Sync v1.4.1 to 1.x (#143)

* replace scanner example (#84)

* Write CSV with no vulns (#86)

* reproducing issue - test 1

* resolve issue 85 - test 2

* test 3

* test fix

---------

Co-authored-by: Michael Long <[email protected]>

* testing CSV with no vulns

* test against main branch

* Write Dockerfile CSV and Markdown on no vulns (#88)

Co-authored-by: Michael Long <[email protected]>

* Set example workflows to main branch for testing

* Display 'no vulns found' for Dockerfiles (#92)

Co-authored-by: Michael Long <[email protected]>

* Tweak dockerfile report (#93)

Co-authored-by: Michael Long <[email protected]>

* Omit Dockerfile table on no vulns (#94)

Co-authored-by: Michael Long <[email protected]>

* Updated workflows to v1.x - testing auto-updates (#96)

Co-authored-by: Michael Long <[email protected]>

* update README (#97)

Co-authored-by: Michael Long <[email protected]>

* Extend vulnerability severity providers (#98)

* Add severity providers: GHSA, GitLab

* Add severity providers: GHSA, GitLab

* Add REDHAT_CVE and UBUNTU_CVE providers

* rename GHSA to GITHUB

---------

Co-authored-by: Michael Long <[email protected]>

* Add platform argument for container image scans (#102)

* add --platform support for multi-arch containers

* test multi-arch images on current branch

* test actions against sbomgen 1.5.1-beta

* fix --platform parsing error

* fix platform parsing bug

* test workflows on sbomgen latest (1.5.2)

* Validate --platform input

* Add more test cases, and revert workflow definitions

* fix typo in platform arg

---------

Co-authored-by: Michael Long <[email protected]>

* Improve severity rating consistency (#112)

* fix severity rating mismatch

* temporarily add a test workflow

* Fix type issue: float provided, expected string

* Rename workflow / job name

* Add severity comparison logic

* Revise severity sorting and selection logic

* return default values on error

* skip EPSS ratings for severity column

* debugging unknown ratings

* fix ratings with unknown name

* Verify AMAZON_INSPECTOR renders correctly

* fix failing test

* temporarily disable failing tests

* pass unit test: test_parse_inspector_scan_result

* pass unit tests

* change '-f' to '--failfast' for clarity

* Remove unused type cast

* refactor csv test

* severity is rendered as 'other' not 'unknown'

* test build on all actions

* normalize dockerfile findings severity rating

* debugging dockerfile severity

* debugging

* Normalize Dockerfile severity 'info' to 'other'

* restore test actions

* minor comment update

* Remove develop workflow

* Address PR feedback

* test workflows against refactor

* handle edge case CVE-2025-22871

* fix missing severity edge case

* debugging epss

* debugging

* fix flawed test

* added test case for absent severity rating

* revert workflows to v1

---------

Co-authored-by: Michael Long <[email protected]>

* v1.3.0 (#123)

* Feature request 91 (#115)

* FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts

* Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts"

This reverts commit bc532d4.

* FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts

* FR-91: Fix unit tests

* FR-91: Fix typo in unit tests

* Revert "FR-91: Fix typo in unit tests"

This reverts commit e645542.

* Revert "FR-91: Fix unit tests"

This reverts commit f9157c9.

* Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts"

This reverts commit 812c685.

* FR-91: Change orchestrator to only find fixed vulnerabilities if flag show-only-fixed-vulnerabilities is present

* FR-91: Fixed missing variable

* FR-91: Fixed typo

* FR-91: Fixed typo

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* Add unit test for get_vuln_count

* Fix unit test for get_vuln_count

---------

Co-authored-by: Maria Carolina Conceição <[email protected]>

* Clarify license of inspector-sbomgen dependency (#121)

Co-authored-by: Michael Long <[email protected]>

* [v1.3.0] Only trigger vuln threshold on fixable vulns (#122)

* Add --threshold-fixable-only to CLI

* implemented business logic

* changed 'threshold_fixable_only' from str to bool

* Added more test coverage and CLI refinements

* debugging failing unit test

* test threshold-fixable-only in workflow

* test threshold-fixable-only in workflow

* debugging CI/CD

* debugging CI/CD

* debugging

* debugging

* debugging

* debugging

* removed debug log showing CLI arguments

* add missing argument, fixed_vuln_counts

* simplify get_fixed_vuln_counts() return values

* refactor return types in get_scan_result()

* refactor

* refine get_fixed_vuln_counts()

* update test_get_fixed_vuln_counts()

* testing case sensitivity

* revert 'TRUE' to 'true'

* use debug log when vuln doesnt have rating

* integrate --show-only-fixable-vulns (part 1)

* integrate only show fixable vulns

* test example workflows

* fix CLI input arguments

* remove leading '-' character for conditional inclusion

* add a no-op CLI arg (workaround)

* enable new arguments in workflows

* fix failing test

* update workflows for prod

---------

Co-authored-by: Michael Long <[email protected]>

* set workflows to v1.3.0 for burn-in

---------

Co-authored-by: CarolMebiom <[email protected]>
Co-authored-by: Maria Carolina Conceição <[email protected]>
Co-authored-by: Michael Long <[email protected]>

* Sync main to v1.3.0 (#126)

* Feature request 91 (#115)

* FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts

* Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts"

This reverts commit bc532d4.

* FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts

* FR-91: Fix unit tests

* FR-91: Fix typo in unit tests

* Revert "FR-91: Fix typo in unit tests"

This reverts commit e645542.

* Revert "FR-91: Fix unit tests"

This reverts commit f9157c9.

* Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts"

This reverts commit 812c685.

* FR-91: Change orchestrator to only find fixed vulnerabilities if flag show-only-fixed-vulnerabilities is present

* FR-91: Fixed missing variable

* FR-91: Fixed typo

* FR-91: Fixed typo

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* Add unit test for get_vuln_count

* Fix unit test for get_vuln_count

---------

Co-authored-by: Maria Carolina Conceição <[email protected]>

* Clarify license of inspector-sbomgen dependency (#121)

Co-authored-by: Michael Long <[email protected]>

* [v1.3.0] Only trigger vuln threshold on fixable vulns (#122)

* Add --threshold-fixable-only to CLI

* implemented business logic

* changed 'threshold_fixable_only' from str to bool

* Added more test coverage and CLI refinements

* debugging failing unit test

* test threshold-fixable-only in workflow

* test threshold-fixable-only in workflow

* debugging CI/CD

* debugging CI/CD

* debugging

* debugging

* debugging

* debugging

* removed debug log showing CLI arguments

* add missing argument, fixed_vuln_counts

* simplify get_fixed_vuln_counts() return values

* refactor return types in get_scan_result()

* refactor

* refine get_fixed_vuln_counts()

* update test_get_fixed_vuln_counts()

* testing case sensitivity

* revert 'TRUE' to 'true'

* use debug log when vuln doesnt have rating

* integrate --show-only-fixable-vulns (part 1)

* integrate only show fixable vulns

* test example workflows

* fix CLI input arguments

* remove leading '-' character for conditional inclusion

* add a no-op CLI arg (workaround)

* enable new arguments in workflows

* fix failing test

* update workflows for prod

---------

Co-authored-by: Michael Long <[email protected]>

* set workflows to v1.3.0 for burn-in

---------

Co-authored-by: CarolMebiom <[email protected]>
Co-authored-by: Maria Carolina Conceição <[email protected]>
Co-authored-by: Michael Long <[email protected]>

* Verify v1 tag works

* Verify action against 1.x

* v1.4.0 (#133)

* Use aws-cli instead of amazonlinux to speed up container build time (#128)

* Change Dockerfile source image to aws-cli

* Set WORKDIR back to default value

---------

Co-authored-by: Joshua-Grisham_SSCSpace <[email protected]>

* set workflows to develop for aws-cli runtime tests

* add explicit permissions to GitHub Actions workflows (#130)

* Measuring installation time (#131) (#132)

* measuring installation time

* Change workflows to point to v1.4.0 branch

---------

Co-authored-by: Joshua Grisham <[email protected]>
Co-authored-by: Joshua-Grisham_SSCSpace <[email protected]>

* (v1.4.1 hotfix) Fix multi-arch container image scanning (#138)

* added multi-arch image workflow

* disable scan validator

* debugging multi arch CICD

* added 'platform' argument to action.yml

* set action version to investigation branch

* test amd64 images

* test multi-arch matrix

* verify workaround

* Add multi-platform validation to prevent regression of platform argument

- Add validate_multi_platform_image_support.py script to validate SBOM architecture matches expected platform
- Update test_multi_arch_images.yml workflow to validate platform argument is correctly passed through to inspector-sbomgen

* re-enable inspector scan validation

* remove inspector-scan validator, not applicable

* remove boilerplate

* test action against multi-arch fix

* revert test workflows to v1.4.0

* remove emoji characters from console logs

* update workflows to v1.4.1 (#139)

* update multi arch test to v1.4.1 (#140)

* update version.txt to v1.4.1

---------

Co-authored-by: clueleaf <[email protected]>
Co-authored-by: Michael Long <[email protected]>
Co-authored-by: CarolMebiom <[email protected]>
Co-authored-by: Maria Carolina Conceição <[email protected]>
Co-authored-by: Joshua Grisham <[email protected]>
Co-authored-by: Joshua-Grisham_SSCSpace <[email protected]>

Author: 7 people

.github/workflows/build_scan_container.yml

@@ -52,7 +52,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan built image with Inspector
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         id: inspector
         with:
           artifact_type: 'container'

.github/workflows/example_display_findings.yml

@@ -33,7 +33,7 @@ jobs:
       # modify this block to scan your intended artifact
       - name: Inspector Scan
         id: inspector
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           # change artifact_type to either 'repository', 'container', 'binary', or 'archive'.
           # this example scans a container image

.github/workflows/example_vulnerability_threshold_exceeded.yml

@@ -48,7 +48,7 @@ jobs:
 
       # Inspector scan
       - name: Scan container with Inspector
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         id: inspector
         with:
           artifact_type: 'container' # configure Inspector for scanning a container

.github/workflows/test_archive.yml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Test archive scan
         id: inspector
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           artifact_type: 'archive'
           artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip'

.github/workflows/test_binary.yml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Test binary scan
         id: inspector
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           artifact_type: 'binary'
           artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen'

.github/workflows/test_containers.yml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Test container scan
         id: inspector
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           artifact_type: 'container'
           artifact_path: 'ubuntu:14.04'

.github/workflows/test_dockerfile_vulns.yml

@@ -35,7 +35,7 @@ jobs:
 
       - name: Scan Dockerfiles
         id: inspector
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           artifact_type: 'repository'
           artifact_path: './'

.github/workflows/test_installation.yml

@@ -32,7 +32,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Test Amazon Inspector GitHub Actions plugin
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           artifact_type: 'container'
           artifact_path: 'alpine:latest'

.github/workflows/test_multi_arch_images.yml

@@ -0,0 +1,63 @@
+name: Test Multi-arch images
+
+on:
+  schedule:
+    - cron: '0 */6 * * *' # runs every 6 hours
+  push:
+    branches: #
+      - '*'
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  test_multi_arch:
+    runs-on: ubuntu-latest
+    environment:
+      name: plugin-development
+    strategy:
+      matrix:
+        platform:
+          - "linux/386"
+          - "linux/amd64"
+          - "linux/arm/v5"
+          - "linux/arm/v7"
+          - "linux/arm64/v8"
+          - "linux/ppc64le"
+          - "linux/riscv64"
+          - "linux/s390x"
+
+    steps:
+
+      - name: Checkout this repository
+        uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+
+      - name: Test multi-arch image - ${{ matrix.platform }}
+        id: inspector
+        uses: aws-actions/[email protected]
+        with:
+          artifact_type: 'container'
+          artifact_path: 'debian:trixie'
+          platform: ${{ matrix.platform }}
+          display_vulnerability_findings: "enabled"
+          sbomgen_version: "latest"
+
+      - name: Demonstrate SBOM Output (JSON)
+        run: cat ${{ steps.inspector.outputs.artifact_sbom }}
+
+      - name: Display scan results
+        run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
+
+      - name: Validate multi-arch - ${{ matrix.platform }}
+        run: python3 validator/validate_multi_platform_image_support.py --platform "${{ matrix.platform }}" --sbom "${{ steps.inspector.outputs.artifact_sbom }}"
+
+

.github/workflows/test_no_vulns.yml

@@ -32,7 +32,7 @@ jobs:
 
       - name: Test binary scan
         id: inspector
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           artifact_type: 'binary'
           artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary'