-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
0f2eeb5
commit c9e5ef3
Showing
1 changed file
with
35 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,20 +1,47 @@ | ||
| name: Debricked scan | ||
| name: Debricked SCA | ||
|
|
||
| on: [push] | ||
|
|
||
| jobs: | ||
| vulnerabilities-scan: | ||
| debricked: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| container: | ||
| image: debricked/cli:latest-resolution-debian | ||
| # Choosing the right container image for your scan can be important. | ||
| # All Debricked images are here: https://hub.docker.com/r/debricked/cli | ||
|
|
||
| # Resolution images (contains "resolution" in tag) are bigger, but comes with a lot of pre-installed package managers: | ||
| # Here are the dockerfiles: https://github.com/debricked/cli/tree/main/build/docker | ||
| # This is the easiest way to integrate, but it may be better | ||
| # to run debricked scans in you build images. | ||
|
|
||
| # You can choose between debian and alpine images, where we do alpine by default. | ||
| # We recommend to use debian images for scanning Python projects, as the scanner will not | ||
| # need to compile some common c-based dependencies like pandas. | ||
|
|
||
| steps: | ||
| - name: Run Debricked Scan | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Install Debricked CLI | ||
| run: | | ||
| debricked files find | ||
| debricked scan | ||
| curl -L https://github.com/debricked/cli/releases/latest/download/cli_linux_x86_64.tar.gz | tar -xz debricked | ||
| ./debricked --version | ||
| # Here we run the Debricked CLI, where you have multiple options to configure your scan. | ||
| # The CLI repo can be found here: https://github.com/debricked/cli | ||
| # Docs to CLI: https://portal.debricked.com/debricked-cli-63/debricked-cli-documentation-298 | ||
| # I recommend you to download the CLI and explore the commands (./debricked -h) | ||
| # You can for instanice configure the CLI to: | ||
| # - Not resolve manifest-files | ||
| # - Generate callgraphs | ||
| # - Filter out different paths to be scanned or not scanned with glob patterns | ||
| # - Run resolution, callgraph generation, etc, in separate steps in more complex builds. | ||
|
|
||
| # The base "debricked scan" does all this with sane default values. | ||
| - name: Run Scan | ||
| run: | | ||
| ./debricked scan | ||
| env: | ||
| DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }} | ||
|
|
||
|
|
||
|
|