sysdiglabs
diff --git a/‎README.md
Lines changed: 20 additions & 1 deletion b/‎README.md
Lines changed: 20 additions & 1 deletion
diff --git a/‎action.yml
Lines changed: 10 additions & 0 deletions b/‎action.yml
Lines changed: 10 additions & 0 deletions
diff --git a/‎index.ts
Lines changed: 23 additions & 22 deletions b/‎index.ts
Lines changed: 23 additions & 22 deletions
diff --git a/‎src/action.ts
Lines changed: 34 additions & 0 deletions b/‎src/action.ts
Lines changed: 34 additions & 0 deletions
diff --git a/‎src/report.ts
Lines changed: 39 additions & 2 deletions b/‎src/report.ts
Lines changed: 39 additions & 2 deletions
diff --git a/‎src/sarif.ts
Lines changed: 30 additions & 7 deletions b/‎src/sarif.ts
Lines changed: 30 additions & 7 deletions
diff --git a/‎src/scanner.ts
Lines changed: 0 additions & 17 deletions b/‎src/scanner.ts
Lines changed: 0 additions & 17 deletions
@@ -1,4 +1,3 @@
-
 # Sysdig Secure Inline Scan Action
 
 > 🚧 **Warning**: To use the Legacy Scanning Engine Action, please use version v3.* and visit the [previous README](./README.v3.md).
@@ -17,6 +16,9 @@ This action performs analysis on a specific container image and posts the result
 | `stop-on-failed-policy-eval` | Fail the job if the Policy Evaluation is Failed.                                                                                                                                                                                                                                                                         |                           |
 | `stop-on-processing-error`   | Fail the job if the Scanner terminates execution with errors.                                                                                                                                                                                                                                                            |                           |
 | `severity-at-least`          | Filtering option to only report vulnerabilities with at least the specified severity. Can take `critical`, `high`, `medium`, `low`, `negligible` or `any`. Default value "any" for no filtering. For example, if `severity-at-least` is set to `medium`, only Medium, High or Critical vulnerabilities will be reported. | `any`                     |
+| `package-types`              | Comma-separated list of package types to include in the report (e.g. `java,javascript`). Only vulnerabilities found in these types of packages will be included. If empty, no inclusion filter is applied.                                                                                                               |                           |
+| `not-package-types`          | Comma-separated list of package types to exclude from the report (e.g. `os`). Vulnerabilities found in these types of packages will be excluded. If empty, no exclusion filter is applied.                                                                                                                               |                           |
+| `exclude-accepted`           | Set to `true` to exclude vulnerabilities that have accepted risks (`acceptedRisks`). Useful to focus only on unresolved findings.                                                                                                                                                                                        |                           |
 | `group-by-package`           | Enable grouping the vulnerabilities in the SARIF report by package. Useful if you want to manage security per package or condense the number of findings.                                                                                                                                                                |                           |
 | `standalone`                 | Enable standalone mode. Do not depend on Sysdig backend for execution, avoiding the need of specifying 'sysdig-secure-token' and 'sysdig-secure-url'. Recommended when using runners with no access to the internet. May require to specify custom `cli-scanner-url` and `db-path`.                                      |                           |
 | `db-path`                    | Specify the directory for the vulnerabilities database to use while scanning. Useful when running in standalone mode.                                                                                                                                                                                                    |                           |
@@ -33,6 +35,23 @@ This action performs analysis on a specific container image and posts the result
 | `minimum-severity`           | Minimum severity to fail when scanning in IaC mode.                                                                                                                                                                                                                                                                      |                           |
 | `iac-scan-path`              | Path to the IaC files to scan.                                                                                                                                                                                                                                                                                           |                           |
 
+### Filtering Examples
+
+- **severity-at-least:**  
+  `medium` → Only Medium, High, and Critical findings will be reported.
+
+- **package-types:**  
+  `java,javascript` → Only vulnerabilities in Java or JavaScript packages will be included.
+
+- **not-package-types:**  
+  `os` → Excludes vulnerabilities found in OS packages.
+
+- **exclude-accepted:**  
+  `true` → Vulnerabilities that are marked as "accepted" (i.e., with risk acceptances) are excluded from the report.
+
+> ℹ️ You can combine these filters to focus the report on just what you care about!
+
+---
 
 ## SARIF Report
 
 
@@ -47,6 +47,16 @@ inputs:
     description: Filtering option to only report vulnerabilities with at least the specified severity. Can take [critical|high|medium|low|negligible|any]. Default value "any" for no filtering.
     default: any
     required: false
+  package-types:
+    description: Comma-separated list of package types to include in the SARIF/summary report. Example: "java,javascript"
+    required: false
+  not-package-types:
+    description: Comma-separated list of package types to exclude from the SARIF/summary report. Example: "os,alpine"
+    required: false
+  exclude-accepted:
+    description: Exclude vulnerabilities that have accepted risks from SARIF/summary report. true/false
+    default: "false"
+    required: false
   group-by-package:
     description: Enable grouping the vulnerabilities in the SARIF report by package.
     default: "false"
 
@@ -1,10 +1,15 @@
 import * as core from '@actions/core';
 import fs from 'fs';
 import { generateSARIFReport } from './src/sarif';
-import { cliScannerName, cliScannerResult, cliScannerURL, executeScan, numericPriorityForSeverity, pullScanner, ScanExecutionResult, ScanMode } from './src/scanner';
+import { cliScannerName, cliScannerResult, cliScannerURL, executeScan, pullScanner, ScanExecutionResult, ScanMode } from './src/scanner';
 import { ActionInputs, defaultSecureEndpoint } from './src/action';
 import { generateSummary } from './src/summary';
-import { Report } from './src/report';
+import { Report, FilterOptions, Severity } from './src/report';
+
+function parseCsvList(str?: string): string[] {
+  if (!str) return [];
+  return str.split(",").map(s => s.trim()).filter(s => !!s);
+}
 
 export class ExecutionError extends Error {
   constructor(stdout: string, stderr: string) {
@@ -34,7 +39,6 @@ export async function run() {
       retCode = scanResult.ReturnCode;
       if (retCode == 0 || retCode == 1) {
         // Transform Scan Results to other formats such as SARIF
-
         if (opts.mode == ScanMode.vm) {
           await processScanResult(scanResult, opts);
         }
@@ -57,22 +61,12 @@ export async function run() {
 
   } catch (error) {
     if (core.getInput('stop-on-processing-error') == 'true') {
-      core.setFailed("Unexpected error");
+      core.setFailed(`Unexpected error: ${error instanceof Error ? error.stack : String(error)}`);
     }
-    core.error(error as string);
+    core.error(`Unexpected error: ${error instanceof Error ? error.stack : String(error)}`);
   }
 }
 
-
-export function filterResult(report: Report, severity: string) {
-  let filter_num: number = numericPriorityForSeverity(severity) ?? 5;
-
-  report.result.packages.forEach(pkg => {
-    if (pkg.vulns) pkg.vulns = pkg.vulns.filter((vuln) => (numericPriorityForSeverity(vuln.severity.value) ?? 5) <= filter_num);
-  });
-  return report;
-}
-
 export async function processScanResult(result: ScanExecutionResult, opts: ActionInputs) {
   writeReport(result.Output);
 
@@ -85,23 +79,29 @@ export async function processScanResult(result: ScanExecutionResult, opts: Actio
   }
 
   if (report) {
-    if (opts.severityAtLeast) {
-      report = filterResult(report, opts.severityAtLeast);
-    }
 
-    generateSARIFReport(report, opts.groupByPackage);
+    // Prepara los filtros desde opts:
+    const filters: FilterOptions = {
+      minSeverity: (opts.severityAtLeast && opts.severityAtLeast.toLowerCase() !== "any")
+        ? opts.severityAtLeast.toLowerCase() as Severity
+        : undefined,
+      packageTypes: parseCsvList(opts.packageTypes),
+      notPackageTypes: parseCsvList(opts.notPackageTypes),
+      excludeAccepted: opts.excludeAccepted,
+    };
+
+    generateSARIFReport(report, opts.groupByPackage, filters);
 
     if (!opts.skipSummary) {
       core.info("Generating Summary...")
-
-      await generateSummary(opts, report);
-
+      await generateSummary(opts, report, filters);
     } else {
       core.info("Skipping Summary...")
     }
   }
 }
 
+
 export {
   cliScannerURL,
   defaultSecureEndpoint,
@@ -111,6 +111,7 @@ export {
   cliScannerResult,
 };
 
+
 if (require.main === module) {
   run();
 }
@@ -1,5 +1,6 @@
 import * as core from '@actions/core';
 import { cliScannerResult, cliScannerURL, ComposeFlags, ScanMode, scannerURLForVersion } from './scanner';
+import { Severity, SeverityNames } from './report';
 
 export const defaultSecureEndpoint = "https://secure.sysdig.com/"
 
@@ -21,6 +22,9 @@ interface ActionInputParameters {
   sysdigSecureURL: string;
   sysdigSkipTLS: boolean;
   severityAtLeast?: string;
+  packageTypes?: string;
+  notPackageTypes?: string;
+  excludeAccepted?: boolean;
   groupByPackage: boolean;
   extraParameters: string;
   mode: ScanMode;
@@ -71,6 +75,9 @@ export class ActionInputs {
       sysdigSecureURL: core.getInput('sysdig-secure-url') || defaultSecureEndpoint,
       sysdigSkipTLS: core.getInput('sysdig-skip-tls') == 'true',
       severityAtLeast: core.getInput('severity-at-least') || undefined,
+      packageTypes: core.getInput('package-types') || undefined,
+      notPackageTypes: core.getInput('not-package-types') || undefined,
+      excludeAccepted: core.getInput('exclude-accepted') === 'true',
       groupByPackage: core.getInput('group-by-package') == 'true',
       extraParameters: core.getInput('extra-parameters'),
       mode: ScanMode.fromString(core.getInput('mode')) || ScanMode.vm,
@@ -120,6 +127,16 @@ export class ActionInputs {
     return this.params.severityAtLeast
   }
 
+  get packageTypes() {
+    return this.params.packageTypes;
+  }
+  get notPackageTypes() {
+    return this.params.notPackageTypes;
+  }
+  get excludeAccepted() {
+    return this.params.excludeAccepted;
+  }
+
   get imageTag() {
     return this.params.imageTag
   }
@@ -143,6 +160,11 @@ export class ActionInputs {
       core.setFailed("iac-scan-path can't be empty, please specify the path you want to scan your manifest resources.");
       throw new Error("iac-scan-path can't be empty, please specify the path you want to scan your manifest resources.");
     }
+
+    if (params.severityAtLeast && params.severityAtLeast != "any" && !SeverityNames.includes(params.severityAtLeast.toLowerCase() as Severity)) {
+      core.setFailed(`Invalid severity-at-least value "${params.severityAtLeast}". Allowed values: any, critical, high, medium, low, negligible.`);
+      throw new Error(`Invalid severity-at-least value "${params.severityAtLeast}". Allowed values: any, critical, high, medium, low, negligible.`);
+    }
   }
 
   // FIXME(fede) this also modifies the opts.cliScannerURL, which is something we don't want
@@ -251,6 +273,18 @@ export class ActionInputs {
       core.info(`Severity level: ${this.params.severityAtLeast}`);
     }
 
+    if (this.params.packageTypes) {
+      core.info(`Package types included: ${this.params.packageTypes}`);
+    }
+
+    if (this.params.notPackageTypes) {
+      core.info(`Package types excluded: ${this.params.notPackageTypes}`);
+    }
+
+    if (this.params.excludeAccepted !== undefined) {
+      core.info(`Exclude vulnerabilities with accepted risks: ${this.params.excludeAccepted}`);
+    }
+
     core.info('Analyzing image: ' + this.params.imageTag);
 
     if (this.params.overridePullString) {
 
@@ -70,7 +70,7 @@ export interface Package {
 
 export interface Vuln {
   name: string
-  severity: Severity
+  severity: SarifSeverity
   cvssScore: CvssScore
   disclosureDate: string
   solutionDate?: string
@@ -81,11 +81,22 @@ export interface Vuln {
   acceptedRisks?: AcceptedRisk[]
 }
 
-export interface Severity {
+export interface FilterOptions {
+  minSeverity?: Severity;
+  packageTypes?: string[];
+  notPackageTypes?: string[];
+  excludeAccepted?: boolean;
+}
+
+
+export interface SarifSeverity {
   value: string
   sourceName: string
 }
 
+export const SeverityNames = ["critical", "high", "medium", "low", "negligible"] as const;
+export type Severity = typeof SeverityNames[number];
+
 export interface CvssScore {
   value: Value
   sourceName: string
@@ -199,3 +210,29 @@ export interface RiskAcceptanceDefinition {
   updatedAt: string
 }
 
+const severityOrder = ["negligible", "low", "medium", "high", "critical"];
+
+function isSeverityGte(a: string, b: string): boolean {
+  return severityOrder.indexOf(a.toLocaleLowerCase()) >= severityOrder.indexOf(b.toLocaleLowerCase());
+}
+
+export function filterPackages(pkgs: Package[], filters: FilterOptions): Package[] {
+  return pkgs
+    .filter(pkg => {
+      const pkgType = pkg.type?.toLowerCase();
+      if (filters.packageTypes && filters.packageTypes.length > 0 &&
+        !filters.packageTypes.map(t => t.toLowerCase()).includes(pkgType)) return false;
+      if (filters.notPackageTypes && filters.notPackageTypes.length > 0 &&
+        filters.notPackageTypes.map(t => t.toLowerCase()).includes(pkgType)) return false;
+      return true;
+    })
+    .map(pkg => {
+      let vulns = pkg.vulns?.filter(vuln => {
+        if (filters.minSeverity && !isSeverityGte(vuln.severity.value, filters.minSeverity)) return false;
+        if (filters.excludeAccepted && Array.isArray(vuln.acceptedRisks) && vuln.acceptedRisks.length > 0) return false;
+        return true;
+      }) || [];
+      return { ...pkg, vulns };
+    })
+    .filter(pkg => pkg.vulns && pkg.vulns.length > 0);
+}
@@ -1,9 +1,8 @@
 import * as core from '@actions/core';
 import fs from 'fs';
-import { Package, Report, Vuln } from './report';
+import { Package, Report, FilterOptions, Vuln, filterPackages } from './report';
 
 import { version } from '../package.json';
-import { numericPriorityForSeverity } from './scanner';
 const toolVersion = `${version}`;
 const dottedQuadToolVersion = `${version}.0`;
 
@@ -47,20 +46,28 @@ interface SARIFRule {
   };
 }
 
-export function generateSARIFReport(data: Report, groupByPackage: boolean) {
-  let sarifOutput = vulnerabilities2SARIF(data, groupByPackage);
+export function generateSARIFReport(data: Report, groupByPackage: boolean, filters?: FilterOptions) {
+  let sarifOutput = vulnerabilities2SARIF(data, groupByPackage, filters);
   core.setOutput("sarifReport", "./sarif.json");
   fs.writeFileSync("./sarif.json", JSON.stringify(sarifOutput, null, 2));
 }
 
-export function vulnerabilities2SARIF(data: Report, groupByPackage: boolean) {
+export function vulnerabilities2SARIF(
+  data: Report,
+  groupByPackage: boolean,
+  filters?: FilterOptions
+) {
+
+  const filteredPackages = filterPackages(data.result.packages, filters ?? {});
+  const filteredData = { ...data, result: { ...data.result, packages: filteredPackages } };
+
   let rules: SARIFRule[] = [];
   let results: SARIFResult[] = [];
 
   if (groupByPackage) {
-    [rules, results] = vulnerabilities2SARIFResByPackage(data)
+    [rules, results] = vulnerabilities2SARIFResByPackage(filteredData)
   } else {
-    [rules, results] = vulnerabilities2SARIFRes(data)
+    [rules, results] = vulnerabilities2SARIFRes(filteredData)
   }
 
   const runs = [{
@@ -108,6 +115,22 @@ export function vulnerabilities2SARIF(data: Report, groupByPackage: boolean) {
   return (sarifOutput);
 }
 
+function numericPriorityForSeverity(severity: string): number | undefined {
+  switch (severity.toLowerCase()) {
+    case 'critical':
+      return 0
+    case 'high':
+      return 1
+    case 'medium':
+      return 2
+    case 'low':
+      return 3
+    case 'negligible':
+      return 4
+    case 'any':
+      return 5
+  }
+}
 
 function vulnerabilities2SARIFResByPackage(data: Report): [SARIFRule[], SARIFResult[]] {
   let rules: SARIFRule[] = [];
 
@@ -116,23 +116,6 @@ export function scannerURLForVersion(version: string): string {
   return `${cliScannerURLBase}/${version}/${cliScannerOS}/${cliScannerArch}/${cliScannerName}`;
 
 }
-export function numericPriorityForSeverity(severity: string): number | undefined {
-  switch (severity.toLowerCase()) {
-    case 'critical':
-      return 0
-    case 'high':
-      return 1
-    case 'medium':
-      return 2
-    case 'low':
-      return 3
-    case 'negligible':
-      return 4
-    case 'any':
-      return 5
-  }
-}
-
 
 function getRunArch() {
   let arch = "unknown";