v1.4.0 (#133)

* Use aws-cli instead of amazonlinux to speed up container build time (#128)

* Change Dockerfile source image to aws-cli

* Set WORKDIR back to default value

---------

Co-authored-by: Joshua-Grisham_SSCSpace <joshua.grisham@sscspace.com>

* set workflows to develop for aws-cli runtime tests

* add explicit permissions to GitHub Actions workflows (#130)

* Measuring installation time (#131) (#132)

* measuring installation time

* Change workflows to point to v1.4.0 branch

---------

Co-authored-by: Joshua Grisham <josh@joshuagrisham.com>
Co-authored-by: Joshua-Grisham_SSCSpace <joshua.grisham@sscspace.com>

Author: 3 people

.github/workflows/build_scan_container.yml

@@ -12,6 +12,11 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+  actions: write  # For uploading artifacts
+
 jobs:
   build:
     name: Build docker image
@@ -47,7 +52,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan built image with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         id: inspector
         with:
           artifact_type: 'container'

.github/workflows/example_display_findings.yml

@@ -8,6 +8,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -29,7 +33,7 @@ jobs:
       # modify this block to scan your intended artifact
       - name: Inspector Scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           # change artifact_type to either 'repository', 'container', 'binary', or 'archive'.
           # this example scans a container image

.github/workflows/example_vulnerability_threshold_exceeded.yml

@@ -48,7 +48,7 @@ jobs:
 
       # Inspector scan
       - name: Scan container with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         id: inspector
         with:
           artifact_type: 'container' # configure Inspector for scanning a container

.github/workflows/run_unit_tests.yml

@@ -7,6 +7,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/scan_repo_with_semgrep.yml

@@ -2,6 +2,9 @@ name: Semgrep Scan
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   semgrep:
     runs-on: ubuntu-latest

.github/workflows/test_archive.yml

@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -32,7 +36,7 @@ jobs:
 
       - name: Test archive scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'archive'
           artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip'

.github/workflows/test_binary.yml

@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -32,7 +36,7 @@ jobs:
 
       - name: Test binary scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'binary'
           artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen'

.github/workflows/test_containers.yml

@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -32,7 +36,7 @@ jobs:
 
       - name: Test container scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'container'
           artifact_path: 'ubuntu:14.04'

.github/workflows/test_dockerfile_vulns.yml

@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -31,7 +35,7 @@ jobs:
 
       - name: Scan Dockerfiles
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'repository'
           artifact_path: './'

.github/workflows/test_installation.yml

@@ -11,6 +11,10 @@ on:
     branches:
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
@@ -28,7 +32,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Test Amazon Inspector GitHub Actions plugin
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@1.x
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
         with:
           artifact_type: 'container'
           artifact_path: 'alpine:latest'