- Have a CrowdStrike Container Workload Protection (CWP) subscription
- Create an OAUTH2 secret at https://falcon.crowdstrike.com/support/api-clients-and-keys
- Add your OAUTH2 secret, called `FALCON_CLIENT_SECRET`, to a GitHub secret at https://github.com/<your_org>/<your_repo>/settings/secrets/actions
- Create a workflow `.yml` file in your `.github/workflows` directory. An example workflow is available below. For more information, reference the GitHub Help Documentation for Creating a workflow file
- `falcon_client_id`: Your CrowdStrike OAUTH2 Client ID
- `container_repository`: The container image to scan (e.g. `my_image` or `myregistry.io/my_container`)
- `container_tag`: The container tag to scan against (default: `latest`)
- `crowdstrike_region`: The CrowdStrike Cloud region to submit for scanning (default: `us-1`)
- `crowdstrike_score`: The score threshold used to allow for step success (optional, default: `500`)
- `retry_count`: How many attempts will be made to download the scan report before giving up (optional, default: `10`)
- `json_report`: Path to output the JSON report (optional, default: `None`)
- `log_level`: Set the logging level (optional, default: `INFO`)
NOTE: Scoring is based on the CrowdStrike vulnerability severity table shown below.

| Severity | Score |
|---|---|
| Critical | 2000 |
| High | 500 |
| Medium | 100 |
| Low | 20 |
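The following worked example (added here, not the action's own code) shows how the severity table above interacts with the `crowdstrike_score` threshold. It assumes the step score is the sum of the per-finding scores and that the step fails when that sum exceeds the threshold; the page gives the table and the default of 500 but does not spell out the aggregation, so both are labelled assumptions. The findings list and CVE ids are constructed placeholders.

```python
"""Severity-score gate for a container image scan (illustrative, not the action's code).

Assumptions (the page states the table and the 500 default, not the rest):
  * the step score is the SUM of the scores of all findings in the image;
  * the step fails when that sum EXCEEDS the configured threshold.
"""
from collections import Counter

# Severity -> Score table exactly as documented on the page.
SEVERITY_SCORE = {"Critical": 2000, "High": 500, "Medium": 100, "Low": 20}
DEFAULT_THRESHOLD = 500  # documented default for the crowdstrike_score input


def score_findings(findings):
    """Return (total_score, per-severity Counter) for a list of findings.

    Each finding is a dict with at least a 'severity' key. An unknown
    severity is treated as a data error rather than silently scored 0,
    so a renamed or new severity level cannot make the gate pass by accident.
    """
    counts = Counter()
    total = 0
    for finding in findings:
        sev = finding["severity"].capitalize()
        if sev not in SEVERITY_SCORE:
            raise ValueError(f"unknown severity {finding['severity']!r} "
                             f"in {finding.get('cve', '?')}")
        counts[sev] += 1
        total += SEVERITY_SCORE[sev]
    return total, counts


def step_passes(findings, threshold=DEFAULT_THRESHOLD):
    """True if the scan result would let the workflow step succeed (assumed: total <= threshold)."""
    total, _ = score_findings(findings)
    return total <= threshold


# Constructed sample report; the CVE ids are placeholders, not real findings.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "severity": "Medium"},
    {"cve": "CVE-0000-0002", "severity": "Medium"},
    {"cve": "CVE-0000-0003", "severity": "Low"},
    {"cve": "CVE-0000-0004", "severity": "Low"},
    {"cve": "CVE-0000-0005", "severity": "Low"},
]

if __name__ == "__main__":
    total, counts = score_findings(SAMPLE_FINDINGS)
    # With the default threshold: one High alone reaches 500, five Mediums reach it,
    # a single Critical always fails, and 26 Lows (520) accumulate past it.
    print(f"score={total} counts={dict(counts)} passes={step_passes(SAMPLE_FINDINGS)}")
```

Because the score is cumulative, the default threshold blocks a single Critical or any set worth more than 500 points, which is why a long tail of Low findings can fail the step even with no High or Critical present.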
Create a workflow (e.g. `.github/workflows/scan.yml`):

```yaml
name: Scan Container Images
on:
  push:
    branches:
      - master
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: CrowdStrike Container Image Scan
        uses: crowdstrike/[email protected]
        with:
          falcon_client_id: <my_falcon_client_id>
          container_repository: docker.io/library/busybox
        env:
          FALCON_CLIENT_SECRET: "${{ secrets.FALCON_CLIENT_SECRET }}"
```
Alternatively, if you want to pass all the configuration as secrets, set any of the following as environment variables under `env` instead of inputs under `with`:
```yaml
name: Scan Container Images
on:
  push:
    branches:
      - master
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: CrowdStrike Container Image Scan
        uses: crowdstrike/[email protected]
        env:
          # GitHub Actions expressions need the leading "$": "{{ ... }}" alone is a literal string.
          FALCON_CLIENT_ID: "${{ secrets.FALCON_CLIENT_ID }}"
          FALCON_CLIENT_SECRET: "${{ secrets.FALCON_CLIENT_SECRET }}"
          FALCON_CLOUD_REGION: "${{ secrets.FALCON_CLOUD_REGION }}"
          CONTAINER_REPO: "${{ secrets.CONTAINER_REPO }}"
          CONTAINER_TAG: "${{ secrets.CONTAINER_TAG }}"
```