# Annotation GitHub attached to this run ("Invalid workflow file"):
#   (Line: 94, Col: 13): Unrecognized named-value: 'inputs'. Located at
#   position 1 within expression: inputs.scanner-image
#   — the same message is reported for lines 103, 112, 119, 132, 145 and 163.
# Every one of those lines is a `uses: docker://${{ inputs.scanner-image }}`
# step: the `uses:` key is resolved before any expression context exists, so
# the scanner image cannot be threaded through it as an input.
on:
  workflow_call:
    inputs:
      asset-name:
        description: 'Name of the asset to be scanned'
        type: string
        required: true
      api-url:
        # Base URL of the DevGuard API the scanner talks to.
        type: string
        required: false
        default: 'https://api.devguard.org'
      path:
        description: 'Path to the source code to be scanned'
        type: string
        required: false
        default: '/github/workspace'
      artifact-name:
        description: >-
          The name of the artifact you are building. This is useful when a
          single pipeline builds more than a single artifact like a container
          with a shell inside and one without. If you build a single
          artifact - leave it empty.
        type: string
        required: false
        default: ''
      image-suffix:
        description: >-
          Suffix for the image name. You probably need this if you are
          building multiple images. For example building a <abc>/scanner
          image and a <abc>/web image.
        type: string
        required: false
        default: ''
      should-deploy:
        # Input to determine if the attestation job should run
        description: 'Should the attestation job run'
        type: boolean
        required: false
        default: true
      scanner-image:
        # The scanner both fetches and signs the attestations, so whatever
        # image runs here is trusted with the DevGuard token and the GitHub
        # token. `main-latest` is a mutable tag; callers who want a
        # reproducible trust root should pass an image pinned by digest
        # (`<image>@sha256:<digest>`).
        description: 'The DevGuard scanner image to use.'
        type: string
        required: false
        default: 'ghcr.io/l3montree-dev/devguard/scanner:main-latest'
    secrets:
      devguard-token:
        description: 'DevGuard API token'
        required: true
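jobs:
  attest:
    # Fetches the SBOM, VeX and SARIF results DevGuard holds for this ref,
    # plus the build provenance when build-image produced one, and attests
    # each of them — attached to the container image when build-image also
    # left image-digest/image-tag artifacts, stand-alone otherwise.
    if: inputs.should-deploy
    runs-on: ubuntu-latest
    # NOTE(review): the attest steps sign against ghcr.io with GITHUB_TOKEN,
    # which presumably needs `packages: write` from the calling workflow —
    # confirm, and declare the minimal `permissions:` for this job.
    env:
      # `uses:` cannot take expressions, so the scanner image is launched with
      # `docker run` from `run:` steps instead. Everything the scanner needs
      # is handed over as environment variables rather than interpolated into
      # command lines: `${{ }}` text inside a shell script is a script-injection
      # vector (artifact-name and github.ref_name are attacker-influenced
      # strings), and env values are also what the log masker expects.
      SCANNER_IMAGE: ${{ inputs.scanner-image }}
      DEVGUARD_API_URL: ${{ inputs.api-url }}
      DEVGUARD_ASSET_NAME: ${{ inputs.asset-name }}
      DEVGUARD_TOKEN: ${{ secrets.devguard-token }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Prepare scanner wrapper
        # Runs the configured scanner image the way a `docker://` step would:
        # workspace mounted at /github/workspace and used as working directory,
        # the image's own entrypoint untouched, the step's arguments appended.
        # Only the listed variables cross into the container.
        run: |
          cat > "$RUNNER_TEMP/scanner" <<'EOF'
          #!/usr/bin/env bash
          set -euo pipefail
          exec docker run --rm \
            --volume "$GITHUB_WORKSPACE:/github/workspace" \
            --workdir /github/workspace \
            --env DEVGUARD_API_URL --env DEVGUARD_ASSET_NAME --env DEVGUARD_TOKEN \
            --env GITHUB_REF_NAME --env GITHUB_ACTOR --env GITHUB_TOKEN \
            --env ARTIFACT_NAME --env API_ARTIFACT_NAME \
            "$SCANNER_IMAGE" "$@"
          EOF
          chmod +x "$RUNNER_TEMP/scanner"
      - name: Download image-digest artifact (can be created by build-image)
        uses: actions/download-artifact@v4
        with:
          name: image-digest${{ inputs.image-suffix }}
          path: .
        continue-on-error: true
      - name: Download image-tag artifact (can be created by build-image)
        uses: actions/download-artifact@v4
        with:
          name: image-tag${{ inputs.image-suffix }}
          path: .
        # Paired with image-digest above: the attest steps only read
        # image-tag.txt when image-digest.txt exists, so a missing tag must not
        # fail the job on its own either.
        continue-on-error: true
      # NOTE(review): the two purl downloads below fail the job when the
      # artifact is absent although the next step copes with a missing
      # artifact-purl.txt — confirm whether that hard failure is intended.
      - name: Download artifact purl (can be created by build-image)
        uses: actions/download-artifact@v4
        with:
          name: artifact-purl${{ inputs.image-suffix }}
        if: inputs.artifact-name == ''
      - name: Download safe-artifact (can be created by build-image)
        uses: actions/download-artifact@v4
        with:
          name: artifact-purl-safe${{ inputs.image-suffix }}
        if: inputs.artifact-name == ''
      - name: set artifact-name variable if it is empty
        # Exports ARTIFACT_NAME (human-readable, used for attestation) and
        # API_ARTIFACT_NAME (URL-safe, used inside API paths) for later steps.
        env:
          INPUT_ARTIFACT_NAME: ${{ inputs.artifact-name }}
        run: |
          if [ -z "$INPUT_ARTIFACT_NAME" ] && [ -f artifact-purl.txt ]; then
            artifact_name="$(cat artifact-purl.txt)"
            # For API calls, use safe artifact name if it exists
            if [ -f artifact-purl-safe.txt ]; then
              api_artifact_name="$(cat artifact-purl-safe.txt)"
            else
              api_artifact_name="$artifact_name"
            fi
            echo "Using artifact name from file: $artifact_name"
          else
            artifact_name="$INPUT_ARTIFACT_NAME"
            # make sure to url encode
            api_artifact_name="$(printf '%s' "$INPUT_ARTIFACT_NAME" | jq -s -R -r @uri)"
            echo "Using provided artifact name: $artifact_name"
            echo "Encoded: $api_artifact_name"
          fi
          # Heredoc form of GITHUB_ENV: a value that contains a newline (e.g. a
          # multi-line artifact-purl.txt) cannot smuggle in extra assignments.
          {
            printf '%s\n' "ARTIFACT_NAME<<DEVGUARD_EOF" "$artifact_name" "DEVGUARD_EOF"
            printf '%s\n' "API_ARTIFACT_NAME<<DEVGUARD_EOF" "$api_artifact_name" "DEVGUARD_EOF"
          } >> "$GITHUB_ENV"
      - name: Get SBOM
        run: |
          "$RUNNER_TEMP/scanner" sh -c '
            slug=$(devguard-scanner slug "$GITHUB_REF_NAME") &&
            devguard-scanner curl "$DEVGUARD_API_URL/api/v1/organizations/$DEVGUARD_ASSET_NAME/refs/$slug/artifacts/$API_ARTIFACT_NAME/sbom.json/" --token="$DEVGUARD_TOKEN" > sbom.json
          '
      - name: Get VeX
        run: |
          "$RUNNER_TEMP/scanner" sh -c '
            slug=$(devguard-scanner slug "$GITHUB_REF_NAME") &&
            devguard-scanner curl "$DEVGUARD_API_URL/api/v1/organizations/$DEVGUARD_ASSET_NAME/refs/$slug/artifacts/$API_ARTIFACT_NAME/vex.json/" --token="$DEVGUARD_TOKEN" > vex.json
          '
      - name: Get SAST-Results
        run: |
          "$RUNNER_TEMP/scanner" sh -c '
            slug=$(devguard-scanner slug "$GITHUB_REF_NAME") &&
            devguard-scanner curl "$DEVGUARD_API_URL/api/v1/organizations/$DEVGUARD_ASSET_NAME/refs/$slug/sarif.json" --token="$DEVGUARD_TOKEN" > sarif.json
          '
      # Each attest step binds the predicate to the image (tag@digest) when
      # build-image left an image-digest.txt behind, otherwise to the asset/ref.
      - name: Attest SBOM
        run: |
          "$RUNNER_TEMP/scanner" sh -c '
            if [ -f image-digest.txt ]; then
              devguard-scanner attest -u "$GITHUB_ACTOR" -r ghcr.io -p "$GITHUB_TOKEN" sbom.json --predicateType="https://cyclonedx.org/bom" "$(cat image-tag.txt)@$(cat image-digest.txt)" --token="$DEVGUARD_TOKEN" --apiUrl="$DEVGUARD_API_URL" --assetName="$DEVGUARD_ASSET_NAME" --ref="$GITHUB_REF_NAME" --artifactName="$ARTIFACT_NAME"
            else
              devguard-scanner attest sbom.json --predicateType="https://cyclonedx.org/bom" --token="$DEVGUARD_TOKEN" --apiUrl="$DEVGUARD_API_URL" --assetName="$DEVGUARD_ASSET_NAME" --ref="$GITHUB_REF_NAME" --artifactName="$ARTIFACT_NAME"
            fi
          '
      - name: Attest VeX
        run: |
          "$RUNNER_TEMP/scanner" sh -c '
            if [ -f image-digest.txt ]; then
              devguard-scanner attest -u "$GITHUB_ACTOR" -r ghcr.io -p "$GITHUB_TOKEN" vex.json "$(cat image-tag.txt)@$(cat image-digest.txt)" --token="$DEVGUARD_TOKEN" --predicateType="https://cyclonedx.org/vex" --apiUrl="$DEVGUARD_API_URL" --assetName="$DEVGUARD_ASSET_NAME" --ref="$GITHUB_REF_NAME" --artifactName="$ARTIFACT_NAME"
            else
              devguard-scanner attest vex.json --predicateType="https://cyclonedx.org/vex" --token="$DEVGUARD_TOKEN" --apiUrl="$DEVGUARD_API_URL" --assetName="$DEVGUARD_ASSET_NAME" --ref="$GITHUB_REF_NAME" --artifactName="$ARTIFACT_NAME"
            fi
          '
      - name: Attest SAST-Results
        run: |
          "$RUNNER_TEMP/scanner" sh -c '
            if [ -f image-digest.txt ]; then
              devguard-scanner attest -u "$GITHUB_ACTOR" -r ghcr.io -p "$GITHUB_TOKEN" sarif.json "$(cat image-tag.txt)@$(cat image-digest.txt)" --predicateType="https://www.schemastore.org/schemas/json/sarif-2.1.0.json" --token="$DEVGUARD_TOKEN" --apiUrl="$DEVGUARD_API_URL" --assetName="$DEVGUARD_ASSET_NAME" --ref="$GITHUB_REF_NAME" --artifactName="$ARTIFACT_NAME"
            else
              devguard-scanner attest sarif.json --predicateType="https://www.schemastore.org/schemas/json/sarif-2.1.0.json" --token="$DEVGUARD_TOKEN" --apiUrl="$DEVGUARD_API_URL" --assetName="$DEVGUARD_ASSET_NAME" --ref="$GITHUB_REF_NAME" --artifactName="$ARTIFACT_NAME"
            fi
          '
      # download build-provenance.json if it exists — the download itself must
      # therefore tolerate a missing artifact, matching the attest step below.
      - name: Download build-provenance.json
        uses: actions/download-artifact@v4
        continue-on-error: true
        with:
          name: build${{ inputs.image-suffix }}.provenance.json
      - name: Attest build-provenance.json
        continue-on-error: true
        run: |
          "$RUNNER_TEMP/scanner" sh -c '
            if [ -f image-digest.txt ]; then
              devguard-scanner attest -u "$GITHUB_ACTOR" -r ghcr.io -p "$GITHUB_TOKEN" build.provenance.json "$(cat image-tag.txt)@$(cat image-digest.txt)" --predicateType="https://slsa.dev/provenance/v1" --token="$DEVGUARD_TOKEN" --apiUrl="$DEVGUARD_API_URL" --assetName="$DEVGUARD_ASSET_NAME" --ref="$GITHUB_REF_NAME" --artifactName="$ARTIFACT_NAME"
            else
              devguard-scanner attest build.provenance.json --token="$DEVGUARD_TOKEN" --apiUrl="$DEVGUARD_API_URL" --predicateType="https://slsa.dev/provenance/v1" --assetName="$DEVGUARD_ASSET_NAME" --ref="$GITHUB_REF_NAME" --artifactName="$ARTIFACT_NAME"
            fi
          '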