (eg. 2.100.0, '2' for latest v2.x.x, or 'latest'). Specifying the 'latest' TMAS version might cause the action to fail if there is a new major TMAS version released with a breaking change.
    required: false
    default: latest
  path:
    # The default is the literal text "$GITHUB_WORKSPACE/.local/bin"; it is
    # expanded by the shell in the install steps, not by YAML.
    description: TMAS will be installed in the "<path>/tmas-bin" directory, and then added to $GITHUB_PATH.
    required: false
    default: '$GITHUB_WORKSPACE/.local/bin'
  cache:
    # Booleans are carried as the strings 'true' / 'false' and compared as
    # strings in the step conditions.
    description: Used to specify whether you would like to cache the TMAS CLI binary. Set to false, if you would like to disable caching.
    required: false
    default: 'true'
  # --- scanner selection (at least one must be enabled) ----------------------
  vulnerabilitiesScan:
    description: Enable scanning for open source vulnerabilities. At least one of the scanners must be enabled.
    required: false
    default: 'false'
  malwareScan:
    description: Enable scanning for malware. The supported artifact types are [registry docker docker-archive oci-archive oci-dir artifacts]. At least one of the scanners must be enabled.
    required: false
    default: 'false'
  secretsScan:
    description: Enable scanning for secrets. At least one of the scanners must be enabled.
    required: false
    default: 'false'
  # --- scan target and extra CLI arguments -----------------------------------
  artifact:
    description: Artifact to scan, refer to the list of [supported artifacts](https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-artifactscannerclire#GUID-09957805-70E7-401F-A691-F587FCE2CB8B-u88cv4__supportedArtifacts)
    required: true
  additionalArgs:
    description: Any additional arguments for the TMAS cli can be specified here (ie. --saveSBOM). Available optional scan arguments can be found [here](https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-artifactscannerclire#GUID-09957805-70E7-401F-A691-F587FCE2CB8B-u88cv4__scanCommandFlags).
    required: false
    default: ''
  # --- credentials ------------------------------------------------------------
  tmasApiKey:
    # Forwarded to the scan step only through the TMAS_API_KEY environment
    # variable, never on a command line; supply it from a repository secret.
    description: TrendAI Vision One API Key that is associated with your TrendAI Vision One account, it is recommended to use a github secret for this parameter. For steps on how to obtain a TrendAI Vision One API Key, checkout the [setup documentation](https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-artifactsannerapikey#GUID-09957805-70E7-401F-A691-F587FCE2CB8B-chuby2).
    required: true
  githubToken:
    # Used by the "Report results" step (actions/github-script); grant only the
    # permissions that step needs.
    description: GitHub token for authentication Github API. May use standard github actions token (secrets.GITHUB_TOKEN) or custom personal access token with repo scope.
    required: true
  skipInstall:
    description: 'Skip the download and installation of TMAS. This assumes that the `tmas` command is already installed and added to the `PATH`.'
    required: false
    default: 'false'
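runs:
  using: 'composite'
  steps:
    # Values that originate from the calling workflow (action inputs and the step
    # outputs derived from them) are handed to bash through `env:` and referenced
    # as quoted shell variables. Splicing them into the script text with `${{ }}`
    # makes the runner rewrite the command line before bash parses it, so an
    # input carrying shell metacharacters could change the command rather than
    # just its argument value.
    - name: Get TMAS version based on user input
      if: ${{ inputs.cache == 'true' && inputs.skipInstall == 'false' }}
      shell: bash
      id: get_tmas_version
      env:
        TMAS_VERSION: ${{ inputs.version }}
      run: |
        # The resolved version feeds the cache key of the next steps. setup_tmas.sh
        # lives outside this file, so its --metadata-lookup output contract is not
        # visible here. NOTE(review): any --debug text written to stdout would end
        # up inside tmasVersion — confirm the script keeps diagnostics on stderr.
        tmasVersion=$("${GITHUB_ACTION_PATH}/tmas-scripts/setup_tmas.sh" --metadata-lookup --version "$TMAS_VERSION" --debug)
        echo "tmasVersion=$tmasVersion" >> "$GITHUB_OUTPUT"
    - name: Path to TMAS CLI
      id: tmas-binary-dir
      if: ${{ inputs.skipInstall == 'false' }}
      shell: bash
      # inputs.path is intentionally spliced into the script here rather than
      # passed through env: its default is the literal text
      # "$GITHUB_WORKSPACE/.local/bin", which only resolves to a real directory
      # because bash expands it inside this echo. The value therefore has to be
      # treated as trusted configuration written by the workflow author.
      run: echo "tmasPath=${{ inputs.path }}/tmas-bin" >> "$GITHUB_OUTPUT"
    # A built-in post step will cache the tmas cli when there is a cache miss in
    # this step. `uses:` references a major tag; pinning to a full commit SHA (with
    # the tag kept in a comment) makes the dependency immutable — the same applies
    # to actions/github-script below.
    - name: Restore and/or Save TMAS CLI in the cache
      id: cache-tmas
      if: ${{ inputs.cache == 'true' && inputs.skipInstall == 'false' }}
      uses: actions/cache@v5
      with:
        path: ${{ steps.tmas-binary-dir.outputs.tmasPath }}
        key: tmas-cli-v${{ steps.get_tmas_version.outputs.tmasVersion }}-${{ runner.os }}-${{ runner.arch }}
    - name: Install TMAS on cache miss
      # When caching is disabled the cache step is skipped and cache-hit is empty,
      # so this branch still installs; skipInstall short-circuits both.
      if: ${{ steps.cache-tmas.outputs.cache-hit != 'true' && inputs.skipInstall == 'false' }}
      shell: bash
      env:
        TMAS_VERSION: ${{ inputs.version }}
        TMAS_INSTALL_DIR: ${{ steps.tmas-binary-dir.outputs.tmasPath }}
      run: |
        "${GITHUB_ACTION_PATH}/tmas-scripts/setup_tmas.sh" --install --install-dir "$TMAS_INSTALL_DIR" --version "$TMAS_VERSION" --debug
    # Add the TMAS CLI, retrieved from cache or installed by a script, to $GITHUB_PATH
    - name: Add TMAS CLI to $GITHUB_PATH
      if: ${{ inputs.skipInstall == 'false' }}
      shell: bash
      env:
        TMAS_INSTALL_DIR: ${{ steps.tmas-binary-dir.outputs.tmasPath }}
      run: echo "$TMAS_INSTALL_DIR" >> "$GITHUB_PATH"
    - name: Test TMAS Installation
      if: ${{ inputs.skipInstall == 'false' }}
      shell: bash
      run: tmas version
    - name: Run TMAS
      shell: bash
      id: tmas_scan
      # All scan parameters, including the API key, reach the wrapper script only
      # as environment variables; nothing caller-controlled is part of the script
      # text below.
      env:
        TMAS_VULNERABILITY_SCAN: ${{ inputs.vulnerabilitiesScan }}
        TMAS_MALWARE_SCAN: ${{ inputs.malwareScan }}
        TMAS_SECRETS_SCAN: ${{ inputs.secretsScan }}
        TMAS_ARTIFACT: ${{ inputs.artifact }}
        TMAS_ADDITIONAL_ARGS: ${{ inputs.additionalArgs }}
        TMAS_API_KEY: ${{ inputs.tmasApiKey }}
        TMAS_DEFAULT_ARGS: '--redacted --output=markdown=scan-report.md'
      run: |
        # Run TMAS Scan
        # `shell: bash` runs with -e; switch it off around the scan so the exit
        # code can be captured, the logs printed, and the status re-raised at the end.
        set +e
        echo "::group::Running TMAS Scan"
        # Create a temporary file to capture stderr
        stderr_file=$(mktemp)
        "${GITHUB_ACTION_PATH}/tmas-scripts/run_tmas_scan_cli.sh" 2> "$stderr_file"
        tmas_exit_code=$?
        # Print warnings from the temp file, one workflow warning per stderr line
        while IFS= read -r line; do
          echo "::warning title=TMAS Scan Warning::${line}"
        done < "$stderr_file"
        # Clean up the temporary file
        rm "$stderr_file"
        echo "::endgroup::"
        set -e
        # display the TMAS scan report as a collapsible log
        # NOTE(review): tmas_scan_report.json is expected to be written by
        # run_tmas_scan_cli.sh (outside this file); the markdown file named in
        # TMAS_DEFAULT_ARGS is what the report step below consumes.
        echo "::group::TMAS Scan Report"
        cat tmas_scan_report.json 2>/dev/null || echo "Report file tmas_scan_report.json not found."
        echo "::endgroup::"
        exit $tmas_exit_code
    - name: Report results
      # Runs even when the scan step failed (but not when the job was cancelled);
      # a failure here must not mask the scan result, hence continue-on-error.
      if: '!cancelled()'
      continue-on-error: true
      id: report_results
      uses: actions/github-script@v8
      with:
        # notify_github.js (outside this file) decides what this token is used for;
        # prefer the workflow's GITHUB_TOKEN with minimal permissions over a PAT.
        github-token: ${{ inputs.githubToken }}
        script: |
          const GITHUB_ACTION_PATH = process.env.GITHUB_ACTION_PATH
          const script = require(`${GITHUB_ACTION_PATH}/tmas-scripts/notify_github.js`)
          const fs = require('fs');
          const inputs = {
            artifact: process.env.TMAS_ARTIFACT,
            markdownFile: process.env.TMAS_MARKDOWN_FILE,
            vulnerabilitiesScan: process.env.TMAS_VULNERABILITY_SCAN,
            malwareScan: process.env.TMAS_MALWARE_SCAN,
            secretsScan: process.env.TMAS_SECRETS_SCAN
          };
          await script({github, context, core, fs, inputs})
      env:
        TMAS_VULNERABILITY_SCAN: ${{ inputs.vulnerabilitiesScan }}
        TMAS_MALWARE_SCAN: ${{ inputs.malwareScan }}
        TMAS_SECRETS_SCAN: ${{ inputs.secretsScan }}
        TMAS_ARTIFACT: ${{ inputs.artifact }}
        TMAS_MARKDOWN_FILE: 'scan-report.md'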