This repository has been archived by the owner on Apr 3, 2024. It is now read-only.

README Improvements #11

Open
wants to merge 6 commits into
base: master
42 changes: 21 additions & 21 deletions README.md
@@ -4,11 +4,12 @@

## Scan your containers with [Deep Security Smart Check](https://www.trendmicro.com/smartcheck).

This project was built by the [Deep Security Smart Check](trendmicro.com/smartcheck) team to help you to scan your containers in your CI/CD pipeline, you can use as a standalone Docker container published in the [Dockerhub](https://hub.docker.com/r/deepsecurity/smartcheck-scan-action) to scan your images. This tool is also used by the [Deep Security Smart Check plugin for Jenkins](https://plugins.jenkins.io/deepsecurity-smartcheck/) and the GitHub Action, that wraps the container published in Dockerhub.
This project was built by the [Deep Security Smart Check](trendmicro.com/smartcheck) team to help you to scan your containers in your CI/CD pipeline. You can use the Smartcheck Scan Action as a standalone Docker container published in [Dockerhub](https://hub.docker.com/r/deepsecurity/smartcheck-scan-action) to scan your images. This tool is also used by the [Deep Security Smart Check plugin for Jenkins](https://plugins.jenkins.io/deepsecurity-smartcheck/) and the GitHub Action, which provides a useful wrapper for the container published in Dockerhub for Github Workflow.

## Requirements

* Have an [Deep Security Smart Check](https://www.trendmicro.com/smartcheck) deployed. [Sign up for free trial now](https://www.trendmicro.com/product_trials/download/index/us/168) if it's not already the case!
* Have [Deep Security Smart Check](https://www.trendmicro.com/smartcheck) deployed. [Sign up now for a free trial](https://www.trendmicro.com/product_trials/download/index/us/168)!

* A container image to scan in any [supported Docker Registry](https://deep-security.github.io/smartcheck-docs/admin_docs/admin.html#supported-registries).

## Usage
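Review bot: the Deep Security Smart Check link in the new intro paragraph still points at `trendmicro.com/smartcheck` without a scheme, so GitHub renders it as a relative link inside the repository; use `https://www.trendmicro.com/smartcheck`, as the heading at the top of the hunk already does. The new sentence also mixes `GitHub Action` and `Github Workflow`; the product spelling is GitHub throughout.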
@@ -18,8 +19,7 @@ Smart Check.

```yml
- name: Deep Security Smart Check
# Be sure to specify the latest version of smartcheck-scan-action
uses: deep-security/smartcheck-scan-action@v1.1.0
uses: deep-security/smartcheck-scan-action@version*
with:
# Mandatory
DSSC_IMAGE_NAME: registryhost/myimage
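Review bot: `uses: deep-security/smartcheck-scan-action@version*` is not a resolvable ref, and because the `# Be sure to specify the latest version of smartcheck-scan-action` comment was dropped at the same time, a reader copying this snippet gets a workflow whose action fails to resolve. Keep a concrete tag (the removed `@v1.1.0`) or an obvious placeholder such as `@<version>` with the comment restored; for a third-party action, pinning to a full commit SHA is the safer choice and worth stating in that comment.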
@@ -74,8 +74,8 @@ be given with `DSSC_IMAGE_NAME`.
```json
'{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}'
```
**PS.: ALWAYS use secrets to expose your credentials!**

**PS.: ALWAYS use secrets to not expose your credentials!**
See [creating a scan][] in the [Deep Security Smart Check API Reference][]
for additional registry credentials options.

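Review bot: fixing the inverted meaning of `**PS.: ALWAYS use secrets to expose your credentials!**` is right, but `to not expose` reads awkwardly; suggest `**PS.: ALWAYS use secrets so that your credentials are not exposed!**`. The moved line now sits directly under the closing fence with no blank line between them, which some renderers run together; add a blank line after the fence. The fence is also tagged `json` while its content is a single-quoted shell string, so the highlighter sees invalid JSON; tag it `sh` or drop the surrounding quotes.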
@@ -181,50 +181,50 @@ jobs:

# AWS Example:
- name: Deep Security Smart Check Scan ECR
# Be sure to specify the latest version of smartcheck-scan-action
uses: deep-security/smartcheck-scan-action@v1.1.0
uses: deep-security/smartcheck-scan-action@version*
with:
DSSC_IMAGE_NAME: myECRrepo/myimage
DSSC_IMAGE_NAME: accountid.dkr.ecr.region.amazonaws.com/myimage
DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }}
DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }}
DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }}
# You will need to generate an access key and secret for your AWS user
DSSC_IMAGE_PULL_AUTH: '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}'
DSSC_IMAGE_PULL_AUTH: '{"aws":{"region":"us-east-1","accessKeyID":"$AWS_ACCESS_KEY_ID" "secretAccessKey":"$AWS_SECRET_ACCESS_KEY"}}'
DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}'
DSSC_INSECURE_SKIP_TLS_VERIFY: true
DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true

# Azure Example:
- name: Deep Security Smart Check Scan ACR
# Be sure to specify the latest version of smartcheck-scan-action
uses: deep-security/smartcheck-scan-action@v1.1.0
uses: deep-security/smartcheck-scan-action@version*
with:
DSSC_IMAGE_NAME: myrepo.azurecr.io/myimage
DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }}
DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }}
DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }}
DSSC_IMAGE_PULL_AUTH: '{"username": "${{ secrets.ACR_USER }}","password": "${{ secrets.ACR_PASSWORD }}"}'
DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true
DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}'
DSSC_INSECURE_SKIP_TLS_VERIFY: true
DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true

- name: Cloud One Container Security Scan GCR
# Be sure to specify the latest version of smartcheck-scan-action
uses: deep-security/smartcheck-scan-action@v1.1.0
# GCP Example:
- name: Deep Security Smart Check Scan GCR
uses: deep-security/smartcheck-scan-action@version*
with:
DSSC_IMAGE_NAME: region.gcr.io/projectname/myimage
DSSC_SMARTCHECK_HOST: ${{ secrets.DSSC_SMARTCHECK_HOST }}
DSSC_SMARTCHECK_USER: ${{ secrets.DSSC_SMARTCHECK_USER }}
DSSC_SMARTCHECK_PASSWORD: ${{ secrets.DSSC_SMARTCHECK_PASSWORD }}
# You will need to generate a JSON service account key in GCP and save it as a secret
DSSC_IMAGE_PULL_AUTH: '{"username": "_json_key", "password": "${{ secrets.GCP_JSON_KEY }}"}'
DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}' DSSC_INSECURE_SKIP_TLS_VERIFY: true
DSSC_IMAGE_PULL_AUTH: '{"username": "_json_token", "password": "${{ secrets.GCP_JSON_KEY }}"}'
DSSC_FINDINGS_THRESHOLD: '{"malware": 100, "vulnerabilities": { "defcon1": 100, "critical": 100, "high": 100 }, "contents": { "defcon1": 100, "critical": 100, "high": 100 }, "checklists": { "defcon1": 100, "critical": 100, "high": 100 }}'
DSSC_INSECURE_SKIP_TLS_VERIFY: true
DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY: true
```
The example above demonstrates how to add a Smartcheck Scan action as a step in your Github Worflow. This can be used to scan an image from a container registry in either Google Container Registry, Microsoft Azure Container Registry or Amazon Elastic Container Registry.
The example above demonstrates how to add a Deep Security Smart Check Scan action as a step in your Github Workflow. This can be used to scan an image from a container registry in either Google Container Registry, Microsoft Azure Container Registry or Amazon Elastic Container Registry.

For Google Container Registry and Microsoft Azure Container Registry, the `username` and `password` required for `DSSC_IMAGE_PULL_AUTH` are the same as the docker login credentials you would use to authenticate to a registry in the provided platform:
- [Google Cloud Platform](https://cloud.google.com/container-registry/docs/advanced-authentication#json-key)
- [Microsoft Azure Web Services](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication)
- [Microsoft Azure](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication)

To authenticate to an Amazon Elastic Container Registry the `DSSC_IMAGE_PULL_AUTH` should be formatted to match the `credentials.aws` object specified in the [Smartcheck API Documentation to create a Scan](https://deep-security.github.io/smartcheck-docs/api/index.html#operation/createScan).

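Review bot: the new AWS `DSSC_IMAGE_PULL_AUTH` value drops the comma between `"accessKeyID":"$AWS_ACCESS_KEY_ID"` and `"secretAccessKey"`, so the example is invalid JSON and the registry credentials will fail to parse; restore `"accessKeyID":"$AWS_ACCESS_KEY_ID","secretAccessKey":"$AWS_SECRET_ACCESS_KEY"` as in the removed line. The GCR example changes the username from `_json_key` to `_json_token`; `_json_key` is the username Google documents for service-account JSON key authentication (the page linked further down even anchors to `#json-key`), so this change breaks the example and should be reverted. Splitting `DSSC_INSECURE_SKIP_TLS_VERIFY: true` onto its own line in the ACR and GCR examples is correct, but all three examples still ship with both `DSSC_INSECURE_SKIP_TLS_VERIFY` and `DSSC_INSECURE_SKIP_REGISTRY_TLS_VERIFY` set to `true`; since these are copy-paste templates, either remove the two keys or comment that they are for lab use only. Finally, `@version*` in the three `uses:` lines is not a resolvable ref; use a concrete tag or a clearly marked placeholder.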
3 changes: 2 additions & 1 deletion action.yml
@@ -1,4 +1,5 @@
name: "Deep Security Smart Check"

name: "Deep Security Smart Check Scan Action"
description: "Scan container images with Deep Security Smart Check."
inputs:
DSSC_IMAGE_NAME:
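Review bot: the empty line inserted before `name:` at the top of action.yml serves no purpose and should be dropped so the file still begins with the `name` key. The new display name `Deep Security Smart Check Scan Action` is fine, but note that `name` in action.yml is what GitHub shows for the action in the Marketplace and in step logs when a step gives no `name:` of its own, so the rename is user-visible.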