v1.4.0 #133
Merged
v1.4.0 #133
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…128) * Change Dockerfile source image to aws-cli * Set WORKDIR back to default value --------- Co-authored-by: Joshua-Grisham_SSCSpace <[email protected]>
cjbaco
approved these changes
Sep 15, 2025
bluesentinelsec
added a commit
that referenced
this pull request
Sep 16, 2025
* replace scanner example (#84) * Write CSV with no vulns (#86) * reproducing issue - test 1 * resolve issue 85 - test 2 * test 3 * test fix --------- Co-authored-by: Michael Long <[email protected]> * testing CSV with no vulns * test against main branch * Write Dockerfile CSV and Markdown on no vulns (#88) Co-authored-by: Michael Long <[email protected]> * Set example workflows to main branch for testing * Display 'no vulns found' for Dockerfiles (#92) Co-authored-by: Michael Long <[email protected]> * Tweak dockerfile report (#93) Co-authored-by: Michael Long <[email protected]> * Omit Dockerfile table on no vulns (#94) Co-authored-by: Michael Long <[email protected]> * Updated workflows to v1.x - testing auto-updates (#96) Co-authored-by: Michael Long <[email protected]> * update README (#97) Co-authored-by: Michael Long <[email protected]> * Extend vulnerability severity providers (#98) * Add severity providers: GHSA, GitLab * Add severity providers: GHSA, GitLab * Add REDHAT_CVE and UBUNTU_CVE providers * rename GHSA to GITHUB --------- Co-authored-by: Michael Long <[email protected]> * Add platform argument for container image scans (#102) * add --platform support for multi-arch containers * test multi-arch images on current branch * test actions against sbomgen 1.5.1-beta * fix --platform parsing error * fix platform parsing bug * test workflows on sbomgen latest (1.5.2) * Validate --platform input * Add more test cases, and revert workflow definitions * fix typo in platform arg --------- Co-authored-by: Michael Long <[email protected]> * Improve severity rating consistency (#112) * fix severity rating mismatch * temporarily add a test workflow * Fix type issue: float provided, expected string * Rename workflow / job name * Add severity comparison logic * Revise severity sorting and selection logic * return default values on error * skip EPSS ratings for severity column * debugging unknown ratings * fix ratings with unknown name * Verify AMAZON_INSPECTOR renders correctly * fix failing test * temporarily disable failing tests * pass unit test: test_parse_inspector_scan_result * pass unit tests * change '-f' to '--failfast' for clarity * Remove unused type cast * refactor csv test * severity is rendered as 'other' not 'unknown' * test build on all actions * normalize dockerfile findings severity rating * debugging dockerfile severity * debugging * Normalize Dockerfile severity 'info' to 'other' * restore test actions * minor comment update * Remove develop workflow * Address PR feedback * test workflows against refactor * handle edge case CVE-2025-22871 * fix missing severity edge case * debugging epss * debugging * fix flawed test * added test case for absent severity rating * revert workflows to v1 --------- Co-authored-by: Michael Long <[email protected]> * v1.3.0 (#123) * Feature request 91 (#115) * FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts * Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts" This reverts commit bc532d4. * FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts * FR-91: Fix unit tests * FR-91: Fix typo in unit tests * Revert "FR-91: Fix typo in unit tests" This reverts commit e645542. * Revert "FR-91: Fix unit tests" This reverts commit f9157c9. * Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts" This reverts commit 812c685. * FR-91: Change orchestrator to only find fixed vulnerabilities if flag show-only-fixed-vulnerabilities is present * FR-91: Fixed missing variable * FR-91: Fixed typo * FR-91: Fixed typo * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * Add unit test for get_vuln_count * Fix unit test for get_vuln_count --------- Co-authored-by: Maria Carolina Conceição <[email protected]> * Clarify license of inspector-sbomgen dependency (#121) Co-authored-by: Michael Long <[email protected]> * [v1.3.0] Only trigger vuln threshold on fixable vulns (#122) * Add --threshold-fixable-only to CLI * implemented business logic * changed 'threshold_fixable_only' from str to bool * Added more test coverage and CLI refinements * debugging failing unit test * test threshold-fixable-only in workflow * test threshold-fixable-only in workflow * debugging CI/CD * debugging CI/CD * debugging * debugging * debugging * debugging * removed debug log showing CLI arguments * add missing argument, fixed_vuln_counts * simplify get_fixed_vuln_counts() return values * refactor return types in get_scan_result() * refactor * refine get_fixed_vuln_counts() * update test_get_fixed_vuln_counts() * testing case sensitivity * revert 'TRUE' to 'true' * use debug log when vuln doesnt have rating * integrate --show-only-fixable-vulns (part 1) * integrate only show fixable vulns * test example workflows * fix CLI input arguments * remove leading '-' character for conditional inclusion * add a no-op CLI arg (workaround) * enable new arguments in workflows * fix failing test * update workflows for prod --------- Co-authored-by: Michael Long <[email protected]> * set workflows to v1.3.0 for burn-in --------- Co-authored-by: CarolMebiom <[email protected]> Co-authored-by: Maria Carolina Conceição <[email protected]> Co-authored-by: Michael Long <[email protected]> * Sync main to v1.3.0 (#126) * Feature request 91 (#115) * FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts * Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts" This reverts commit bc532d4. * FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts * FR-91: Fix unit tests * FR-91: Fix typo in unit tests * Revert "FR-91: Fix typo in unit tests" This reverts commit e645542. * Revert "FR-91: Fix unit tests" This reverts commit f9157c9. * Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts" This reverts commit 812c685. * FR-91: Change orchestrator to only find fixed vulnerabilities if flag show-only-fixed-vulnerabilities is present * FR-91: Fixed missing variable * FR-91: Fixed typo * FR-91: Fixed typo * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * Add unit test for get_vuln_count * Fix unit test for get_vuln_count --------- Co-authored-by: Maria Carolina Conceição <[email protected]> * Clarify license of inspector-sbomgen dependency (#121) Co-authored-by: Michael Long <[email protected]> * [v1.3.0] Only trigger vuln threshold on fixable vulns (#122) * Add --threshold-fixable-only to CLI * implemented business logic * changed 'threshold_fixable_only' from str to bool * Added more test coverage and CLI refinements * debugging failing unit test * test threshold-fixable-only in workflow * test threshold-fixable-only in workflow * debugging CI/CD * debugging CI/CD * debugging * debugging * debugging * debugging * removed debug log showing CLI arguments * add missing argument, fixed_vuln_counts * simplify get_fixed_vuln_counts() return values * refactor return types in get_scan_result() * refactor * refine get_fixed_vuln_counts() * update test_get_fixed_vuln_counts() * testing case sensitivity * revert 'TRUE' to 'true' * use debug log when vuln doesnt have rating * integrate --show-only-fixable-vulns (part 1) * integrate only show fixable vulns * test example workflows * fix CLI input arguments * remove leading '-' character for conditional inclusion * add a no-op CLI arg (workaround) * enable new arguments in workflows * fix failing test * update workflows for prod --------- Co-authored-by: Michael Long <[email protected]> * set workflows to v1.3.0 for burn-in --------- Co-authored-by: CarolMebiom <[email protected]> Co-authored-by: Maria Carolina Conceição <[email protected]> Co-authored-by: Michael Long <[email protected]> * Verify v1 tag works * Verify action against 1.x * v1.4.0 (#133) * Use aws-cli instead of amazonlinux to speed up container build time (#128) * Change Dockerfile source image to aws-cli * Set WORKDIR back to default value --------- Co-authored-by: Joshua-Grisham_SSCSpace <[email protected]> * set workflows to develop for aws-cli runtime tests * add explicit permissions to GitHub Actions workflows (#130) * Measuring installation time (#131) (#132) * measuring installation time * Change workflows to point to v1.4.0 branch --------- Co-authored-by: Joshua Grisham <[email protected]> Co-authored-by: Joshua-Grisham_SSCSpace <[email protected]> --------- Co-authored-by: clueleaf <[email protected]> Co-authored-by: Michael Long <[email protected]> Co-authored-by: CarolMebiom <[email protected]> Co-authored-by: Maria Carolina Conceição <[email protected]> Co-authored-by: Joshua Grisham <[email protected]> Co-authored-by: Joshua-Grisham_SSCSpace <[email protected]>
bluesentinelsec
added a commit
that referenced
this pull request
Sep 24, 2025
* replace scanner example (#84) * Write CSV with no vulns (#86) * reproducing issue - test 1 * resolve issue 85 - test 2 * test 3 * test fix --------- Co-authored-by: Michael Long <[email protected]> * testing CSV with no vulns * test against main branch * Write Dockerfile CSV and Markdown on no vulns (#88) Co-authored-by: Michael Long <[email protected]> * Set example workflows to main branch for testing * Display 'no vulns found' for Dockerfiles (#92) Co-authored-by: Michael Long <[email protected]> * Tweak dockerfile report (#93) Co-authored-by: Michael Long <[email protected]> * Omit Dockerfile table on no vulns (#94) Co-authored-by: Michael Long <[email protected]> * Updated workflows to v1.x - testing auto-updates (#96) Co-authored-by: Michael Long <[email protected]> * update README (#97) Co-authored-by: Michael Long <[email protected]> * Extend vulnerability severity providers (#98) * Add severity providers: GHSA, GitLab * Add severity providers: GHSA, GitLab * Add REDHAT_CVE and UBUNTU_CVE providers * rename GHSA to GITHUB --------- Co-authored-by: Michael Long <[email protected]> * Add platform argument for container image scans (#102) * add --platform support for multi-arch containers * test multi-arch images on current branch * test actions against sbomgen 1.5.1-beta * fix --platform parsing error * fix platform parsing bug * test workflows on sbomgen latest (1.5.2) * Validate --platform input * Add more test cases, and revert workflow definitions * fix typo in platform arg --------- Co-authored-by: Michael Long <[email protected]> * Improve severity rating consistency (#112) * fix severity rating mismatch * temporarily add a test workflow * Fix type issue: float provided, expected string * Rename workflow / job name * Add severity comparison logic * Revise severity sorting and selection logic * return default values on error * skip EPSS ratings for severity column * debugging unknown ratings * fix ratings with unknown name * Verify AMAZON_INSPECTOR renders correctly * fix failing test * temporarily disable failing tests * pass unit test: test_parse_inspector_scan_result * pass unit tests * change '-f' to '--failfast' for clarity * Remove unused type cast * refactor csv test * severity is rendered as 'other' not 'unknown' * test build on all actions * normalize dockerfile findings severity rating * debugging dockerfile severity * debugging * Normalize Dockerfile severity 'info' to 'other' * restore test actions * minor comment update * Remove develop workflow * Address PR feedback * test workflows against refactor * handle edge case CVE-2025-22871 * fix missing severity edge case * debugging epss * debugging * fix flawed test * added test case for absent severity rating * revert workflows to v1 --------- Co-authored-by: Michael Long <[email protected]> * v1.3.0 (#123) * Feature request 91 (#115) * FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts * Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts" This reverts commit bc532d4. * FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts * FR-91: Fix unit tests * FR-91: Fix typo in unit tests * Revert "FR-91: Fix typo in unit tests" This reverts commit e645542. * Revert "FR-91: Fix unit tests" This reverts commit f9157c9. * Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts" This reverts commit 812c685. * FR-91: Change orchestrator to only find fixed vulnerabilities if flag show-only-fixed-vulnerabilities is present * FR-91: Fixed missing variable * FR-91: Fixed typo * FR-91: Fixed typo * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * Add unit test for get_vuln_count * Fix unit test for get_vuln_count --------- Co-authored-by: Maria Carolina Conceição <[email protected]> * Clarify license of inspector-sbomgen dependency (#121) Co-authored-by: Michael Long <[email protected]> * [v1.3.0] Only trigger vuln threshold on fixable vulns (#122) * Add --threshold-fixable-only to CLI * implemented business logic * changed 'threshold_fixable_only' from str to bool * Added more test coverage and CLI refinements * debugging failing unit test * test threshold-fixable-only in workflow * test threshold-fixable-only in workflow * debugging CI/CD * debugging CI/CD * debugging * debugging * debugging * debugging * removed debug log showing CLI arguments * add missing argument, fixed_vuln_counts * simplify get_fixed_vuln_counts() return values * refactor return types in get_scan_result() * refactor * refine get_fixed_vuln_counts() * update test_get_fixed_vuln_counts() * testing case sensitivity * revert 'TRUE' to 'true' * use debug log when vuln doesnt have rating * integrate --show-only-fixable-vulns (part 1) * integrate only show fixable vulns * test example workflows * fix CLI input arguments * remove leading '-' character for conditional inclusion * add a no-op CLI arg (workaround) * enable new arguments in workflows * fix failing test * update workflows for prod --------- Co-authored-by: Michael Long <[email protected]> * set workflows to v1.3.0 for burn-in --------- Co-authored-by: CarolMebiom <[email protected]> Co-authored-by: Maria Carolina Conceição <[email protected]> Co-authored-by: Michael Long <[email protected]> * Sync main to v1.3.0 (#126) * Feature request 91 (#115) * FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts * Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts" This reverts commit bc532d4. * FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts * FR-91: Fix unit tests * FR-91: Fix typo in unit tests * Revert "FR-91: Fix typo in unit tests" This reverts commit e645542. * Revert "FR-91: Fix unit tests" This reverts commit f9157c9. * Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts" This reverts commit 812c685. * FR-91: Change orchestrator to only find fixed vulnerabilities if flag show-only-fixed-vulnerabilities is present * FR-91: Fixed missing variable * FR-91: Fixed typo * FR-91: Fixed typo * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * FR-91: Another fix * Add unit test for get_vuln_count * Fix unit test for get_vuln_count --------- Co-authored-by: Maria Carolina Conceição <[email protected]> * Clarify license of inspector-sbomgen dependency (#121) Co-authored-by: Michael Long <[email protected]> * [v1.3.0] Only trigger vuln threshold on fixable vulns (#122) * Add --threshold-fixable-only to CLI * implemented business logic * changed 'threshold_fixable_only' from str to bool * Added more test coverage and CLI refinements * debugging failing unit test * test threshold-fixable-only in workflow * test threshold-fixable-only in workflow * debugging CI/CD * debugging CI/CD * debugging * debugging * debugging * debugging * removed debug log showing CLI arguments * add missing argument, fixed_vuln_counts * simplify get_fixed_vuln_counts() return values * refactor return types in get_scan_result() * refactor * refine get_fixed_vuln_counts() * update test_get_fixed_vuln_counts() * testing case sensitivity * revert 'TRUE' to 'true' * use debug log when vuln doesnt have rating * integrate --show-only-fixable-vulns (part 1) * integrate only show fixable vulns * test example workflows * fix CLI input arguments * remove leading '-' character for conditional inclusion * add a no-op CLI arg (workaround) * enable new arguments in workflows * fix failing test * update workflows for prod --------- Co-authored-by: Michael Long <[email protected]> * set workflows to v1.3.0 for burn-in --------- Co-authored-by: CarolMebiom <[email protected]> Co-authored-by: Maria Carolina Conceição <[email protected]> Co-authored-by: Michael Long <[email protected]> * Verify v1 tag works * Verify action against 1.x * v1.4.0 (#133) * Use aws-cli instead of amazonlinux to speed up container build time (#128) * Change Dockerfile source image to aws-cli * Set WORKDIR back to default value --------- Co-authored-by: Joshua-Grisham_SSCSpace <[email protected]> * set workflows to develop for aws-cli runtime tests * add explicit permissions to GitHub Actions workflows (#130) * Measuring installation time (#131) (#132) * measuring installation time * Change workflows to point to v1.4.0 branch --------- Co-authored-by: Joshua Grisham <[email protected]> Co-authored-by: Joshua-Grisham_SSCSpace <[email protected]> * (v1.4.1 hotfix) Fix multi-arch container image scanning (#138) * added multi-arch image workflow * disable scan validator * debugging multi arch CICD * added 'platform' argument to action.yml * set action version to investigation branch * test amd64 images * test multi-arch matrix * verify workaround * Add multi-platform validation to prevent regression of platform argument - Add validate_multi_platform_image_support.py script to validate SBOM architecture matches expected platform - Update test_multi_arch_images.yml workflow to validate platform argument is correctly passed through to inspector-sbomgen * re-enable inspector scan validation * remove inspector-scan validator, not applicable * remove boilerplate * test action against multi-arch fix * revert test workflows to v1.4.0 * remove emoji characters from console logs * update workflows to v1.4.1 (#139) * update multi arch test to v1.4.1 (#140) * update version.txt to v1.4.1 --------- Co-authored-by: clueleaf <[email protected]> Co-authored-by: Michael Long <[email protected]> Co-authored-by: CarolMebiom <[email protected]> Co-authored-by: Maria Carolina Conceição <[email protected]> Co-authored-by: Joshua Grisham <[email protected]> Co-authored-by: Joshua-Grisham_SSCSpace <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements performance improvements and security best practices.
Changes Made
⚡ Performance Optimization
• Updated Dockerfile to use
public.ecr.aws/aws-cli/aws-cli:latestbase image instead of building fromamazonlinux:latest• Eliminates need to install Python3 and AWS CLI during build, reducing action installation time by 10-20 seconds
🔒 Security Hardening
• Added explicit permissions blocks to all workflows following principle of least privilege
• Granted only necessary permissions (contents: read, id-token: write, actions: write where needed)
📦 Version Updates
• Updated all workflow references from v1.3.0 to v1.4.0
Files Modified
• 14 workflow files updated with permissions and version bumps
• Dockerfile optimized for faster builds
Benefits
• Faster CI/CD: Reduced action startup time by 10-20 seconds per workflow run
• Enhanced Security: Explicit permission declarations prevent privilege escalation
🙏 Acknowledgments
Special thanks to @joshuagrisham for his contribution from #128 and issue #129.