Test Vulnerability Thresholds #1161
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test Vulnerability Thresholds | |
| # This workflow tests that the action successfully | |
| # sets the vulnerability threshold exceeded flag. | |
| on: | |
| schedule: | |
| - cron: '0 */6 * * *' # runs every 6 hours | |
| push: | |
| branches: # | |
| - '*' | |
| jobs: | |
| build: | |
| name: Build docker image | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: plugin-development | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| role-to-assume: ${{ secrets.AWS_IAM_ROLE }} | |
| - name: Scan artifact with Inspector | |
| uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1 | |
| id: inspector | |
| with: | |
| artifact_type: 'archive' | |
| artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip' | |
| display_vulnerability_findings: "enabled" | |
| output_sbom_path: 'sbom.json' | |
| output_inspector_scan_path: 'inspector_scan.json' | |
| output_inspector_scan_path_csv: 'inspector_scan.csv' | |
| critical_threshold: 1 | |
| high_threshold: 1 | |
| medium_threshold: 1 | |
| low_threshold: 1 | |
| other_threshold: 1 | |
| sbomgen_version: "latest" | |
| - name: Fail if vulnerability threshold is exceeded | |
| run: if [[ ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }} != "1" ]]; then echo "test failed"; else echo "test passed"; fi | |
| # TODO: handle failure case |