docs: change the inputs in the README with a table
tembleking committed Jul 26, 2024
1 parent fe9ba1e commit 9713270
Showing 1 changed file with 25 additions and 109 deletions.
134 changes: 25 additions & 109 deletions README.md
@@ -7,116 +7,32 @@ This action performs analysis on a specific container image and posts the result

## Inputs

### `cli-scanner-url`
| Input | Description | Default |
|------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|
| `cli-scanner-url` | URL to `sysdig-cli-scanner` binary download. The action will detect the runner OS and architecture. The version of the CLI Scanner is set to `1.8.1` by default (to specify another version see `cli-scanner-version`). For more info about the Sysdig CLI Scanner download visit [the official documentation](https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner/). | |
| `mode` | Mode of operation. Can be "vm" or "iac". | vm |
| `cli-scanner-version` | Custom sysdig-cli-scanner version to download. It is set to `1.8.1` by default. If using iac mode, minimum required version is 1.9.0. Please note that for VM mode the Action has only been tested with `1.8.x` versions and it is not guaranteed that it will work as expected with other versions. | 1.13.0 |
| `registry-user` | Registry username to authenticate to while pulling the image to scan. | |
| `registry-password` | Registry password to authenticate to while pulling the image to scan. | |
| `stop-on-failed-policy-eval` | Fail the job if the Policy Evaluation is Failed. | |
| `stop-on-processing-error` | Fail the job if the Scanner terminates execution with errors. | |
| `severity-at-least` | Filtering option to only report vulnerabilities with at least the specified severity. Can take [`critical`|`high`|`medium`|`low`|`negligible`|`any`]. Default value "any" for no filtering. For example, if `severity-at-least` is set to `medium`, only Medium, High or Critical vulnerabilities will be reported. | any |
| `group-by-package` | Enable grouping the vulnerabilities in the SARIF report by package. Useful if you want to manage security per package or condense the number of findings. | |
| `standalone` | Enable standalone mode. Do not depend on Sysdig backend for execution, avoiding the need of specifying 'sysdig-secure-token' and 'sysdig-secure-url'. Recommended when using runners with no access to the internet. May require to specify custom `cli-scanner-url` and `db-path`. | |
| `db-path` | Specify the directory for the vulnerabilities database to use while scanning. Useful when running in standalone mode. | |
| `skip-upload` | Skip uploading scanning results to Sysdig Secure. | |
| `skip-summary` | Skip generating Summary. | |
| `use-policies` | Specify Sysdig Secure VM Policies to evaluate the image. | |
| `override-pullstring` | Custom PullString to give the image when scanning and uploading. Useful when building images in a pipeline with temporary names. The custom PullString will be used to identify the scanned image in Sysdig Secure. | |
| `image-tag` | Tag of the image to analyse. | |
| `sysdig-secure-token` | API token for Sysdig Scanning authentication. (Required if not in Standalone mode.) | |
| `sysdig-secure-url` | Sysdig Secure Endpoint URL. Defaults to `https://secure.sysdig.com`. Please, visit the [official documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) for more details on endpoints and regions. | https://secure.sysdig.com |
| `sysdig-skip-tls` | Skip TLS verification when calling Sysdig Secure endpoints. | |
| `extra-parameters` | Additional parameters to be added to the CLI Scanner. Note that these may not be supported with the current Action. | |
| `recursive` | Recursively scan all folders within the folder specified in the iacScanPath. | |
| `minimum-severity` | Minimum severity to fail when scanning in IaC mode. | |
| `iac-scan-path` | Path to the IaC files to scan. | |

URL to `sysdig-cli-scanner` binary download. The action will detect the runner OS and architecture. The version of the CLI Scanner is set to `1.8.1` by default (to specify another version see `cli-scanner-version`).

For more info about the Sysdig CLI Scanner download visit [the official documentation](https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner/).

### `mode`

Mode of operation. Can be "vm" or "iac". Default is **vm**.

### `cli-scanner-version`

Custom sysdig-cli-scanner version to download. It is set to `1.8.1` by default.

> If using iac mode, minimum required version is 1.9.0.
> Please note that for VM mode the Action has only been tested with `1.8.x` versions and it is not guaranteed that it will work as expected with other versions.
### `registry-user`

Registry username to authenticate to while pulling the image to scan.

### `registry-password`

Registry password to authenticate to while pulling the image to scan.

### `stop-on-failed-policy-eval`

Fail the job if the Policy Evaluation is Failed.

### `stop-on-processing-error`

Fail the job if the Scanner terminates execution with errors.

### `severity-at-least`

Filtering option to only report vulnerabilities with at least the specified severity. Can take [`critical`|`high`|`medium`|`low`|`negligible`|`any`]. Default value "any" for no filtering.

For example, if `severity-at-least` is set to `medium`, only Medium, High or Critical vulnerabilities will be reported.

### `group-by-package`

Enable grouping the vulnerabilities in the SARIF report by package.

Useful if you want to manage security per package or condense the number of findings.

### `standalone`

Enable standalone mode. Do not depend on Sysdig backend for
execution, avoiding the need of specifying
'sysdig-secure-token' and 'sysdig-secure-url'.

Recommended when using runners with no access to the internet. May require to specify custom `cli-scanner-url` and `db-path`.

### `db-path`

Specify the directory for the vulnerabilities database to use while scanning.

Useful when running in standalone mode.

### `skip-upload`

Skip uploading scanning results to Sysdig Secure.

### `skip-summary`

Skip generating Summary.

### `use-policies`

Specify Sysdig Secure VM Policies to evaluate the image.

### `override-pullstring`

Custom PullString to give the image when scanning and
uploading.

Useful when building images in a pipeline with temporary names. The custom PullString will be used to identify the scanned image in Sysdig Secure.

### `image-tag`

Tag of the image to analyse.

### `sysdig-secure-token`

API token for Sysdig Scanning authentication. (Required if not in
Standalone mode.)

### `sysdig-secure-url`

Sysdig Secure Endpoint URL. Defaults to `https://secure.sysdig.com`. Please, visit the [official documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) for more details on endpoints and regions.

### `sysdig-skip-tls`

Skip TLS verification when calling Sysdig Secure endpoints.

### `extra-parameters`

Additional parameters to be added to the CLI Scanner. Note that these may not be supported with the current Action.

### `recursive`

Recursively scan all folders within the folder specified in the iacScanPath

### `minimum-severity`

Minimum severity to fail when scanning in IaC mode

### `iac-scan-path`

Path to the IaC files to scan

## SARIF Report

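Review bot: the `severity-at-least` row breaks the table: its cell contains bare pipes in `[`critical`|`high`|`medium`|`low`|`negligible`|`any`]`, and GitHub Flavored Markdown splits table cells on `|` even inside code spans, so that row will render as extra columns; escape them as `\|` or rewrite the list as `critical`, `high`, `medium`, `low`, `negligible`, `any`. Separately, the Default column and the descriptions disagree on the scanner version: the `cli-scanner-url` and `cli-scanner-version` descriptions both say the version "is set to `1.8.1` by default", the Default cell for `cli-scanner-version` says `1.13.0`, and the same row still warns that VM mode "has only been tested with `1.8.x` versions"; state the value the action actually uses once and update or drop the 1.8.x caveat so a reader is not given two defaults. The Default column is also empty for the flag-style inputs (`stop-on-failed-policy-eval`, `stop-on-processing-error`, `group-by-package`, `standalone`, `skip-upload`, `skip-summary`, `sysdig-skip-tls`, `recursive`), so the table does not say whether they default to false; filling those cells would make it self-contained. Two smaller points: the `recursive` row refers to "the iacScanPath" while the input is named `iac-scan-path`, and the `sysdig-skip-tls` row should say plainly that it disables certificate verification of the Sysdig Secure endpoint and is meant for test setups only, with a reminder next to `registry-password` and `sysdig-secure-token` that these should be supplied from `${{ secrets.* }}` rather than as literals in the workflow file.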