From 369ebc29958dcccac2671c80d85ad13953cdeaf7 Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 18:25:15 -0500 Subject: [PATCH 01/18] Add GitHub Action to build and scan vote, worker, and result containers --- .github/workflows/build-scan.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 .github/workflows/build-scan.yaml diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml new file mode 100644 index 0000000000..e69de29bb2 From d44dc8e20a6afc3092cdc19bfe05f31ba7e2e51f Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 18:26:56 -0500 Subject: [PATCH 02/18] Add GitHub Action to build and scan vote, worker, and result containers --- .github/workflows/build-scan.yaml | 111 ++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index e69de29bb2..55e9974b10 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -0,0 +1,111 @@ +name: Build & Scan Containers + +on: + push: + branches: + - main + pull_request: + branches: + - main + +permissions: + contents: read + security-events: write # if need to upload SARIF or similar + +jobs: + build-and-scan: + runs-on: ubuntu-latest + env: + REGISTRY_HOST: ghcr.io + REGISTRY_NAMESPACE: myorg # change to your org/user + VOTE_IMAGE: ${{ env.REGISTRY_HOST }}/${{ env.REGISTRY_NAMESPACE }}/vote:latest + WORKER_IMAGE: ${{ env.REGISTRY_HOST }}/${{ env.REGISTRY_NAMESPACE }}/worker:latest + RESULT_IMAGE: ${{ env.REGISTRY_HOST }}/${{ env.REGISTRY_NAMESPACE }}/result:latest + + steps: + - name: Checkout code + uses: actions/checkout@v5 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + # Build vote + - name: Build vote image + uses: docker/build-push-action@v4 + with: + context: ./vote + file: ./vote/Dockerfile + tags: ${{ env.VOTE_IMAGE }} + push: false + load: true + + # Build worker + - name: Build worker image + uses: docker/build-push-action@v4 + with: + context: ./worker + file: ./worker/Dockerfile + tags: ${{ env.WORKER_IMAGE }} + push: false + load: true + + # Build result + - name: Build result image + uses: docker/build-push-action@v4 + with: + context: ./result + file: ./result/Dockerfile + tags: ${{ env.RESULT_IMAGE }} + push: false + load: true + + # Run scan for vote + - name: Scan vote image + run: | + ./your-cli-scanner image ${{ env.VOTE_IMAGE }} --fail-on-findings + # optionally env vars, secrets, etc + + # Run scan for worker + - name: Scan worker image + run: | + ./your-cli-scanner image ${{ env.WORKER_IMAGE }} --fail-on-findings + + # Run scan for result + - name: Scan result image + run: | + ./your-cli-scanner image ${{ env.RESULT_IMAGE }} --fail-on-findings + + # (Optional) push images if scans passed + - name: Login to registry + uses: docker/login-action@v2 + with: + registry: ${{ env.REGISTRY_HOST }} + username: ${{ secrets.REGISTRY_USER }} + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: Push vote image + uses: docker/build-push-action@v4 + with: + context: ./vote + file: ./vote/Dockerfile + tags: ${{ env.VOTE_IMAGE }} + push: true + load: false + + - name: Push worker image + uses: docker/build-push-action@v4 + with: + context: ./worker + file: ./worker/Dockerfile + tags: ${{ env.WORKER_IMAGE }} + push: true + load: false + + - name: Push result image + uses: docker/build-push-action@v4 + with: + context: ./result + file: ./result/Dockerfile + tags: ${{ env.RESULT_IMAGE }} + push: true + load: false From fe88622feddb6cbfc5945708628d9abceac86e32 Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 18:51:07 -0500 Subject: [PATCH 03/18] Add GitHub Action to build and scan vote, worker, and result containers --- .github/workflows/build-scan.yaml | 111 ++++++++++-------------------- 1 file changed, 37 insertions(+), 74 deletions(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index 55e9974b10..4e18b74334 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -1,111 +1,74 @@ -name: Build & Scan Containers +name: Build & Scan with Sysdig (Docker Hub) on: push: - branches: - - main + branches: [ main ] pull_request: - branches: - - main + branches: [ main ] permissions: contents: read - security-events: write # if need to upload SARIF or similar jobs: build-and-scan: runs-on: ubuntu-latest + env: - REGISTRY_HOST: ghcr.io - REGISTRY_NAMESPACE: myorg # change to your org/user - VOTE_IMAGE: ${{ env.REGISTRY_HOST }}/${{ env.REGISTRY_NAMESPACE }}/vote:latest - WORKER_IMAGE: ${{ env.REGISTRY_HOST }}/${{ env.REGISTRY_NAMESPACE }}/worker:latest - RESULT_IMAGE: ${{ env.REGISTRY_HOST }}/${{ env.REGISTRY_NAMESPACE }}/result:latest + REGISTRY: docker.io + REPO: ${{ secrets.REGISTRY_USER }} + SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} + SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} steps: - - name: Checkout code - uses: actions/checkout@v5 + - name: Checkout source + uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - # Build vote - - name: Build vote image - uses: docker/build-push-action@v4 + - name: Log in to Docker Hub + uses: docker/login-action@v3 with: - context: ./vote - file: ./vote/Dockerfile - tags: ${{ env.VOTE_IMAGE }} - push: false - load: true + username: ${{ secrets.REGISTRY_USER }} + password: ${{ secrets.REGISTRY_TOKEN }} + + # --- Build Containers --- + - name: Build vote image + run: docker build -t $REGISTRY/$REPO/vote:latest ./vote - # Build worker - name: Build worker image - uses: docker/build-push-action@v4 - with: - context: ./worker - file: ./worker/Dockerfile - tags: ${{ env.WORKER_IMAGE }} - push: false - load: true + run: docker build -t $REGISTRY/$REPO/worker:latest ./worker - # Build result - name: Build result image - uses: docker/build-push-action@v4 - with: - context: ./result - file: ./result/Dockerfile - tags: ${{ env.RESULT_IMAGE }} - push: false - load: true + run: docker build -t $REGISTRY/$REPO/result:latest ./result - # Run scan for vote + # --- Install Sysdig Scanner --- + - name: Install Sysdig CLI Scanner + run: | + curl -LO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 + chmod +x sysdig-cli-scanner-linux-amd64 + sudo mv sysdig-cli-scanner-linux-amd64 /usr/local/bin/sysdig-cli-scanner + sysdig-cli-scanner --version + + # --- Scan images --- - name: Scan vote image run: | - ./your-cli-scanner image ${{ env.VOTE_IMAGE }} --fail-on-findings - # optionally env vars, secrets, etc + sysdig-cli-scanner --apiurl $SYSDIG_SECURE_URL --token $SYSDIG_SECURE_TOKEN $REGISTRY/$REPO/vote:latest - # Run scan for worker - name: Scan worker image run: | - ./your-cli-scanner image ${{ env.WORKER_IMAGE }} --fail-on-findings + sysdig-cli-scanner --apiurl $SYSDIG_SECURE_URL --token $SYSDIG_SECURE_TOKEN $REGISTRY/$REPO/worker:latest - # Run scan for result - name: Scan result image run: | - ./your-cli-scanner image ${{ env.RESULT_IMAGE }} --fail-on-findings - - # (Optional) push images if scans passed - - name: Login to registry - uses: docker/login-action@v2 - with: - registry: ${{ env.REGISTRY_HOST }} - username: ${{ secrets.REGISTRY_USER }} - password: ${{ secrets.REGISTRY_TOKEN }} + sysdig-cli-scanner --apiurl $SYSDIG_SECURE_URL --token $SYSDIG_SECURE_TOKEN $REGISTRY/$REPO/result:latest + # --- Optional: Push images to Docker Hub (only if scans passed) --- - name: Push vote image - uses: docker/build-push-action@v4 - with: - context: ./vote - file: ./vote/Dockerfile - tags: ${{ env.VOTE_IMAGE }} - push: true - load: false + run: docker push $REGISTRY/$REPO/vote:latest - name: Push worker image - uses: docker/build-push-action@v4 - with: - context: ./worker - file: ./worker/Dockerfile - tags: ${{ env.WORKER_IMAGE }} - push: true - load: false + run: docker push $REGISTRY/$REPO/worker:latest - name: Push result image - uses: docker/build-push-action@v4 - with: - context: ./result - file: ./result/Dockerfile - tags: ${{ env.RESULT_IMAGE }} - push: true - load: false + run: docker push $REGISTRY/$REPO/result:latest From 972f90ee76269fa8cfe54038ca6dda82f8d90ceb Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 18:56:21 -0500 Subject: [PATCH 04/18] updated the cli-scanner-url --- .github/workflows/build-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index 4e18b74334..ff797a97f2 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -45,7 +45,7 @@ jobs: # --- Install Sysdig Scanner --- - name: Install Sysdig CLI Scanner run: | - curl -LO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 + curl -LO curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/arm64/sysdig-cli-scanner" chmod +x sysdig-cli-scanner-linux-amd64 sudo mv sysdig-cli-scanner-linux-amd64 /usr/local/bin/sysdig-cli-scanner sysdig-cli-scanner --version From 60db6817541e1e037872542a9d84467d3360d490 Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 18:59:52 -0500 Subject: [PATCH 05/18] cli scanner version issue --- .github/workflows/build-scan.yaml | 17 +++- scan-logs | 10 +++ votingapp_scan.logs | 129 ++++++++++++++++++++++++++++++ 3 files changed, 152 insertions(+), 4 deletions(-) create mode 100644 scan-logs create mode 100644 votingapp_scan.logs diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index ff797a97f2..587e56b388 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -42,14 +42,23 @@ jobs: - name: Build result image run: docker build -t $REGISTRY/$REPO/result:latest ./result - # --- Install Sysdig Scanner --- + - name: Install Sysdig CLI Scanner run: | - curl -LO curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/arm64/sysdig-cli-scanner" - chmod +x sysdig-cli-scanner-linux-amd64 - sudo mv sysdig-cli-scanner-linux-amd64 /usr/local/bin/sysdig-cli-scanner + LATEST_VERSION=$(curl -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) + curl -Lo sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/linux/amd64/sysdig-cli-scanner" + chmod +x sysdig-cli-scanner + sudo mv sysdig-cli-scanner /usr/local/bin/ sysdig-cli-scanner --version + # # --- Install Sysdig Scanner --- + # - name: Install Sysdig CLI Scanner + # run: | + # curl -LO curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/arm64/sysdig-cli-scanner" + # chmod +x sysdig-cli-scanner-linux-amd64 + # sudo mv sysdig-cli-scanner-linux-amd64 /usr/local/bin/sysdig-cli-scanner + # sysdig-cli-scanner --version + # --- Scan images --- - name: Scan vote image run: | diff --git a/scan-logs b/scan-logs new file mode 100644 index 0000000000..86d55274c2 --- /dev/null +++ b/scan-logs @@ -0,0 +1,10 @@ +{"level":"info","version":"1.23.0","commit":"92edf73","time":"2025-11-04T18:07:45-05:00","message":"Starting analysis with Sysdig scanner"} +{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"Using path for the cache: /Users/owner/Library/Caches/inlineScannerCache.db"} +{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"Using local MainDB (skipping DB update)"} +{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"Using cached DB file on path /usr/local/bin/main.db/sysdig-db-data"} +{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"Offline mode enabled for file analyzers"} +{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"standalone mode, we won't perform calls to backend"} +{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"Loading MainDB V3 from: /usr/local/bin/main.db/sysdig-db-data"} +{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"Done: MainDB V3 loaded"} +{"level":"info","imgName":"scan","time":"2025-11-04T18:07:45-05:00","message":"Retrieving image"} +{"level":"error","error":"Unable to get image: image not found from loader","time":"2025-11-04T18:07:57-05:00","message":"Exiting now"} diff --git a/votingapp_scan.logs b/votingapp_scan.logs new file mode 100644 index 0000000000..2a914b556f --- /dev/null +++ b/votingapp_scan.logs @@ -0,0 +1,129 @@ +{"level":"info","version":"1.23.0","commit":"92edf73","time":"2025-11-04T17:47:03-05:00","message":"Starting analysis with Sysdig scanner"} +{"level":"info","time":"2025-11-04T17:47:03-05:00","message":"Using path for the cache: /Users/owner/Library/Caches/inlineScannerCache.db"} +{"level":"info","dbVersion":"V3","time":"2025-11-04T17:47:04-05:00","message":"Vuln DB version detected"} +{"level":"info","time":"2025-11-04T17:47:04-05:00","message":"Retrieving MainDB"} +{"level":"info","time":"2025-11-04T17:47:04-05:00","message":"Using local MainDB located at /usr/local/bin/main.db/sysdig-db-data since it is already up to date"} +{"level":"info","time":"2025-11-04T17:47:04-05:00","message":"Using cached DB file on path /usr/local/bin/main.db/sysdig-db-data"} +{"level":"info","error":"failed parsing OnPrem version : Malformed version: ","time":"2025-11-04T17:47:04-05:00","message":"unable to get onPrem version, will assume SaaS environment"} +{"level":"info","time":"2025-11-04T17:47:04-05:00","message":"Loading MainDB V3 from: /usr/local/bin/main.db/sysdig-db-data"} +{"level":"info","time":"2025-11-04T17:47:04-05:00","message":"Done: MainDB V3 loaded"} +{"level":"info","imgName":"pull://nginx:latest","time":"2025-11-04T17:47:04-05:00","message":"Retrieving image"} +{"level":"info","time":"2025-11-04T17:47:05-05:00","message":"first platform available in manifest is (linux/amd64), will use it"} +{"level":"info","imgName":"pull://nginx:latest","time":"2025-11-04T17:47:06-05:00","message":"Done: image retrieved"} +{"level":"info","time":"2025-11-04T17:47:06-05:00","message":"Start analyzing image"} +{"level":"info","url":"https://app.us4.sysdig.com/api/scanning/sbom/v2/base-images/search","layersDigest":["sha256:36d06fe0cbc654e5f67d58c960ed33e53127e4a3288d8ce6f6a60a9c311794d4","sha256:6e19587ac5416790488e2e259fbb4e14ea409908bff5a4aab5e01760fc63c15a","sha256:8feb164cd673e978e6287e249339b5fa20d7aa46ebd09923092ae74dec88419a","sha256:2ced4cd78a7bdbb622141c41c9e83772f7f81dedd43527ec2df07c8fa6632f08","sha256:99cd1b1b6a4397c3835be9a48d6c04fdd8997bb15f29d0cb2cfcbaf3844b0d24","sha256:d81df94f8d07136711ea4ff25d1f14b8a9aad1e6816ab46ce25c840ddc8f326e","sha256:d7217c60dca400c2c3e6367dd67b30cf429e1d21a0f258ec37c0abb7a446ffbe"],"time":"2025-11-04T17:47:09-05:00","message":"base images resolved"} +{"level":"info","assetID":"sha256:d261fd19cb63238535ab80d4e1be1d9e7f6c8b5a28a820188968dd3e6f06072d","pullstring":"nginx:latest","analyzerInfo":{"version":"v0.0.0-20251013122706-5c1e12a97f07"},"time":"2025-11-04T17:47:09-05:00","message":"{\"shouldExtract\":true}\n"} +{"level":"info","time":"2025-11-04T17:47:09-05:00","message":"Start matching vulnerabilities"} +{"level":"info","time":"2025-11-04T17:47:09-05:00","message":"Matched 150 packages"} +{"level":"info","time":"2025-11-04T17:47:09-05:00","message":"attempting to use the latest policy model"} +{"level":"warn","rep":"failed evaluating policies: failed to retrieve policies: failed to get policies: failed to unmarshal response body: proto: syntax error (line 1:1): invalid value <","time":"2025-11-04T17:47:10-05:00","message":"failed to evaluate with the new policy model, using the older version"} +{"level":"info","time":"2025-11-04T17:47:10-05:00","message":"using the legacy policy model"} +{"level":"info","time":"2025-11-04T17:47:10-05:00","message":"Start policies evaluation"} +{"level":"info","result":"passed","time":"2025-11-04T17:47:10-05:00","message":"End policies evaluation"} +{"level":"info","time":"2025-11-04T17:47:10-05:00","message":"Start risks acceptance evaluation"} +{"level":"info","time":"2025-11-04T17:47:10-05:00","message":"Scan Result upload in progress"} +{"level":"info","scan-result-id":"1874ef443ac59748faee8c01a82e2360","scan-result-url":"https://app.us4.sysdig.com/secure/#/vulnerabilities/results/1874ef443ac59748faee8c01a82e2360/overview","time":"2025-11-04T17:47:11-05:00","message":"Scan Result uploaded"} +{"level":"info","duration":"7.103251714s","time":"2025-11-04T17:47:11-05:00","message":"Done"} + + + +sysdig-cli-scanner scan /tmp/examplevotingapp_vote.tar --standalone + +2025-11-04T17:43:33-05:00 Starting analysis with Sysdig scanner version 1.23.0 +2025-11-04T17:43:33-05:00 Using local MainDB (skipping DB update)... +2025-11-04T17:43:33-05:00 Done, using cached DB +2025-11-04T17:43:33-05:00 Loading MainDB V3... +2025-11-04T17:43:33-05:00 Done +2025-11-04T17:43:33-05:00 Retrieving image... +2025-11-04T17:43:44-05:00 Unable to get image, for additional information see the logs here: /Users/owner/Documents/Sysdig/example-voting-app/scan-logs. Exiting now +owner@Owners-MacBook-Pro example-voting-app % +owner@Owners-MacBook-Pro example-voting-app % +owner@Owners-MacBook-Pro example-voting-app % ./sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://nginx:latest +zsh: no such file or directory: ./sysdig-cli-scanner +owner@Owners-MacBook-Pro example-voting-app % sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://nginx:latest +Environment variable `SECURE_API_TOKEN` is required when standalone mode is not active. For usage help, please run with `--help` +Cannot parse command line options +owner@Owners-MacBook-Pro example-voting-app % +owner@Owners-MacBook-Pro example-voting-app % +owner@Owners-MacBook-Pro example-voting-app % export SECURE_API_TOKEN=b7de0bae-8dfd-4bfc-b372-2fb2bdf05918 +owner@Owners-MacBook-Pro example-voting-app % sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://nginx:latest +2025-11-04T17:47:03-05:00 Starting analysis with Sysdig scanner version 1.23.0 +2025-11-04T17:47:04-05:00 Retrieving MainDB... +2025-11-04T17:47:04-05:00 Done, using cached DB +2025-11-04T17:47:04-05:00 Loading MainDB V3... +2025-11-04T17:47:04-05:00 Done +2025-11-04T17:47:04-05:00 Retrieving image... +2025-11-04T17:47:06-05:00 Done +2025-11-04T17:47:06-05:00 Scan started... +2025-11-04T17:47:10-05:00 Uploading image sbom to backend... +2025-11-04T17:47:10-05:00 Uploading scanresult with sbom to backend... +2025-11-04T17:47:11-05:00 Done +2025-11-04T17:47:11-05:00 Total execution time 7.103295234s + +Type: dockerImage +ImageID: sha256:d261fd19cb63238535ab80d4e1be1d9e7f6c8b5a28a820188968dd3e6f06072d +Digest: sha256:1beed3ca46acebe9d3fb62e9067f03d05d5bfa97a00f30938a0a3580563272ad +BaseOS: debian 13.1 +PullString: nginx:latest + +92 vulnerabilities found +2 Critical (0 fixable) +12 High (0 fixable) +3 Medium (0 fixable) +5 Low (0 fixable) +70 Negligible (0 fixable) + + POLICIES EVALUATION + Policy: Sysdig Best Practices PASSED (0 failures - 0 risks accepted) + +Policies evaluation PASSED at 2025-11-04T17:47:11-05:00 +Full image results here: https://app.us4.sysdig.com/secure/#/vulnerabilities/results/1874ef443ac59748faee8c01a82e2360/overview (id 1874ef443ac59748faee8c01a82e2360) +Execution logs written to: /Users/owner/Documents/Sysdig/example-voting-app/scan-logs + + +sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/dockersamples/examplevotingapp_vote:latest +2025-11-04T17:49:47-05:00 Starting analysis with Sysdig scanner version 1.23.0 +2025-11-04T17:49:47-05:00 Retrieving MainDB... +2025-11-04T17:49:47-05:00 Done, using cached DB +2025-11-04T17:49:48-05:00 Loading MainDB V3... +2025-11-04T17:49:48-05:00 Done +2025-11-04T17:49:48-05:00 Retrieving image... +2025-11-04T17:49:49-05:00 Done +2025-11-04T17:49:49-05:00 Scan started... +2025-11-04T17:49:52-05:00 Uploading image sbom to backend... +2025-11-04T17:49:52-05:00 Uploading scanresult with sbom to backend... +2025-11-04T17:49:53-05:00 Done +2025-11-04T17:49:53-05:00 Total execution time 5.795543946s + +Type: dockerImage +ImageID: sha256:50482f268ba1f32ac1d4ff623cf76ad4d44a946d3d106db2a1fedbe8467abf7a +Digest: sha256:7102d3b952ec84e3541ee12e7217e320c52aed60b13501c3158f46376a907466 +BaseOS: debian 12.7 +PullString: docker.io/dockersamples/examplevotingapp_vote:latest + +181 vulnerabilities found +8 Critical (5 fixable) +41 High (27 fixable) +49 Medium (33 fixable) +10 Low (5 fixable) +73 Negligible (0 fixable) + + + PACKAGE TYPE VERSION SUGGESTED FIX CRITICAL HIGH MEDIUM LOW NEGLIGIBLE EXPLOIT + libsqlite3-0 os 3.40.1-2 3.40.1-2+deb12u2 3 1 0 0 3 0 + libssl3 os 3.0.14-1~deb12u2 3.0.17-1~deb12u3 1 3 1 0 1 0 + openssl os 3.0.14-1~deb12u2 3.0.17-1~deb12u3 1 3 1 0 1 0 + perl-base os 5.36.0-7+deb12u1 5.36.0-7+deb12u2 1 2 0 0 2 0 + setuptools python 65.5.1 70.0.0 1 1 0 0 0 0 + libgnutls30 os 3.7.9-2+deb12u3 3.7.9-2+deb12u5 0 4 1 0 1 0 + libexpat1 os 2.5.0-1+deb12u1 2.5.0-1+deb12u2 0 4 0 0 2 0 + Jinja2 python 3.1.4 3.1.5 0 3 0 0 0 0 + libc-bin os 2.36-9+deb12u8 2.36-9+deb12u10 0 2 1 0 7 0 + libc6 os 2.36-9+deb12u8 2.36-9+deb12u10 0 2 1 0 7 0 + + POLICIES EVALUATION + Policy: Sysdig Best Practices FAILED (55 failures - 0 risks accepted) + +Policies evaluation FAILED at 2025-11-04T17:49:53-05:00 +Full image results here: https://app.us4.sysdig.com/secure/#/vulnerabilities/results/1874ef69f37af240c36eb62e30f4a0d0/overview (id 1874ef69f37af240c36eb62e30f4a0d0) +Execution logs written to: /Users/owner/Documents/Sysdig/example-voting-app/scan-logs \ No newline at end of file From aa0980dfbd9b7f0d7093dd69d7f5586b8ddc5963 Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 19:05:14 -0500 Subject: [PATCH 06/18] cli scanner version issue --- .github/workflows/build-scan.yaml | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index 587e56b388..00453797f3 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -59,18 +59,30 @@ jobs: # sudo mv sysdig-cli-scanner-linux-amd64 /usr/local/bin/sysdig-cli-scanner # sysdig-cli-scanner --version + + # --- Scan images --- + - name: Scan vote image + env: + SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} + SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - sysdig-cli-scanner --apiurl $SYSDIG_SECURE_URL --token $SYSDIG_SECURE_TOKEN $REGISTRY/$REPO/vote:latest + sysdig-cli-scanner docker.io/$REPO/vote:latest - name: Scan worker image + env: + SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} + SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - sysdig-cli-scanner --apiurl $SYSDIG_SECURE_URL --token $SYSDIG_SECURE_TOKEN $REGISTRY/$REPO/worker:latest + sysdig-cli-scanner docker.io/$REPO/worker:latest - name: Scan result image + env: + SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} + SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - sysdig-cli-scanner --apiurl $SYSDIG_SECURE_URL --token $SYSDIG_SECURE_TOKEN $REGISTRY/$REPO/result:latest + sysdig-cli-scanner docker.io/$REPO/result:latest # --- Optional: Push images to Docker Hub (only if scans passed) --- - name: Push vote image From d499c96a5bab9d08fcdbfdef1c54b9dc1838912e Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 19:11:15 -0500 Subject: [PATCH 07/18] updated the run commands for cli scanner --- .github/workflows/build-scan.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index 00453797f3..816232648c 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -68,28 +68,28 @@ jobs: SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - sysdig-cli-scanner docker.io/$REPO/vote:latest + sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_vote:latest - name: Scan worker image env: SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - sysdig-cli-scanner docker.io/$REPO/worker:latest + sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_worker:latest - name: Scan result image env: SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - sysdig-cli-scanner docker.io/$REPO/result:latest + sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_result:latest # --- Optional: Push images to Docker Hub (only if scans passed) --- - name: Push vote image - run: docker push $REGISTRY/$REPO/vote:latest + run: docker push $REGISTRY/$REPO/examplevotingapp_vote:latest - name: Push worker image - run: docker push $REGISTRY/$REPO/worker:latest + run: docker push $REGISTRY/$REPO/examplevotingapp_worker:latest - name: Push result image - run: docker push $REGISTRY/$REPO/result:latest + run: docker push $REGISTRY/$REPO/examplevotingapp_result:latest From 67d3f73acd74ea09bd69576f1c1b1749a259517a Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 19:17:38 -0500 Subject: [PATCH 08/18] added variables --- .github/workflows/build-scan.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index 816232648c..fbad3b2eb8 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -62,7 +62,13 @@ jobs: # --- Scan images --- - + - name: Debug environment variables + run: | + echo "REGISTRY_USER = $REGISTRY_USER" + echo "REPO = $REPO" + echo "SYSDIG_SECURE_URL = $SYSDIG_SECURE_URL" + echo "SYSDIG_SECURE_TOKEN = $SYSDIG_SECURE_TOKEN" + - name: Scan vote image env: SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} From b2227acf1f47320b8b6e92dc4f48079fe2e235c8 Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 19:22:36 -0500 Subject: [PATCH 09/18] added Env variables --- .github/workflows/build-scan.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index fbad3b2eb8..079a741e81 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -63,8 +63,15 @@ jobs: # --- Scan images --- - name: Debug environment variables + env: + REGISTRY_USER: ${{ secrets.REGISTRY_USER }} + REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} + REPO: ${{ secrets.REGISTRY_USER }} + SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} + SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | echo "REGISTRY_USER = $REGISTRY_USER" + echo "REGISTRY_TOKEN (masked) = $REGISTRY_TOKEN" echo "REPO = $REPO" echo "SYSDIG_SECURE_URL = $SYSDIG_SECURE_URL" echo "SYSDIG_SECURE_TOKEN = $SYSDIG_SECURE_TOKEN" From 0f9610edde3f137aee3455b386eae9bded5f18cf Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 19:27:03 -0500 Subject: [PATCH 10/18] testing variables --- .github/workflows/build-scan.yaml | 37 +++++++++++++++++++------------ 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index 079a741e81..bba1d60997 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -32,24 +32,24 @@ jobs: username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_TOKEN }} - # --- Build Containers --- - - name: Build vote image - run: docker build -t $REGISTRY/$REPO/vote:latest ./vote + # # --- Build Containers --- + # - name: Build vote image + # run: docker build -t $REGISTRY/$REPO/vote:latest ./vote - - name: Build worker image - run: docker build -t $REGISTRY/$REPO/worker:latest ./worker + # - name: Build worker image + # run: docker build -t $REGISTRY/$REPO/worker:latest ./worker - - name: Build result image - run: docker build -t $REGISTRY/$REPO/result:latest ./result + # - name: Build result image + # run: docker build -t $REGISTRY/$REPO/result:latest ./result - - name: Install Sysdig CLI Scanner - run: | - LATEST_VERSION=$(curl -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) - curl -Lo sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/linux/amd64/sysdig-cli-scanner" - chmod +x sysdig-cli-scanner - sudo mv sysdig-cli-scanner /usr/local/bin/ - sysdig-cli-scanner --version + # - name: Install Sysdig CLI Scanner + # run: | + # LATEST_VERSION=$(curl -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) + # curl -Lo sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/linux/amd64/sysdig-cli-scanner" + # chmod +x sysdig-cli-scanner + # sudo mv sysdig-cli-scanner /usr/local/bin/ + # sysdig-cli-scanner --version # # --- Install Sysdig Scanner --- # - name: Install Sysdig CLI Scanner @@ -76,6 +76,15 @@ jobs: echo "SYSDIG_SECURE_URL = $SYSDIG_SECURE_URL" echo "SYSDIG_SECURE_TOKEN = $SYSDIG_SECURE_TOKEN" + - name: Scan vote image + # env: + # SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} + # SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + run: | + export SECURE_API_TOKEN=b7de0bae-8dfd-4bfc-b372-2fb2bdf05918 + sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/dockersamples/examplevotingapp_vote:latest + + - name: Scan vote image env: SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} From 2e072887218bac917b8827b12467a3e86fe5fe7a Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 19:28:33 -0500 Subject: [PATCH 11/18] testing variables --- .github/workflows/build-scan.yaml | 37 ++++++++++++------------------- 1 file changed, 14 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index bba1d60997..139404a0a1 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -32,33 +32,24 @@ jobs: username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_TOKEN }} - # # --- Build Containers --- - # - name: Build vote image - # run: docker build -t $REGISTRY/$REPO/vote:latest ./vote + # --- Build Containers --- + - name: Build vote image + run: docker build -t $REGISTRY/$REPO/vote:latest ./vote - # - name: Build worker image - # run: docker build -t $REGISTRY/$REPO/worker:latest ./worker + - name: Build worker image + run: docker build -t $REGISTRY/$REPO/worker:latest ./worker - # - name: Build result image - # run: docker build -t $REGISTRY/$REPO/result:latest ./result + - name: Build result image + run: docker build -t $REGISTRY/$REPO/result:latest ./result - # - name: Install Sysdig CLI Scanner - # run: | - # LATEST_VERSION=$(curl -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) - # curl -Lo sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/linux/amd64/sysdig-cli-scanner" - # chmod +x sysdig-cli-scanner - # sudo mv sysdig-cli-scanner /usr/local/bin/ - # sysdig-cli-scanner --version - - # # --- Install Sysdig Scanner --- - # - name: Install Sysdig CLI Scanner - # run: | - # curl -LO curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/arm64/sysdig-cli-scanner" - # chmod +x sysdig-cli-scanner-linux-amd64 - # sudo mv sysdig-cli-scanner-linux-amd64 /usr/local/bin/sysdig-cli-scanner - # sysdig-cli-scanner --version - + - name: Install Sysdig CLI Scanner + run: | + LATEST_VERSION=$(curl -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) + curl -Lo sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/linux/amd64/sysdig-cli-scanner" + chmod +x sysdig-cli-scanner + sudo mv sysdig-cli-scanner /usr/local/bin/ + sysdig-cli-scanner --version # --- Scan images --- From b8223849bf7baf4e2f1d3054fa55ede3a7cf249e Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 19:33:16 -0500 Subject: [PATCH 12/18] Vote app --- .github/workflows/build-scan.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index 139404a0a1..e0606826dc 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -73,15 +73,15 @@ jobs: # SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | export SECURE_API_TOKEN=b7de0bae-8dfd-4bfc-b372-2fb2bdf05918 - sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/dockersamples/examplevotingapp_vote:latest + sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/dockersamples/examplevotingapp_vote:before - - name: Scan vote image - env: - SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} - SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - run: | - sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_vote:latest + # - name: Scan vote image + # env: + # SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} + # SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + # run: | + # sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_vote:before - name: Scan worker image env: From ae48d22ee03753334764f89071fd317143769382 Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 19:41:47 -0500 Subject: [PATCH 13/18] Pass and Push the results --- .github/workflows/build-scan.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index e0606826dc..6cfff1c6c8 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -73,7 +73,7 @@ jobs: # SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | export SECURE_API_TOKEN=b7de0bae-8dfd-4bfc-b372-2fb2bdf05918 - sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/dockersamples/examplevotingapp_vote:before + sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/dockersamples/examplevotingapp_vote:before || true # - name: Scan vote image @@ -88,14 +88,14 @@ jobs: SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_worker:latest + sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_worker:latest || true - name: Scan result image env: SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_result:latest + sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_result:latest || true # --- Optional: Push images to Docker Hub (only if scans passed) --- - name: Push vote image From f79aaa99cb5f7eede8be5564d173675a3f3cb41e Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 19:47:31 -0500 Subject: [PATCH 14/18] Pass and Push the results_V1 --- .github/workflows/build-scan.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index 6cfff1c6c8..99953fb1bf 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -97,12 +97,12 @@ jobs: run: | sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_result:latest || true - # --- Optional: Push images to Docker Hub (only if scans passed) --- - - name: Push vote image - run: docker push $REGISTRY/$REPO/examplevotingapp_vote:latest + # # --- Optional: Push images to Docker Hub (only if scans passed) --- + # - name: Push vote image + # run: docker push $REGISTRY/$REPO/examplevotingapp_vote:latest - - name: Push worker image - run: docker push $REGISTRY/$REPO/examplevotingapp_worker:latest + # - name: Push worker image + # run: docker push $REGISTRY/$REPO/examplevotingapp_worker:latest - - name: Push result image - run: docker push $REGISTRY/$REPO/examplevotingapp_result:latest + # - name: Push result image + # run: docker push $REGISTRY/$REPO/examplevotingapp_result:latest From 5dc53a7b66ab7487b3269ad9d6e58bbd5b8b6fab Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 19:58:33 -0500 Subject: [PATCH 15/18] updated the docker Push --- .github/workflows/build-scan.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index 99953fb1bf..2d2066d598 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -98,11 +98,15 @@ jobs: sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_result:latest || true # # --- Optional: Push images to Docker Hub (only if scans passed) --- - # - name: Push vote image + - name: Push vote image + run: docker push docker.io/cloudcode510/examplevotingapp_vote:latest # run: docker push $REGISTRY/$REPO/examplevotingapp_vote:latest - # - name: Push worker image - # run: docker push $REGISTRY/$REPO/examplevotingapp_worker:latest + - name: Push worker image + run: docker push docker.io/cloudcode510/examplevotingapp_worker:latest + + - name: Push result image + run: docker push docker.io/cloudcode510/examplevotingapp_result:latest # - name: Push result image # run: docker push $REGISTRY/$REPO/examplevotingapp_result:latest From 7d660929411156362809e961c367c9aafaa0d02c Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 20:01:17 -0500 Subject: [PATCH 16/18] Build and Scan --- .github/workflows/build-scan.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index 2d2066d598..0ce6961257 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -97,16 +97,16 @@ jobs: run: | sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_result:latest || true - # # --- Optional: Push images to Docker Hub (only if scans passed) --- - - name: Push vote image - run: docker push docker.io/cloudcode510/examplevotingapp_vote:latest - # run: docker push $REGISTRY/$REPO/examplevotingapp_vote:latest + # # # --- Optional: Push images to Docker Hub (only if scans passed) --- + # - name: Push vote image + # run: docker push docker.io/cloudcode510/examplevotingapp_vote:latest + # # run: docker push $REGISTRY/$REPO/examplevotingapp_vote:latest - - name: Push worker image - run: docker push docker.io/cloudcode510/examplevotingapp_worker:latest - - - name: Push result image - run: docker push docker.io/cloudcode510/examplevotingapp_result:latest + # - name: Push worker image + # run: docker push docker.io/cloudcode510/examplevotingapp_worker:latest # - name: Push result image - # run: docker push $REGISTRY/$REPO/examplevotingapp_result:latest + # run: docker push docker.io/cloudcode510/examplevotingapp_result:latest + + # # - name: Push result image + # # run: docker push $REGISTRY/$REPO/examplevotingapp_result:latest From 2b32b6dc58ac93558de0aa0cd6bc3b28f7e2f324 Mon Sep 17 00:00:00 2001 From: Owner Date: Tue, 4 Nov 2025 20:21:42 -0500 Subject: [PATCH 17/18] added iac scanner as gitactions --- .github/workflows/iac-scan.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .github/workflows/iac-scan.yaml diff --git a/.github/workflows/iac-scan.yaml b/.github/workflows/iac-scan.yaml new file mode 100644 index 0000000000..b534b627e6 --- /dev/null +++ b/.github/workflows/iac-scan.yaml @@ -0,0 +1,26 @@ +name: IaC Scan + +on: + pull_request: + branches: [ main ] + +jobs: + iac-scan: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install Sysdig CLI Scanner + run: | + LATEST_VERSION=$(curl -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) + curl -Lo sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/linux/amd64/sysdig-cli-scanner" + chmod +x sysdig-cli-scanner + sudo mv sysdig-cli-scanner /usr/local/bin/ + sysdig-cli-scanner --version + + - name: IaC scan + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + run: | + sysdig-cli-scanner --iac -r -f H --apiurl ${{ secrets.SYSDIG_SECURE_URL }} . From 4213b4258232f388cb6d733f212d4854f268bda0 Mon Sep 17 00:00:00 2001 From: Owner Date: Wed, 5 Nov 2025 11:13:19 -0500 Subject: [PATCH 18/18] updated comment --- .github/workflows/build-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-scan.yaml b/.github/workflows/build-scan.yaml index 0ce6961257..e3896e2d49 100644 --- a/.github/workflows/build-scan.yaml +++ b/.github/workflows/build-scan.yaml @@ -52,7 +52,7 @@ jobs: sysdig-cli-scanner --version - # --- Scan images --- + # --- Environment images --- - name: Debug environment variables env: REGISTRY_USER: ${{ secrets.REGISTRY_USER }}