v1.4.1

.github/workflows/build_scan_container.yml

@@ -52,7 +52,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan built image with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
         id: inspector
         with:
           artifact_type: 'container'

.github/workflows/example_display_findings.yml

@@ -33,7 +33,7 @@ jobs:
       # modify this block to scan your intended artifact
       - name: Inspector Scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
         with:
           # change artifact_type to either 'repository', 'container', 'binary', or 'archive'.
           # this example scans a container image

.github/workflows/example_vulnerability_threshold_exceeded.yml

@@ -48,7 +48,7 @@ jobs:
 
       # Inspector scan
       - name: Scan container with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
         id: inspector
         with:
           artifact_type: 'container' # configure Inspector for scanning a container

.github/workflows/test_archive.yml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Test archive scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
         with:
           artifact_type: 'archive'
           artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip'

.github/workflows/test_binary.yml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Test binary scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
         with:
           artifact_type: 'binary'
           artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen'

.github/workflows/test_containers.yml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Test container scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
         with:
           artifact_type: 'container'
           artifact_path: 'ubuntu:14.04'

.github/workflows/test_dockerfile_vulns.yml

@@ -35,7 +35,7 @@ jobs:
 
       - name: Scan Dockerfiles
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
         with:
           artifact_type: 'repository'
           artifact_path: './'

.github/workflows/test_installation.yml

@@ -32,7 +32,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Test Amazon Inspector GitHub Actions plugin
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
         with:
           artifact_type: 'container'
           artifact_path: 'alpine:latest'

.github/workflows/test_multi_arch_images.yml

@@ -0,0 +1,63 @@
+name: Test Multi-arch images
+
+on:
+  schedule:
+    - cron: '0 */6 * * *' # runs every 6 hours
+  push:
+    branches: #
+      - '*'
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  test_multi_arch:
+    runs-on: ubuntu-latest
+    environment:
+      name: plugin-development
+    strategy:
+      matrix:
+        platform:
+          - "linux/386"
+          - "linux/amd64"
+          - "linux/arm/v5"
+          - "linux/arm/v7"
+          - "linux/arm64/v8"
+          - "linux/ppc64le"
+          - "linux/riscv64"
+          - "linux/s390x"
+
+    steps:
+
+      - name: Checkout this repository
+        uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+
+      - name: Test multi-arch image - ${{ matrix.platform }}
+        id: inspector
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
+        with:
+          artifact_type: 'container'
+          artifact_path: 'debian:trixie'
+          platform: ${{ matrix.platform }}
+          display_vulnerability_findings: "enabled"
+          sbomgen_version: "latest"
+
+      - name: Demonstrate SBOM Output (JSON)
+        run: cat ${{ steps.inspector.outputs.artifact_sbom }}
+
+      - name: Display scan results
+        run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
+
+      - name: Validate multi-arch - ${{ matrix.platform }}
+        run: python3 validator/validate_multi_platform_image_support.py --platform "${{ matrix.platform }}" --sbom "${{ steps.inspector.outputs.artifact_sbom }}"
+
+

.github/workflows/test_no_vulns.yml

@@ -32,7 +32,7 @@ jobs:
 
       - name: Test binary scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
         with:
           artifact_type: 'binary'
           artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary'

.github/workflows/test_reports_no_vulns.yml

@@ -31,7 +31,7 @@ jobs:
 
       - name: Test container scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
         with:
           artifact_type: 'container'
           artifact_path: 'alpine:latest'

.github/workflows/test_repository.yml

@@ -35,7 +35,7 @@ jobs:
 
       - name: Test repository scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
         with:
           artifact_type: 'repository'
           artifact_path: './'

.github/workflows/test_vuln_thresholds.yml

@@ -34,7 +34,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan artifact with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.1
         id: inspector
         with:
           artifact_type: 'archive'

action.yml

@@ -162,6 +162,7 @@ runs:
     - --thresholds
     - ${{ inputs.threshold_fixable_only == 'true' && '--threshold-fixable-only' || '--no-op' }}
     - ${{ inputs.show_only_fixable_vulns == 'true' && '--show-only-fixable-vulns'|| '--no-op' }}
+    - --platform=${{ inputs.platform || '' }}
     - --critical=${{ inputs.critical_threshold }}
     - --high=${{ inputs.high_threshold }}
     - --medium=${{ inputs.medium_threshold }}

validator/validate_multi_platform_image_support.py

@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+
+import argparse
+import json
+import sys
+
+
+def get_expected_arch(platform):
+    """Map platform string to expected architecture value in SBOM"""
+    platform_to_arch = {
+        "linux/386": "386",
+        "linux/amd64": "amd64", 
+        "linux/arm/v5": "arm",
+        "linux/arm/v7": "arm",
+        "linux/arm64/v8": "arm64",
+        "linux/ppc64le": "ppc64le",
+        "linux/riscv64": "riscv64",
+        "linux/s390x": "s390x"
+    }
+
+    if platform not in platform_to_arch:
+        raise ValueError(f"Unknown platform: {platform}")
+
+    return platform_to_arch[platform]
+
+
+def extract_arch_from_sbom(sbom_file):
+    """Extract architecture from SBOM metadata"""
+    try:
+        with open(sbom_file, 'r') as f:
+            sbom = json.load(f)
+
+        properties = sbom.get('metadata', {}).get('component', {}).get('properties', [])
+
+        for prop in properties:
+            if prop.get('name') == 'amazon:inspector:sbom_generator:image_arch':
+                return prop.get('value')
+
+        raise ValueError("Architecture property not found in SBOM")
+
+    except Exception as e:
+        raise ValueError(f"Failed to parse SBOM: {e}")
+
+
+def main():
+    parser = argparse.ArgumentParser(description='Validate SBOM architecture matches expected platform')
+    parser.add_argument('--platform', required=True, help='Expected platform (e.g., linux/amd64)')
+    parser.add_argument('--sbom', required=True, help='Path to SBOM file')
+
+    args = parser.parse_args()
+
+    try:
+        expected_arch = get_expected_arch(args.platform)
+        actual_arch = extract_arch_from_sbom(args.sbom)
+
+        print(f"Platform: {args.platform}")
+        print(f"Expected arch: {expected_arch}")
+        print(f"Actual arch: {actual_arch}")
+
+        if actual_arch != expected_arch:
+            print(f"   Architecture mismatch for platform {args.platform}")
+            print(f"   Expected: {expected_arch}")
+            print(f"   Found: {actual_arch}")
+            sys.exit(1)
+
+        print(f"Architecture validation passed: {actual_arch} matches expected {expected_arch}")
+
+    except Exception as e:
+        print(f"Validation failed: {e}")
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    main()

version.txt

@@ -1 +1 @@
-1.0.0
+1.4.1