aws-actions / vulnerability-scan-github-action-for-amazon-inspector

Scan artifacts with Amazon Inspector from GitHub Actions workflows.
https://docs.aws.amazon.com/inspector/
MIT License

No longer displays anything in the GitHub actions summary if no vulnerabilities were found #59

Closed markbaird closed 4 months ago

markbaird commented 4 months ago

Description

In version 1.0 as long as display_vuln_findings == "enabled" was set, you would get the markdown output in the GitHub Actions summary page. With version 1.1 that no longer happens unless there is a vulnerability found. This means that you can't quickly glance at the Actions summary page to see if you have zero vulnerabilities, because now you simply get a misleading blank summary page that makes you question if you even have the summary output enabled.

Expected Behavior

Always send the markdown output to the GitHub Actions summary page when display_vuln_findings == "enabled" is set. Get a nice table of 0 vulnerabilities found when you have no vulnerabilities.

Actual Behavior

An empty GitHub summary page that doesn't even indicate that the vulnerability scan was performed.

Steps to Reproduce

Set display_vuln_findings == "enabled" and run against anything that has no vulnerabilities.

Other Information

This change appears to be because orchestrator.py in version 1.0 had this condition on line 338:

if args.display_vuln_findings == "enabled":

The corresponding code in version 1.1 of orchestrator.py is now on line 426 and it has an additional condition:

if args.display_vuln_findings == "enabled" and total_vulns > 0:

I think this behavior is a step backwards. Instead of being able to point to an Actions summary page and show that I am getting zero vulnerabilities from the scan, as I could before, I now have to click down into the action run log, and find the actual console output from the Inspector step in order to demonstrate to concerned parties that I have a build with zero vulnerabilities reported.
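To make the two gating conditions quoted above concrete, here is an added illustration (not the action's own orchestrator.py, whose internals beyond the quoted lines are not on this page): `require_findings=True` mirrors the v1.1 `and total_vulns > 0` check, `False` mirrors the v1.0 behaviour the issue asks to restore, and the renderer shows that a clean scan can still produce a table. Finding field names and the sample findings are constructed assumptions.

```python
import os
from collections import Counter
from typing import Iterable, Mapping, Optional

SEVERITIES = ("critical", "high", "medium", "low", "other")

# Constructed sample findings; the field names are assumptions, not
# Amazon Inspector's real output schema.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "high", "package": "libexample"},
    {"id": "F-2", "severity": "low", "package": "libdemo"},
    {"id": "F-3", "severity": "high", "package": "libother"},
]


def should_write_summary(display_vuln_findings: str, total_vulns: int,
                         require_findings: bool) -> bool:
    """Gating logic for the step summary.

    require_findings=True reproduces the v1.1 condition quoted in the
    issue, which skips the summary on a clean scan; require_findings=False
    always writes the summary once display is enabled (v1.0 behaviour).
    """
    if display_vuln_findings != "enabled":
        return False
    return total_vulns > 0 if require_findings else True


def render_summary(findings: Iterable[Mapping[str, str]]) -> str:
    """Render a markdown severity table; a clean scan still yields a table."""
    counts = Counter(f.get("severity", "other").lower() for f in findings)
    total = sum(counts.values())
    lines = ["## Amazon Inspector scan summary", "",
             "| Severity | Count |", "|---|---|"]
    lines += [f"| {sev} | {counts.get(sev, 0)} |" for sev in SEVERITIES]
    lines.append(f"| **Total** | **{total}** |")
    if total == 0:
        lines.append("\nScan completed: 0 vulnerabilities found.")
    return "\n".join(lines) + "\n"


def write_step_summary(markdown: str, path: Optional[str] = None) -> bool:
    """Append markdown to GITHUB_STEP_SUMMARY; returns False outside Actions."""
    path = path or os.environ.get("GITHUB_STEP_SUMMARY")
    if not path:
        return False
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(markdown)
    return True
```

Inside a workflow, GitHub sets GITHUB_STEP_SUMMARY to the file whose contents become the job summary, so calling `write_step_summary(render_summary(findings))` whenever `should_write_summary(..., require_findings=False)` is true yields the zero-vulnerability table the issue asks for.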

bluesentinelsec commented 4 months ago

Hello @markbaird thank you for reaching out. I just wanted to confirm receipt and let you know that we are investigating your issue and will report back.

bluesentinelsec commented 4 months ago

@markbaird thank you for your feedback. I can see how not showing a vulnerability table in this case causes friction. I also see value in showing a vulnerability summary table with zero vulnerabilities present. We are presently working on a fix and will get back to you when we have pertinent updates.

markbaird commented 4 months ago

@bluesentinelsec thanks for the quick response!

bluesentinelsec commented 4 months ago

@markbaird we have deployed a new release (v1.1.1) to restore the vulnerability summary table when zero vulnerabilities are present.

Please update your workflow to point to this release, i.e.: uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.1

You can see an example report here:

Code changes are here:

Please feel free to reach out if you have follow-on questions or comments.

markbaird commented 4 months ago

Thank you for the extremely quick turnaround! This looks great!