Fix inline scan 2.3 output (#9)

airadier · web-flow · commit f9d15fa418db · 2021-02-17T19:21:38.000+01:00
* fix: change log path to fix output in inline-scan:2.3

* fix: run as same UID to prevent permission issues

* fix: add conclusion to the run check
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -1,7 +1,6 @@
 name: Scan Image
 
 on:
-  push:
   workflow_dispatch:
 
 jobs:
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/index.js b/index.js
@@ -68,7 +68,7 @@ function printOptions(opts) {
 }
 
 function composeFlags(opts) {
-  let dockerFlags = `--rm -v ${process.cwd()}/scan-output:/tmp/sysdig-inline-scan`;
+  let dockerFlags = `--rm -v ${process.cwd()}/scan-output:/tmp/logs -e LOGS_DIR=/tmp/logs`;
   let runFlags = `--sysdig-token=${opts.sysdigSecureToken || ""} --format=JSON`;
 
   if (opts.sysdigSecureURL) {
@@ -95,6 +95,8 @@ function composeFlags(opts) {
 
   if (opts.runAsUser) {
     dockerFlags += ` -u ${opts.runAsUser}`;
+  } else {
+    dockerFlags += ` -u ${process.getuid()}`
   }
 
   if (opts.sysdigSkipTLS) {
@@ -166,8 +168,10 @@ async function processScanResult(result) {
   try {
     report = JSON.parse(result.Output);
   } catch (error) {
-    core.error("Error parsing analysis JSON report: " + error);
+    core.error("Error parsing analysis JSON report: " + error + ". Output was: " + result.output);
+    throw new ExecutionError(result.Output, result.Error);
   }
+
   if (report) {
 
     let vulnerabilities = [];
@@ -208,9 +212,7 @@ async function executeInlineScan(scanImage, dockerFlags, runFlags) {
   let errOutput = '';
 
   fs.mkdirSync("./scan-output", { recursive: true });
-  fs.chmodSync("./scan-output", 0o777);
   fs.closeSync(fs.openSync("./scan-output/info.log", 'w'));
-  fs.chmodSync("./scan-output/info.log", 0o666);
   let tail = new Tail("./scan-output/info.log", { fromBeginning: true, follow: true });
   tail.on("line", function (data) {
     console.log(data);
@@ -401,12 +403,19 @@ async function generateChecks(scanResult, evaluationResults, vulnerabilities) {
     return;
   }
 
+  let conclusion = "success";
+  if (scanResult != "Success") {
+    conclusion = "failure";
+  }
+
   try {
     check_run = await octokit.checks.create({
       owner: github.context.repo.owner,
       repo: github.context.repo.repo,
       name: "Scan results",
       head_sha: github.context.sha,
+      status: "completed",
+      conclusion:  conclusion,
       output: {
         title: "Inline scan results",
         summary: "Scan result is " + scanResult,
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "secure-inline-scan-action",
-  "version": "3.0.0",
+  "version": "3.0.2",
   "description": "This actions performs image analysis on locally built container image and posts the result of the analysis to Sysdig Secure.",
   "main": "index.js",
   "scripts": {
diff --git a/tests/index.test.js b/tests/index.test.js
@@ -104,7 +104,7 @@ describe("docker flags", () => {
     it("uses default docker flags", () => {
         let flags = index.composeFlags({});
         expect(flags.dockerFlags).toMatch(/(^| )--rm($| )/)
-        expect(flags.dockerFlags).toMatch(new RegExp(`(^| )-v ${process.cwd()}/scan-output:/tmp/sysdig-inline-scan($| )`));
+        expect(flags.dockerFlags).toMatch(new RegExp(`(^| )-v ${process.cwd()}/scan-output:/tmp/logs($| )`));
     })
 
     it("mounts the input file", () => {
@@ -304,7 +304,7 @@ describe("process scan results", () => {
             Output: "Some output",
             Error: "Some error"
         };
-        return expect(index.processScanResult(scanResult)).rejects.toThrow(new index.ExecutionError('Some output', "Some error"));
+        return expect(index.processScanResult(scanResult)).rejects.toThrow(new index.ExecutionError('Some output', 'Some error'));
     })
 
     it("handles error on invalid JSON", async () => {
@@ -316,8 +316,7 @@ describe("process scan results", () => {
             Error: ""
         };
 
-        let success = await index.processScanResult(scanResult);
-        expect(success).toBe(true);
+        await expect(index.processScanResult(scanResult)).rejects.toThrow(new index.ExecutionError('invalid JSON', ''));
         expect(core.error).toBeCalledTimes(1);
         expect(core.error.mock.calls[0][0]).toMatch(/Error parsing analysis JSON report/)
     })
@@ -449,7 +448,7 @@ describe("process scan results", () => {
     })
 
     xit("generates SARIF report with gates", async () => {
-
+        //TODO: Gates are not included in SARIF report
     })
 })
 

-Original file line number
+Diff line change
@@ @@ -1,7 +1,6 @@ @@
 name: Scan Image
 on:
 -  push:
   workflow_dispatch:
 jobs:
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "secure-inline-scan-action",`
`3`		`- "version": "3.0.0",`
	`3`	`+ "version": "3.0.2",`
`4`	`4`	`"description": "This actions performs image analysis on locally built container image and posts the result of the analysis to Sysdig Secure.",`
`5`	`5`	`"main": "index.js",`
`6`	`6`	`"scripts": {`