Find End-of-life (EOL) software in files or containers
This is a GitHub Action for invoking the Xeol scanner and returning the end-of-life (EOL) packages. You can set it to fail pipelines when
EOL software is found by setting the fail-build
input to true
.
Use this in your workflows to quickly verify files or containers' content after a build and before pushing, allowing PRs, or deploying updates.
The action invokes the xeol
command-line tool, with these benefits:
- Runs locally, without sending data outbound - no credentials required!
- Speedy scan operations
- Scans both paths and container images
By default, a scan will produce very detailed output on system packages like an RPM or DEB, but also language-based packages. These are some of the supported packages and libraries:
Supported Linux Distributions:
- Alpine
- BusyBox
- CentOS and RedHat
- Debian and Debian-based distros like Ubuntu
Supported packages and libraries:
- Ruby Bundles
- Python Wheel, Egg,
requirements.txt
- JavaScript NPM/Yarn
- Java JAR/EAR/WAR, Jenkins plugins JPI/HPI
- Go modules
The simplest workflow for scanning a localbuild/testimage
container:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: build local container
uses: docker/build-push-action@v2
with:
tags: localbuild/testimage:latest
push: false
load: true
- name: Scan image
uses: xeol-io/[email protected]
with:
image: "localbuild/testimage:latest"
To scan a directory, add the following step:
- name: Scan current project
uses: xeol-io/[email protected]
with:
path: "."
The path
key allows any valid path for the current project. The root of the path ("."
in this example) is the repository root.
Use the sbom
key to scan an SBOM file:
- name: Create SBOM
uses: anchore/sbom-action@v0
with:
format: spdx-json
output-file: "${{ github.event.repository.name }}-sbom.spdx.json"
- name: Scan SBOM
uses: xeol-io/[email protected]
with:
sbom: "${{ github.event.repository.name }}-sbom.spdx.json"
By default, the action will fail if it finds any out-of-date software.
You change the fail-build
field to false
to avoid failing the build in the case that an out-of-date package is found:
- name: Scan image
uses: xeol-io/[email protected]
with:
image: "localbuild/testimage:latest"
fail-build: false
The inputs image
, path
, and sbom
are mutually exclusive to specify the source to scan; all the other keys are optional. These are all the available keys to configure this action, along with the defaults:
Input Name | Description | Default Value |
---|---|---|
image |
The image to scan | N/A |
path |
The file path to scan | N/A |
sbom |
The SBOM to scan | N/A |
registry-username |
The registry username to use when authenticating to an external registry | |
registry-password |
The registry password to use when authenticating to an external registry | |
fail-build |
Fail the build if an end-of-life (EOL) software is found | false |
api-key |
The API key to use to send results to xeol.io | N/A |
output-format |
Set the output parameter after successful action execution. Valid choices are json , and table , where table output will print to the console instead of generating a file. |
table |
Output Name | Description | Type |
---|---|---|
report |
Path to the report file , if output-format is json |
string |
Assuming your repository has a Dockerfile in the root directory:
name: Container Image CI
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build the container image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- uses: xeol-io/[email protected]
with:
image: "localbuild/testimage:latest"
fail-build: true
A sub-action to download Xeol.
Input parameters:
Parameter | Description | Default |
---|---|---|
xeol-version |
An optional Xeol version to download, defaults to the pinned version in XeolVersion.js. |
Output parameters:
Parameter | Description |
---|---|
cmd |
a reference to the Xeol binary. |
cmd
can be referenced in a workflow like other output parameters:
${{ steps.<step-id>.outputs.cmd }}
Example usage:
- uses: xeol-io/xeol-action/download-xeol@v3
id: xeol
- run: ${{steps.xeol.outputs.cmd}} dir:.
We love contributions, feedback, and bug reports. For issues with the invocation of this action, file issues in this repository.
For contributing, see Contributing.
For documentation on Xeol itself, including other output capabilities, see the xeol project
This action makes extensive use of GitHub Action debug logging,
which can be enabled as described here
by setting a secret in your repository of ACTIONS_STEP_DEBUG
to true
.