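---
name: "Endor Labs Scan"
description: "Endor Labs repository scan"
author: "Endor Labs"

# Action inputs. GitHub passes every input to the action as a string; the
# `default` values below keep the form the original manifest used.
# Each description is a folded block scalar, so the surrounding quote marks are
# part of the displayed text (kept as the author wrote them).
inputs:
  # Custom arguments to the endorctl binary. See the endorctl documentation for command flags.
  additional_args:
    description: >-
      "Use this to add custom arguments to the endorctl command."

  # Use this to define the base api path.
  api:
    description: >-
      "Set to the Endor Labs API to use."
    default: "https://api.endorlabs.com"

  # Use this to define your api key.
  # Supply it from a repository or organization secret rather than as a literal in the workflow file.
  api_key:
    description: >-
      "Set the API key used to authenticate with Endor Labs."

  # Use this to define your api secret.
  # Supply it from a repository or organization secret rather than as a literal in the workflow file.
  api_secret:
    description: >-
      "Set the secret corresponding to the API key used to authenticate with Endor Labs."

  # Deprecated
  ci_run:
    deprecationMessage: >-
      The `ci_run` option has been deprecated, please use `pr` instead.
    default: true

  # Deprecated
  ci_run_tags:
    deprecationMessage: >-
      The `ci_run_tags` option has been deprecated, please use `tags` instead.

  # User must enable `id-token: write` permissions in their github action.
  # This is the default authentication path; set to `false` when using `api_key`/`api_secret`
  # or `gcp_service_account` instead.
  enable_github_action_token:
    description: >-
      "Set to `false` if you prefer to use another form of authentication over GitHub action OIDC tokens."
    default: true

  # Use this to enable PR comments from endorctl. This is only applicable when a workflow is triggered by a PR.
  enable_pr_comments:
    description: >-
      "Set to `true` to publish new findings as review comments. Must be used together with `pr` and `github_token`.
      Additionally, the `issues: write` and `pull-requests: write` permissions must be set in the workflow."
    default: false

  # Use this to set the endorctl checksum.
  # Pin `endorctl_version` and `endorctl_checksum` together so the action runs a known binary
  # instead of whatever is currently latest. NOTE(review): the download/verification logic lives
  # in dist/index.js — confirm there that the checksum is enforced before the binary is executed.
  endorctl_checksum:
    description: >-
      "Set to the checksum associated with a pinned version of endorctl."

  # Use this to pin the endorctl version.
  endorctl_version:
    description: >-
      "Set to a version of endorctl to pin this specific version for use. Defaults to the latest version."

  # Use this to enable/disable the artifact export. Works only with "json" output type.
  # The artifact name will be "endor-scan" and the json output file name will be "result-<RUN_ID>.json"
  export_scan_result_artifact:
    description: >-
      "Set to `false` to disable the json scan result artifact export."
    default: true

  # Use this to define your gcp service account.
  gcp_service_account:
    description: >-
      "Set the target service account for GCP based authentication. GCP authentication is only enabled if this flag is set.
      Cannot be used with `api_key`."

  # Use this to provide the github token for your repo.
  github_token:
    description: >-
      "Set the token used to authenticate with GitHub. Required if `enable_pr_comments` is set to `true`."

  # Use this for endorctl troubleshooting.
  log_level:
    description: >-
      "Set the endorctl log level, see also `log_verbose`."
    default: "info"

  # Use this for endorctl troubleshooting.
  log_verbose:
    description: >-
      "Set to `true` to enable verbose logging."
    default: false

  # Use this to define your Endor Labs tenant namespace.
  namespace:
    description: >-
      "Set to the namespace of the project that you are working with."
    required: true

  # Use this to save the scan results output to a file instead of printing to the log
  output_file:
    description: >-
      "Set to the name of a file to save results to. File name will be in the `results` output item. Default just writes to STDOUT."
    required: false

  # Use this for PRs.
  pr:
    description: >-
      "Set to `false` to track this scan in Endor Labs as a release, as opposed to
      a point in time policy and finding test for a PR."
    default: true

  # Set the baseline branch to enable action policies to only flag new findings for PRs.
  # Note that the findings are still created, but they will not block the commit unless they are new.
  pr_baseline:
    description: >-
      'Set the baseline branch to enable action policies to only act on new findings.
      Must be used together with `pr`. Example: `pr_baseline: "main"`.'

  # Use this to limit a PR scan to what changed relative to the baseline scan.
  pr_incremental:
    description: >-
      "Set to `true` to only scan files, or packages with dependencies that have changed compared to the baseline scan.
      The GitHub PR ID or PR baseline must be available in order to use this option."
    default: false

  # Use this to control if `time -v` wraps runs.
  run_stats:
    description: >-
      "Set to `true` to report of CPU/RAM/time scan statistics via `time -v`; Linux runners only."
    default: false

  # Use this to export a summary of the findings to a SARIF file.
  sarif_file:
    description: >-
      "Set to a location on your GitHub runner to output the findings in SARIF format."

  # Scan dependencies.
  scan_dependencies:
    description: >-
      "Scan git commits and generate findings for all dependencies."
    default: true

  # Scan container images
  scan_container:
    description: >-
      "Scan a specified container image. The image must be set with `image` and a project can be defined with `project_name`."
    default: false

  # Container scan configuration. Image sets the image to scan and the project name defines the project for the scan.
  image:
    description: >-
      "Specify a container image to scan."
  image_tar:
    description: >-
      "Specify a container image tar file to scan (alternative to `image`)."
  as_ref:
    description: >-
      "Scan container in a persistent context and keep the version."
    default: false
  os_reachability:
    description: >-
      "Enable OS reachability analysis for container scans."
    default: false
  project_name:
    description: >-
      "Specify a project name for a container image scan."
  project_tags:
    description: >-
      "Specify a comma-separated list of user-defined tags to add to the container scan project."
  container_scan_path:
    description: >-
      "Set the path to a valid git repository for container scan context."
    default: "."
  profiling_data_dir:
    description: >-
      "Add a directory containing profiling data to include in the container scan."

  # Scan artifacts or packages (see `scan_path`).
  scan_package:
    description: >-
      "Scan a specified artifact or a package. The path to an artifact must be set with `scan_path`."
    default: false

  # Scan tools.
  scan_tools:
    description: >-
      "Scan source code repository for CI/CD tools."
    default: false

  # Scan all commits for exposed secrets.
  scan_git_logs:
    description: >-
      "Perform a more complete and detailed scan of secrets in the repository history.
      Must be used together with `scan_secrets`."
    default: false

  # Scan github action workflow files
  scan_github_actions:
    description: >-
      "Scan source code repository for github actions used in workflow files to analyze vulnerabilities and malware."
    default: false

  # Source Code Path To Scan.
  scan_path:
    description: >-
      "Set to the path to scan. Defaults to the current working directory."
    default: "."

  # Scan source code for exposed secrets.
  scan_secrets:
    description: >-
      "Scan source code repository and generate findings for secrets. See also `scan_git_logs`."
    default: false

  # Scan source code for SAST.
  scan_sast:
    description: >-
      "Scan source code repository and generate findings for SAST."
    default: false

  # Scan source code for AI models.
  scan_ai_models:
    description: >-
      "Scan source code repository for AI models."
    default: false

  # Set the endorctl output format.
  scan_summary_output_type:
    description: >-
      "Set the desired output format to one of: `table`, `json`, `yaml`, or `summary`."
    default: "json"

  # Use this to provide searchable tags for your scans.
  tags:
    description: >-
      "Specify a list of user-defined tags to add to this scan. Tags can be used to search and filter scans later."

  # bazel configuration
  use_bazel:
    description: >-
      "Enable the usage of Bazel for the scan."
    default: false
  bazel_exclude_targets:
    description: >-
      "Specify a list of Bazel targets to exclude from scan."
  bazel_include_targets:
    description: >-
      "Specify a list of Bazel targets to scan. If `bazel_include_targets` is not set the `bazel_targets_query` value is used to determine which bazel targets to scan."
  bazel_targets_query:
    description: >-
      "Specify a Bazel query to determine which Bazel targets to scan. Ignored if `bazel_include_targets` is set."

  # Scan for phantom dependencies
  phantom_dependencies:
    description: >-
      "Enable phantom dependency analysis to identify dependencies used, but not declared in the manifest file."
    default: false

  # Use this to keep finding-related source code out of stored and displayed results.
  disable_code_snippet_storage:
    description: >-
      "Do not store or display the source code related to a finding."
    default: false

# Runtime: the action is a JavaScript action executed with the Node 24 runner.
runs:
  using: "node24"
  main: "dist/index.js"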