sysdiglabs
diff --git a/‎.github/workflows/ci-scan.yaml‎
Lines changed: 52 additions & 0 deletions b/‎.github/workflows/ci-scan.yaml‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 9 additions & 1 deletion b/‎README.md‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎action.yml‎
Lines changed: 3 additions & 0 deletions b/‎action.yml‎
Lines changed: 3 additions & 0 deletions
@@ -180,3 +180,55 @@ jobs:
             echo "Scan failed but it should have succeeded."
             exit 1
           fi
+
+  scan-with-correct-checksum:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Scan with correct checksum
+        id: scan
+        uses: ./
+        with:
+          cli-scanner-version: '1.22.6'
+          cli-scanner-sha256sum: '68ec2fc48c6ad61eba60a2469c5548153700fedab40ac79e34b7baa5f2e86e42'
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: false
+
+      - name: Check that the scan has succeeded
+        run: |
+          if [ "${{ steps.scan.outcome }}" == "success" ]; then
+            echo "Scan succeeded as expected."
+          else
+            echo "Scan failed but it should have succeeded."
+            exit 1
+          fi
+
+  scan-with-incorrect-checksum:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Scan with incorrect checksum
+        id: scan
+        uses: ./
+        continue-on-error: true
+        with:
+          cli-scanner-version: '1.22.6'
+          cli-scanner-sha256sum: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+
+      - name: Check that the scan has failed
+        run: |
+          if [ "${{ steps.scan.outcome }}" == "failure" ]; then
+            echo "Scan failed as expected."
+          else
+            echo "Scan succeeded but it should have failed due to incorrect checksum."
+            exit 1
+          fi
@@ -11,6 +11,7 @@ This action performs analysis on a specific container image and posts the result
 | `cli-scanner-url`            | URL to `sysdig-cli-scanner` binary download. The action will detect the runner OS and architecture. For more info about the Sysdig CLI Scanner download visit [the official documentation](https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner/).                               |                           |
 | `mode`                       | Mode of operation. Can be "vm" or "iac".                                                                                                                                                                                                                                                                                 | `vm`                      |
 | `cli-scanner-version`        | Custom sysdig-cli-scanner version to download. Minimum required version is 1.18.0. Please note that for VM mode the Action has only been tested with the current default version and it is not guaranteed that it will work as expected with other versions.                                                             | `1.22.6`                  |
+| `cli-scanner-sha256sum`      | SHA256 sum of the Sysdig CLI scanner binary to verify the download. If not provided, the action will automatically download the official checksum from Sysdig for verification. The scanner download is always verified.                                                                                             |                           |
 | `registry-user`              | Registry username to authenticate to while pulling the image to scan.                                                                                                                                                                                                                                                    |                           |
 | `registry-password`          | Registry password to authenticate to while pulling the image to scan.                                                                                                                                                                                                                                                    |                           |
 | `stop-on-failed-policy-eval` | Fail the job if the Policy Evaluation is Failed.                                                                                                                                                                                                                                                                         |                           |
@@ -33,7 +34,14 @@ This action performs analysis on a specific container image and posts the result
 | `extra-parameters`           | Additional parameters to be added to the CLI Scanner. Note that these may not be supported with the current Action.                                                                                                                                                                                                      |                           |
 | `recursive`                  | Recursively scan all folders within the folder specified in the iacScanPath.                                                                                                                                                                                                                                             |                           |
 | `minimum-severity`           | Minimum severity to fail when scanning in IaC mode.                                                                                                                                                                                                                                                                      |                           |
-| `iac-scan-path`              | Path to the IaC files to scan.                                                                                                                                                                                                                                                                                           |                           |
+| `iac-scan-path`              | Path to the IaC files to scan.                                                                                                                                                               |                           |
+
+### Checksum Verification
+
+The action always verifies the SHA256 checksum of the `sysdig-cli-scanner` binary to ensure its integrity. This process is handled as follows:
+
+- **When `cli-scanner-sha256sum` is provided:** The downloaded binary is compared against the checksum you specified. The action will fail if they do not match.
+- **When `cli-scanner-sha256sum` is not provided:** The action automatically downloads the official checksum file from Sysdig. The downloaded binary is then compared against this official checksum. The action will fail if they do not match.
 
 ### Filtering Examples
 
 
@@ -8,6 +8,9 @@ inputs:
     description: Custom sysdig-cli-scanner version to download. Oldest supported version is 1.18.0.
     default: "1.22.6"
     required: false
+  cli-scanner-sha256sum:
+    description: 'SHA256 sum of the Sysdig CLI scanner binary to verify the download.'
+    required: false
   registry-user:
     description: Registry username.
     required: false