diff --git a/README.md b/README.md index 580cd6d..250acf7 100644 --- a/README.md +++ b/README.md @@ -4,11 +4,12 @@ ## Scan your containers with [Deep Security Smart Check](https://www.trendmicro.com/smartcheck). -This project was built by the [Deep Security Smart Check](trendmicro.com/smartcheck) team to help you to scan your containers in your CI/CD pipeline, you can use as a standalone Docker container published in the [Dockerhub](https://hub.docker.com/r/deepsecurity/smartcheck-scan-action) to scan your images. This tool is also used by the [Deep Security Smart Check plugin for Jenkins](https://plugins.jenkins.io/deepsecurity-smartcheck/) and the GitHub Action, that wraps the container published in Dockerhub. +This project was built by the [Deep Security Smart Check](trendmicro.com/smartcheck) team to help you to scan your containers in your CI/CD pipeline. You can use the Smartcheck Scan Action as a standalone Docker container published in [Dockerhub](https://hub.docker.com/r/deepsecurity/smartcheck-scan-action) to scan your images. This tool is also used by the [Deep Security Smart Check plugin for Jenkins](https://plugins.jenkins.io/deepsecurity-smartcheck/) and the GitHub Action, which provides a useful wrapper for the container published in Dockerhub for Github Workflow. ## Requirements -* Have an [Deep Security Smart Check](https://www.trendmicro.com/smartcheck) deployed. [Sign up for free trial now](https://www.trendmicro.com/product_trials/download/index/us/168) if it's not already the case! +* Have [Deep Security Smart Check](https://www.trendmicro.com/smartcheck) deployed. [Sign up now for a free trial](https://www.trendmicro.com/product_trials/download/index/us/168)! + * A container image to scan in any [supported Docker Registry](https://deep-security.github.io/smartcheck-docs/admin_docs/admin.html#supported-registries). ## Usage 
@@ -18,8 +19,7 @@ Smart Check. ```yml - name: Deep Security Smart Check - # Be sure to specify the latest version of smartcheck-scan-action - uses: deep-security/smartcheck-scan-action@v1.1.0 + uses: deep-security/smartcheck-scan-action@version* with: # Mandatory DSSC_IMAGE_NAME: registryhost/myimage @@ -74,8 +74,8 @@ be given with `DSSC_IMAGE_NAME`. ```json '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}' ``` - **PS.: ALWAYS use secrets to expose your credentials!** - + **PS.: ALWAYS use secrets to not expose your credentials!** + See [creating a scan][] in the [Deep Security Smart Check API Reference][] for additional registry credentials options. 
@@ -181,50 +181,50 @@ jobs: # AWS Example: - name: Deep Security Smart Check Scan ECR - # Be sure to specify the latest version of smartcheck-scan-action - uses: deep-security/smartcheck-scan-action@v1.1.0 + uses: deep-security/smartcheck-scan-action@version* with: - DSSC_IMAGE_NAME: myECRrepo/myimage + DSSC_IMAGE_NAME: accountid.dkr.ecr.region.amazonaws.com/myimage DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }} DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} # You will need to generate an access key and secret for your AWS user - DSSC_IMAGE_PULL_AUTH: '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}' + DSSC_IMAGE_PULL_AUTH: '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID" "secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}' DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true # Azure Example: - name: Deep Security Smart Check Scan ACR - # Be sure to specify the latest version of smartcheck-scan-action - uses: deep-security/smartcheck-scan-action@v1.1.0 + uses: deep-security/smartcheck-scan-action@version* with: DSSC_IMAGE_NAME: myrepo.azurecr.io/myimage DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }} DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} DSSC_IMAGE_PULL_AUTH: '{"username": "${{ secrets.ACR_USER }}","password": "${{ secrets.ACR_PASSWORD }}"}' - DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, 
"critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true + DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' + DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true - - - name: Cloud One Container Security Scan GCR - # Be sure to specify the latest version of smartcheck-scan-action - uses: deep-security/smartcheck-scan-action@v1.1.0 + + # GCP Example: + - name: Deep Security Smart Check Scan GCR + uses: deep-security/smartcheck-scan-action@version* with: DSSC_IMAGE_NAME: region.gcr.io/projectname/myimage DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }} DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }} DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }} # You will need to generate a JSON service account key in GCP and save it as a secret - DSSC_IMAGE_PULL_AUTH: '{"username": "_json_key", "password": "${{ secrets.GCP_JSON_KEY }}"}' - DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true + DSSC_IMAGE_PULL_AUTH: '{"username": "_json_token", "password": "${{ secrets.GCP_JSON_KEY }}"}' + DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' + DSSC_INSECURE_SKIP_TLS_VERIFY: true DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true ``` -The example above demonstrates how to add a Smartcheck Scan action as a step in your Github Worflow. 
This can be used to scan an image from a container registry in either Google Container Registry, Microsoft Azure Container Registry or Amazon Elastic Container Registry. +The example above demonstrates how to add a Deep Security Smart Check Scan action as a step in your Github Workflow. This can be used to scan an image from a container registry in either Google Container Registry, Microsoft Azure Container Registry or Amazon Elastic Container Registry. For Google Container Registry and Microsoft Azure Container Registry, the `username` and `password` required for `DSSC_IMAGE_PULL_AUTH` are the same as the docker login credentials you would use to authenticate to a registry in the provided platform: - [Google Cloud Platform](https://cloud.google.com/container-registry/docs/advanced-authentication#json-key) -- [Microsoft Azure Web Services](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication) +- [Microsoft Azure](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication) To authenticate to an Amazon Elastic Container Registry the `DSSC_IMAGE_PULL_AUTH` should be formatted to match the `credentials.aws` object specified in the [Smartcheck API Documentation to create a Scan](https://deep-security.github.io/smartcheck-docs/api/index.html#operation/createScan). diff --git a/action.yml b/action.yml index e45906f..ad251aa 100644 --- a/action.yml +++ b/action.yml @@ -1,4 +1,5 @@ -name: "Deep Security Smart Check" + +name: "Deep Security Smart Check Scan Action" description: "Scan container images with Deep Security Smart Check." inputs: DSSC_IMAGE_NAME:
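Review bot (README, hunk `@@ -4,11 +4,12 @@`): the rewritten intro line still links `[Deep Security Smart Check](trendmicro.com/smartcheck)` without a scheme, so Markdown renders it as a relative path under the repository URL; since the sentence is being rewritten anyway, change it to `https://www.trendmicro.com/smartcheck`, matching the heading link directly above it. Minor wording in the same line: "help you to scan" reads better as "help you scan".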
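Review bot (README, hunk `@@ -18,8 +19,7 @@`): `uses: deep-security/smartcheck-scan-action@version*` is not a ref the runner can resolve; `uses:` takes a tag, branch or commit SHA, and a literal `version*` fails at workflow parse time for anyone who copies the snippet. If a placeholder is intended, make it unambiguous (e.g. `@<release-tag>` with a sentence saying to substitute a real release) and keep the removed `# Be sure to specify the latest version of smartcheck-scan-action` guidance, or better, recommend pinning to a full commit SHA so a moved tag cannot silently change what the pipeline runs. The credentials note also reads oddly: "ALWAYS use secrets to not expose your credentials!" would be clearer as "ALWAYS use secrets so your credentials are not exposed!".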
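Review bot (README, hunk `@@ -181,50 +181,50 @@`): the new ECR `DSSC_IMAGE_PULL_AUTH` value drops the comma after `"accessKeyID":"$AWS_ACCESS_KEY_ID"`, so the JSON no longer parses; restore `"accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"` as in the removed line. Two further points in this hunk: the GCR username is changed from `_json_key` to `_json_token`, but `_json_key` is the username Google documents for JSON service-account keys, and the `#json-key` link later in the same hunk still points at that method, so this looks like a regression rather than a fix. The ECR example also reads `$AWS_ACCESS_KEY_ID` / `$AWS_SECRET_ACCESS_KEY` as bare shell-style variables inside a `with:` input, while the ACR and GCR examples use `${{ secrets.* }}`; the GitHub runner does not shell-expand `$VAR` inside `with:` values, so unless the container itself substitutes them they arrive literally. Make the three examples consistent. Finally, all three examples ship with `DSSC_INSECURE_SKIP_TLS_VERIFY: true` and `DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true`; since these blocks are copy-paste templates, consider defaulting them to `false` or adding a comment that they disable certificate verification for both the Smart Check host and the registry and are only appropriate for lab deployments.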
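Review bot (action.yml, hunk `@@ -1,4 +1,5 @@`): the hunk inserts an empty first line ahead of `name:`, which looks accidental; drop it so the file still starts with the `name` key. The rename to "Deep Security Smart Check Scan Action" itself is fine.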