├── VERSION
├── Dockerfile
├── RELEASE_NOTES.md
├── .gitignore
├── .github
│   ├── ISSUE_TEMPLATE
│   │   ├── bug_report.md
│   │   └── feature_request.md
│   ├── pull_request_template.md
│   └── workflows
│       ├── test-action.yaml
│       ├── test-action-summary.yaml
│       ├── test-action-blocked.yaml
│       ├── verify-release.yml
│       ├── trigger-release.yml
│       ├── prepare-release.yml
│       ├── update-scanner-version.yml
│       └── release.yml
├── scripts
│   ├── version-bump.sh
│   └── release.sh
├── CONTRIBUTING.md
├── docker-entrypoint.sh
├── action.yaml
├── DEVELOPER_GUIDELINES.MD
├── README.md
├── LICENSE.md
└── CHANGELOG.md
/VERSION:
--------------------------------------------------------------------------------
1.4.5
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM lacework/lacework-inline-scanner:0.27.2
COPY ./docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
--------------------------------------------------------------------------------
/RELEASE_NOTES.md:
--------------------------------------------------------------------------------
# Release Notes
Another day, another release. These are the release notes for the version `v1.4.5`.

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# General
.DS_Store
.AppleDouble
.LSOverride

# Icon must end with two \r
Icon

# Thumbnails
._*

# Files that might appear in the root of a volume
.DocumentRevisions-V100
.fseventsd
.Spotlight-V100
.TemporaryItems
.Trashes
.VolumeIcon.icns
.com.apple.timemachine.donotpresent

# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk

# Ignore evaluations folder
evaluations
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
---
name: Bug report
about: Create a report to help us improve
title: 'bug:'
labels: bug
---

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior:
1. Run cmd '...'
2. See error

**Expected behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Additional context**
Add any other context about the problem here.
--------------------------------------------------------------------------------
/.github/pull_request_template.md:
--------------------------------------------------------------------------------
## Summary

## How did you test this change?

## Issue

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
---
name: Feature request
about: Suggest an idea for this project
title: 'feat: '
labels: 'feat'
---

# Feature Request

**Describe the Feature Request**
A clear and concise description of what the feature request is. Please mention whether your feature request is related to a problem.

**Is your feature request related to a problem? Please describe**
The problems that led you to consider this feature request.

**Describe Preferred Solution**
A clear and concise description of what you want to happen, and any alternatives.

**Additional Context**
List any other information that is relevant to your issue: stack traces, related issues, suggestions on how to add it, use case, Stack Overflow links, forum links, screenshots, OS if applicable, etc.
--------------------------------------------------------------------------------
/.github/workflows/test-action.yaml:
--------------------------------------------------------------------------------
name: test-action
on:
  push:
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: "30 8 * * *"

jobs:
  test-action:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: Pull Docker image
        run: docker image pull techallylw/vulnerable-container:v0.0.1

      - name: Build lw-scanner action container image
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          push: false
          tags: ${{ github.repository }}:latest

      - name: lw-scanner
        id: lw-scanner
        uses: ./
        with:
          LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
          LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
          IMAGE_NAME: techallylw/vulnerable-container
          IMAGE_TAG: v0.0.1
--------------------------------------------------------------------------------
/.github/workflows/test-action-summary.yaml:
--------------------------------------------------------------------------------
name: test-action-summary
on:
  push:
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: "30 8 * * *"

jobs:
  test-action-summary:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: Pull Docker image
        run: docker image pull techallylw/vulnerable-container:v0.0.1

      - name: lw-scanner with summary
        id: lw-scanner-with-summary
        continue-on-error: true
        uses: ./
        with:
          LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
          LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN_POLICY }}
          IMAGE_NAME: techallylw/vulnerable-container
          IMAGE_TAG: v0.0.1
          RESULTS_IN_GITHUB_SUMMARY: "true"

      - name: Check if step with summary did fail as expected based on policy.
        if: steps.lw-scanner-with-summary.outcome != 'failure'
        run: exit 1
--------------------------------------------------------------------------------
/.github/workflows/test-action-blocked.yaml:
--------------------------------------------------------------------------------
name: test-action-blocked
on:
  push:
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: "30 8 * * *"

jobs:
  test-action-blocked:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: Pull Docker image
        run: docker image pull techallylw/vulnerable-container:v0.0.1

      - name: Build lw-scanner action container image
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          push: false
          tags: ${{ github.repository }}:latest

      - name: lw-scanner
        id: lw-scanner
        uses: ./
        continue-on-error: true
        with:
          LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
          LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN_POLICY }}
          IMAGE_NAME: techallylw/vulnerable-container
          IMAGE_TAG: v0.0.1

      - name: Check if step did fail as expected based on policy.
        if: steps.lw-scanner.outcome != 'failure'
        run: exit 1
--------------------------------------------------------------------------------
/.github/workflows/verify-release.yml:
--------------------------------------------------------------------------------
name: Verify Release

on:
  push:
    branches:
      - release

jobs:
  verify-release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}

      - name: Setup Go
        uses: actions/setup-go@v4
        with:
          go-version: 1.21.x

      - name: Verify release
        run: |
          scripts/release.sh verify

      - name: Notify Slack on Failure
        uses: slackapi/slack-github-action@v1.25.0
        if: failure()
        with:
          payload: |
            {
              "attachments": [
                {
                  "color": "#E92020",
                  "blocks": [
                    {
                      "type": "section",
                      "text": {
                        "type": "mrkdwn",
                        "text": "@oncall-growth-eng! There has been a failure that needs your attention. :rotating_light:\n*GitHub Workflow Failure*\nlw-scanner-action/verify-release\n*Workflow Run*\n https://github.com/lacework/lw-scanner-action/actions/runs/${{ github.run_id }}"
                      }
                    }
                  ]
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GROWTH_ENG_ALERTS }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
--------------------------------------------------------------------------------
/.github/workflows/trigger-release.yml:
--------------------------------------------------------------------------------
name: Trigger Release

on:
  push:
    branches:
      - main

jobs:
  trigger-release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Trigger release
        env:
          GPG_SECRET_KEY: ${{ secrets.GPG_SECRET_KEY }}
          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
          CI: true
        run: |
          echo "$GPG_SECRET_KEY" | base64 --decode | gpg --import --no-tty --batch --yes
          scripts/release.sh trigger

      - name: Notify Slack on Failure
        uses: slackapi/slack-github-action@v1.25.0
        if: failure()
        with:
          payload: |
            {
              "attachments": [
                {
                  "color": "#E92020",
                  "blocks": [
                    {
                      "type": "section",
                      "text": {
                        "type": "mrkdwn",
                        "text": "@oncall-growth-eng! There has been a failure that needs your attention. :rotating_light:\n*GitHub Workflow Failure*\nlw-scanner-action/trigger-release\n*Workflow Run*\n https://github.com/lacework/lw-scanner-action/actions/runs/${{ github.run_id }}"
                      }
                    }
                  ]
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GROWTH_ENG_ALERTS }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
--------------------------------------------------------------------------------
/.github/workflows/prepare-release.yml:
--------------------------------------------------------------------------------
name: Prepare Release

on:
  workflow_dispatch:

jobs:
  prepare-release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: main
          fetch-depth: 0

      - name: Prepare release
        env:
          GPG_SECRET_KEY: ${{ secrets.GPG_SECRET_KEY }}
          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
          GITHUB_TOKEN: ${{ secrets.TOKEN }}
          CI: true
        run: |
          echo "$GPG_SECRET_KEY" | base64 --decode | gpg --import --no-tty --batch --yes
          scripts/release.sh prepare

      - name: Notify Slack on Failure
        uses: slackapi/slack-github-action@v1.25.0
        if: failure()
        with:
          payload: |
            {
              "attachments": [
                {
                  "color": "#E92020",
                  "blocks": [
                    {
                      "type": "section",
                      "text": {
                        "type": "mrkdwn",
                        "text": "@oncall-growth-eng! There has been a failure that needs your attention. :rotating_light:\n*GitHub Workflow Failure*\nlw-scanner-action/prepare-release\n*Workflow Run*\n https://github.com/lacework/lw-scanner-action/actions/runs/${{ github.run_id }}"
                      }
                    }
                  ]
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GROWTH_ENG_ALERTS }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
--------------------------------------------------------------------------------
/scripts/version-bump.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Name:: version-bump.sh
# Description:: Use this script to bump the version of the lw-scanner
#               after a new release of the docker image
# Author:: Salim Afiune Maya ()
#
set -eou pipefail

readonly project_name=lw-scanner-action
readonly org_name=lacework
readonly git_user="Lacework Inc."
readonly git_email="tech-ally@lacework.net"

# Both error paths must stop the script; the version is required below.
if [[ "${1:-}" == "" ]]; then
  echo "ERROR: Unable to update version. Please provide the new version to update."
  exit 1
elif [[ "${1:-}" == "undefined" ]]; then
  echo "ERROR: SCANNER_VERSION variable not passed to codefresh job. Please check the pipeline."
  exit 1
fi

_scanner_version=$1

# Update Dockerfile: replaces everything after the first ':' on each line;
# in this Dockerfile only the FROM line contains one.
echo "--> Updating lw-scanner version to ${_scanner_version}"
sed -i 's/:.*$/:'"${_scanner_version}"'/' Dockerfile

# Configure Git if running in CI (values are quoted: the user name contains a space)
if [ "${CI:-}" != "" ]; then
  git config --global user.email "$git_email"
  git config --global user.name "$git_user"
  git config --global user.signingkey "$GPG_SIGNING_KEY"
fi

# Create a branch and commit changes (signed, with a sign-off)
git checkout -B version-bump
git commit -sS -am "chore(deps): lw-scanner to version ${_scanner_version}"
git push origin version-bump -f

# Open Pull Request
_body="/tmp/pr.json"
_pr="/tmp/pr.out"
cat << EOF > $_body
{
  "base": "main",
  "head": "version-bump",
  "title": "chore(deps): lw-scanner to version ${_scanner_version}",
  "body": "Automated update, merge if pipeline is green."
}
EOF
curl -XPOST -H "Authorization: token $GITHUB_TOKEN" --data "@$_body" \
  https://api.github.com/repos/${org_name}/${project_name}/pulls > $_pr
_pr_url=$(jq .html_url $_pr)
echo ""
echo "--> It is time for review!"
echo "  $_pr_url"
--------------------------------------------------------------------------------
/.github/workflows/update-scanner-version.yml:
--------------------------------------------------------------------------------
name: Update Docker Container Version

on:
  workflow_dispatch:
    inputs:
      scanner_version:
        description: New lw-scanner version
        required: true
        type: string

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}

      - name: Update Scanner Version
        env:
          GPG_SECRET_KEY: ${{ secrets.GPG_SECRET_KEY }}
          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
          GITHUB_TOKEN: ${{ secrets.TOKEN }}
          # Hand the dispatch input to the script through the environment rather than
          # expanding the expression inside the shell script itself.
          SCANNER_VERSION: ${{ inputs.scanner_version }}
        run: |
          echo "$GPG_SECRET_KEY" | base64 --decode | gpg --import --no-tty --batch --yes
          echo "Version passed to script= $SCANNER_VERSION"
          scripts/version-bump.sh "$SCANNER_VERSION"

      - name: Notify Slack on Failure
        uses: slackapi/slack-github-action@v1.25.0
        if: failure()
        with:
          payload: |
            {
              "attachments": [
                {
                  "color": "#E92020",
                  "blocks": [
                    {
                      "type": "section",
                      "text": {
                        "type": "mrkdwn",
                        "text": "@oncall-growth-eng! There has been a failure that needs your attention. :rotating_light:\n*GitHub Workflow Failure*\nlw-scanner-action/release\n*Workflow Run*\n https://github.com/lacework/lw-scanner-action/actions/runs/${{ github.run_id }}"
                      }
                    }
                  ]
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GROWTH_ENG_ALERTS }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing to the Lacework Inline Scanner GitHub Action

### Table Of Contents

* [Before getting started?](#before-getting-started)

* [How to contribute](#how-to-contribute)
  * [Reporting Bugs](#reporting-bugs)
  * [Feature Requests](#feature-requests)
  * [Pull Requests](#pull-requests)

* [Developer Guidelines](/DEVELOPER_GUIDELINES.MD)


## How to contribute
There are three ways community members can help contribute to the Lacework CLI:
report any issues you find, either in the functionality of the CLI or in its documentation; open a feature request if you believe some functionality should exist
within the Lacework CLI; or, if you have gone one step further and made the changes yourself, submit a pull request.

### Reporting Bugs

Ensure the issue you are raising has not already been created under [issues](https://github.com/lacework/lw-scanner-action/issues).

If no current issue addresses the problem, open a new [issue](https://github.com/lacework/lw-scanner-action/issues/new).
Include as much relevant information as possible. See the [bug template](https://github.com/lacework/lw-scanner-action/blob/main/.github/ISSUE_TEMPLATE/bug_report.md) for help on creating a new issue.

### Feature Requests

If you wish to submit a request to add new functionality or an improvement to the lw-scanner-action, use the [feature request](https://github.com/lacework/lw-scanner-action/blob/main/.github/ISSUE_TEMPLATE/feature_request.md) template to
open a new [issue](https://github.com/lacework/lw-scanner-action/issues/new).

### Pull Requests

When submitting a pull request follow the [commit message standard](DEVELOPER_GUIDELINES.MD#commit-message-standard).
Reduce the likelihood of pushing breaking changes by running the lw-scanner-action unit and integration tests,
see [development documentation](https://github.com/lacework/lw-scanner-action/tree/main/cli#development).

Thanks,

Project Maintainers
--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
name: Release

on:
  push:
    tags:
      - 'v*'

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Notify Slack on Release
        uses: slackapi/slack-github-action@v1.25.0
        with:
          payload: |
            {
              "attachments": [
                {
                  "color": "#E92020",
                  "blocks": [
                    {
                      "type": "section",
                      "text": {
                        "type": "mrkdwn",
                        "text": "Releasing the lw-scanner Github Action"
                      }
                    }
                  ]
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GROWTH_ENG_ALERTS }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}

      - name: Create Release
        env:
          GPG_SECRET_KEY: ${{ secrets.GPG_SECRET_KEY }}
          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
          GITHUB_TOKEN: ${{ secrets.TOKEN }}
        run: |
          echo "$GPG_SECRET_KEY" | base64 --decode | gpg --import --no-tty --batch --yes
          scripts/release.sh publish

      - name: Notify Slack on Failure
        uses: slackapi/slack-github-action@v1.25.0
        if: failure()
        with:
          payload: |
            {
              "attachments": [
                {
                  "color": "#E92020",
                  "blocks": [
                    {
                      "type": "section",
                      "text": {
                        "type": "mrkdwn",
                        "text": "@oncall-growth-eng! There has been a failure that needs your attention. :rotating_light:\n*GitHub Workflow Failure*\nlw-scanner-action/release\n*Workflow Run*\n https://github.com/lacework/lw-scanner-action/actions/runs/${{ github.run_id }}"
                      }
                    }
                  ]
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GROWTH_ENG_ALERTS }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
--------------------------------------------------------------------------------
/docker-entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
set -o pipefail

# Set Lacework credentials as inline scanner environment variables
export LW_ACCOUNT_NAME=${INPUT_LW_ACCOUNT_NAME}
export LW_ACCESS_TOKEN=${INPUT_LW_ACCESS_TOKEN}

# Disable the update prompt for lw-scanner if a newer version is available, unless explicitly set
export LW_SCANNER_DISABLE_UPDATES=${LW_SCANNER_DISABLE_UPDATES:-true}

# Add parameters based on the action inputs (quoted, so an empty input cannot break the test)
export SCANNER_PARAMETERS=""
if [ "${INPUT_SCAN_LIBRARY_PACKAGES}" = "false" ]; then
  export SCANNER_PARAMETERS="${SCANNER_PARAMETERS} --disable-library-package-scanning"
fi
if [ "${INPUT_SAVE_RESULTS_IN_LACEWORK}" = "true" ]; then
  export SCANNER_PARAMETERS="${SCANNER_PARAMETERS} --save"
fi
if [ "${INPUT_SAVE_BUILD_REPORT}" = "true" ]; then
  export SCANNER_PARAMETERS="${SCANNER_PARAMETERS} --html"
fi
if [ -n "${INPUT_BUILD_REPORT_FILE_NAME}" ]; then
  export SCANNER_PARAMETERS="${SCANNER_PARAMETERS} --html-file ${INPUT_BUILD_REPORT_FILE_NAME}"
fi
if [ "${INPUT_DEBUGGING}" = "true" ]; then
  export SCANNER_PARAMETERS="${SCANNER_PARAMETERS} --debug"
fi
if [ "${INPUT_PRETTY_OUTPUT}" = "true" ]; then
  export SCANNER_PARAMETERS="${SCANNER_PARAMETERS} --pretty"
fi
if [ "${INPUT_SIMPLE_OUTPUT}" = "true" ]; then
  export SCANNER_PARAMETERS="${SCANNER_PARAMETERS} --simple"
fi
# Colour codes would be pasted verbatim into the job summary, so they are disabled there too
if [ "${INPUT_COLOR_OUTPUT}" = "false" ] || [ "${INPUT_RESULTS_IN_GITHUB_SUMMARY}" = "true" ]; then
  export SCANNER_PARAMETERS="${SCANNER_PARAMETERS} --no-color"
fi
if [ -n "${INPUT_ADDITIONAL_PARAMETERS}" ]; then
  export SCANNER_PARAMETERS="${SCANNER_PARAMETERS} ${INPUT_ADDITIONAL_PARAMETERS}"
fi

# Remove old scanner evaluation, if cached somehow
rm "${GITHUB_WORKSPACE}/evaluations/${INPUT_IMAGE_NAME}/${INPUT_IMAGE_TAG}"/evaluation_*.json &>/dev/null || true

# Run the scan; --policy with --fail-on-violation-exit-code 1 makes the step fail on a policy violation.
# SCANNER_PARAMETERS is deliberately unquoted so that it is split into individual flags.
/app/vulnerability/scanner/lacework/local-scanner/main/local-scanner.binary image evaluate "${INPUT_IMAGE_NAME}" "${INPUT_IMAGE_TAG}" \
  --build-plan "${GITHUB_REPOSITORY}" \
  --build-id "${GITHUB_RUN_ID}" \
  --data-directory "${GITHUB_WORKSPACE}" \
  --policy \
  --fail-on-violation-exit-code 1 ${SCANNER_PARAMETERS} > results.stdout

export SCANNER_EXIT_CODE=$?

if [ "${INPUT_RESULTS_IN_GITHUB_SUMMARY}" = "true" ]; then
  echo "### Security Scan" >> "$GITHUB_STEP_SUMMARY"
  echo "<pre>" >> "$GITHUB_STEP_SUMMARY"
  printf '%s' "$(<results.stdout)" >> "$GITHUB_STEP_SUMMARY"
  echo "</pre>" >> "$GITHUB_STEP_SUMMARY"
fi

# Propagate the scanner's exit code so a policy violation fails the workflow step
exit ${SCANNER_EXIT_CODE}
--------------------------------------------------------------------------------
/action.yaml:
--------------------------------------------------------------------------------
name: "lw-scanner"
description: "Scan container images for vulnerabilities with Lacework's Inline Scanner"
author: "Lacework"
inputs:
  LW_ACCOUNT_NAME:
    description: "Your Lacework account name. For example, if your login URL is mycompany.lacework.net, the account name is mycompany."
    required: true
  LW_ACCESS_TOKEN:
    description: "Authorization token. Copy and paste the token from the inline scanner integration created in the Lacework console."
    required: true
  IMAGE_NAME:
    description: "Name of the container image you want to scan, for example, `node`."
    required: true
  IMAGE_TAG:
    description: "Tag of the container image you want to scan, for example, `12.18.2-alpine`."
    required: true
  SCAN_LIBRARY_PACKAGES:
    description: "Also scan software packages. (Default: true)"
    required: false
    default: "true"
  SAVE_RESULTS_IN_LACEWORK:
    description: "Save results to Lacework. (Default: false)"
    required: false
    default: "false"
  SAVE_BUILD_REPORT:
    description: "Saves the evaluation report as a local HTML file. (Default: false)"
    required: false
    default: "false"
  BUILD_REPORT_FILE_NAME:
    description: "Specify a custom file name for the HTML evaluation report; by default the name is OS_TYPE-IMAGE_DIGEST_SHA256.html."
    required: false
  DEBUGGING:
    description: "Enable debug logging for the scanner"
    required: false
    default: "false"
  PRETTY_OUTPUT:
    description: "Renders table borders and adds color to the Severity column in the output of the evaluation results. (Default: true)"
    required: false
    default: "true"
  SIMPLE_OUTPUT:
    description: "Displays evaluation results without the Introduced in `Layer` and `File Path` columns. (Default: true)"
    required: false
    default: "true"
  COLOR_OUTPUT:
    description: "Colors are rendered in evaluation results when the `PRETTY_OUTPUT` option is enabled. (Default: true)"
    required: false
    default: "true"
  ADDITIONAL_PARAMETERS:
    description: "Additional parameters/flags. Only global and `image evaluate` flags are supported."
    required: false
  RESULTS_IN_GITHUB_SUMMARY:
    description: "Display results in the GitHub job summary. (Default: true)"
    required: false
    default: "true"
runs:
  using: "docker"
  image: "Dockerfile"
  args:
    - ${{ inputs.LW_ACCOUNT_NAME }}
    - ${{ inputs.LW_ACCESS_TOKEN }}
    - ${{ inputs.IMAGE_NAME }}
    - ${{ inputs.IMAGE_TAG }}
    - ${{ inputs.SCAN_LIBRARY_PACKAGES }}
    - ${{ inputs.SAVE_RESULTS_IN_LACEWORK }}
    - ${{ inputs.SAVE_BUILD_REPORT }}
    - ${{ inputs.BUILD_REPORT_FILE_NAME }}
    - ${{ inputs.DEBUGGING }}
    - ${{ inputs.PRETTY_OUTPUT }}
    - ${{ inputs.SIMPLE_OUTPUT }}
    - ${{ inputs.COLOR_OUTPUT }}
    - ${{ inputs.ADDITIONAL_PARAMETERS }}
branding:
  icon: "alert-triangle"
  color: "blue"
--------------------------------------------------------------------------------
/DEVELOPER_GUIDELINES.MD:
--------------------------------------------------------------------------------
## Developer Guidelines

## Signed Commits
Signed commits are required for any contribution to this project.
Please see GitHub's documentation on configuring signed commits: [tell git about your signing key](https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification/telling-git-about-your-signing-key) and [signing commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits).

## Commit message standard

The format is:
```
type(scope): subject

BODY

FOOTER
```

Example commit message:
```
feat(cli): add XYZ option

This new option will enable example functionality so that users can run the inline scanner action only with an access token and their account:

Closes https://github.com/lacework/lw-scanner-action/issues/99
```

Each commit message consists of a header, body, and footer. The header with the type and subject is mandatory; the scope is optional.
When writing a commit message, try to limit each line of the commit to a maximum of 80 characters so it can be read easily.

### Type

Allowed `type` values:

| Type | Description |
| ----- | ----------- |
| feat: | A new feature you're adding |
| fix: | A bug fix |
| style: | Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc) |
| refactor: | A code change that neither fixes a bug nor adds a feature |
| test: | Everything related to testing |
| docs: | Everything related to documentation |
| chore: | Regular code maintenance |
| build: | Changes that affect the build |
| ci: | Changes to our CI configuration files and scripts |
| perf: | A code change that improves performance |
| metric: | A change that provides better insights about the adoption of features and code statistics |

### Scope
The optional scope refers to the section that this commit belongs to, for example, changing a specific component or service, a directive, pipes, etc.
Think of it as an indicator that lets developers know at first glance which section of the code you are changing.

A few good examples are:

* feat(client):
* docs(cli):
* chore(tests):
* ci(directive):

### Subject
The subject should contain a short description of the change, written in the present tense; for example, use "add" and not "added", or "change" and not "changed".
I like to fill in the sentence below to work out what to put as the description of my change:

If applied, this commit will ________________________________________.

### Body
The body should contain a longer description of the change; try not to repeat the subject, and keep it in the present tense as above.
Put in as much context as you think is needed. Don't be shy: explain your thought process, limitations, ideas for new features or fixes, etc.

### Footer
The footer is used to reference issues, pull requests or breaking changes, for example, "Fixes ticket #123".
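
The automated dependency bump in scripts/version-bump.sh follows this standard (a signed `chore(deps): ...` commit), but it takes the version from the update-scanner-version.yml dispatch input and substitutes it into the Dockerfile with an unanchored sed expression. The following is an added example, not part of the repository, showing the validation step a maintainer would want in front of that substitution; it assumes the Dockerfile layout shown above (`FROM lacework/lacework-inline-scanner:<version>`) and the hypothetical function names used here.

```shell
#!/bin/sh
# Added example (not the project's version-bump.sh): validate the scanner version
# before it reaches sed or git, and rewrite only the FROM line of the Dockerfile.

# Accept only a dotted numeric version such as 0.27.2. An empty string, the
# literal "undefined" the script checks for, or anything carrying sed/shell
# metacharacters is rejected before it can reach a command line.
valid_scanner_version() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Rewrite the tag in the FROM line of the given Dockerfile. Returns 1 and leaves
# the file untouched when the version is invalid. The expression is anchored on
# the image name, so other lines containing ':' are never touched.
bump_dockerfile() {
    dockerfile="$1"
    version="$2"
    valid_scanner_version "$version" || return 1
    # '#' is the sed delimiter because the image name contains '/'; the
    # validated version cannot contain '#' or regex metacharacters.
    sed -i -e 's#^\(FROM lacework/lacework-inline-scanner:\).*$#\1'"$version"'#' "$dockerfile"
}

# Read back the tag currently pinned in the FROM line.
current_scanner_version() {
    sed -n 's#^FROM lacework/lacework-inline-scanner:##p' "$1"
}

# Build the commit subject in the type(scope): subject form from the guideline,
# matching what version-bump.sh commits with "git commit -sS".
bump_commit_subject() {
    printf 'chore(deps): lw-scanner to version %s\n' "$1"
}

# Demo on a constructed copy of the Dockerfile (no git or network involved).
demo() {
    tmp=$(mktemp -d)
    printf 'FROM lacework/lacework-inline-scanner:0.27.2\nCOPY ./docker-entrypoint.sh /\nENTRYPOINT ["/docker-entrypoint.sh"]\n' > "$tmp/Dockerfile"
    if bump_dockerfile "$tmp/Dockerfile" "undefined"; then
        echo "unexpected: invalid version accepted"
    else
        echo "rejected invalid version, Dockerfile untouched"
    fi
    bump_dockerfile "$tmp/Dockerfile" 0.28.0
    echo "Dockerfile now pins $(current_scanner_version "$tmp/Dockerfile")"
    bump_commit_subject "$(current_scanner_version "$tmp/Dockerfile")"
    rm -rf "$tmp"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh bump-example.sh demo` to see the rejection of `undefined` followed by the successful bump and the resulting commit subject.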

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------


# Lacework Inline Scanner GitHub Action

[![test-action](https://github.com/lacework/lw-scanner-action/actions/workflows/test-action.yaml/badge.svg?branch=main)](https://github.com/lacework/lw-scanner-action/actions/workflows/test-action.yaml)

GitHub Action for using the Lacework Inline image scanner in workflows

## Usage

To add the scanner to your workflow:

```yaml
- uses: lacework/lw-scanner-action@v1.3.0
  name: Scan container image for vulnerabilities using Lacework
  with:
    LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
    LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
    IMAGE_NAME: techallylw/vulnerable-container
    IMAGE_TAG: v0.0.1
```

Options:

| Option | Description | Default |
|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
| `LW_ACCOUNT_NAME` | Your Lacework account name (see [docs](https://docs.lacework.com/integrate-inline-scanner#configure-authentication-using-environment-variables)) | |
| `LW_ACCESS_TOKEN` | Authorization token (see [docs](https://docs.lacework.com/integrate-inline-scanner#obtain-the-inline-scanner-and-authorization-token)) | |
| `IMAGE_NAME` | Name of the container to be scanned, for example `node` | |
| `IMAGE_TAG` | Tag of the container image you want to scan, for example `12.18.2-alpine` | |
| `SCAN_LIBRARY_PACKAGES` | Also scan software packages | `true` |
| `SAVE_RESULTS_IN_LACEWORK` | Save results to your Lacework account | `false` |
| `SAVE_BUILD_REPORT` | Saves the evaluation report as a local HTML file. | `false` |
| `BUILD_REPORT_FILE_NAME` | Specify a custom file name for the HTML evaluation report | `OS_TYPE-IMAGE_DIGEST_SHA256.html` |
| `DEBUGGING` | Enables debug logging from the scanner | `false` |
| `PRETTY_OUTPUT` | Renders table borders and adds color to the Severity column in the output of the evaluation results | `true` |
| `SIMPLE_OUTPUT` | Displays evaluation results without the Introduced in `Layer` and `File Path` columns. | `true` |
| `COLOR_OUTPUT` | Colors are rendered in evaluation results when the `PRETTY_OUTPUT` option is enabled. | `true` |
| `ADDITIONAL_PARAMETERS` | Additional parameters/flags. Only [global](https://docs.lacework.com/onboarding/integrate-inline-scanner#global-flags) and [`image evaluate`](https://docs.lacework.com/onboarding/integrate-inline-scanner#flags-for-image-evaluate) flags are supported. | |
| `RESULTS_IN_GITHUB_SUMMARY` | Display results in the GitHub job summary. Further information [here](https://github.blog/2022-05-09-supercharging-github-actions-with-job-summaries/) | `true` |

# Environment variables

The Lacework Integrate Inline Scanner uses environment variables for additional configuration parameters. By default
this action uses the following environment variables and default values.

| Environment variable name | Default value |
|----------------------------|-------------------------------------------------|
| LW_ACCOUNT_NAME | GitHub actions input variable `LW_ACCOUNT_NAME` |
| LW_ACCESS_TOKEN | GitHub actions input variable `LW_ACCESS_TOKEN` |
| LW_SCANNER_DISABLE_UPDATES | `true` |

Additional environment variables can be set within the GitHub Action step itself
(see [docs](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv)).
This way you can, for example, enable offline scanning of Java images; see [Scan Java Images Offline](https://docs.lacework.com/onboarding/integrate-inline-scanner#scan-java-images-offline).

## Example

```yaml
jobs:
  build:
    steps:
      - uses: lacework/lw-scanner-action@v1.2.0
        name: Scan container images for vulnerabilities using Lacework
        with:
          LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
          LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
          IMAGE_NAME: techallylw/vulnerable-container
          IMAGE_TAG: v0.0.1
          SAVE_RESULTS_IN_LACEWORK: true
          SAVE_BUILD_REPORT: true
          BUILD_REPORT_FILE_NAME: myreport.html
        env:
          JAVA_OFFLINE_MODE: true
```

## Contributing

For guidelines on how to contribute to the project, see [CONTRIBUTING.md](CONTRIBUTING.md).

## License and Copyright

Copyright 2022, Lacework Inc.

```text
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

   (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

   (b) You must cause any modified files to carry prominent notices stating that You changed the files; and

   (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

   (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

   You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format.
We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--------------------------------------------------------------------------------
/scripts/release.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Name:: release.sh
# Description:: Use this script to prepare a new release on Github,
#               the automation will build cross-platform binaries,
#               compress all generated targets, generate shasum
#               hashes, and create a GH tag like 'v0.1.0'
#               (using the VERSION file)
# Author:: Salim Afiune Maya ()
#
set -eou pipefail

readonly project_name=lw-scanner-action
readonly org_name=lacework
readonly git_user="Lacework Inc."
readonly git_email="tech-ally@lacework.net"
VERSION=$(cat VERSION)

usage() {
  local _cmd
  _cmd="$(basename "${0}")"
  cat <
# [original lines 22-121 are absent from this copy of the script: the rest of the
#  usage heredoc, main(), and the start of the function that writes CHANGELOG.md.
#  The text resumes mid-statement with the redirection below.]
                                                     > CHANGELOG.md
  echo "" >> CHANGELOG.md
  echo "$(cat CHANGES.md)" >> CHANGELOG.md
  echo "---" >> CHANGELOG.md
  echo "$_changelog" >> CHANGELOG.md
  # clean changes file since we don't need it anymore
  rm CHANGES.md
}

release_contains_features() {
  latest_version=$(find_latest_version)
  # any conventional-commit "feat:" or "feat(scope):" subject since the last tag
  git log --no-merges --pretty="%s" "${latest_version}..main" | grep "feat[:(]" >/dev/null
  return $?
}

load_list_of_changes() {
  latest_version=$(find_latest_version)
  local _list_of_changes
  _list_of_changes=$(git log --no-merges --pretty="* %s (%an)([%h](https://github.com/${org_name}/${project_name}/commit/%H))" "${latest_version}..main")

  # init changes file
  true > CHANGES.md

  # grep exits 1 for a category with no commits; this does not abort the script
  # because main is invoked as `main "$@" || exit 99`, and bash ignores errexit
  # inside the left-hand side of a || list.
  _feat=$(echo "$_list_of_changes" | grep "\* feat[:(]")
  _refactor=$(echo "$_list_of_changes" | grep "\* refactor[:(]")
  _perf=$(echo "$_list_of_changes" | grep "\* perf[:(]")
  _fix=$(echo "$_list_of_changes" | grep "\* fix[:(]")
  _doc=$(echo "$_list_of_changes" | grep "\* doc[:(]")
  _docs=$(echo "$_list_of_changes" | grep "\* docs[:(]")
  _metric=$(echo "$_list_of_changes" | grep "\* metric[:(]")
  _style=$(echo "$_list_of_changes" | grep "\* style[:(]")
  _chore=$(echo "$_list_of_changes" | grep "\* chore[:(]")
  _build=$(echo "$_list_of_changes" | grep "\* build[:(]")
  _ci=$(echo "$_list_of_changes" | grep "\* ci[:(]")
  _test=$(echo "$_list_of_changes" | grep "\* test[:(]")

  if [ "$_feat" != "" ]; then
    echo "## Features" >> CHANGES.md
    echo "$_feat" >> CHANGES.md
  fi

  if [ "$_refactor" != "" ]; then
    echo "## Refactor" >> CHANGES.md
    echo "$_refactor" >> CHANGES.md
  fi

  if [ "$_perf" != "" ]; then
    echo "## Performance Improvements" >> CHANGES.md
    echo "$_perf" >> CHANGES.md
  fi

  if [ "$_fix" != "" ]; then
    echo "## Bug Fixes" >> CHANGES.md
    echo "$_fix" >> CHANGES.md
  fi

  if [ "${_docs}${_doc}" != "" ]; then
    echo "## Documentation Updates" >> CHANGES.md
    if [ "$_doc" != "" ]; then echo "$_doc" >> CHANGES.md; fi
    if [ "$_docs" != "" ]; then echo "$_docs" >> CHANGES.md; fi
  fi

  if [ "${_style}${_chore}${_build}${_ci}${_test}" != "" ]; then
    echo "## Other Changes" >> CHANGES.md
    if [ "$_style" != "" ]; then echo "$_style" >> CHANGES.md; fi
    if [ "$_chore" != "" ]; then echo "$_chore" >> CHANGES.md; fi
    if [ "$_build" != "" ]; then echo "$_build" >> CHANGES.md; fi
    if [ "$_ci" != "" ]; then echo "$_ci" >> CHANGES.md; fi
    if [ "$_metric" != "" ]; then echo "$_metric" >> CHANGES.md; fi
    if [ "$_test" != "" ]; then echo "$_test" >> CHANGES.md; fi
  fi
}

generate_release_notes() {
  log "generating release notes at RELEASE_NOTES.md"
  load_list_of_changes
  echo "# Release Notes" > RELEASE_NOTES.md
  echo "Another day, another release. These are the release notes for the version \`v$VERSION\`." >> RELEASE_NOTES.md
  echo "" >> RELEASE_NOTES.md
  echo "$(cat CHANGES.md)" >> RELEASE_NOTES.md
}

push_release() {
  log "committing and pushing the release to github"
  # drop any "-dev" suffix: awk's %d keeps only the leading digits of each field
  _version_no_tag=$(echo "$VERSION" | awk -F. '{printf("%d.%d.%d", $1, $2, $3)}')
  if [ "${CI:-}" != "" ]; then
    git config --global user.email "$git_email"
    git config --global user.name "$git_user"
    git config --global user.signingkey "$GPG_SIGNING_KEY"
  fi
  git checkout -B release
  # -s adds the Signed-off-by trailer, -S GPG-signs the commit
  git commit -sS -am "release: v$_version_no_tag"
  git push origin release -f
}

open_pull_request() {
  local _body="/tmp/pr.json"
  local _pr="/tmp/pr.out"

  log "opening GH pull request"
  generate_pr_body "$_body"
  curl -XPOST -H "Authorization: token $GITHUB_TOKEN" --data "@$_body" \
    "https://api.github.com/repos/${org_name}/${project_name}/pulls" > "$_pr"

  _pr_url=$(jq .html_url "$_pr")
  log ""
  log "It is time to review the release!"
  log "  $_pr_url"
}

tag_release() {
  local _tag="v$VERSION"
  log "creating github tag: $_tag"
  git tag "$_tag"
  git push origin "$_tag"
}

prerequisites() {
  local _branch=$(git rev-parse --abbrev-ref HEAD)
  if [ "$_branch" != "main" ]; then
    warn "Releases must be generated from the 'main' branch. (current $_branch)"
    warn "Switch to the main branch and try again."
    exit 127
  fi

  local _unsaved_changes=$(git status -s)
  if [ "$_unsaved_changes" != "" ]; then
    warn "You have unsaved changes in the main branch. Are you resuming a release?"
    warn "To resume a release you have to start over, to remove all unsaved changes run the command:"
    warn "  git reset --hard origin/main"
    exit 127
  fi
}

find_latest_version() {
  local _pattern="v[0-9]\+.[0-9]\+.[0-9]\+"
  local _versions
  local _latest_version
  # list remote tags, strip "refs/tags/v", and pick the numerically highest version
  _versions=$(git ls-remote --tags --quiet | grep "$_pattern" | tr '/' ' ' | tr 'v' ' ' | awk '{print $NF}')
  _latest_version=$(echo "$_versions" | tr '.' ' ' | sort -nr -k 1 -k 2 -k 3 | tr ' ' '.' | head -1)
  echo "v$_latest_version"
}

check_for_minor_version_bump() {
  if release_contains_features; then
    log "new feature detected, minor version bump"
    echo "$VERSION" | awk -F. '{printf("%d.%d.0", $1, $2+1)}' > VERSION
    VERSION=$(cat VERSION)
    log "updated version to v$VERSION"
  fi
}

remove_tag_version() {
  echo "$VERSION" | awk -F. '{printf("%d.%d.%d", $1, $2, $3)}' > VERSION
  VERSION=$(cat VERSION)
  log "updated version to v$VERSION"
}

bump_version() {
  log "updating version after tagging release"
  latest_version=$(find_latest_version)

  if [[ "v$VERSION" == "$latest_version" ]]; then
    case "${1:-}" in
      major)
        echo "$VERSION" | awk -F. '{printf("%d.%d.%d-dev", $1+1, $2, $3)}' > VERSION
        ;;
      minor)
        echo "$VERSION" | awk -F. '{printf("%d.%d.%d-dev", $1, $2+1, $3)}' > VERSION
        ;;
      *)
        echo "$VERSION" | awk -F. '{printf("%d.%d.%d-dev", $1, $2, $3+1)}' > VERSION
        ;;
    esac
    VERSION=$(cat VERSION)
    log "version bumped from $latest_version to v$VERSION"
  else
    log "skipping version bump. Already bumped to v$VERSION"
    return
  fi

  log "committing and pushing the version bump to github"
  if [ "${CI:-}" != "" ]; then
    git config --global user.email "$git_email"
    git config --global user.name "$git_user"
    git config --global user.signingkey "$GPG_SIGNING_KEY"
  fi
  git add VERSION
  git commit -sS -m "ci: version bump to v$VERSION"
  git push origin main
}

create_release() {
  local _tag
  _tag=$(git describe --tags)
  local _body="/tmp/release.json"
  local _release="/tmp/release.out"

  log "generating GH release $_tag"
  generate_release_body "$_body"
  curl -XPOST -H "Authorization: token $GITHUB_TOKEN" --data "@$_body" \
    "https://api.github.com/repos/${org_name}/${project_name}/releases" > "$_release"

  log "the release has been completed!"
  log ""
  log "  -> https://github.com/${org_name}/${project_name}/releases/tag/${_tag}"
}

generate_pr_body() {
  _file=${1:-pr.json}
  _version_no_tag=$(echo "$VERSION" | awk -F. '{printf("%d.%d.%d", $1, $2, $3)}')
  # JSON-encode the whole release notes file as one string
  # (-R raw input, -s slurp into a single value, -a ASCII-only output)
  _release_notes=$(jq -aRs . RELEASE_NOTES.md)
  cat <<EOF > "$_file"
{
  "base": "main",
  "head": "release",
  "title": "Release v$_version_no_tag",
  "body": $_release_notes
}
EOF
}

generate_release_body() {
  _file=${1:-release.json}
  _tag=$(git describe --tags)
  _release_notes=$(jq -aRs . RELEASE_NOTES.md)
  cat <<EOF > "$_file"
{
  "tag_name": "$_tag",
  "name": "$_tag",
  "draft": false,
  "prerelease": false,
  "body": $_release_notes
}
EOF
}

log() {
  echo "--> ${project_name}: $1"
}

warn() {
  echo "xxx ${project_name}: $1" >&2
}

main "$@" || exit 99
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
# v1.4.5


---
# v1.4.4

## Other Changes
* chore: Set result in github summary default to true (#81) (Lei Jin)([a14f2af](https://github.com/lacework/lw-scanner-action/commit/a14f2af4f83dbfb6406bd5273c613e3b3e77a582))
---
# v1.4.2

## Bug Fixes
* fix: remove tests folder (#72) (Pengyuan Zhao)([0a0bd15](https://github.com/lacework/lw-scanner-action/commit/0a0bd158a1ea119be188fda9bbb9bda9e48e510b))
## Other Changes
* chore:Upgrade inline scanner version to 0.27.0 (#75) (Lei Jin)([74fb2c2](https://github.com/lacework/lw-scanner-action/commit/74fb2c2ee06c8188d35705a1f296c54bfca5078b))
* ci: version bump to v1.4.2-dev (Lacework)([975a4e1](https://github.com/lacework/lw-scanner-action/commit/975a4e11203b24b7201da7ab4f1fc0e7ef4e62ed))
---
# v1.4.1

## Documentation Updates
* docs(CONTRIBUTING.md): Fix link (#63) (Mateusz Wroński)([2d20deb](https://github.com/lacework/lw-scanner-action/commit/2d20deb947955add3ee4e1ce34157dde3873067d))
* docs(readme): fix typo (#64) (Mateusz Wroński)([24a046e](https://github.com/lacework/lw-scanner-action/commit/24a046ed6e50ce18ba1e0452fd2c0e40cbd83171))
## Other Changes
* chore(tests): Use newer docker actions as old version use deprecated node version.
(#67) (Tim Arenz)([04dc248](https://github.com/lacework/lw-scanner-action/commit/04dc2487967670ed26f5a2bd835d0ef0385e85db))
* chore(deps): lw-scanner to version 0.23.2 (#65) (lacework-releng)([a4dae24](https://github.com/lacework/lw-scanner-action/commit/a4dae249a84654d2384f9a7f962d02326cac17db))
* ci: fix workflow url in slack message (#69) (Pengyuan Zhao)([cf13c01](https://github.com/lacework/lw-scanner-action/commit/cf13c01ffebabcb40fd5ca7b1f465fefc82f9faf))
* ci: migrate Codefresh pipelines to Github Actions (#68) (Pengyuan Zhao)([35b05ef](https://github.com/lacework/lw-scanner-action/commit/35b05efd9997d734b89ec3a8502291706a05886e))
* ci: version bump to v1.4.1-dev (Lacework)([4127bc0](https://github.com/lacework/lw-scanner-action/commit/4127bc0cf4a54319fa4adc65d7dde1af8fad90d8))
---
# v1.4.0

## Features
* feat: add github summary integration (#57) (Jean-Yves CAMIER)([2e9e3ce](https://github.com/lacework/lw-scanner-action/commit/2e9e3cef38f74485f3700167824d0cb9ced4e12b))
* feat: add github summury integration (#52) (Jean-Yves CAMIER)([065f92e](https://github.com/lacework/lw-scanner-action/commit/065f92eb94c6f58dd9a2397f3e9585d4da123210))
## Bug Fixes
* fix: output for non job-summary runs (#60) (Tim Arenz)([439c2c5](https://github.com/lacework/lw-scanner-action/commit/439c2c55020f12a6fe43a7ba1fb78c798da39f66))
## Other Changes
* chore(deps): lw-scanner to version 0.22.0 (#58) (lacework-releng)([b9e56e6](https://github.com/lacework/lw-scanner-action/commit/b9e56e6aa9a85da60ad046a1bcfd0cafcdffbe4a))
* chore(deps): lw-scanner to version 0.22.0 (#50) (lacework-releng)([97373a6](https://github.com/lacework/lw-scanner-action/commit/97373a6ea94ab890adae000f1a8d59d2bb081dff))
* ci: run tests on pull requests (#55) (Tim Arenz)([84a6732](https://github.com/lacework/lw-scanner-action/commit/84a6732502573b24afce5ed6fb0cbb2a7f8f4a30))
* ci: version bump to v1.3.3-dev (Lacework)([55d9ca8](https://github.com/lacework/lw-scanner-action/commit/55d9ca8274566417ae3bc2f34e880bf8cc61f34e))
---
# v1.3.2

## Other Changes
* chore(deps): lw-scanner to version 0.20.1 (#48) (lacework-releng)([8fd0495](https://github.com/lacework/lw-scanner-action/commit/8fd049529be242b4473eee1abadaf09b3224f7e5))
* ci: update the version-bump script argument check (#46) (Dave Hill)([c518fa9](https://github.com/lacework/lw-scanner-action/commit/c518fa9e4c88161804b2fc401170bed3729b2995))
* ci: version bump to v1.3.2-dev (Lacework)([74e69ef](https://github.com/lacework/lw-scanner-action/commit/74e69ef1ac67d4ee10ec2ca6e692c145af911fb9))
---
# v1.3.1

## Documentation Updates
* docs: add environment variable examples (#38) (Tim Arenz)([1b323ac](https://github.com/lacework/lw-scanner-action/commit/1b323ac458f26d9904779c4e4c437d0465722029))
## Other Changes
* ci: update commit message version-bump.sh (#44) (Salim Afiune)([4fc19f6](https://github.com/lacework/lw-scanner-action/commit/4fc19f678329b9dbce5b44a4c63b233d8cf05b64))
* ci: fix scripts/version-bump.sh (#43) (Salim Afiune)([6cdd7e6](https://github.com/lacework/lw-scanner-action/commit/6cdd7e604bbf326995d1efbdde0a6eee68075353))
* ci: fix scripts/version-bump.sh (#41) (Salim Afiune)([2dd82a4](https://github.com/lacework/lw-scanner-action/commit/2dd82a4b014047f97f37f69525af86f114d983fe))
* ci: fix scripts/version-bump.sh (#40) (Salim Afiune)([e4c98c4](https://github.com/lacework/lw-scanner-action/commit/e4c98c4fd4fc975545daaca5cb02b3b9089421eb))
* ci: add version-bump.sh script (#39) (Salim Afiune)([65fb0c3](https://github.com/lacework/lw-scanner-action/commit/65fb0c3ae62e4461123ae112cf918f5808c9ee50))
* ci: version bump to v1.3.1-dev (Lacework)([775290a](https://github.com/lacework/lw-scanner-action/commit/775290ae24b50b50f380066f9a5edb79f7079f42))
---
# v1.3.0

## Features
* feat(cli): add option to specify additional parameters for the lacework scanner cli (#34) (Stephan Stiefel)([4daf846](https://github.com/lacework/lw-scanner-action/commit/4daf846889a3c74416763bfd16e8b0fa340ae54f))
## Other Changes
* chore: fix vulnerabilities typo in README.md (#31) (Noah Kreiger)([6d4a629](https://github.com/lacework/lw-scanner-action/commit/6d4a62968864ed50af4190288febf4a878fe1a70))
* ci: version bump to v1.2.1-dev (Lacework)([7747b15](https://github.com/lacework/lw-scanner-action/commit/7747b15e5811afb0d1dd2bc27c672f256875663e))
---
# v1.2.0

## Features
* feat: add new output options and use as default (Tim Arenz)([9edcf8f](https://github.com/lacework/lw-scanner-action/commit/9edcf8f49c0706dbd98698b063c9708d924dcc13))
## Bug Fixes
* fix: set debug default value and align with comon naming schema (Tim Arenz)([30ee752](https://github.com/lacework/lw-scanner-action/commit/30ee752b796a59a83ba9160110aa9c0fdd22a600))
## Other Changes
* chore: update scanner version to 0.10.1 (Tim Arenz)([5b10068](https://github.com/lacework/lw-scanner-action/commit/5b10068d63f7bc5b1f6b31921e4bb596fed5e716))
* ci: use v3 actions (Tim Arenz)([f8f0fdb](https://github.com/lacework/lw-scanner-action/commit/f8f0fdb19fcd7af84b407948cb6a5cc99739cad0))
* ci: clean up test-actions and use prebuilt image in all jobs (Tim Arenz)([b6a58a0](https://github.com/lacework/lw-scanner-action/commit/b6a58a07f0dc317708a90c646d4cdc5d7699791b))
* ci: version bump to v1.1.2-dev (Lacework)([9427c17](https://github.com/lacework/lw-scanner-action/commit/9427c17df21995fc2768c3de8b9826bb959fe17a))
---
# v1.1.1

## Bug Fixes
* fix: release script (#24) (Salim Afiune)([e0adb9c](https://github.com/lacework/lw-scanner-action/commit/e0adb9c68866d6ee48789bea1a11f963b9749a8d))
* fix: change debug to argument instead of variable (#20) (Andre Elizondo)([3393a74](https://github.com/lacework/lw-scanner-action/commit/3393a74db7bf16a93f604dbe6b4253e2e68eac4d))
## Other Changes
* ci: fix release script to fint latest version (#22) (Salim Afiune)([4027f36](https://github.com/lacework/lw-scanner-action/commit/4027f36074bb294f0b61d4ccf674feb6bf34fdb8))
* ci: fix bug that avoids automatic version bump (Salim Afiune Maya)([9eb8578](https://github.com/lacework/lw-scanner-action/commit/9eb85783118bea3bd4b35e3a7858d27e71685c0c))
* ci: version bump to v1.1.1 (Salim Afiune Maya)([0657580](https://github.com/lacework/lw-scanner-action/commit/0657580f91858b945652b6c1752f77d16746abe9))
---
# v1.1.0

## Features
* feat: add debug option to scanner definition (#17) (Andre Elizondo)([0362a01](https://github.com/lacework/lw-scanner-action/commit/0362a01f29d1941114ab915eccb296c1cd249c69))
## Refactor
* refactor(v1.0.0): Use native policies from the platform (#9) (Salim Afiune)([3fc0763](https://github.com/lacework/lw-scanner-action/commit/3fc076363453880f21ef59b0a7a2f83f124e0ab2))
## Other Changes
* chore: update scanner version to 0.7.0 (#15) (Tim Arenz)([3826818](https://github.com/lacework/lw-scanner-action/commit/382681814f446aa932ff4247ca0d871ea1e8cf4d))
* chore: update README.md (#12) (Salim Afiune)([4d3222d](https://github.com/lacework/lw-scanner-action/commit/4d3222d9895a5aca6412a2919c1b8d3a48467dd0))
* ci: fix test-action job (#13) (Salim Afiune)([315fc0b](https://github.com/lacework/lw-scanner-action/commit/315fc0bcbbdeac239783afe93fa44af4d3af54da))
* ci: version bump to v0.7.2-dev (Lacework)([32292e5](https://github.com/lacework/lw-scanner-action/commit/32292e503b37817e7e78a13ad1d66a5668c2446a))
---
# v1.0.1

## Other Changes
* chore: update scanner version to 0.7.0 (#15) (Tim Arenz)([3826818](https://github.com/lacework/lw-scanner-action/commit/382681814f446aa932ff4247ca0d871ea1e8cf4d))
* chore: update README.md (#12) (Salim Afiune)([4d3222d](https://github.com/lacework/lw-scanner-action/commit/4d3222d9895a5aca6412a2919c1b8d3a48467dd0))
* ci: fix test-action job (#13) (Salim Afiune)([315fc0b](https://github.com/lacework/lw-scanner-action/commit/315fc0bcbbdeac239783afe93fa44af4d3af54da))
---
# v1.0.0

## Refactor
* refactor(v1.0.0): Use native policies from the platform (#9) (Salim Afiune)([3fc0763](https://github.com/lacework/lw-scanner-action/commit/3fc076363453880f21ef59b0a7a2f83f124e0ab2))
## Other Changes
* ci: version bump to v0.7.2-dev (Lacework)([32292e5](https://github.com/lacework/lw-scanner-action/commit/32292e503b37817e7e78a13ad1d66a5668c2446a))
---
# v0.7.1

## Bug Fixes
* fix(jq): binary missing and logic corrections (#7) (Tim Arenz)([0c6d283](https://github.com/lacework/lw-scanner-action/commit/0c6d283089626713a4c86decae2793183fd84803))
## Other Changes
* ci: version bump to v0.7.1-dev (Lacework)([a49f3c8](https://github.com/lacework/lw-scanner-action/commit/a49f3c85912e285410771cbbb5fcfdd4552009bf))
---
# v0.7.0

## Refactor
* refactor: update lw-scanner docker image (Salim Afiune Maya)([44a662b](https://github.com/lacework/lw-scanner-action/commit/44a662bcc4af2069129ec00ea3a2f0852b666002))
## Other Changes
* chore: add release tooling to project (ipcrm)([ec203ad](https://github.com/lacework/lw-scanner-action/commit/ec203adfa2ec16b4768832ba6b3579b39b2721af))
* chore(docs): update documentation and reorg after org move (ipcrm)([8a11419](https://github.com/lacework/lw-scanner-action/commit/8a114198c7278d6f4f999ecdb4d0dd559c9e194c))
* ci: init RELEASE_NOTES.md (#6) (Salim Afiune)([6c01578](https://github.com/lacework/lw-scanner-action/commit/6c0157810ac82ab8a73890e7db96d645aa1169b2))
* ci: add nightly builds (Salim Afiune Maya)([e5b0c8d](https://github.com/lacework/lw-scanner-action/commit/e5b0c8d1f9ac0b5418ac23b53e49999bf6ff96f1))
---
# v0.6.0
## Features
## Other Changes
* Update lw-scanner to version 0.2.5
* Change logic around scanning non-OS packages by default
---

# v0.5.1
## Bug Fixes
* Reintroduce fail only if fixable vulnerabilities found
## Other Changes
* Update to action description
---

# v0.5.0
## Features
* Changed variables and how this action works to make the user experience consistent across different CI platforms like Bitbucket, GitHub Actions, CircleCI, etc.
* Changed exit codes: the action will fail with exit code 1 regardless of the severity of the vulnerability / policy.
* Fix evaluation of found vulnerabilities as the JSON schema changed.
* Remove option to only fail if fixable; as of today it is not mapped to a specific severity. If this functionality is required it can be achieved using the new policy feature.
---

# v0.4.0
## Features
* Add support for the Lacework policy management feature (beta). To enable, set the `use_policy` parameter to `true`. As a result all `fail_...` parameters will be ignored.
* Added overview of exit codes
## Other Changes
* Updated Lacework Scanner to version [0.2.2](https://github.com/lacework/lacework-vulnerability-scanner/releases/tag/v0.2.2)
---

# v0.3.1
## Other Changes
* Updated Lacework Scanner to version [0.2.1](https://github.com/lacework/lacework-vulnerability-scanner/releases/tag/v0.2.1)
---

# v0.3.0
## Features
* Added option to change the HTML report file name: `html_report_file_name`
## Breaking changes
* Arguments `scan_library_packages` and `save_results_in_lacework` are deprecated and have been replaced with the official environment variables `LW_SCANNER_SCAN_LIBRARY_PACKAGES` and `LW_SCANNER_SAVE_RESULTS`.
* `save_build_report` argument name changed to `save_html_report`
---
--------------------------------------------------------------------------------
