sysdiglabs
diff --git a/‎.envrc
Lines changed: 5 additions & 0 deletions b/‎.envrc
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/workflows/ci-scan.yaml
Lines changed: 155 additions & 0 deletions b/‎.github/workflows/ci-scan.yaml
Lines changed: 155 additions & 0 deletions
diff --git a/‎.github/workflows/scan.yaml
Lines changed: 1 addition & 27 deletions b/‎.github/workflows/scan.yaml
Lines changed: 1 addition & 27 deletions
@@ -0,0 +1,5 @@
+has nix && use flake
+dotenv_if_exists .env # You can create a .env file with your env vars for this project. You can also use .secrets if you are using act. See the line below.
+dotenv_if_exists .secrets # Used by [act](https://nektosact.com/) to load secrets into the pipelines
+
+export GITHUB_STEP_SUMMARY=/tmp/github_summary.html
@@ -0,0 +1,155 @@
+name: Scan Image on PR
+
+on:
+  pull_request:
+
+jobs:
+  scan-from-registry:
+    runs-on: ubuntu-latest
+
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Scan dummy-vuln-app from registry
+        id: scan
+        uses: ./
+        continue-on-error: true
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+          severity-at-least: medium
+
+      - name: Upload SARIF file
+        if: success() || failure() # Upload results regardless previous step fails
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ github.workspace }}/sarif.json
+
+      - name: Check that the scan has failed
+        run: |
+          if [ "${{ steps.scan.outcome }}" == "success" ]; then
+            echo "Scan succeeded but the step should fail."
+            exit 1
+          else
+            echo "Scan failed as expected."
+          fi
+
+  filtered-scan-from-registry:
+    runs-on: ubuntu-latest
+
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Scan dummy-vuln-app from registry
+        id: scan
+        uses: ./
+        continue-on-error: true
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+          severity-at-least: medium
+          group-by-package: true
+
+      - name: Upload SARIF file
+        if: success() || failure() # Upload results regardless previous step fails
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ github.workspace }}/sarif.json
+
+      - name: Check that the scan has failed
+        run: |
+          if [ "${{ steps.scan.outcome }}" == "success" ]; then
+            echo "Scan succeeded but the step should fail."
+            exit 1
+          else
+            echo "Scan failed as expected."
+          fi
+
+  scan-with-old-scanner-version:
+    runs-on: ubuntu-latest
+
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Scan dummy-vuln-app from registry
+        id: scan
+        uses: ./
+        continue-on-error: true
+        with:
+          # Old scanner version
+          cli-scanner-version: 1.8.1
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+          severity-at-least: medium
+
+      - name: Upload SARIF file
+        if: success() || failure() # Upload results regardless previous step fails
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ github.workspace }}/sarif.json
+
+      - name: Check that the scan has failed
+        run: |
+          if [ "${{ steps.scan.outcome }}" == "success" ]; then
+            echo "Scan succeeded but the step should fail."
+            exit 1
+          else
+            echo "Scan failed as expected."
+          fi
+
+  standalone-scan-from-registry:
+    runs-on: ubuntu-latest
+
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Donate MainDB from scan
+        id: donnor-scan
+        uses: ./
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: false
+          stop-on-processing-error: true
+          skip-summary: true
+
+      - name: Scan dummy-vuln-app from registry
+        id: scan
+        uses: ./
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          #sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+          standalone: true
+
+      - name: Upload SARIF file
+        if: success() || failure() # Upload results regardless previous step fails
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ github.workspace }}/sarif.json
+
@@ -57,32 +57,6 @@ jobs:
         with:
           sarif_file: ${{ github.workspace }}/sarif.json
 
-  macos-scan-from-registry:
-    runs-on: macos-latest
-
-    steps:
-      # This step checks out a copy of your repository.
-      - name: Check out repository
-        uses: actions/checkout@v4
-
-      - name: Scan dummy-vuln-app from registry
-        id: scan
-        uses: ./
-        with:
-          # Tag of the image to analyse
-          image-tag: sysdiglabs/dummy-vuln-app:latest
-          # API token for Sysdig Scanning auth
-          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
-          stop-on-failed-policy-eval: true
-          stop-on-processing-error: true
-
-      - name: Upload SARIF file
-        if: success() || failure() # Upload results regardless previous step fails
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: ${{ github.workspace }}/sarif.json
-
-
   standalone-scan-from-registry:
     runs-on: ubuntu-latest
 
@@ -119,4 +93,4 @@ jobs:
         if: success() || failure() # Upload results regardless previous step fails
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: ${{ github.workspace }}/sarif.json
+          sarif_file: ${{ github.workspace }}/sarif.json