Releases: aws-actions/vulnerability-scan-github-action-for-amazon-inspector
v1.4.0
Summary
This release updates all GitHub Actions workflows in the repository to reference the v1.4.0 release, while also implementing performance improvements and security best practices.
Changes Made
⚡ Performance Optimization
• Updated the Dockerfile to use the public.ecr.aws/aws-cli/aws-cli:latest base image instead of building from amazonlinux (note that latest is a floating tag; pin a specific image tag or digest if reproducible builds of the action matter to you)
• Eliminates the need to install Python 3 and the AWS CLI during the build, reducing action start-up time by 10-20 seconds
🔒 Security Hardening
• Added explicit permissions blocks to all workflows, following the principle of least privilege
• Granted only the permissions each workflow needs (contents: read, id-token: write, and actions: write only where required)
📦 Version Updates
• Updated all workflow references from v1.3.0 to v1.4.0
Files Modified
• 14 workflow files updated with permissions and version bumps
• Dockerfile optimized for faster builds
Benefits
• Faster CI/CD: Reduced action start-up time by 10-20 seconds per workflow run
• Enhanced Security: Explicit permission declarations scope the GITHUB_TOKEN to what each workflow actually needs, so a compromised step or third-party action cannot use it to write to the repository or to other resources beyond that scope
🙏 Acknowledgments
Special thanks to @joshuagrisham for his contribution in #128.
v1.3.0
Added a new option, threshold_fixable_only. When set to true, only vulnerabilities with an available fix count toward the vulnerability thresholds; vulnerabilities without a fix are ignored when deciding whether a threshold has been exceeded. This option is intended for workflows that want to invoke custom logic, such as failing the job, only when fixable vulnerabilities are present.
- Resolves #91
Added a new option, show_only_fixable_vulns. When enabled, the action displays only vulnerabilities for which a fix is available in the GitHub Actions step summary. Vulnerabilities without a fix are still present in the raw Inspector scan JSON and CSV output.
- 🎉 Special thanks for the community contribution from @CarolMebiom! #115
Added reference in project README to the Amazon Inspector SBOM Generator software license: AWS Intellectual Property License.
- Resolves #120
An example workflow demonstrating these new features is available here.
For more information, feel encouraged to peruse the source code changes: #123
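The following workflow is an added example written for this page; it is not a workflow from the action's repository. It combines the explicit least-privilege permissions block described under v1.4.0 with the threshold_fixable_only and show_only_fixable_vulns options introduced in v1.3.0. The IAM role ARN and region are placeholders, the use of aws-actions/configure-aws-credentials for OIDC is an assumption, and the threshold inputs (critical_threshold, high_threshold) and the vulnerability_threshold_exceeded output are taken from the action's README as I recall it rather than from this page; verify the names against the README before relying on them.

```yaml
# Added example workflow (not the action's own code).
# Assumptions: placeholder role ARN/region; OIDC via
# aws-actions/configure-aws-credentials; critical_threshold, high_threshold
# and the vulnerability_threshold_exceeded output as documented in the
# action's README (verify there).
name: inspector-scan

on:
  pull_request:
  push:
    branches: [main]

# Workflow-level default: no GITHUB_TOKEN scopes at all. Each job then
# opts in to exactly what it needs (the v1.4.0 hardening pattern).
permissions: {}

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read    # needed only for actions/checkout
      id-token: write   # OIDC token to assume the AWS role; no static keys
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/inspector-scan-role  # placeholder
          aws-region: us-east-1  # placeholder

      - name: Build image
        run: docker build -t app:${{ github.sha }} .

      - name: Scan built image with Inspector
        id: inspector
        # Pinning to a full commit SHA instead of a tag gives stronger
        # supply-chain guarantees; v1.4.0 is used here to match the release.
        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.4.0
        with:
          artifact_type: 'container'
          artifact_path: 'app:${{ github.sha }}'
          sbomgen_version: 'latest'
          # v1.3.0: count only findings with an available fix toward the
          # thresholds, so unfixable CVEs do not block the build.
          critical_threshold: 1
          high_threshold: 1
          threshold_fixable_only: true
          # v1.3.0: keep the step summary to actionable findings; the raw
          # JSON/CSV outputs still contain the unfixable ones for auditing.
          show_only_fixable_vulns: true

      - name: Fail on fixable critical/high findings
        if: steps.inspector.outputs.vulnerability_threshold_exceeded == 1
        run: |
          echo "Fixable vulnerabilities exceed the configured threshold; see the step summary." >&2
          exit 1
```

The workflow-level `permissions: {}` matters as much as the job-level block: without it, any job that omits its own permissions inherits the repository default, which may still be the broad legacy read/write token.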
v1.2.1
Improves consistency between the Vulnerability Counts by Severity summary and the detailed Vulnerability Findings tables when rendering the Inspector Scan step summary.
- Resolves issue #111
v1.2.0
This release adds support for scanning multi-arch container images.
To use this feature, specify the OS and CPU platform matching the image you wish to scan by adding the platform argument to your workflows, as shown below:

```yaml
- name: Scan built image with Inspector
  uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
  id: inspector
  with:
    artifact_type: 'container'
    artifact_path: 'alpine:latest'
    # ...
    platform: "linux/arm64/v8"
    sbomgen_version: "latest"
```
If platform is unspecified, this action will default to the OS/CPU platform that matches the GitHub Actions runner.
v1.1.5
Improved handling of Inspector reports (CSV, JSON, Markdown) when no vulnerabilities were found.
v1.1.4
v1.1.3
This patch release improves parsing and rendering of the Inspector vulnerability summary report (#72, #75, #77, #78):
- Added a new column, Source, which denotes the vendor that provided the vulnerability severity, such as NVD, MITRE, or Amazon Inspector.
- Resolved an issue that caused the vulnerability severity to be empty when the severity was provided by a source other than NVD.
v1.1.2
Resolves an issue that prevented the action from executing on aarch64 systems. (#62)
v1.1.1
The vulnerability step summary is now displayed when zero vulnerabilities are present. (#60)
v1.1.0
This release adds support for a new vulnerability finding type: Dockerfile security configuration issues.
The action now scans standalone Dockerfiles in your project, archive, or container image for these issues.
Additionally, the action scans a container image's build history for security issues.