Update inline_scan.sh and include report URL in action output.

Author: airadier

README.md

@@ -10,7 +10,7 @@ This action performs analysis on locally built container image and posts the res
 
 ### `sysdig-secure-token`
 
-**Required** API token for Sysdig Scanning auth. Example: `"924c7ddc-4c09-4d22-bd52-2f7db22f3066"`.
+**Required** API token for Sysdig Scanning auth. Example: `"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"`.
 
 Directly specifying the API token in the action configuration is not recommended. A better approach is to [store it in GitHub secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets), and reference `${{ secrets.MY_SECRET_NAME }}` instead.
 

index.js

@@ -1,13 +1,37 @@
 const core = require('@actions/core');
 const exec = require('@actions/exec');
+const querystring = require("querystring");
 
 (async () => {
+  
   try {
+
     const image_tag = core.getInput('image-tag', {required: true});
     const sysdig_secure_token = core.getInput('sysdig-secure-token', {required: true});
     const sysdig_secure_url = core.getInput('sysdig-secure-url', {required: true});
     const dockerfile_path = core.getInput('dockerfile-path');
     const pull_from_registry = core.getInput('pull-from-registry') == 'true';
+    
+    let image_id = '';
+
+    // Calculate SYSDIG_DIGEST as done in inline_scan.sh
+    const options = {};
+    options.silent = true;
+    options.listeners = {
+      stdout: (data) => {
+        image_id += data.toString();
+      }
+    };
+
+    try {
+      await exec.exec(`docker inspect --format="{{index .RepoDigests 0}}" ${image_tag}`, [], options);
+      image_id = "sha256:" + image_id.split(':')[1];
+    } catch {
+      // Calculate from the output of docker inspect
+      image_id = '';
+      await exec.exec(`bash -c "docker inspect ${image_tag} | sha256sum | awk '{ print $1 }' | tr -d \\"\\n\\""`, [], options);
+      image_id = "sha256:" + image_id;
+    }
 
     let cmd = `${__dirname}/inline_scan.sh analyze -s ${sysdig_secure_url} -k ${sysdig_secure_token}`;
 
@@ -24,9 +48,16 @@ const exec = require('@actions/exec');
 
     cmd += ` ${image_tag}`;
 
-    await exec.exec(cmd);
+    try {
+      await exec.exec(cmd);
+      core.info(`Scan was SUCCESS. Check scan results at ${sysdig_secure_url}/#/scanning/scan-results/localbuild%2F${querystring.escape(image_tag)}/${image_id}`);
+    } catch (error) {
+      core.setFailed(`Scan FAILED. Check scan results at ${sysdig_secure_url}/#/scanning/scan-results/localbuild%2F${querystring.escape(image_tag)}/${image_id}`);
+    }
 
   } catch (error) {
     core.setFailed(error.message);
   }
+  
 })();
+

inline_scan.sh

@@ -27,7 +27,7 @@ POLICY_BUNDLE="./policy_bundle.json"
 TIMEOUT=300
 VOLUME_PATH="/tmp/"
 # Analyzer option variable defaults
-SYSDIG_BASE_SCANNING_URL=''
+SYSDIG_BASE_SCANNING_URL="https://secure.sysdig.com"
 SYSDIG_SCANNING_URL="http://localhost:9040/api/scanning"
 SYSDIG_ANCHORE_URL="http://localhost:9040/api/scanning/v1/anchore"
 SYSDIG_ANNOTATIONS="foo=bar"
@@ -55,22 +55,23 @@ cat << EOF
 
 Sysdig Inline Analyzer --
 
-  Script for performing analysis on local docker images, utilizing the Sysdig analyzer subsystem.
+  Script for performing analysis on local container images, utilizing the Sysdig analyzer subsystem.
   After image is analyzed, the resulting image archive is sent to a remote Sysdig installation
   using the -s <URL> option. This allows inline analysis data to be persisted & utilized for reporting.
 
   Images should be built & tagged locally.
 
-    Usage: ${0##*/} analyze -s <SYSDIG_REMOTE_URL> -k <API Token> [ OPTIONS ] <FULL_IMAGE_TAG>
+    Usage: ${0##*/} analyze -k <API Token> [ OPTIONS ] <FULL_IMAGE_TAG>
 
-      -s <TEXT>  [required] URL to Sysdig Secure URL (ex: -s 'https://secure-sysdig.com')
       -k <TEXT>  [required] API token for Sysdig Scanning auth (ex: -k '924c7ddc-4c09-4d22-bd52-2f7db22f3066')
+      -s <TEXT>  [optional] Sysdig Secure URL (ex: -s 'https://secure-sysdig.svc.cluster.local'). 
+                 If not specified, it will default to Sysdig Secure SaaS URL (https://secure.sysdig.com/).
       -a <TEXT>  [optional] Add annotations (ex: -a 'key=value,key=value')
       -f <PATH>  [optional] Path to Dockerfile (ex: -f ./Dockerfile)
       -i <TEXT>  [optional] Specify image ID used within Sysdig (ex: -i '<64 hex characters>')
       -d <PATH>  [optional] Specify image digest (ex: -d 'sha256:<64 hex characters>')
       -m <PATH>  [optional] Path to Docker image manifest (ex: -m ./manifest.json)
-      -P  [optional] Pull docker image from registry
+      -P  [optional] Pull container image from registry
       -V  [optional] Increase verbosity
 
 EOF
@@ -102,10 +103,10 @@ main() {
 
 get_and_validate_analyzer_options() {
     #Parse options
-    while getopts ':s:k:r:u:p:a:d:f:i:m:t:PgVh' option; do
+    while getopts ':k:s:r:u:p:a:d:f:i:m:t:PgVh' option; do
         case "${option}" in
-            s  ) s_flag=true; SYSDIG_BASE_SCANNING_URL="${OPTARG%%}";;
             k  ) k_flag=true; SYSDIG_API_TOKEN="${OPTARG}";;
+            s  ) s_flag=true; SYSDIG_BASE_SCANNING_URL="${OPTARG%%}";;
             a  ) a_flag=true; SYSDIG_ANNOTATIONS="${OPTARG}";;
             f  ) f_flag=true; DOCKERFILE="${OPTARG}";;
             i  ) i_flag=true; SYSDIG_IMAGE_ID="${OPTARG}";;
@@ -135,10 +136,6 @@ get_and_validate_analyzer_options() {
         printf '\n\t%s\n\n' "ERROR - must specify an image to analyze" >&2
         display_usage_analyzer >&2
         exit 1
-    elif [[ ! "${s_flag:-}" ]]; then
-        printf '\n\t%s\n\n' "ERROR - must provide a Sysdig Secure endpoint" >&2
-        display_usage_analyzer >&2
-        exit 1
     elif [[ "${s_flag:-}" ]] && [[ ! "${k_flag:-}" ]]; then
         printf '\n\t%s\n\n' "ERROR - must provide the Sysdig Secure API token" >&2
         display_usage_analyzer >&2
@@ -464,3 +461,4 @@ cleanup() {
 }
 
 main "$@"
+