GitHub Action
TMAS Scan Action
Scan your containers with Vision One Container Security
This tool is meant to be used as a GitHub Action.
- Have an Vision One Account. Sign up for free trial now if it's not already the case!
- A Vision One API Key with a custom role that contains the permission
Run artifact scan
. - A Vision One Region of choice (ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1)
- A container image to be scan.
Add an Action in your .github/workflow
yml file to scan your image with Vision One Container Security.
- name: Vision One Container Security Scan Action
uses: trendmicro/tmas-scan-action@version*
with:
# Mandatory
TMAS_API_KEY: ${{ secrets.TMAS_API_KEY }}
REGION: us-east-1
VULNERABILITY_SCAN: true
# Optional
SBOM: true # Saves SBOM to SBOM.json so you can export it as an artifact later.
MALWARE_SCAN: true # Enable malware scan.
SECRETS_SCAN: true # Enable secrets scan.
IMAGE: alpine # The image need to be public or the pipeline need to have access to the private image of choice.
LOCAL_IMAGE_TARBALL: image.tar
# For each threshold below, select the maximum number of vulnerabilities that are acceptable.
MAX_TOTAL: 0
MAX_CRITICAL: 0
MAX_HIGH: 0
MAX_MEDIUM: 0
MAX_LOW: 0
MAX_NEGLIGIBLE: 0
MAX_UNKNOWN: 0
SCAN_RESULT_ARTIFACT: result.json # Save as an artifact in GitHub to be able to keep the result of the scan.
Artifacts allow you to share data between jobs in a workflow and store data once that workflow has completed, in this case saving the scan result and the container image SBOM as an artifact allow you to have proof on what happened on past scans. In the example below, you can add an extra action after the scan to keep the result the scan as an artifact for 30 days:
- name: 'Upload Scan Result Artifact'
uses: actions/upload-artifact@v3
with:
name: scan-result
path: result.json
retention-days: 30
- name: 'Upload SBOM Artifact'
uses: actions/upload-artifact@v3
with:
name: sbom
path: SBOM.json
retention-days: 30
Note: By default, GitHub stores build logs and artifacts for 90 days, and this retention period can be customized. For more information, check the GitHub Documentation.
If you encounter a bug, think of a useful feature, or find something confusing in the docs, please create a new issue!
We ❤️ pull requests. If you'd like to fix a bug, contribute to a feature or just correct a typo, please feel free to do so.
If you're thinking of adding a new feature, consider opening an issue first to discuss it to ensure it aligns to the direction of the project (and potentially save yourself some time!).
Official support from Trend Micro is not available. Individual contributors may be Trend Micro employees, but are not official support.