Migrating to new container scan command

.licensed.yml

@@ -20,3 +20,4 @@ ignored:
     - chainsaw
     - "@bufbuild/protobuf"
     - "@actions/http-client"
+    - "@protobuf-ts/plugin-framework"

__tests__/utils.test.ts

@@ -57,8 +57,8 @@ describe("utils", () => {
       expect(() =>
         getEndorctlChecksum(
           fakeChecksums,
-          "foo" as unknown as EndorctlAvailableOS,
-          "bar" as unknown as EndorctlAvailableArch
+          "foo" as EndorctlAvailableOS,
+          "bar" as EndorctlAvailableArch
         )
       ).toThrow();
     });

action.yml

@@ -116,15 +116,36 @@ inputs:
   # Scan container images
   scan_container:
     description: >-
-      "Scan a specified container image. The image must be set with `image` and a project can be defined with `project_name`."
+            "Scan a specified container image. The image must be set with `image` and a project can be defined with `project_name`."
     default: false
     # Container scan configuration. Image sets the image to scan and the project name defines the project for the scan.
   image:
     description: >-
       "Specify a container image to scan."
+  image_tar:
+    description: >-
+      "Specify a container image tar file to scan (alternative to `image`)."
+  as_ref:
+    description: >-
+      "Scan container in a persistent context and keep the version."
+    default: false
+  enable_os_reachability:
+    description: >-
+      "Enable OS reachability analysis for container scans."
+    default: false
   project_name:
     description: >-
       "Specify a project name for a container image scan."
+  project_tags:
+    description: >-
+      "Specify a comma-separated list of user-defined tags to add to the container scan project."
+  container_scan_path:
+    description: >-
+      "Set the path to a valid git repository for container scan context."
+    default: "."
+  profiling_data_dir:
+    description: >-
+      "Add a directory containing profiling data to include in the container scan."
   # Scan container images
   scan_package:
     description: >-

dist/index.js

@@ -77204,6 +77204,7 @@ function get_scan_options(options) {
     const PHANTOM_DEPENDENCIES = core.getBooleanInput("phantom_dependencies");
     const SCAN_PROJECT_NAME = core.getInput("project_name");
     const SCAN_IMAGE_NAME = core.getInput("image");
+    const SCAN_IMAGE_TAR = core.getInput("image_tar");
     const SCAN_SAST = core.getBooleanInput("scan_sast");
     const SCAN_AI_MODELS = core.getBooleanInput("scan_ai_models");
     const DISABLE_CODE_SNIPPET_STORAGE = core.getBooleanInput("disable_code_snippet_storage");
@@ -77227,6 +77228,14 @@ function get_scan_options(options) {
         !SCAN_GITHUB_ACTIONS) {
         core.error("At least one of `scan_dependencies`, `scan_secrets`, `scan_tools`, `scan_sast`, `scan_container` or `scan_github_actions` or `scan_package` must be enabled");
     }
+    if (SCAN_CONTAINER) {
+        if (!SCAN_IMAGE_NAME && !SCAN_IMAGE_TAR) {
+            core.error("Either `image` or `image_tar` must be provided when `scan_container` is enabled");
+        }
+        if (SCAN_IMAGE_NAME && SCAN_IMAGE_TAR) {
+            core.error("Cannot provide both `image` and `image_tar` at the same time. Please provide only one");
+        }
+    }
     if (SCAN_CONTAINER && SCAN_DEPENDENCIES) {
         core.error("Container scan and dependency scan cannot be set at the same time");
     }
@@ -77281,12 +77290,6 @@ function get_scan_options(options) {
             options.push(`--ai-models=true`);
         }
     }
-    if (SCAN_CONTAINER) {
-        options.push(`--container=${SCAN_IMAGE_NAME}`);
-        if (SCAN_PROJECT_NAME) {
-            options.push(`--project-name=${SCAN_PROJECT_NAME}`);
-        }
-    }
     if (SCAN_PACKAGE) {
         options.push(`--package=true`);
         if (SCAN_PROJECT_NAME) {
@@ -77434,21 +77437,60 @@ function run() {
             const SCAN_PACKAGE = core.getBooleanInput("scan_package");
             if (SCAN_CONTAINER) {
                 const SCAN_IMAGE_NAME = core.getInput("image");
-                if (!SCAN_IMAGE_NAME) {
-                    core.setFailed("image is required to scan container and must be passed as an input from the workflow via an image parameter");
+                const SCAN_IMAGE_TAR = core.getInput("image_tar");
+                const SCAN_AS_REF = core.getBooleanInput("as_ref");
+                const SCAN_ENABLE_OS_REACHABILITY = core.getBooleanInput("enable_os_reachability");
+                const SCAN_PROJECT_NAME = core.getInput("project_name");
+                const SCAN_PROJECT_TAGS = core.getInput("project_tags");
+                const CONTAINER_SCAN_PATH = core.getInput("container_scan_path");
+                const PROFILING_DATA_DIR = core.getInput("profiling_data_dir");
+                if (!SCAN_IMAGE_NAME && !SCAN_IMAGE_TAR) {
+                    core.setFailed("Either image or image_tar is required to scan container and must be passed as an input from the workflow");
                     return;
                 }
-                core.info(`Scanning container image: ${SCAN_IMAGE_NAME}`);
+                // Use the new 'endorctl container scan' command structure
+                options.unshift(`container`, `scan`);
+                // Add container-specific options
+                if (SCAN_IMAGE_NAME) {
+                    options.push(`--image=${SCAN_IMAGE_NAME}`);
+                    core.info(`Scanning container image: ${SCAN_IMAGE_NAME}`);
+                }
+                if (SCAN_IMAGE_TAR) {
+                    options.push(`--image-tar=${SCAN_IMAGE_TAR}`);
+                    core.info(`Scanning container image tar: ${SCAN_IMAGE_TAR}`);
+                }
+                if (SCAN_AS_REF) {
+                    options.push(`--as-ref=true`);
+                }
+                if (SCAN_ENABLE_OS_REACHABILITY) {
+                    options.push(`--enable-os-reachability=true`);
+                }
+                if (SCAN_PROJECT_NAME) {
+                    options.push(`--project-name=${SCAN_PROJECT_NAME}`);
+                }
+                if (SCAN_PROJECT_TAGS) {
+                    options.push(`--project-tags=${SCAN_PROJECT_TAGS}`);
+                }
+                if (CONTAINER_SCAN_PATH) {
+                    options.push(`--path=${CONTAINER_SCAN_PATH}`);
+                }
+                if (PROFILING_DATA_DIR) {
+                    options.push(`--profiling-data-dir=${PROFILING_DATA_DIR}`);
+                }
+                // Note: get_scan_options is not called for container scans
+                // as container scan has its own set of options
             }
             else if (SCAN_PACKAGE) {
                 const SCAN_PATH = core.getInput("scan_path");
                 core.info(`Scanning an artifact: ${SCAN_PATH}`);
+                options.unshift(`scan`);
+                get_scan_options(options);
             }
             else {
                 core.info(`Scanning repository ${repoName}`);
+                options.unshift(`scan`);
+                get_scan_options(options);
             }
-            options.unshift(`scan`);
-            get_scan_options(options);
             let endorctl_command = `endorctl`;
             if (RUN_STATS) {
                 // Wrap scan commmand in `time -v` to get stats
@@ -77774,7 +77816,12 @@ const setupEndorctl = ({ version, checksum, api }) => __awaiter(void 0, void 0,
         }
     }
     catch (error) {
-        core.setFailed(error);
+        if (error instanceof Error) {
+            core.setFailed(error);
+        }
+        else {
+            core.setFailed(String(error));
+        }
     }
 });
 exports.setupEndorctl = setupEndorctl;

dist/setup/index.js

@@ -77567,7 +77567,12 @@ const setupEndorctl = ({ version, checksum, api }) => __awaiter(void 0, void 0,
         }
     }
     catch (error) {
-        core.setFailed(error);
+        if (error instanceof Error) {
+            core.setFailed(error);
+        }
+        else {
+            core.setFailed(String(error));
+        }
     }
 });
 exports.setupEndorctl = setupEndorctl;

dist/sign/index.js

@@ -77564,7 +77564,12 @@ const setupEndorctl = ({ version, checksum, api }) => __awaiter(void 0, void 0,
         }
     }
     catch (error) {
-        core.setFailed(error);
+        if (error instanceof Error) {
+            core.setFailed(error);
+        }
+        else {
+            core.setFailed(String(error));
+        }
     }
 });
 exports.setupEndorctl = setupEndorctl;

dist/verify/index.js

@@ -77407,7 +77407,12 @@ const setupEndorctl = ({ version, checksum, api }) => __awaiter(void 0, void 0,
         }
     }
     catch (error) {
-        core.setFailed(error);
+        if (error instanceof Error) {
+            core.setFailed(error);
+        }
+        else {
+            core.setFailed(String(error));
+        }
     }
 });
 exports.setupEndorctl = setupEndorctl;

src/scan.ts

@@ -30,6 +30,7 @@ function get_scan_options(options: string[]): void {
   const PHANTOM_DEPENDENCIES = core.getBooleanInput("phantom_dependencies");
   const SCAN_PROJECT_NAME = core.getInput("project_name");
   const SCAN_IMAGE_NAME = core.getInput("image");
+  const SCAN_IMAGE_TAR = core.getInput("image_tar");
   const SCAN_SAST = core.getBooleanInput("scan_sast");
   const SCAN_AI_MODELS = core.getBooleanInput("scan_ai_models");
   const DISABLE_CODE_SNIPPET_STORAGE = core.getBooleanInput(
@@ -62,6 +63,18 @@ function get_scan_options(options: string[]): void {
       "At least one of `scan_dependencies`, `scan_secrets`, `scan_tools`, `scan_sast`, `scan_container` or `scan_github_actions` or `scan_package` must be enabled"
     );
   }
+  if (SCAN_CONTAINER) {
+    if (!SCAN_IMAGE_NAME && !SCAN_IMAGE_TAR) {
+      core.error(
+        "Either `image` or `image_tar` must be provided when `scan_container` is enabled"
+      );
+    }
+    if (SCAN_IMAGE_NAME && SCAN_IMAGE_TAR) {
+      core.error(
+        "Cannot provide both `image` and `image_tar` at the same time. Please provide only one"
+      );
+    }
+  }
   if (SCAN_CONTAINER && SCAN_DEPENDENCIES) {
     core.error(
       "Container scan and dependency scan cannot be set at the same time"
@@ -131,12 +144,6 @@ function get_scan_options(options: string[]): void {
       options.push(`--ai-models=true`);
     }
   }
-  if (SCAN_CONTAINER) {
-    options.push(`--container=${SCAN_IMAGE_NAME}`);
-    if (SCAN_PROJECT_NAME) {
-      options.push(`--project-name=${SCAN_PROJECT_NAME}`);
-    }
-  }
   if (SCAN_PACKAGE) {
     options.push(`--package=true`);
     if (SCAN_PROJECT_NAME) {
@@ -318,21 +325,66 @@ async function run() {
     const SCAN_PACKAGE = core.getBooleanInput("scan_package");
     if (SCAN_CONTAINER) {
       const SCAN_IMAGE_NAME = core.getInput("image");
-      if (!SCAN_IMAGE_NAME) {
+      const SCAN_IMAGE_TAR = core.getInput("image_tar");
+      const SCAN_AS_REF = core.getBooleanInput("as_ref");
+      const SCAN_ENABLE_OS_REACHABILITY = core.getBooleanInput(
+        "enable_os_reachability"
+      );
+      const SCAN_PROJECT_NAME = core.getInput("project_name");
+      const SCAN_PROJECT_TAGS = core.getInput("project_tags");
+      const CONTAINER_SCAN_PATH = core.getInput("container_scan_path");
+      const PROFILING_DATA_DIR = core.getInput("profiling_data_dir");
+
+      if (!SCAN_IMAGE_NAME && !SCAN_IMAGE_TAR) {
         core.setFailed(
-          "image is required to scan container and must be passed as an input from the workflow via an image parameter"
+          "Either image or image_tar is required to scan container and must be passed as an input from the workflow"
         );
         return;
       }
-      core.info(`Scanning container image: ${SCAN_IMAGE_NAME}`);
+
+      // Use the new 'endorctl container scan' command structure
+      options.unshift(`container`, `scan`);
+
+      // Add container-specific options
+      if (SCAN_IMAGE_NAME) {
+        options.push(`--image=${SCAN_IMAGE_NAME}`);
+        core.info(`Scanning container image: ${SCAN_IMAGE_NAME}`);
+      }
+      if (SCAN_IMAGE_TAR) {
+        options.push(`--image-tar=${SCAN_IMAGE_TAR}`);
+        core.info(`Scanning container image tar: ${SCAN_IMAGE_TAR}`);
+      }
+      if (SCAN_AS_REF) {
+        options.push(`--as-ref=true`);
+      }
+      if (SCAN_ENABLE_OS_REACHABILITY) {
+        options.push(`--enable-os-reachability=true`);
+      }
+      if (SCAN_PROJECT_NAME) {
+        options.push(`--project-name=${SCAN_PROJECT_NAME}`);
+      }
+      if (SCAN_PROJECT_TAGS) {
+        options.push(`--project-tags=${SCAN_PROJECT_TAGS}`);
+      }
+      if (CONTAINER_SCAN_PATH) {
+        options.push(`--path=${CONTAINER_SCAN_PATH}`);
+      }
+      if (PROFILING_DATA_DIR) {
+        options.push(`--profiling-data-dir=${PROFILING_DATA_DIR}`);
+      }
+
+      // Note: get_scan_options is not called for container scans
+      // as container scan has its own set of options
     } else if (SCAN_PACKAGE) {
       const SCAN_PATH = core.getInput("scan_path");
       core.info(`Scanning an artifact: ${SCAN_PATH}`);
+      options.unshift(`scan`);
+      get_scan_options(options);
     } else {
       core.info(`Scanning repository ${repoName}`);
+      options.unshift(`scan`);
+      get_scan_options(options);
     }
-    options.unshift(`scan`);
-    get_scan_options(options);
 
     let endorctl_command = `endorctl`;
     if (RUN_STATS) {

src/utils.ts

@@ -33,7 +33,7 @@ export const createHashFromFile = (filePath: string) =>
   new Promise((resolve) => {
     const hash = crypto.createHash("sha256");
     fs.createReadStream(filePath)
-      .on("data", (data) => hash.update(data))
+      .on("data", (data) => hash.update(data as crypto.BinaryLike))
       .on("end", () => resolve(hash.digest("hex")));
   });
 
@@ -294,7 +294,11 @@ export const setupEndorctl = async ({ version, checksum, api }: SetupProps) => {
       }
     }
   } catch (error: unknown) {
-    core.setFailed(error as Error);
+    if (error instanceof Error) {
+      core.setFailed(error);
+    } else {
+      core.setFailed(String(error));
+    }
   }
 };