Use this GitHub Action to scan your container images for security issues. Doing so can help you identify and fix software vulnerabilities before your images are deployed.
Parameter | Description | Default | Example |
---|---|---|---|
api-token (Required) | The API token used to communicate with Tenable Cloud Security. Generated in the Tenable Cloud Security Console during initial GitHub Actions setup. | | |
api-url (Required) | The URL of the Tenable Cloud Security API. The API URL varies based on the region in which your Tenable Cloud Security environment is deployed. | https://us.app.ermetic.com/ | |
name (Required) | The container name (alpine:latest / alpine / alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 / f8c20f8bbcb6) | alpine:latest | |
exclude-paths | Exclude specific paths from the scan. | dev/ | |
exclude-vulnerabilities | The vulnerability IDs to exclude from the scan. | CVE-2021-44228 | |
fail-on-min-cvss-score | The minimum CVSS score of detected vulnerabilities that should return an exit code different from 0 and fail the build workflow. If no value is defined, the workflow will not fail. Possible values: any number between 0.0 and 10.0 (including decimal points). | 7.8 | |
fail-on-min-severity | The minimum policy severity that should return an exit code different from 0 and fail the build workflow. If no value is defined, the workflow will not fail. Possible values: information, low, medium, high, critical. | critical | |
logs | Whether to print log messages to the standard workflow output. Log messages include information about the run process of the scanner and debug information, such as the number of files/lines scanned. Possible values: true, false. | false | true |
min-cvss-score | The minimum CVSS score of detected vulnerabilities that you want included in the scan. Possible values: any number between 0.0 and 10.0 (including decimal points). | 5.0 | |
min-severity | The minimum severity of Tenable Workload Protection policies that you want included in the scan. Possible values: information, low, medium, high, critical. | information | medium |
output-file-formats | The format(s) of the report output file(s) that will be exported. Possible values: cyclonedx, json, junit, md. | json,csv | |
output-file-name | The name of the report output file(s) that will be exported. If multiple formats are selected, all files will have the same name. | results | results |
output-junit-test-name-prefix | Prefix for the JUnit test output name. Used to create a first-level hierarchy in test results. Can be used when junit is defined as an output file format. | Scan1 | |
output-path | The export path for the report output file(s). | results/ | |
registry-password | The password for your container registry. | | |
registry-username | The username for your container registry. | | |
silent | Whether to print scan result content to the standard workflow output. Scan result output contains detailed information about issues found during scanning. Independent of logs. Possible values: true, false. | false | true |
summary | Whether to print the summary output at the end of the pipeline step execution. Possible values: true, false. | true | false |
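A complete workflow that wires these parameters together, added here as an example rather than taken from the page or from Tenable's own documentation. `ORG/ACTION-NAME@VERSION` is a placeholder for the action reference, which the page does not give; the secret names `TENABLE_CS_API_TOKEN`, `REGISTRY_USERNAME` and `REGISTRY_PASSWORD` are names chosen for this example; and the workflow assumes the action can scan an image built earlier in the same job (the page lists a bare image ID as an accepted `name` form).

```yaml
# Added example workflow (not from the page or from Tenable): build an image in CI,
# scan it, fail the job on high-risk findings, and keep the report as an artifact.
name: container-scan

on:
  pull_request:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Scan image with Tenable Cloud Security
        # ORG/ACTION-NAME@VERSION is a placeholder: use the action reference shown in
        # the Tenable Cloud Security console during GitHub Actions setup.
        uses: ORG/ACTION-NAME@VERSION
        with:
          # The token comes from a repository/organization secret, never from the workflow file.
          api-token: ${{ secrets.TENABLE_CS_API_TOKEN }}
          # Region-specific; replace with the API URL of your own deployment.
          api-url: https://us.app.ermetic.com/
          name: myapp:${{ github.sha }}
          # Registry credentials are only needed when the image must be pulled from a private registry.
          registry-username: ${{ secrets.REGISTRY_USERNAME }}
          registry-password: ${{ secrets.REGISTRY_PASSWORD }}
          # Keep test fixtures out of the results, but report everything from CVSS 4.0 upward.
          exclude-paths: test/
          min-cvss-score: 4.0
          # Either threshold turns the step's exit code non-zero and blocks the merge/deploy.
          fail-on-min-cvss-score: 7.0
          fail-on-min-severity: high
          # json for machine consumption, junit so findings show up as test results.
          output-file-formats: json,junit
          output-file-name: container-scan
          output-junit-test-name-prefix: myapp
          output-path: scan-results/
          logs: false
          silent: false
          summary: true

      - name: Upload scan report
        # always(): keep the report even when the scan step fails the job.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: container-scan-report
          path: scan-results/
```

The two `fail-on-*` thresholds are what make the scan a gate rather than a log entry: `fail-on-min-cvss-score` keys on the vulnerability's CVSS score, `fail-on-min-severity` on the policy severity, and leaving both unset means the step never fails. `min-cvss-score` is a separate filter on what gets reported at all, so set it lower than the failure threshold if you want medium-risk findings recorded without blocking the build. Uploading `scan-results/` with `if: always()` preserves the evidence for triage in the runs that do fail.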