|
| 1 | +--- |
| 2 | +name: Mend Scan (reusable) |
| 3 | + |
| 4 | +on: |
| 5 | + workflow_call: |
| 6 | + inputs: |
| 7 | + scan-type: |
| 8 | + description: | |
| 9 | + Type of scan to perform. |
| 10 | + Options: |
| 11 | + - 'sast' (or 'code') for Static Application Security Testing (scanning source code) |
| 12 | + - 'sca' (or 'dependencies') for Software Composition Analysis (scanning dependencies) |
| 13 | + - 'image' for Container Image Scanning. Note: This REQUIRES the 'image-list' input to be set. |
| 14 | + required: true |
| 15 | + type: string |
| 16 | + |
| 17 | + mend-app-name: |
| 18 | + description: "Mend Application Name" |
| 19 | + required: true |
| 20 | + type: string |
| 21 | + |
| 22 | + mend-project-name: |
| 23 | + description: "Mend Project Name" |
| 24 | + required: false |
| 25 | + type: string |
| 26 | + |
| 27 | + tags: |
| 28 | + description: "Assign tags to scan and project (comma-separated key:value pairs)" |
| 29 | + required: false |
| 30 | + type: string |
| 31 | + |
| 32 | + sast-source-path: |
| 33 | + description: "Path to the source code to be scanned" |
| 34 | + required: false |
| 35 | + type: string |
| 36 | + default: "." |
| 37 | + |
| 38 | + sast-engines: |
| 39 | + description: | |
| 40 | + **Recommended:** Comma-separated list of SAST engine IDs (e.g., '101,108' for Java and JavaScript). Omit for auto-recognition. |
| 41 | + Useful ones: Ruby(5), C/C++(12), Go(18), Java(101), Python(104), JavaScript(108) |
| 42 | + [See documentation for complete list](https://docs.mend.io/platform/latest/configure-the-mend-cli-for-sast#ConfiguretheMendCLIforSAST-Mend-CLI-SAST-supported-languages-and-engine-IDsMendCLISAST-supportedlanguagesandengineIDs) |
| 43 | + required: false |
| 44 | + type: string |
| 45 | + |
| 46 | + image-list: |
| 47 | + description: | |
| 48 | + List of container images to scan (one per line). |
| 49 | + Required when scan-type is 'image'. |
| 50 | + Example: |
| 51 | + myregistry.io/app:latest |
| 52 | + myregistry.io/api:v1.0 |
| 53 | + required: false |
| 54 | + type: string |
| 55 | + |
| 56 | + secrets: |
| 57 | + MEND_EMAIL: |
| 58 | + description: "Mend user email for authentication" |
| 59 | + required: true |
| 60 | + MEND_USER_KEY: |
| 61 | + description: "Mend user API key for authentication" |
| 62 | + required: true |
| 63 | + |
| 64 | +defaults: |
| 65 | + run: |
| 66 | + # Specify to ensure "pipefail and errexit" are set. |
| 67 | + # Ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defaultsrunshell |
| 68 | + shell: bash |
| 69 | + |
| 70 | +env: |
| 71 | + MEND_APP: ${{ inputs.mend-app-name }} |
| 72 | + MEND_PROJ: ${{ inputs.mend-project-name }} # optional |
| 73 | + MEND_EMAIL: ${{ secrets.MEND_EMAIL }} |
| 74 | + MEND_USER_KEY: ${{ secrets.MEND_USER_KEY }} |
| 75 | + MEND_URL: https://saas-eu.mend.io |
| 76 | + |
| 77 | +jobs: |
| 78 | + prepare-image-matrix: |
| 79 | + if: ${{ inputs.scan-type == 'image' }} |
| 80 | + |
| 81 | + runs-on: ubuntu-latest |
| 82 | + outputs: |
| 83 | + images: ${{ steps.parse.outputs.images }} |
| 84 | + |
| 85 | + steps: |
| 86 | + - name: Parse Image List |
| 87 | + id: parse |
| 88 | + run: | |
| 89 | + images='${{ inputs.image-list }}' |
| 90 | +
|
| 91 | + if [ -z "$images" ]; then |
| 92 | + echo "❌ Error: image-list input is required for image scanning" |
| 93 | + exit 1 |
| 94 | + fi |
| 95 | +
|
| 96 | + # Convert newline-separated list to JSON array |
| 97 | + # Remove comments (lines starting with #), empty lines, and whitespace |
| 98 | + json_array=$(echo "$images" | sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' | jq -R -s -c 'split("\n") | map(select(length > 0))') |
| 99 | +
|
| 100 | + echo "images=$json_array" >> $GITHUB_OUTPUT |
| 101 | + echo "📋 Images to scan: $json_array" |
| 102 | +
|
| 103 | +
|
| 104 | + scan-image: |
| 105 | + if: ${{ inputs.scan-type == 'image' }} |
| 106 | + |
| 107 | + runs-on: ubuntu-latest |
| 108 | + |
| 109 | + env: |
| 110 | + MEND_IMAGE_SCAN_TIMEOUT_TOTAL: "3600" |
| 111 | + MEND_IMAGE_SCAN_RETRIES: "3" |
| 112 | + |
| 113 | + needs: [prepare-image-matrix] |
| 114 | + |
| 115 | + strategy: |
| 116 | + fail-fast: false |
| 117 | + matrix: |
| 118 | + image: ${{ fromJson(needs.prepare-image-matrix.outputs.images) }} |
| 119 | + |
| 120 | + steps: |
| 121 | + - name: Install Mend CLI |
| 122 | + run: | |
| 123 | + if command -v mend &> /dev/null; then |
| 124 | + echo "✅ Mend CLI already installed" |
| 125 | + mend --version |
| 126 | + exit 0 |
| 127 | + fi |
| 128 | +
|
| 129 | + ARCH=$(uname -m) |
| 130 | + case $ARCH in |
| 131 | + x86_64) ARCH="amd64" ;; |
| 132 | + aarch64) ARCH="arm64" ;; |
| 133 | + esac |
| 134 | +
|
| 135 | + CLI_URL="https://downloads.mend.io/cli/linux_${ARCH}/mend" |
| 136 | + curl -fsSL "${CLI_URL}" -o /tmp/mend |
| 137 | + sudo mv /tmp/mend /usr/local/bin/mend |
| 138 | + sudo chmod +x /usr/local/bin/mend |
| 139 | + echo "✅ Mend CLI installed" |
| 140 | + mend --version |
| 141 | +
|
| 142 | + - name: Define Mend Project Name |
| 143 | + if: ${{ env.MEND_PROJ == '' }} |
| 144 | + run: | |
| 145 | + # Replace any forward slashes and colons in the image name with double underscores |
| 146 | + MEND_PROJ=$(echo "${{ matrix.image }}" | sed 's/[\/:]/__/g') |
| 147 | + echo "Normalized Mend Project Name: ${MEND_PROJ}" |
| 148 | + echo "MEND_PROJ=${MEND_PROJ}" >> $GITHUB_ENV |
| 149 | +
|
| 150 | + - name: Run Mend Image Scan |
| 151 | + id: scan |
| 152 | + run: | |
| 153 | + echo "🔍 Scanning image: ${{ matrix.image }}" |
| 154 | +
|
| 155 | + mend_args=( |
| 156 | + "--non-interactive" |
| 157 | + "--scope" "${MEND_APP}//${MEND_PROJ}" |
| 158 | + ) |
| 159 | +
|
| 160 | + if [ -n "${{ inputs.tags }}" ]; then |
| 161 | + mend_args+=("--tags" "${{ inputs.tags }}") |
| 162 | + fi |
| 163 | +
|
| 164 | + echo "Using Mend arguments:" |
| 165 | + for arg in "${mend_args[@]}"; do |
| 166 | + echo " - $arg" |
| 167 | + done |
| 168 | +
|
| 169 | + set +e |
| 170 | + mend image "${mend_args[@]}" "${{ matrix.image }}" |
| 171 | + exit_code=$? |
| 172 | + echo "mend-exit=$exit_code" >> $GITHUB_OUTPUT |
| 173 | +
|
| 174 | + - name: Process Scan Results |
| 175 | + env: |
| 176 | + SCAN_EXIT_CODE: ${{ steps.scan.outputs.mend-exit }} |
| 177 | + run: | |
| 178 | + # Generate GitHub Actions Job Summary |
| 179 | + echo "## 🔍 Mend Image Scan Results" >> $GITHUB_STEP_SUMMARY |
| 180 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 181 | + echo "**Image:** ${{ matrix.image }}" >> $GITHUB_STEP_SUMMARY |
| 182 | + echo "**Application:** ${MEND_APP}" >> $GITHUB_STEP_SUMMARY |
| 183 | + echo "**Project:** ${MEND_PROJ}" >> $GITHUB_STEP_SUMMARY |
| 184 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 185 | +
|
| 186 | + case $SCAN_EXIT_CODE in |
| 187 | + 0) |
| 188 | + echo "### ✅ Success" >> $GITHUB_STEP_SUMMARY |
| 189 | + echo "Image scan completed successfully with no policy violations." >> $GITHUB_STEP_SUMMARY |
| 190 | + ;; |
| 191 | + 1) |
| 192 | + echo "### ❌ Invalid Configuration" >> $GITHUB_STEP_SUMMARY |
| 193 | + echo "An invalid configuration parameter was passed. Check for typos in the parameters." >> $GITHUB_STEP_SUMMARY |
| 194 | + ;; |
| 195 | + 2) |
| 196 | + echo "### ❌ Connection Error" >> $GITHUB_STEP_SUMMARY |
| 197 | + echo "Unable to access the update or license details from the Mend server URL. Check internet connection." >> $GITHUB_STEP_SUMMARY |
| 198 | + ;; |
| 199 | + 9) |
| 200 | + echo "### ⚠️ Policy Violation" >> $GITHUB_STEP_SUMMARY |
| 201 | + echo "Image scan results contain vulnerabilities that contravene the defined policy." >> $GITHUB_STEP_SUMMARY |
| 202 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 203 | + echo "Please review the findings in the Mend platform." >> $GITHUB_STEP_SUMMARY |
| 204 | + ;; |
| 205 | + *) |
| 206 | + echo "### ❌ Error" >> $GITHUB_STEP_SUMMARY |
| 207 | + echo "Image scan failed with exit code: ${SCAN_EXIT_CODE}" >> $GITHUB_STEP_SUMMARY |
| 208 | + ;; |
| 209 | + esac |
| 210 | +
|
| 211 | + exit $SCAN_EXIT_CODE |
0 commit comments