README.md (+20-1: 20 additions & 1 deletion)
@@ -1,4 +1,3 @@
1
-
2
1
# Sysdig Secure Inline Scan Action
3
2
4
3
> 🚧 **Warning**: To use the Legacy Scanning Engine Action, please use version v3.* and visit the [previous README](./README.v3.md).
@@ -17,6 +16,9 @@ This action performs analysis on a specific container image and posts the result
17
16
|`stop-on-failed-policy-eval`| Fail the job if the Policy Evaluation is Failed. ||
18
17
|`stop-on-processing-error`| Fail the job if the Scanner terminates execution with errors. ||
19
18
|`severity-at-least`| Filtering option to only report vulnerabilities with at least the specified severity. Can take `critical`, `high`, `medium`, `low`, `negligible` or `any`. Default value "any" for no filtering. For example, if `severity-at-least` is set to `medium`, only Medium, High or Critical vulnerabilities will be reported. |`any`|
19
+
|`package-types`| Comma-separated list of package types to include in the report (e.g. `java,javascript`). Only vulnerabilities found in these types of packages will be included. If empty, no inclusion filter is applied. ||
20
+
|`not-package-types`| Comma-separated list of package types to exclude from the report (e.g. `os`). Vulnerabilities found in these types of packages will be excluded. If empty, no exclusion filter is applied. ||
21
+
|`exclude-accepted`| Set to `true` to exclude vulnerabilities that have accepted risks (`acceptedRisks`). Useful to focus only on unresolved findings. |`false`|
20
22
|`group-by-package`| Enable grouping the vulnerabilities in the SARIF report by package. Useful if you want to manage security per package or condense the number of findings. ||
21
23
|`standalone`| Enable standalone mode. Do not depend on Sysdig backend for execution, avoiding the need of specifying 'sysdig-secure-token' and 'sysdig-secure-url'. Recommended when using runners with no access to the internet. May require to specify custom `cli-scanner-url` and `db-path`. ||
22
24
|`db-path`| Specify the directory for the vulnerabilities database to use while scanning. Useful when running in standalone mode. ||
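Review bot: the three new table rows (`package-types`, `not-package-types`, `exclude-accepted`) describe only what is dropped from "the report"; they should also state whether these filters change the outcome of the policy evaluation that `stop-on-failed-policy-eval` acts on, or only what lands in the SARIF/summary output, because a reader will otherwise assume that hiding a finding also stops it from failing the job. Two smaller gaps in the same rows: the accepted package-type values are never listed (the examples show `java`, `javascript` and `os` here and `os,alpine` in `action.yml`), and the precedence when both `package-types` and `not-package-types` name the same type is undefined. Suggest one sentence on the policy-evaluation question, for example `These filters only affect the generated report; the policy evaluation result is unchanged.` if that is the behaviour, plus a short list of valid types, and for `exclude-accepted` a reminder that hiding accepted risks removes them from the SARIF trail, so teams relying on the report for audit should keep the default `false`.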
@@ -33,6 +35,23 @@ This action performs analysis on a specific container image and posts the result
33
35
|`minimum-severity`| Minimum severity to fail when scanning in IaC mode. ||
34
36
|`iac-scan-path`| Path to the IaC files to scan. ||
35
37
38
+
### Filtering Examples
39
+
40
+
-**severity-at-least:**
41
+
`medium` → Only Medium, High, and Critical findings will be reported.
42
+
43
+
-**package-types:**
44
+
`java,javascript` → Only vulnerabilities in Java or JavaScript packages will be included.
45
+
46
+
-**not-package-types:**
47
+
`os` → Excludes vulnerabilities found in OS packages.
48
+
49
+
-**exclude-accepted:**
50
+
`true` → Vulnerabilities that are marked as "accepted" (i.e., with risk acceptances) are excluded from the report.
51
+
52
+
> ℹ️ You can combine these filters to focus the report on just what you care about!
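Review bot: the list markers in the new `### Filtering Examples` section have no space after the dash (`-**severity-at-least:**`, `-**package-types:**`, `-**not-package-types:**`, `-**exclude-accepted:**`), so Markdown will render them as ordinary paragraph text starting with a literal `-` rather than as bullets, and the value line that follows each one (`` `medium` → Only Medium, High, and Critical findings will be reported. ``) will be joined onto the same paragraph. Use the one-line form `- **severity-at-least:** \`medium\` → Only Medium, High, and Critical findings will be reported.` for each entry, or keep two lines with a space after the dash and an explicit line break. The section would also be more useful with a single workflow snippet showing the inputs under `with:` (`severity-at-least: medium`, `not-package-types: os`, `exclude-accepted: "true"`), since the examples give values but not where they are set; the closing note that filters can be combined would then be demonstrated rather than asserted.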
action.yml (+10: 10 additions & 0 deletions)
@@ -47,6 +47,16 @@ inputs:
47
47
description: Filtering option to only report vulnerabilities with at least the specified severity. Can take [critical|high|medium|low|negligible|any]. Default value "any" for no filtering.
48
48
default: any
49
49
required: false
50
+
package-types:
51
+
description: "Comma-separated list of package types to include in the SARIF/summary report. Example: \"java,javascript\""
52
+
required: false
53
+
not-package-types:
54
+
description: "Comma-separated list of package types to exclude from the SARIF/summary report. Example: \"os,alpine\""
55
+
required: false
56
+
exclude-accepted:
57
+
description: "Exclude vulnerabilities that have accepted risks from SARIF/summary report. true/false"
58
+
default: "false"
59
+
required: false
50
60
group-by-package:
51
61
description: Enable grouping the vulnerabilities in the SARIF report by package.
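Review bot: the `not-package-types` example here is `"os,alpine"` while the README row added in the same commit uses `os`; if `alpine` is a distinct package type the README should list it, and if it is not the example is misleading, so the two should be reconciled and both inputs should enumerate the accepted values and say what happens when a type appears in both `package-types` and `not-package-types`. For `exclude-accepted` the default is the string `"false"` and the description says `true/false` without stating the parsing rule; say whether only the literal `true` enables it or whether other truthy strings (`yes`, `1`) are accepted, because GitHub passes every input as a string. The code that consumes these three inputs is not part of this diff (only `action.yml` and `README.md` change), so that `"false"` default should be checked against a string comparison, not a boolean, in the implementing change.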