This action roughly implements this configuration to scan docker images with the Wiz CLI.
- run: docker build --tag myimage .
- uses: freckle/wiz-action@v1
with:
wiz-client-id: ${{ secrets.WIZ_CLIENT_ID }}
wiz-client-secret: ${{ secrets.WIZ_CLIENT_SECRET }}
image: myimage- id: build
uses: docker/build-push-action@v5
with:
tags: ${{ steps.meta.outputs.tags }}
load: true # required so we can scan it
- uses: freckle/wiz-action@v1
with:
wiz-client-id: ${{ secrets.WIZ_CLIENT_ID }}
wiz-client-secret: ${{ secrets.WIZ_CLIENT_SECRET }}
image: ${{ steps.build.outputs.imageid }}
custom-policies: tvm_automation_policyRequired:
wiz-client-id: Wiz Service Account Client Idwiz-client-secret: Wiz Service Account Client Secretimage: The image to scan
Optional:
custom-policies: Custom policies to use (comma-separated).fail: Fail the job if the image violates policy? Default istrue. Note that scan errors will fail the job regardless of this setting.pull: Rundocker pull <image>before scanning? Default isfalse.
scan-id: the Id of the Scan Result report.scan-result: the outcome of the scan, one ofpassed,failed, orerror.
See action.yml for a complete list of inputs and outputs.
This action can fetch the scan results back from the Wiz API and print a nicely formatted Job Summary for you. However, interacting with the Wiz API uses two additional inputs:
wiz-api-endpoint-url: The host API, e.g.https://api.us19.app.wiz.io/graphql.wiz-api-idp: IdP used for the API,auth0orcognito(default). This is only needed if your account hasn't migrated to Cognito yet.
To find these values for yourself, visit this page.
Versioned tags will exist, such as v1.0.0 and v2.1.1. Branches will exist
for each major version, such as v1 or v2 and contain the newest version in
that series.
Given a latest version of v1.0.1,
Is this a new major version?
If yes,
git checkout main
git pull
git checkout -b v2
git tag -s -m v2.0.0 v2.0.0
git push --follow-tagsOtherwise,
git checkout main
git pull
git checkout v1
git merge --ff-only -
git tag -s -m v1.0.2 v1.0.2 # or v1.1.0
git push --follow-tags