diff --git a/README.md b/README.md index 71582ec..b32f6fe 100644 --- a/README.md +++ b/README.md 
@@ -7,116 +7,32 @@ This action performs analysis on a specific container image and posts the result ## Inputs -### `cli-scanner-url` +| Input | Description | Default | +|------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------| +| `cli-scanner-url` | URL to `sysdig-cli-scanner` binary download. The action will detect the runner OS and architecture. The version of the CLI Scanner is set to `1.8.1` by default (to specify another version see `cli-scanner-version`). For more info about the Sysdig CLI Scanner download visit [the official documentation](https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner/). | | +| `mode` | Mode of operation. Can be "vm" or "iac". | vm | +| `cli-scanner-version` | Custom sysdig-cli-scanner version to download. It is set to `1.8.1` by default. If using iac mode, minimum required version is 1.9.0. Please note that for VM mode the Action has only been tested with `1.8.x` versions and it is not guaranteed that it will work as expected with other versions. | 1.13.0 | +| `registry-user` | Registry username to authenticate to while pulling the image to scan. | | +| `registry-password` | Registry password to authenticate to while pulling the image to scan. | | +| `stop-on-failed-policy-eval` | Fail the job if the Policy Evaluation is Failed. | | +| `stop-on-processing-error` | Fail the job if the Scanner terminates execution with errors. | | +| `severity-at-least` | Filtering option to only report vulnerabilities with at least the specified severity. 
Can take [`critical`|`high`|`medium`|`low`|`negligible`|`any`]. Default value "any" for no filtering. For example, if `severity-at-least` is set to `medium`, only Medium, High or Critical vulnerabilities will be reported. | any | +| `group-by-package` | Enable grouping the vulnerabilities in the SARIF report by package. Useful if you want to manage security per package or condense the number of findings. | | +| `standalone` | Enable standalone mode. Do not depend on Sysdig backend for execution, avoiding the need of specifying 'sysdig-secure-token' and 'sysdig-secure-url'. Recommended when using runners with no access to the internet. May require to specify custom `cli-scanner-url` and `db-path`. | | +| `db-path` | Specify the directory for the vulnerabilities database to use while scanning. Useful when running in standalone mode. | | +| `skip-upload` | Skip uploading scanning results to Sysdig Secure. | | +| `skip-summary` | Skip generating Summary. | | +| `use-policies` | Specify Sysdig Secure VM Policies to evaluate the image. | | +| `override-pullstring` | Custom PullString to give the image when scanning and uploading. Useful when building images in a pipeline with temporary names. The custom PullString will be used to identify the scanned image in Sysdig Secure. | | +| `image-tag` | Tag of the image to analyse. | | +| `sysdig-secure-token` | API token for Sysdig Scanning authentication. (Required if not in Standalone mode.) | | +| `sysdig-secure-url` | Sysdig Secure Endpoint URL. Defaults to `https://secure.sysdig.com`. Please, visit the [official documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) for more details on endpoints and regions. | https://secure.sysdig.com | +| `sysdig-skip-tls` | Skip TLS verification when calling Sysdig Secure endpoints. | | +| `extra-parameters` | Additional parameters to be added to the CLI Scanner. Note that these may not be supported with the current Action. 
| | +| `recursive` | Recursively scan all folders within the folder specified in the iacScanPath. | | +| `minimum-severity` | Minimum severity to fail when scanning in IaC mode. | | +| `iac-scan-path` | Path to the IaC files to scan. | | -URL to `sysdig-cli-scanner` binary download. The action will detect the runner OS and architecture. The version of the CLI Scanner is set to `1.8.1` by default (to specify another version see `cli-scanner-version`). - -For more info about the Sysdig CLI Scanner download visit [the official documentation](https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner/). - -### `mode` - -Mode of operation. Can be "vm" or "iac". Default is **vm**. - -### `cli-scanner-version` - -Custom sysdig-cli-scanner version to download. It is set to `1.8.1` by default. - -> If using iac mode, minimum required version is 1.9.0. -> Please note that for VM mode the Action has only been tested with `1.8.x` versions and it is not guaranteed that it will work as expected with other versions. - -### `registry-user` - -Registry username to authenticate to while pulling the image to scan. - -### `registry-password` - -Registry password to authenticate to while pulling the image to scan. - -### `stop-on-failed-policy-eval` - -Fail the job if the Policy Evaluation is Failed. - -### `stop-on-processing-error` - -Fail the job if the Scanner terminates execution with errors. - -### `severity-at-least` - -Filtering option to only report vulnerabilities with at least the specified severity. Can take [`critical`|`high`|`medium`|`low`|`negligible`|`any`]. Default value "any" for no filtering. - -For example, if `severity-at-least` is set to `medium`, only Medium, High or Critical vulnerabilities will be reported. - -### `group-by-package` - -Enable grouping the vulnerabilities in the SARIF report by package. - -Useful if you want to manage security per package or condense the number of findings. 
- -### `standalone` - -Enable standalone mode. Do not depend on Sysdig backend for -execution, avoiding the need of specifying -'sysdig-secure-token' and 'sysdig-secure-url'. - -Recommended when using runners with no access to the internet. May require to specify custom `cli-scanner-url` and `db-path`. - -### `db-path` - -Specify the directory for the vulnerabilities database to use while scanning. - -Useful when running in standalone mode. - -### `skip-upload` - -Skip uploading scanning results to Sysdig Secure. - -### `skip-summary` - -Skip generating Summary. - -### `use-policies` - -Specify Sysdig Secure VM Policies to evaluate the image. - -### `override-pullstring` - -Custom PullString to give the image when scanning and -uploading. - -Useful when building images in a pipeline with temporary names. The custom PullString will be used to identify the scanned image in Sysdig Secure. - -### `image-tag` - -Tag of the image to analyse. - -### `sysdig-secure-token` - -API token for Sysdig Scanning authentication. (Required if not in -Standalone mode.) - -### `sysdig-secure-url` - -Sysdig Secure Endpoint URL. Defaults to `https://secure.sysdig.com`. Please, visit the [official documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) for more details on endpoints and regions. - -### `sysdig-skip-tls` - -Skip TLS verification when calling Sysdig Secure endpoints. - -### `extra-parameters` - -Additional parameters to be added to the CLI Scanner. Note that these may not be supported with the current Action. - -### `recursive` - -Recursively scan all folders within the folder specified in the iacScanPath - -### `minimum-severity` - -Minimum severity to fail when scanning in IaC mode - -### `iac-scan-path` - -Path to the IaC files to scan ## SARIF Report
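Review bot: the new `cli-scanner-version` row contradicts itself: its description still reads "It is set to `1.8.1` by default" while the Default column says `1.13.0`, and the `cli-scanner-url` row repeats the stale "set to `1.8.1` by default" sentence. Pick one value, state it once in the Default column, and drop the hard-coded version from both descriptions so the two cannot drift apart again. The same row also keeps the caveat "for VM mode the Action has only been tested with `1.8.x` versions and it is not guaranteed that it will work as expected with other versions", which is odd advice to ship beside a default of `1.13.0`; either update the tested-version note or make the default one of the tested versions. Minor: the `sysdig-skip-tls` row ("Skip TLS verification when calling Sysdig Secure endpoints.") would benefit from a short note that this disables certificate validation of the Secure endpoint and should be reserved for test setups, and the `extra-parameters`, `recursive`, `minimum-severity` and `iac-scan-path` rows now lack the explicit "(IaC mode only)" / default hints that the old headings at least implied.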