From eba2addf1f4acdfe2ec52e855adce3df9080b526 Mon Sep 17 00:00:00 2001 From: Michael Long <31821088+bluesentinelsec@users.noreply.github.com> Date: Tue, 23 Sep 2025 14:33:26 -0400 Subject: [PATCH 1/4] (v1.4.1 hotfix) Fix multi-arch container image scanning (#138) * added multi-arch image workflow * disable scan validator * debugging multi arch CICD * added 'platform' argument to action.yml * set action version to investigation branch * test amd64 images * test multi-arch matrix * verify workaround * Add multi-platform validation to prevent regression of platform argument - Add validate_multi_platform_image_support.py script to validate SBOM architecture matches expected platform - Update test_multi_arch_images.yml workflow to validate platform argument is correctly passed through to inspector-sbomgen * re-enable inspector scan validation * remove inspector-scan validator, not applicable * remove boilerplate * test action against multi-arch fix * revert test workflows to v1.4.0 * remove emoji characters from console logs --- .github/workflows/test_multi_arch_images.yml | 63 ++++++++++++++++ action.yml | 1 + .../validate_multi_platform_image_support.py | 74 +++++++++++++++++++ 3 files changed, 138 insertions(+) create mode 100644 .github/workflows/test_multi_arch_images.yml create mode 100644 validator/validate_multi_platform_image_support.py diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml new file mode 100644 index 0000000..888cbf4 --- /dev/null +++ b/.github/workflows/test_multi_arch_images.yml 
@@ -0,0 +1,63 @@
+name: Test Multi-arch images
+
+on:
+ schedule:
+ - cron: '0 */6 * * *' # runs every 6 hours
+ push:
+ branches: #
+ - '*'
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ test_multi_arch:
+ runs-on: ubuntu-latest
+ environment:
+ name: plugin-development
+ strategy:
+ matrix:
+ platform:
+ - "linux/386"
+ - "linux/amd64"
+ - "linux/arm/v5"
+ - "linux/arm/v7"
+ - "linux/arm64/v8"
+ - "linux/ppc64le"
+ - "linux/riscv64"
+ - "linux/s390x"
+
+ steps:
+
+ - name: Checkout this repository
+ uses: actions/checkout@v4
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ${{ secrets.AWS_REGION }}
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+
+ - name: Test multi-arch image - ${{ matrix.platform }}
+ id: inspector
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch
+ with:
+ artifact_type: 'container'
+ artifact_path: 'debian:trixie'
+ platform: ${{ matrix.platform }}
+ display_vulnerability_findings: "enabled"
+ sbomgen_version: "latest"
+
+ - name: Demonstrate SBOM Output (JSON)
+ run: cat ${{ steps.inspector.outputs.artifact_sbom }}
+
+ - name: Display scan results
+ run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
+
+ - name: Validate multi-arch - ${{ matrix.platform }}
+ run: python3 validator/validate_multi_platform_image_support.py --platform "${{ matrix.platform }}" --sbom "${{ steps.inspector.outputs.artifact_sbom }}"
+
+
diff --git a/action.yml b/action.yml
index cc9a20f..af79fd8 100644
--- a/action.yml
+++ b/action.yml
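Review bot: The credentials step in this new workflow supplies both long-lived keys (`aws-access-key-id`, `aws-secret-access-key`) and `role-to-assume`, while the job also requests `id-token: write`; when static keys are given, configure-aws-credentials presumably assumes the role with those keys instead of the OIDC token, so the extra permission buys nothing and the keys remain the real credential. Pick one path: drop the two key inputs and let OIDC assume `AWS_IAM_ROLE`, or drop `id-token: write` so the permission set reflects what is actually used. The `push: branches: '*'` trigger also runs this job, with the `plugin-development` environment's secrets, on every branch push in addition to the 6-hourly schedule; if that environment has no protection rules, consider limiting the trigger to the branches this test is meant for. The third-party actions are pinned to major tags (`@v4`) rather than commit SHAs, which is the usual hardening for a job that holds cloud credentials.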
@@ -162,6 +162,7 @@ runs:
 - --thresholds
 - ${{ inputs.threshold_fixable_only == 'true' && '--threshold-fixable-only' || '--no-op' }}
 - ${{ inputs.show_only_fixable_vulns == 'true' && '--show-only-fixable-vulns'|| '--no-op' }}
+ - --platform=${{ inputs.platform || '' }}
 - --critical=${{ inputs.critical_threshold }}
 - --high=${{ inputs.high_threshold }}
 - --medium=${{ inputs.medium_threshold }}
diff --git a/validator/validate_multi_platform_image_support.py b/validator/validate_multi_platform_image_support.py
new file mode 100644
index 0000000..0b933bb
--- /dev/null
+++ b/validator/validate_multi_platform_image_support.py
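Review bot: The new line always emits a `--platform=` argument, with an empty value when the input is not provided, because `inputs.platform || ''` only substitutes an empty string; the neighbouring optional flags instead resolve to `--no-op` when unset, so the entrypoint's handling of an empty `--platform=` is what decides whether container scans without a platform still work, and that handling is not visible in this hunk. For consistency with the surrounding lines, `- ${{ inputs.platform != '' && format('--platform={0}', inputs.platform) || '--no-op' }}` passes the flag only when a value was given. The diffstat shows action.yml changing by this single line, so `platform` must already be declared under `inputs:` for `inputs.platform` to resolve; if it is not, declare it there with a description and an empty default. The enclosing `runs:` block starts and ends outside the hunk.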
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+
+import argparse
+import json
+import sys
+
+
+def get_expected_arch(platform):
+ """Map platform string to expected architecture value in SBOM"""
+ platform_to_arch = {
+ "linux/386": "386",
+ "linux/amd64": "amd64",
+ "linux/arm/v5": "arm",
+ "linux/arm/v7": "arm",
+ "linux/arm64/v8": "arm64",
+ "linux/ppc64le": "ppc64le",
+ "linux/riscv64": "riscv64",
+ "linux/s390x": "s390x"
+ }
+
+ if platform not in platform_to_arch:
+ raise ValueError(f"Unknown platform: {platform}")
+
+ return platform_to_arch[platform]
+
+
+def extract_arch_from_sbom(sbom_file):
+ """Extract architecture from SBOM metadata"""
+ try:
+ with open(sbom_file, 'r') as f:
+ sbom = json.load(f)
+
+ properties = sbom.get('metadata', {}).get('component', {}).get('properties', [])
+
+ for prop in properties:
+ if prop.get('name') == 'amazon:inspector:sbom_generator:image_arch':
+ return prop.get('value')
+
+ raise ValueError("Architecture property not found in SBOM")
+
+ except Exception as e:
+ raise ValueError(f"Failed to parse SBOM: {e}")
+
+
+def main():
+ parser = argparse.ArgumentParser(description='Validate SBOM architecture matches expected platform')
+ parser.add_argument('--platform', required=True, help='Expected platform (e.g., linux/amd64)')
+ parser.add_argument('--sbom', required=True, help='Path to SBOM file')
+
+ args = parser.parse_args()
+
+ try:
+ expected_arch = get_expected_arch(args.platform)
+ actual_arch = extract_arch_from_sbom(args.sbom)
+
+ print(f"Platform: {args.platform}")
+ print(f"Expected arch: {expected_arch}")
+ print(f"Actual arch: {actual_arch}")
+
+ if actual_arch != expected_arch:
+ print(f" Architecture mismatch for platform {args.platform}")
+ print(f" Expected: {expected_arch}")
+ print(f" Found: {actual_arch}")
+ sys.exit(1)
+
+ print(f"Architecture validation passed: {actual_arch} matches expected {expected_arch}")
+
+ except Exception as e:
+ print(f"Validation failed: {e}")
+ sys.exit(1)
+
+
+if __name__ == 
'__main__': + main() From 03f1ebe5700d72967ace1d3da7bbb45057cf7ce3 Mon Sep 17 00:00:00 2001 From: Michael Long <31821088+bluesentinelsec@users.noreply.github.com> Date: Tue, 23 Sep 2025 14:36:13 -0400 Subject: [PATCH 2/4] update workflows to v1.4.1 (#139) --- .github/workflows/build_scan_container.yml | 2 +- .github/workflows/example_display_findings.yml | 2 +- .github/workflows/example_vulnerability_threshold_exceeded.yml | 2 +- .github/workflows/test_archive.yml | 2 +- .github/workflows/test_binary.yml | 2 +- .github/workflows/test_containers.yml | 2 +- .github/workflows/test_dockerfile_vulns.yml | 2 +- .github/workflows/test_installation.yml | 2 +- .github/workflows/test_no_vulns.yml | 2 +- .github/workflows/test_reports_no_vulns.yml | 2 +- .github/workflows/test_repository.yml | 2 +- .github/workflows/test_vuln_thresholds.yml | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build_scan_container.yml b/.github/workflows/build_scan_container.yml index 6b5bf92..ebb539b 100644 --- a/.github/workflows/build_scan_container.yml +++ b/.github/workflows/build_scan_container.yml @@ -52,7 +52,7 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - name: Scan built image with Inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 id: inspector with: artifact_type: 'container' diff --git a/.github/workflows/example_display_findings.yml b/.github/workflows/example_display_findings.yml index 8ad4b4e..dbb800f 100644 --- a/.github/workflows/example_display_findings.yml +++ b/.github/workflows/example_display_findings.yml 
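Review bot: In `extract_arch_from_sbom` the `except Exception` clause re-raises every failure as `ValueError(f"Failed to parse SBOM: {e}")`, which also swallows the function's own `ValueError("Architecture property not found in SBOM")` and reports it as a parse error, and without `from e` the original traceback disappears from the CI log. Narrow it to the errors the `open`/`json.load` lines can actually raise, `except (OSError, json.JSONDecodeError) as e:` followed by `raise ValueError(f"Failed to parse SBOM: {e}") from e`, and let the not-found `ValueError` propagate unchanged; `open(sbom_file, 'r', encoding='utf-8')` also avoids a locale-dependent decode of the SBOM. Separately, `linux/arm/v5` and `linux/arm/v7` both map to `arm` in `get_expected_arch`, so this regression guard cannot detect a v7 request that produced a v5 image; if inspector-sbomgen records the variant in another `amazon:inspector:sbom_generator:` property, comparing it here would close that gap. The whole file is within this hunk.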
@@ -33,7 +33,7 @@ jobs: # modify this block to scan your intended artifact - name: Inspector Scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 with: # change artifact_type to either 'repository', 'container', 'binary', or 'archive'. # this example scans a container image diff --git a/.github/workflows/example_vulnerability_threshold_exceeded.yml b/.github/workflows/example_vulnerability_threshold_exceeded.yml index 248ecca..f2e2a68 100644 --- a/.github/workflows/example_vulnerability_threshold_exceeded.yml +++ b/.github/workflows/example_vulnerability_threshold_exceeded.yml @@ -48,7 +48,7 @@ jobs: # Inspector scan - name: Scan container with Inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 id: inspector with: artifact_type: 'container' # configure Inspector for scanning a container diff --git a/.github/workflows/test_archive.yml b/.github/workflows/test_archive.yml index c4afb81..296b6ea 100644 --- a/.github/workflows/test_archive.yml +++ b/.github/workflows/test_archive.yml @@ -36,7 +36,7 @@ jobs: - name: Test archive scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 with: artifact_type: 'archive' artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip' diff --git a/.github/workflows/test_binary.yml b/.github/workflows/test_binary.yml index 3f86f61..399e94d 100644 --- a/.github/workflows/test_binary.yml +++ b/.github/workflows/test_binary.yml 
@@ -36,7 +36,7 @@ jobs: - name: Test binary scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 with: artifact_type: 'binary' artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen' diff --git a/.github/workflows/test_containers.yml b/.github/workflows/test_containers.yml index d49bb1b..3d2e158 100644 --- a/.github/workflows/test_containers.yml +++ b/.github/workflows/test_containers.yml @@ -36,7 +36,7 @@ jobs: - name: Test container scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 with: artifact_type: 'container' artifact_path: 'ubuntu:14.04' diff --git a/.github/workflows/test_dockerfile_vulns.yml b/.github/workflows/test_dockerfile_vulns.yml index 4cd1c1c..14e1233 100644 --- a/.github/workflows/test_dockerfile_vulns.yml +++ b/.github/workflows/test_dockerfile_vulns.yml @@ -35,7 +35,7 @@ jobs: - name: Scan Dockerfiles id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 with: artifact_type: 'repository' artifact_path: './' diff --git a/.github/workflows/test_installation.yml b/.github/workflows/test_installation.yml index c4459c2..d5625aa 100644 --- a/.github/workflows/test_installation.yml +++ b/.github/workflows/test_installation.yml @@ -32,7 +32,7 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - name: Test Amazon Inspector GitHub Actions plugin - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 with: artifact_type: 'container' artifact_path: 'alpine:latest' 
diff --git a/.github/workflows/test_no_vulns.yml b/.github/workflows/test_no_vulns.yml index c5bbb79..91600fc 100644 --- a/.github/workflows/test_no_vulns.yml +++ b/.github/workflows/test_no_vulns.yml @@ -32,7 +32,7 @@ jobs: - name: Test binary scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 with: artifact_type: 'binary' artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary' diff --git a/.github/workflows/test_reports_no_vulns.yml b/.github/workflows/test_reports_no_vulns.yml index 68be31c..2712a3f 100644 --- a/.github/workflows/test_reports_no_vulns.yml +++ b/.github/workflows/test_reports_no_vulns.yml @@ -31,7 +31,7 @@ jobs: - name: Test container scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 with: artifact_type: 'container' artifact_path: 'alpine:latest' diff --git a/.github/workflows/test_repository.yml b/.github/workflows/test_repository.yml index 3091846..6cafffb 100644 --- a/.github/workflows/test_repository.yml +++ b/.github/workflows/test_repository.yml @@ -35,7 +35,7 @@ jobs: - name: Test repository scan id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 with: artifact_type: 'repository' artifact_path: './' diff --git a/.github/workflows/test_vuln_thresholds.yml b/.github/workflows/test_vuln_thresholds.yml index 31503cd..d3fa83e 100644 --- a/.github/workflows/test_vuln_thresholds.yml +++ b/.github/workflows/test_vuln_thresholds.yml 
@@ -34,7 +34,7 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - name: Scan artifact with Inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 id: inspector with: artifact_type: 'archive' From 16a89cec53746f5df94b8bb11dd7fdf986c07ece Mon Sep 17 00:00:00 2001 From: Michael Long <31821088+bluesentinelsec@users.noreply.github.com> Date: Tue, 23 Sep 2025 14:42:05 -0400 Subject: [PATCH 3/4] update multi arch test to v1.4.1 (#140) --- .github/workflows/test_multi_arch_images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test_multi_arch_images.yml b/.github/workflows/test_multi_arch_images.yml index 888cbf4..956c5a1 100644 --- a/.github/workflows/test_multi_arch_images.yml +++ b/.github/workflows/test_multi_arch_images.yml @@ -43,7 +43,7 @@ jobs: - name: Test multi-arch image - ${{ matrix.platform }} id: inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@investigate_multi_arch + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1 with: artifact_type: 'container' artifact_path: 'debian:trixie' From 47e8686a3b2158018648eab3851ac6d06894db7c Mon Sep 17 00:00:00 2001 From: bluesentinelsec Date: Tue, 23 Sep 2025 14:45:46 -0400 Subject: [PATCH 4/4] update version.txt to v1.4.1 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 3eefcb9..347f583 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -1.0.0 +1.4.1