
Commit 4239046

Authored by bluesentinelsec, clueleaf, Michael Long, CarolMebiom and Maria Carolina Conceição
Sync v1.4.0 to 1.x (#135)
* replace scanner example (#84)
* Write CSV with no vulns (#86)
  * reproducing issue - test 1
  * resolve issue 85 - test 2
  * test 3
  * test fix
  ---------
  Co-authored-by: Michael Long <mlongii@amazon.com>
* testing CSV with no vulns
* test against main branch
* Write Dockerfile CSV and Markdown on no vulns (#88)
  Co-authored-by: Michael Long <mlongii@amazon.com>
* Set example workflows to main branch for testing
* Display 'no vulns found' for Dockerfiles (#92)
  Co-authored-by: Michael Long <mlongii@amazon.com>
* Tweak dockerfile report (#93)
  Co-authored-by: Michael Long <mlongii@amazon.com>
* Omit Dockerfile table on no vulns (#94)
  Co-authored-by: Michael Long <mlongii@amazon.com>
* Updated workflows to v1.x - testing auto-updates (#96)
  Co-authored-by: Michael Long <mlongii@amazon.com>
* update README (#97)
  Co-authored-by: Michael Long <mlongii@amazon.com>
* Extend vulnerability severity providers (#98)
  * Add severity providers: GHSA, GitLab
  * Add severity providers: GHSA, GitLab
  * Add REDHAT_CVE and UBUNTU_CVE providers
  * rename GHSA to GITHUB
  ---------
  Co-authored-by: Michael Long <mlongii@amazon.com>
* Add platform argument for container image scans (#102)
  * add --platform support for multi-arch containers
  * test multi-arch images on current branch
  * test actions against sbomgen 1.5.1-beta
  * fix --platform parsing error
  * fix platform parsing bug
  * test workflows on sbomgen latest (1.5.2)
  * Validate --platform input
  * Add more test cases, and revert workflow definitions
  * fix typo in platform arg
  ---------
  Co-authored-by: Michael Long <mlongii@amazon.com>
* Improve severity rating consistency (#112)
  * fix severity rating mismatch
  * temporarily add a test workflow
  * Fix type issue: float provided, expected string
  * Rename workflow / job name
  * Add severity comparison logic
  * Revise severity sorting and selection logic
  * return default values on error
  * skip EPSS ratings for severity column
  * debugging unknown ratings
  * fix ratings with unknown name
  * Verify AMAZON_INSPECTOR renders correctly
  * fix failing test
  * temporarily disable failing tests
  * pass unit test: test_parse_inspector_scan_result
  * pass unit tests
  * change '-f' to '--failfast' for clarity
  * Remove unused type cast
  * refactor csv test
  * severity is rendered as 'other' not 'unknown'
  * test build on all actions
  * normalize dockerfile findings severity rating
  * debugging dockerfile severity
  * debugging
  * Normalize Dockerfile severity 'info' to 'other'
  * restore test actions
  * minor comment update
  * Remove develop workflow
  * Address PR feedback
  * test workflows against refactor
  * handle edge case CVE-2025-22871
  * fix missing severity edge case
  * debugging epss
  * debugging
  * fix flawed test
  * added test case for absent severity rating
  * revert workflows to v1
  ---------
  Co-authored-by: Michael Long <mlongii@amazon.com>
* v1.3.0 (#123)
  * Feature request 91 (#115)
    * FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts
    * Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts" This reverts commit bc532d4.
    * FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts
    * FR-91: Fix unit tests
    * FR-91: Fix typo in unit tests
    * Revert "FR-91: Fix typo in unit tests" This reverts commit e645542.
    * Revert "FR-91: Fix unit tests" This reverts commit f9157c9.
    * Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts" This reverts commit 812c685.
    * FR-91: Change orchestrator to only find fixed vulnerabilities if flag show-only-fixed-vulnerabilities is present
    * FR-91: Fixed missing variable
    * FR-91: Fixed typo
    * FR-91: Fixed typo
    * FR-91: Another fix
    * FR-91: Another fix
    * FR-91: Another fix
    * FR-91: Another fix
    * FR-91: Another fix
    * FR-91: Another fix
    * FR-91: Another fix
    * Add unit test for get_vuln_count
    * Fix unit test for get_vuln_count
    ---------
    Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>
  * Clarify license of inspector-sbomgen dependency (#121)
    Co-authored-by: Michael Long <mlongii@amazon.com>
  * [v1.3.0] Only trigger vuln threshold on fixable vulns (#122)
    * Add --threshold-fixable-only to CLI
    * implemented business logic
    * changed 'threshold_fixable_only' from str to bool
    * Added more test coverage and CLI refinements
    * debugging failing unit test
    * test threshold-fixable-only in workflow
    * test threshold-fixable-only in workflow
    * debugging CI/CD
    * debugging CI/CD
    * debugging
    * debugging
    * debugging
    * debugging
    * removed debug log showing CLI arguments
    * add missing argument, fixed_vuln_counts
    * simplify get_fixed_vuln_counts() return values
    * refactor return types in get_scan_result()
    * refactor
    * refine get_fixed_vuln_counts()
    * update test_get_fixed_vuln_counts()
    * testing case sensitivity
    * revert 'TRUE' to 'true'
    * use debug log when vuln doesn't have rating
    * integrate --show-only-fixable-vulns (part 1)
    * integrate only show fixable vulns
    * test example workflows
    * fix CLI input arguments
    * remove leading '-' character for conditional inclusion
    * add a no-op CLI arg (workaround)
    * enable new arguments in workflows
    * fix failing test
    * update workflows for prod
    ---------
    Co-authored-by: Michael Long <mlongii@amazon.com>
  * set workflows to v1.3.0 for burn-in
  ---------
  Co-authored-by: CarolMebiom <59604360+CarolMebiom@users.noreply.github.com>
  Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>
  Co-authored-by: Michael Long <mlongii@amazon.com>
* Sync main to v1.3.0 (#126)
  * Feature request 91 (#115)
    * FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts
    * Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts" This reverts commit bc532d4.
    * FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts
    * FR-91: Fix unit tests
    * FR-91: Fix typo in unit tests
    * Revert "FR-91: Fix typo in unit tests" This reverts commit e645542.
    * Revert "FR-91: Fix unit tests" This reverts commit f9157c9.
    * Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts" This reverts commit 812c685.
    * FR-91: Change orchestrator to only find fixed vulnerabilities if flag show-only-fixed-vulnerabilities is present
    * FR-91: Fixed missing variable
    * FR-91: Fixed typo
    * FR-91: Fixed typo
    * FR-91: Another fix
    * FR-91: Another fix
    * FR-91: Another fix
    * FR-91: Another fix
    * FR-91: Another fix
    * FR-91: Another fix
    * FR-91: Another fix
    * Add unit test for get_vuln_count
    * Fix unit test for get_vuln_count
    ---------
    Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>
  * Clarify license of inspector-sbomgen dependency (#121)
    Co-authored-by: Michael Long <mlongii@amazon.com>
  * [v1.3.0] Only trigger vuln threshold on fixable vulns (#122)
    * Add --threshold-fixable-only to CLI
    * implemented business logic
    * changed 'threshold_fixable_only' from str to bool
    * Added more test coverage and CLI refinements
    * debugging failing unit test
    * test threshold-fixable-only in workflow
    * test threshold-fixable-only in workflow
    * debugging CI/CD
    * debugging CI/CD
    * debugging
    * debugging
    * debugging
    * debugging
    * removed debug log showing CLI arguments
    * add missing argument, fixed_vuln_counts
    * simplify get_fixed_vuln_counts() return values
    * refactor return types in get_scan_result()
    * refactor
    * refine get_fixed_vuln_counts()
    * update test_get_fixed_vuln_counts()
    * testing case sensitivity
    * revert 'TRUE' to 'true'
    * use debug log when vuln doesn't have rating
    * integrate --show-only-fixable-vulns (part 1)
    * integrate only show fixable vulns
    * test example workflows
    * fix CLI input arguments
    * remove leading '-' character for conditional inclusion
    * add a no-op CLI arg (workaround)
    * enable new arguments in workflows
    * fix failing test
    * update workflows for prod
    ---------
    Co-authored-by: Michael Long <mlongii@amazon.com>
  * set workflows to v1.3.0 for burn-in
  ---------
  Co-authored-by: CarolMebiom <59604360+CarolMebiom@users.noreply.github.com>
  Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>
  Co-authored-by: Michael Long <mlongii@amazon.com>
* Verify v1 tag works
* Verify action against 1.x
* v1.4.0 (#133)
  * Use aws-cli instead of amazonlinux to speed up container build time (#128)
    * Change Dockerfile source image to aws-cli
    * Set WORKDIR back to default value
    ---------
    Co-authored-by: Joshua-Grisham_SSCSpace <joshua.grisham@sscspace.com>
  * set workflows to develop for aws-cli runtime tests
  * add explicit permissions to GitHub Actions workflows (#130)
  * Measuring installation time (#131) (#132)
    * measuring installation time
  * Change workflows to point to v1.4.0 branch
  ---------
  Co-authored-by: Joshua Grisham <josh@joshuagrisham.com>
  Co-authored-by: Joshua-Grisham_SSCSpace <joshua.grisham@sscspace.com>

---------
Co-authored-by: clueleaf <10379303+clueleaf@users.noreply.github.com>
Co-authored-by: Michael Long <mlongii@amazon.com>
Co-authored-by: CarolMebiom <59604360+CarolMebiom@users.noreply.github.com>
Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>
Co-authored-by: Joshua Grisham <josh@joshuagrisham.com>
Co-authored-by: Joshua-Grisham_SSCSpace <joshua.grisham@sscspace.com>
1 parent 8a46d20 commit 4239046

15 files changed: +69 / -23 lines changed

.github/workflows/build_scan_container.yml

Lines changed: 6 additions & 1 deletion
@@ -12,6 +12,11 @@ on:
1212
branches: #
1313
- '*'
1414

15+
permissions:
16+
contents: read
17+
id-token: write
18+
actions: write # For uploading artifacts
19+
1520
jobs:
1621
build:
1722
name: Build docker image
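Review bot: `actions: write` is granted at workflow level here, so every job and step in build_scan_container.yml, not only the artifact upload the comment cites, receives a token that can also cancel and re-run workflow runs and delete artifacts; put it in a job-level `permissions:` block on the job that uploads and keep the workflow default at `contents: read` plus `id-token: write`. The `branches: #` context line also carries a stray comment marker that this hunk could have cleaned up.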
@@ -47,7 +52,7 @@ jobs:
4752
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
4853

4954
- name: Scan built image with Inspector
50-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
55+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
5156
id: inspector
5257
with:
5358
artifact_type: 'container'

.github/workflows/example_display_findings.yml

Lines changed: 5 additions & 1 deletion
@@ -8,6 +8,10 @@ on:
88
branches: #
99
- '*'
1010

11+
permissions:
12+
contents: read
13+
id-token: write
14+
1115
jobs:
1216
daily_job:
1317
runs-on: ubuntu-latest
@@ -29,7 +33,7 @@ jobs:
2933
# modify this block to scan your intended artifact
3034
- name: Inspector Scan
3135
id: inspector
32-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
36+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
3337
with:
3438
# change artifact_type to either 'repository', 'container', 'binary', or 'archive'.
3539
# this example scans a container image
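Review bot: the bump only moves from one mutable tag (`v1.3.0`) to another (`v1.4.0`); because example_display_findings.yml is the snippet consumers copy into their own repositories, consider pinning to the full commit SHA of the v1.4.0 release and keeping the tag as a trailing comment, e.g. `uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@<release-commit-sha> # v1.4.0`, so that a moved tag cannot silently change the code that runs with `id-token: write` and AWS role access. The same applies to the identical bump in example_vulnerability_threshold_exceeded.yml.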

.github/workflows/example_vulnerability_threshold_exceeded.yml

Lines changed: 1 addition & 1 deletion
@@ -48,7 +48,7 @@ jobs:
4848

4949
# Inspector scan
5050
- name: Scan container with Inspector
51-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
51+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
5252
id: inspector
5353
with:
5454
artifact_type: 'container' # configure Inspector for scanning a container
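Review bot: example_vulnerability_threshold_exceeded.yml receives only the version bump and, unlike every other workflow in this commit, no explicit `permissions:` block, so it keeps running with the repository's default token permissions; add `permissions:` with `contents: read` and `id-token: write` (the latter only if the job assumes an AWS role, as the "Scan container with Inspector" step suggests) to match the change described as "add explicit permissions to GitHub Actions workflows (#130)".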

.github/workflows/run_unit_tests.yml

Lines changed: 4 additions & 0 deletions
@@ -7,6 +7,10 @@ on:
77
branches: #
88
- '*'
99

10+
permissions:
11+
contents: read
12+
id-token: write
13+
1014
jobs:
1115
build:
1216
runs-on: ubuntu-latest
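Review bot: `id-token: write` is only needed when a job requests an OIDC token (for example to assume an AWS role via configure-aws-credentials); nothing visible in this hunk of run_unit_tests.yml shows such a step, so confirm the unit-test job actually exchanges an OIDC token and otherwise drop the permission, leaving `contents: read` alone as scan_repo_with_semgrep.yml gets in this same commit.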

.github/workflows/scan_repo_with_semgrep.yml

Lines changed: 3 additions & 0 deletions
@@ -2,6 +2,9 @@ name: Semgrep Scan
22

33
on: [push]
44

5+
permissions:
6+
contents: read
7+
58
jobs:
69
semgrep:
710
runs-on: ubuntu-latest

.github/workflows/test_archive.yml

Lines changed: 5 additions & 1 deletion
@@ -11,6 +11,10 @@ on:
1111
branches: #
1212
- '*'
1313

14+
permissions:
15+
contents: read
16+
id-token: write
17+
1418
jobs:
1519
daily_job:
1620
runs-on: ubuntu-latest
@@ -32,7 +36,7 @@ jobs:
3236

3337
- name: Test archive scan
3438
id: inspector
35-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
39+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
3640
with:
3741
artifact_type: 'archive'
3842
artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip'

.github/workflows/test_binary.yml

Lines changed: 5 additions & 1 deletion
@@ -11,6 +11,10 @@ on:
1111
branches: #
1212
- '*'
1313

14+
permissions:
15+
contents: read
16+
id-token: write
17+
1418
jobs:
1519
daily_job:
1620
runs-on: ubuntu-latest
@@ -32,7 +36,7 @@ jobs:
3236

3337
- name: Test binary scan
3438
id: inspector
35-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
39+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
3640
with:
3741
artifact_type: 'binary'
3842
artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen'

.github/workflows/test_containers.yml

Lines changed: 5 additions & 1 deletion
@@ -11,6 +11,10 @@ on:
1111
branches: #
1212
- '*'
1313

14+
permissions:
15+
contents: read
16+
id-token: write
17+
1418
jobs:
1519
daily_job:
1620
runs-on: ubuntu-latest
@@ -32,7 +36,7 @@ jobs:
3236

3337
- name: Test container scan
3438
id: inspector
35-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
39+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
3640
with:
3741
artifact_type: 'container'
3842
artifact_path: 'ubuntu:14.04'

.github/workflows/test_dockerfile_vulns.yml

Lines changed: 5 additions & 1 deletion
@@ -11,6 +11,10 @@ on:
1111
branches: #
1212
- '*'
1313

14+
permissions:
15+
contents: read
16+
id-token: write
17+
1418
jobs:
1519
daily_job:
1620
runs-on: ubuntu-latest
@@ -31,7 +35,7 @@ jobs:
3135

3236
- name: Scan Dockerfiles
3337
id: inspector
34-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
38+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
3539
with:
3640
artifact_type: 'repository'
3741
artifact_path: './'

.github/workflows/test_installation.yml

Lines changed: 6 additions & 5 deletions
@@ -11,6 +11,10 @@ on:
1111
branches:
1212
- '*'
1313

14+
permissions:
15+
contents: read
16+
id-token: write
17+
1418
jobs:
1519
daily_job:
1620
runs-on: ubuntu-latest
@@ -28,7 +32,7 @@ jobs:
2832
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
2933

3034
- name: Test Amazon Inspector GitHub Actions plugin
31-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
35+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
3236
with:
3337
artifact_type: 'container'
3438
artifact_path: 'alpine:latest'
@@ -40,7 +44,4 @@ jobs:
4044
if: ${{ failure() }}
4145
run: echo "this feature is not implemented"
4246

43-
# TODO: update this to point to public v1.0.0 release
44-
# TODO: add steps to send notification to a Lambda to cut a ticket on job failure
45-
# TODO: delete on push condition when finished with development
46-
# TODO: use an IAM role
47+

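Review bot: deleting the four TODO lines removes the only record that the `if: ${{ failure() }}` step above is still a stub (`run: echo "this feature is not implemented"`); either keep a one-line comment saying failure notification is unimplemented or replace the step, otherwise a failed installation test is silently swallowed. The "use an IAM role" TODO is legitimately done (`role-to-assume` appears in the earlier hunk), but the replacement line 47 is an empty line at end of file; drop it so the file does not gain a trailing blank line.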