Github Action for using the Lacework Inline image scanner in workflows
To add the scanner to your workflow:
```yaml
- uses: lacework/lw-scanner-action@v1.3.0
  name: Scan container image for vulnerabilities using Lacework
  with:
    LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
    LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
    IMAGE_NAME: techallylw/vulnerable-container
    IMAGE_TAG: v0.0.1
```
Options:

| Option | Description | Default |
|---|---|---|
| LW_ACCOUNT_NAME | Your Lacework account name (see docs) | |
| LW_ACCESS_TOKEN | Authorization token (see docs) | |
| IMAGE_NAME | Name of the container image to be scanned, for example `node` | |
| IMAGE_TAG | Tag of the container image you want to scan, for example `12.18.2-alpine` | |
| SCAN_LIBRARY_PACKAGES | Also scan software packages | true |
| SAVE_RESULTS_IN_LACEWORK | Save results to your Lacework account | false |
| SAVE_BUILD_REPORT | Saves the evaluation report as a local HTML file. | false |
| BUILD_REPORT_FILE_NAME | Specify a custom file name for the HTML evaluation report | `<OS_TYPE>-<IMAGE_DIGEST_SHA256>.html` |
| DEBUGGING | Enables debug logging from the scanner | false |
| PRETTY_OUTPUT | Renders table borders and adds color to the Severity column in the output of the evaluation results | true |
| SIMPLE_OUTPUT | Displays evaluation results without the Introduced in Layer and File Path columns. | true |
| COLOR_OUTPUT | Colors are rendered in evaluation results when the PRETTY_OUTPUT option is enabled. | true |
| ADDITIONAL_PARAMETERS | Additional parameters/flags. Only global and image evaluate flags are supported. | |
| RESULTS_IN_GITHUB_SUMMARY | Display results in the GitHub Summary. Further information here | false |
The Lacework Integrate Inline Scanner uses environment variables for additional configuration parameters. By default this action uses the following environment variables and default values.
| Environment variable name | Default value |
|---|---|
| LW_ACCOUNT_NAME | GitHub Actions input variable LW_ACCOUNT_NAME |
| LW_ACCESS_TOKEN | GitHub Actions input variable LW_ACCESS_TOKEN |
| LW_SCANNER_DISABLE_UPDATES | true |

Additional environment variables can be set within the GitHub Action step itself (see docs). This way you can, for example, enable offline scanning of Java images; see Scan Java Images Offline.
```yaml
jobs:
  build:
    steps:
      - uses: lacework/lw-scanner-action@v1.2.0
        name: Scan container images for vulnerabilities using Lacework
        with:
          LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
          LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
          IMAGE_NAME: techallylw/vulnerable-container
          IMAGE_TAG: v0.0.1
          SAVE_RESULTS_IN_LACEWORK: true
          SAVE_BUILD_REPORT: true
          BUILD_REPORT_FILE_NAME: myreport.html
        env:
          JAVA_OFFLINE_MODE: true
```
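A fuller workflow that wires the options above together, added here as an example and not taken from the action's own documentation: it builds the image inside the job, scans it, writes the HTML report under a fixed name, publishes the result to the job summary, and uploads the report as a run artifact so it survives a failed scan step. The image name, the versions of the third-party actions, and the assumption that the scanner finds the locally loaded image in the runner's Docker daemon are assumptions of this example.

```yaml
# Added example (not from the action's README): build, scan, keep the report.
# Assumed: "my-org/my-service" and the third-party action versions are
# placeholders; the scanner is assumed to read the image from the runner's
# local Docker daemon after `load: true`.
name: container-scan

on:
  pull_request:

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build the image locally; nothing is pushed to a registry at this stage.
      - uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          push: false
          tags: my-org/my-service:${{ github.sha }}

      # Scan the freshly built image; credentials come from repository secrets.
      - uses: lacework/lw-scanner-action@v1.3.0
        name: Scan container image for vulnerabilities using Lacework
        with:
          LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
          LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
          IMAGE_NAME: my-org/my-service
          IMAGE_TAG: ${{ github.sha }}
          SAVE_RESULTS_IN_LACEWORK: true
          SAVE_BUILD_REPORT: true
          BUILD_REPORT_FILE_NAME: scan-report.html
          RESULTS_IN_GITHUB_SUMMARY: true

      # Keep the HTML report with the run even when the scan step fails the job.
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: lacework-scan-report
          path: scan-report.html
```

Pinning the scan to the commit SHA as the tag means the report and the Lacework record refer to exactly the image built for that pull request.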
For guidelines on how to contribute to the project, see CONTRIBUTING.md.
Copyright 2022, Lacework Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.