Closed markbaird closed 4 months ago
Hello @markbaird thank you for reaching out. I just wanted to confirm receipt and let you know that we are investigating your issue and will report back.
@markbaird thank you for your feedback. I can see how not showing a vulnerability table in this case causes friction. I also see value in showing a vulnerability summary table with zero vulnerabilities present. We are presently working on a fix and will get back to you when we have pertinent updates.
@bluesentinelsec thanks for the quick response!
@markbaird we have deployed a new release (v1.1.1) to restore the vulnerability summary table when zero vulnerabilities are present.
Please update your workflow to point to this release, i.e.:
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.1
You can see an example report here:
Code changes are here:
Please feel free to reach out if you have follow-on questions or comments.
Thank you for the extremely quick turnaround! This looks great!
Description
In version 1.0, as long as display_vuln_findings == "enabled" was set, you would get the markdown output in the GitHub Actions summary page. With version 1.1 that no longer happens unless there is a vulnerability found. This means that you can't quickly glance at the Actions summary page to see if you have zero vulnerabilities, because now you simply get a misleading blank summary page that makes you question if you even have the summary output enabled.
Expected Behavior
Always send the markdown output to the GitHub Actions summary page when display_vuln_findings == "enabled" is set. Get a nice table of 0 vulnerabilities found when you have no vulnerabilities.
Actual Behavior
An empty GitHub summary page that doesn't even indicate that the vulnerability scan was performed.
Steps to Reproduce
Set display_vuln_findings == "enabled" and run against anything that has no vulnerabilities.
Other Information
This change appears to be because orchestrator.py in version 1.0 had this condition on line 338:
The corresponding code in version 1.1 of orchestrator.py is now on line 426 and it has an additional condition:
I think this behavior is a step backwards. Instead of being able to point to an Actions summary page and show that I am getting zero vulnerabilities from the scan, as I could before, I now have to click down into the action run log, and find the actual console output from the Inspector step in order to demonstrate to concerned parties that I have a build with zero vulnerabilities reported.
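The two gating behaviours discussed in this issue, side by side, as an added Python example; it is not the action's own orchestrator.py code, and the names Finding, render_summary, render_summary_gated_on_findings and write_step_summary are assumed for illustration, with a constructed sample finding.

```python
import os
from dataclasses import dataclass


@dataclass
class Finding:
    package: str
    vuln_id: str
    severity: str


def render_summary(findings, display_enabled):
    """Markdown for the Actions summary page.

    Returns an empty string only when display is disabled. A scan with
    zero findings still produces a table, so the page proves a scan ran.
    """
    if not display_enabled:
        return ""
    lines = [
        "## Vulnerability scan summary",
        "",
        f"**{len(findings)} vulnerabilities found**",
        "",
        "| Package | Vulnerability | Severity |",
        "|---|---|---|",
    ]
    for f in findings:
        lines.append(f"| {f.package} | {f.vuln_id} | {f.severity} |")
    if not findings:
        lines.append("| (none) | - | - |")  # explicit zero-findings row
    return "\n".join(lines) + "\n"


def render_summary_gated_on_findings(findings, display_enabled):
    """Reproduces the behaviour the issue reports: the extra 'findings
    present' condition means a clean scan writes nothing at all."""
    if not display_enabled or not findings:
        return ""
    return render_summary(findings, display_enabled)


def write_step_summary(markdown, path=None):
    """Append markdown to the file GitHub renders on the run summary page
    (exposed to steps as $GITHUB_STEP_SUMMARY). Returns True if written."""
    path = path or os.environ.get("GITHUB_STEP_SUMMARY")
    if not path or not markdown:
        return False
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(markdown)
    return True
```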