
Commit 41d4b0b

committed
made devguard scanner image configurable
1 parent 6f824ee commit 41d4b0b

11 files changed

Lines changed: 74 additions & 19 deletions

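--- a/.github/workflows/attest.yml
+++ b/.github/workflows/attest.yml
@@ -30,6 +30,11 @@ on:
 type: boolean
 required: false
 default: true
+scanner-image:
+type: string
+required: false
+default: "ghcr.io/l3montree-dev/devguard/scanner:main-latest"
+description: "The DevGuard scanner image to use."
 
 secrets:
 devguard-token:
@@ -86,7 +91,7 @@ jobs:
 fi
 
 - name: Get SBOM
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: >
 sh -c "
@@ -95,7 +100,7 @@ jobs:
 env:
 API_ARTIFACT_NAME: ${{ env.API_ARTIFACT_NAME }}
 - name: Get VeX
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: >
 sh -c "
@@ -104,14 +109,14 @@ jobs:
 env:
 API_ARTIFACT_NAME: ${{ env.API_ARTIFACT_NAME }}
 - name: Get SAST-Results
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: >
 sh -c "
 slug=$(devguard-scanner slug ${{ github.ref_name }}) && devguard-scanner curl '${{ inputs.api-url }}/api/v1/organizations/${{ inputs.asset-name }}/refs/'$slug'/sarif.json' --token='${{ secrets.devguard-token }}' > sarif.json
 "
 - name: Attest SBOM
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: >
 sh -c "
@@ -124,7 +129,7 @@ jobs:
 env:
 ARTIFACT_NAME: ${{ env.ARTIFACT_NAME }}
 - name: Attest VeX
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: >
 sh -c "
@@ -137,7 +142,7 @@ jobs:
 env:
 ARTIFACT_NAME: ${{ env.ARTIFACT_NAME }}
 - name: Attest SAST-Results
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: >
 sh -c "
@@ -155,7 +160,7 @@ jobs:
 with:
 name: build${{ inputs.image-suffix }}.provenance.json
 - name: Attest build-provenance.json
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 continue-on-error: true
 with:
 args: >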
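Review bot: The new `scanner-image` input defaults to the mutable tag `ghcr.io/l3montree-dev/devguard/scanner:main-latest`, and every `uses: docker://${{ inputs.scanner-image }}` step in this section hands `secrets.devguard-token` to whatever image that reference resolves to at run time, so callers of the reusable workflow get no reproducible scanner and nothing in the description tells them to pin. I would extend the description, e.g. `description: "The DevGuard scanner image to run. Prefer a digest-pinned reference (image@sha256:<digest>) so the scanner that receives the DevGuard token is immutable."`. An explicitly passed empty string is, as far as I know, used as-is (the default applies only when the input is omitted) and would render as `uses: docker://`, which fails only once the job runs; if callers are expected to override it, a short validation step or at least a sentence in the description would help. The same input and `uses:` substitution appear in build-image.yml, code-risk-identification.yml, container-scanning.yml, dependency-risk-identification.yml, deploy.yml, iac.yml, secret-scanning.yml, sign.yml and software-composition-analysis.yml, and this note applies to each of them.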

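--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -34,6 +34,11 @@ on:
 type: string
 required: false
 default: ''
+scanner-image:
+type: string
+required: false
+default: "ghcr.io/l3montree-dev/devguard/scanner:main-latest"
+description: "The DevGuard scanner image to use."
 secrets:
 devguard-token:
 description: 'DevGuard API token'
@@ -63,7 +68,7 @@ jobs:
 persist-credentials: false
 - name: In-Toto Provenance record start
 id: in-toto-start
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: devguard-scanner intoto start --step=build --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }}
 continue-on-error: true
@@ -192,7 +197,7 @@ jobs:
 path: image-tag.txt
 
 - name: In-Toto Provenance record stop
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: devguard-scanner intoto stop --step=build --products=image-digest.txt --products=image-tag.txt --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }} --generateSlsaProvenance
 continue-on-error: true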
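Review bot: Both In-Toto steps in this section run the caller-supplied image under `continue-on-error: true`, so a mistyped or unavailable `scanner-image` no longer fails the job — the provenance start/stop records are silently skipped and the build proceeds without them. If that best-effort behaviour is intended it should be stated on the input, e.g. `description: "The DevGuard scanner image to use. Provenance steps are best-effort: an unresolvable image skips them without failing the build."`; otherwise the image could be pulled once in a non-optional step before these run so a bad reference surfaces early. The `In-Toto Provenance run` step in deploy.yml carries the same `continue-on-error: true` and has the same consequence.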

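--- a/.github/workflows/code-risk-identification.yml
+++ b/.github/workflows/code-risk-identification.yml
@@ -24,10 +24,15 @@ on:
 required: false
 default: "https://app.devguard.org"
 description: "The URL of the DevGuard Web UI. This is used to link the results in the DevGuard Web UI."
+scanner-image:
+type: string
+required: false
+default: "ghcr.io/l3montree-dev/devguard/scanner:main-latest"
+description: "The DevGuard scanner image to use."
 secrets:
 devguard-token:
 description: 'DevGuard API token'
-required: true
+required: true
 jobs:
 code-risk-identification:
 runs-on: ubuntu-latest
@@ -46,6 +51,6 @@ jobs:
 if: ${{ inputs.sarif-artifact-name != '' }}
 
 - name: DevGuard Code Risk Identification
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: devguard-scanner sarif ${{ inputs.sarif-file }} --assetName=${{ inputs.asset-name }} --apiUrl=${{ inputs.api-url }} --token="${{ secrets.devguard-token }}" --defaultRef=${{ github.event.repository.default_branch }} --isTag=${{ github.ref_type == 'tag' }} --ref=${{ github.ref_name }} --webUI=${{ inputs.web-ui }}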
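Review bot: The first hunk also replaces the `required: true` line under the `devguard-token` secret with an identical-looking line; in the rendered view the difference is invisible, so presumably only its indentation changed. If that line previously sat at the wrong nesting level the secret was not actually enforced as required before this commit, which deserves a sentence in the commit message since it is unrelated to the scanner-image change and affects callers that omit the token.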

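--- a/.github/workflows/container-scanning.yml
+++ b/.github/workflows/container-scanning.yml
@@ -43,6 +43,11 @@ on:
 type: string
 required: false
 default: ''
+scanner-image:
+type: string
+required: false
+default: "ghcr.io/l3montree-dev/devguard/scanner:main-latest"
+description: "The DevGuard scanner image to use."
 secrets:
 devguard-token:
 description: 'DevGuard API token'
@@ -97,7 +102,7 @@ jobs:
 if: inputs.fetch-image-from-registry == true
 
 - name: DevGuard Container-Scanning
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: devguard-scanner container-scanning --assetName=${{ inputs.asset-name }} --apiUrl=${{ inputs.api-url }} --token="${{ secrets.devguard-token }}" --path=${{ inputs.image-path }} --defaultRef=${{ github.event.repository.default_branch }} --isTag=${{ github.ref_type == 'tag' }} --ref=${{ github.ref_name }} --failOnRisk=${{ inputs.fail-on-risk }} --failOnCVSS=${{ inputs.fail-on-cvss }} --artifactName=${{ env.ARTIFACT_NAME }} --webUI=${{ inputs.web-ui }}
 env: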

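--- a/.github/workflows/dependency-risk-identification.yml
+++ b/.github/workflows/dependency-risk-identification.yml
@@ -39,6 +39,11 @@ on:
 required: false
 default: "critical"
 description: "Fail the workflow if a dependency with this CVSS score or higher is found. Valid values are: none, low, medium, high, critical."
+scanner-image:
+type: string
+required: false
+default: "ghcr.io/l3montree-dev/devguard/scanner:main-latest"
+description: "The DevGuard scanner image to use."
 
 secrets:
 devguard-token:
@@ -63,6 +68,6 @@ jobs:
 if: ${{ inputs.sbom-artifact-name != '' }}
 
 - name: DevGuard Dependency Risk Identification
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: devguard-scanner sbom ${{ inputs.sbom-file }} --assetName=${{ inputs.asset-name }} --apiUrl=${{ inputs.api-url }} --token="${{ secrets.devguard-token }}" --defaultRef=${{ github.event.repository.default_branch }} --isTag=${{ github.ref_type == 'tag' }} --ref=${{ github.ref_name }} --artifactName=${{ inputs.artifact-name }} --webUI=${{ inputs.web-ui }} --failOnRisk=${{ inputs.fail-on-risk }} --failOnCVSS=${{ inputs.fail-on-cvss }}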

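--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -32,6 +32,11 @@ on:
 required: false
 default: ''
 description: "Suffix used to look up build artifacts by name. Defaults to image-suffix when not set."
+scanner-image:
+type: string
+required: false
+default: "ghcr.io/l3montree-dev/devguard/scanner:main-latest"
+description: "The DevGuard scanner image to use."
 
 secrets:
 devguard-token:
@@ -73,7 +78,7 @@ jobs:
 run: echo "DIGEST=$(cat image-digest.txt)" >> $GITHUB_ENV
 
 - name: In-Toto Provenance run
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: devguard-scanner intoto run --step=deploy --materials=image-tag.txt --products=image-tag.txt --products=image-digest.txt --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }} --supplyChainOutputDigest="${{ env.DIGEST }}"
 continue-on-error: true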

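--- a/.github/workflows/iac.yml
+++ b/.github/workflows/iac.yml
@@ -23,6 +23,11 @@ on:
 type: boolean
 required: false
 default: true
+scanner-image:
+type: string
+required: false
+default: "ghcr.io/l3montree-dev/devguard/scanner:main-latest"
+description: "The DevGuard scanner image to use."
 secrets:
 devguard-token:
 description: 'DevGuard API token'
@@ -39,7 +44,7 @@ jobs:
 persist-credentials: false
 fetch-depth: 0
 - name: DevGuard Infrastructure as Code
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 continue-on-error: ${{ inputs.continue-on-open-code-risk }}
 with:
 args: devguard-scanner iac --assetName=${{ inputs.asset-name }} --apiUrl=${{ inputs.api-url }} --token="${{ secrets.devguard-token }}" --path=${{ inputs.path }} --defaultRef=${{ github.event.repository.default_branch }} --isTag=${{ github.ref_type == 'tag' }} --ref=${{ github.ref_name }} --webUI=${{ inputs.web-ui }}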

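--- a/.github/workflows/secret-scanning.yml
+++ b/.github/workflows/secret-scanning.yml
@@ -23,6 +23,11 @@ on:
 type: boolean
 required: false
 default: true
+scanner-image:
+type: string
+required: false
+default: "ghcr.io/l3montree-dev/devguard/scanner:main-latest"
+description: "The DevGuard scanner image to use."
 secrets:
 devguard-token:
 description: 'DevGuard API token'
@@ -40,7 +45,7 @@ jobs:
 persist-credentials: false
 uses: actions/checkout@v4
 - name: DevGuard Secret-Scanning
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 continue-on-error: ${{ inputs.continue-on-open-code-risk }}
 with:
 args: devguard-scanner secret-scanning --assetName=${{ inputs.asset-name }} --apiUrl=${{ inputs.api-url }} --token="${{ secrets.devguard-token }}" --path=${{ inputs.path }} --defaultRef=${{ github.event.repository.default_branch }} --isTag=${{ github.ref_type == 'tag' }} --ref=${{ github.ref_name }} --webUI=${{ inputs.web-ui }}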

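--- a/.github/workflows/sign.yml
+++ b/.github/workflows/sign.yml
@@ -25,6 +25,11 @@ on:
 type: boolean
 required: false
 default: true
+scanner-image:
+type: string
+required: false
+default: "ghcr.io/l3montree-dev/devguard/scanner:main-latest"
+description: "The DevGuard scanner image to use."
 
 secrets:
 devguard-token:
@@ -58,6 +63,6 @@ jobs:
 run: echo "IMAGE_TAG_AND_DIGEST=$(cat image-tag.txt)@$(cat image-digest.txt)" >> $GITHUB_ENV
 
 - name: DevGuard Image-Signing
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: devguard-scanner sign -u ${{ github.actor }} -r ghcr.io -p ${{ secrets.GITHUB_TOKEN }} --token="${{ secrets.devguard-token }}" ${{ env.IMAGE_TAG_AND_DIGEST }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }}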
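Review bot: The `DevGuard Image-Signing` step now runs a caller-chosen image and hands it `-p ${{ secrets.GITHUB_TOKEN }}` for the ghcr.io login alongside `--token="${{ secrets.devguard-token }}"`, so the value of `scanner-image` decides which image receives the registry credential and performs the signing. The input description should say so and steer callers to an immutable reference, e.g. `description: "The DevGuard scanner image to use. It receives GITHUB_TOKEN for registry login and signs the image; pin it by digest (image@sha256:<digest>)."`. The job-level `permissions:` that scope GITHUB_TOKEN are outside the hunk, so I cannot tell from here how much that token can do.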

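--- a/.github/workflows/software-composition-analysis.yml
+++ b/.github/workflows/software-composition-analysis.yml
@@ -32,6 +32,11 @@ on:
 required: false
 default: "source"
 description: "The name of the artifact you are building. This is useful when a single pipeline builds more than a single artifact like a container with a shell inside and one without. If you build a single artifact - leave it empty."
+scanner-image:
+type: string
+required: false
+default: "ghcr.io/l3montree-dev/devguard/scanner:main-latest"
+description: "The DevGuard scanner image to use."
 secrets:
 devguard-token:
 description: 'DevGuard API token'
@@ -47,7 +52,7 @@ jobs:
 persist-credentials: true # we need the credentials to be able to use the devguard-scanner in private repositories
 uses: actions/checkout@v4 # Check out the repository content to the runner
 - name: DevGuard SCA
-uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+uses: docker://${{ inputs.scanner-image }}
 with:
 args: devguard-scanner sca --assetName=${{ inputs.asset-name }} --apiUrl=${{
 inputs.api-url }} --token="${{ secrets.devguard-token }}" --path=${{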
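Review bot: The checkout in this section keeps `persist-credentials: true` (its comment says the scanner needs them for private repositories), so the caller-chosen `scanner-image` also gets the checkout's git credential through the mounted workspace, not only `secrets.devguard-token`. That is a second credential the image reference controls access to, and it is worth stating on the input, e.g. `description: "The DevGuard scanner image to use. It runs with the checked-out repository credentials; pin it by digest (image@sha256:<digest>)."`. The `DevGuard SCA` step's `args:` continue past the end of the hunk.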
