Github Actions Update (#34)

gregt · GitHub Enterprise · commit 0a24788c588e · 2020-09-16T14:37:09.000-04:00
* Github Actions Update

* add GCP example, format input descriptions consistently in action.yml

* adjust findings threshold

Co-authored-by: felipecosta09 &lt;githubfelipecosta@outlook.com&gt;

* additional comments and documentation
diff --git a/README.md b/README.md
@@ -1,30 +1,41 @@
 # Deep Security Smart Check Scan Action
 
-For scanning your images as part of your CI pipeline using [Deep Security Smart
-Check][].
+<img src="Trend-Micro-Logo.png">
 
-[deep security smart check]: https://www.trendmicro.com/smartcheck
+## Scan your containers with [Deep Security Smart Check](https://www.trendmicro.com/smartcheck).
 
-This tool is used by the Deep Security Smart Check plugin for Jenkins and can
-also be used as a [GitHub Action](https://github.com/features/actions).
+This project was built by the [Deep Security Smart Check](trendmicro.com/smartcheck) team to help you to scan your containers in your CI/CD pipeline, you can use as a standalone Docker container published in the [Dockerhub](https://hub.docker.com/r/deepsecurity/smartcheck-scan-action) to scan your images. This tool is also used by the [Deep Security Smart Check plugin for Jenkins](https://plugins.jenkins.io/deepsecurity-smartcheck/) and the GitHub Action, that wraps the container published in Dockerhub.
+
+## Requirements
+
+* Have an [Deep Security Smart Check](https://www.trendmicro.com/smartcheck) deployed. [Sign up for free trial now](https://www.trendmicro.com/product_trials/download/index/us/168) if it's not already the case!
+* A container image to scan in any [supported Docker Registry](https://deep-security.github.io/smartcheck-docs/admin_docs/admin.html#supported-registries).
 
 ## Usage
 
-Add an Action in your `main.workflow` file to scan your image with Deep Security
+Add an Action in your `.github/workflow` yml file to scan your image with Deep Security
 Smart Check.
 
-```main.workflow
-action "Scan with Deep Security Smart Check" {
-  needs = "Push image to GCR"
-  uses = "docker://deepsecurity/smartcheck-scan-action"
-  secrets = [
-    "DSSC_SMARTCHECK_HOST",
-    "DSSC_SMARTCHECK_USER",
-    "DSSC_SMARTCHECK_PASSWORD",
-    "DSSC_IMAGE_PULL_AUTH"
-  ]
-  args = ["--image-name registry.example.com/my-project/my-image"]
-}
+```yml
+- name: Deep Security Smart Check
+  uses: deepsecurity/Deep-Security-Smart-Check@version*
+   with:
+      # Mandatory
+      DSSC_IMAGE_NAME: registryhost/myimage
+      DSSC_SMARTCHECK_HOST: smartcheck.example.com
+      DSSC_SMARTCHECK_USER: admin
+      DSSC_SMARTCHECK_PASSWORD: 12345
+      DSSC_IMAGE_PULL_AUTH: {"username":"<user>","password":"<password>"}
+
+      # Optional
+      DSSC_INSECURE_SKIP_TLS_VERIFY: true
+      DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true
+      DSSC_PREREGISTRY_SCAN: false
+      DSSC_PREREGISTRY_HOST: pre-registryhost.com
+      DSSC_PREREGISTRY_USER: admin
+      DSSC_PREREGISTRY_PASSWORD: 12345
+      DSSC_RESULTS_FILE: /results.json
+      DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}'    
 ```
 
 ### Parameters
@@ -56,7 +67,13 @@ be given with `DSSC_IMAGE_NAME`.
       "username": "<user>",
       "password": "<password>"
     }
+    ``` 
+  - If you're using AWS, you can use this example below: 
+
+    ```json
+    '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}'
     ```
+  **PS.: ALWAYS use secrets to expose your credentials!**
 
     See [creating a scan][] in the [Deep Security Smart Check API Reference][]
     for additional registry credentials options.
@@ -146,47 +163,84 @@ be given with `DSSC_IMAGE_NAME`.
     }
     ```
 
-## Example Workflow
-
-```main.workflow
-workflow "Push image" {
-  on = "push"
-  resolves = "Scan with Deep Security Smart Check"
-}
-
-action "Build image" {
-  uses = "docker://docker:stable"
-  args = ["build", "-t", "registry.example.com/my-project/my-image", "."]
-}
-
-action "Docker Login" {
-  uses = "actions/docker/login@master"
-  env = {
-    DOCKER_REGISTRY_URL = "registry.example.com"
-  }
-  secrets = [
-    "DOCKER_USERNAME",
-    "DOCKER_PASSWORD"
-  ]
-}
-
-action "Push image" {
-  needs = ["Build image", "Docker Login"]
-  uses = "actions/docker/cli@master"
-  args = "push registry.example.com/my-project/my-image"
-}
-
-action "Scan with Deep Security Smart Check" {
-  needs = "Push image"
-  uses = "docker://deepsecurity/smartcheck-scan-action"
-  secrets = [
-    "DSSC_SMARTCHECK_HOST",
-    "DSSC_SMARTCHECK_USER",
-    "DSSC_SMARTCHECK_PASSWORD",
-    "DSSC_IMAGE_PULL_AUTH"
-  ]
-  args = ["--image-name registry.example.com/my-project/my-image"]
-}
+## Example Workflow Using Github Actions
+
+```yml
+name: Deep Security Smart Check
+
+on: 
+  push:
+    branches: 
+      - master
+      
+jobs:      
+    SmartCheck-Scan-Action:
+       runs-on: ubuntu-latest
+       steps:
+
+       # AWS Example:
+        - name: Deep Security Smart Check Scan ECR
+          uses: deepsecurity/Deep-Security-Smart-Check@version*
+          with:
+            DSSC_IMAGE_NAME: myECRrepo/myimage
+            DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }}
+            DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }}
+            DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }}
+            # You will need to generate an access key and secret for your AWS user
+            DSSC_IMAGE_PULL_AUTH: '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}'
+            DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}'
+            DSSC_INSECURE_SKIP_TLS_VERIFY: true
+            DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true
+
+        # Azure Example:
+        - name: Deep Security Smart Check Scan ACR
+          uses: deepsecurity/Deep-Security-Smart-Check@version*
+          with:
+            DSSC_IMAGE_NAME: myrepo.azurecr.io/myimage
+            DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }}
+            DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }}
+            DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }}
+            DSSC_IMAGE_PULL_AUTH: '{"username": "${{ secrets.ACR_USER }}","password": "${{ secrets.ACR_PASSWORD }}"}'
+            DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}'            DSSC_INSECURE_SKIP_TLS_VERIFY: true
+            DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true
+
+        - name: Cloud One Container Security Scan GCR
+          uses: felipecosta09/Deep-Security-Smart-Check-Scan-Action@version*
+          with:
+            DSSC_IMAGE_NAME: region.gcr.io/projectname/myimage
+            DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }}
+            DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }}
+            DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }}
+            # You will need to generate a JSON service account key in GCP and save it as a secret
+            DSSC_IMAGE_PULL_AUTH: '{"username": "_json_token", "password": "${{ secrets.GCP_JSON_KEY }}"}'
+            DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}'            DSSC_INSECURE_SKIP_TLS_VERIFY: true
+            DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true
+```
+The example above demonstrates how to add a Smartcheck Scan action as a step in your Github Worflow. This can be used to scan an image from a container registry in either Google Container Registry, Microsoft Azure Container Registry or Amazon Elastic Container Registry.
+
+For Google Container Registry and Microsoft Azure Container Registry, the `username` and `password` required for `DSSC_IMAGE_PULL_AUTH` are the same as the docker login credentials you would use to authenticate to a registry in the provided platform:
+- [Google Cloud Platform](https://cloud.google.com/container-registry/docs/advanced-authentication#json-key)
+- [Microsoft Azure Web Services](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication)
+
+To authenticate to an Amazon Elastic Container Registry the `DSSC_IMAGE_PULL_AUTH` should be formatted to match the `credentials.aws` object specified in the [Smartcheck API Documentation to create a Scan](https://deep-security.github.io/smartcheck-docs/api/index.html#operation/createScan).
+
+## Example Workflow Running a Docker Container
+
+```yml
+name: Deep Security Smart Check Pipeline Example
+
+on: 
+  push:
+    branches: 
+      - master
+      
+jobs:      
+    SmartCheck-Scan-Action:
+       runs-on: ubuntu-latest
+       steps:
+        - name: Deep Security Smart Check
+          run: |
+          docker run deepsecurity/smartcheck-scan-action --image-name registryhost/myimage --smartcheck-host=smartcheck.example.com --smartcheck-user=admin --smartcheck-password=12345 --image-pull-auth='{"username":"<user>","password":"<password>"}'          
 ```
 
 ## Pre-registry scanning
@@ -219,4 +273,4 @@ save yourself some time!).
 ## Support
 
 Official support from Trend Micro is not available. Individual contributors may
-be Trend Micro employees, but are not official support.
+be Trend Micro employees, but are not official support.
diff --git a/Trend-Micro-Logo.png b/Trend-Micro-Logo.png
diff --git a/action.yml b/action.yml
@@ -0,0 +1,64 @@
+name: "Deep Security Smart Check"
+description: "Scan container images with Deep Security Smart Check."
+inputs:
+  DSSC_IMAGE_NAME:
+    description: "(MANDATORY) Container repository, eg registryhost/myimage."
+    required: true
+  DSSC_SMARTCHECK_HOST:
+    description: "(MANDATORY) Deep Security Smart Check url, eg smartcheck.example.com"
+    required: true
+  DSSC_SMARTCHECK_USER:
+    description: "(MANDATORY) Deep Security Smart Check username, eg admin."
+    required: true
+  DSSC_SMARTCHECK_PASSWORD:
+    description: (MANDATORY) Deep Security Smart Check password, eg 12345.
+    required: true
+  DSSC_IMAGE_PULL_AUTH:
+    description: (MANDATORY) Container registry credentials in a json format,  eg '{"username":"<user>","password":"<password>"}' or {"aws":{"region":"us-east-1","accessKeyID":"'AWS_ACCESS_KEY_ID'","secretAccessKey":"'AWS_SECRET_ACCESS_KEY'"}}'
+    required: true
+  DSSC_INSECURE_SKIP_TLS_VERIFY:
+    description: (OPTIONAL) If the client should ignore certificate errors when connecting to Deep Security Smart Check. You may want to set this if you've configured a self signed cert. eg true
+    required: false
+    default: "true"
+  DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY:
+    description: (OPTIONAL) If Deep Security Smart Check should ignore certificate errors from the image registry. eg true
+    required: false
+    default: "true"
+  DSSC_PREREGISTRY_SCAN:
+    description: (OPTIONAL) Specify this option to trigger a "pre-registry scan", which pushes the image to a temporary registry on the scan system.
+    required: false
+  DSSC_PREREGISTRY_HOST:
+    description: (OPTIONAL) The hostname of the temporary registry. Defaults to the smartcheck-host on port 5000.
+    required: false
+  DSSC_PREREGISTRY_USER:
+    description: (OPTIONAL) The username to authenticate with the temporary registry.
+    required: false
+  DSSC_PREREGISTRY_PASSWORD:
+    description: (OPTIONAL) The password to authenticate with the temporary registry.
+    required: false
+  DSSC_RESULTS_FILE:
+    description: (OPTIONAL) The path to write the scan results to. If not provided, the scan results will be written to stdout.
+    required: false
+  DSSC_FINDINGS_THRESHOLD:
+    description: (OPTIONAL) A JSON object that can be used to fail this step if an image contains findings that exceed the threshold.
+    required: false
+branding:
+  icon: "check"
+  color: "red"
+runs:
+  using: "docker"
+  image: "docker://deepsecurity/smartcheck-scan-action:latest"
+  env:
+    DSSC_IMAGE_NAME: ${{ inputs.DSSC_IMAGE_NAME }}
+    DSSC_SMARTCHECK_HOST: ${{ inputs.DSSC_SMARTCHECK_HOST }}
+    DSSC_SMARTCHECK_USER: ${{ inputs.DSSC_SMARTCHECK_USER }}
+    DSSC_SMARTCHECK_PASSWORD: ${{ inputs.DSSC_SMARTCHECK_PASSWORD }}
+    DSSC_IMAGE_PULL_AUTH: ${{ inputs.DSSC_IMAGE_PULL_AUTH }}
+    DSSC_INSECURE_SKIP_TLS_VERIFY: ${{ inputs.DSSC_INSECURE_SKIP_TLS_VERIFY }}
+    DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: ${{ inputs.DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY }}
+    DSSC_PREREGISTRY_SCAN: ${{ inputs.DSSC_PREREGISTRY_SCAN }}
+    DSSC_PREREGISTRY_HOST: ${{ inputs.DSSC_PREREGISTRY_HOST }}
+    DSSC_PREREGISTRY_USER: ${{ inputs.DSSC_PREREGISTRY_USER }}
+    DSSC_PREREGISTRY_PASSWORD: ${{ inputs.DSSC_PREREGISTRY_PASSWORD }}
+    DSSC_RESULTS_FILE: ${{ inputs.DSSC_RESULTS_FILE }}
+    DSSC_FINDINGS_THRESHOLD: ${{ inputs.DSSC_FINDINGS_THRESHOLD }}
