Add filtering

.github/workflows/scan.yaml

@@ -22,6 +22,34 @@ jobs:
           sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
           stop-on-failed-policy-eval: true
           stop-on-processing-error: true
+          severity-at-least: medium
+
+      - name: Upload SARIF file
+        if: success() || failure() # Upload results regardless previous step fails
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ github.workspace }}/sarif.json
+
+  filtered-scan-from-registry:
+    runs-on: ubuntu-latest
+
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Scan dummy-vuln-app from registry
+        id: scan
+        uses: ./
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+          severity-at-least: medium
+          group-by-package: true
 
       - name: Upload SARIF file
         if: success() || failure() # Upload results regardless previous step fails

README.md

@@ -35,6 +35,18 @@ Fail the job if the Policy Evaluation is Failed.
 
 Fail the job if the Scanner terminates execution with errors.
 
+### `severity-at-least`
+
+Filtering option to only report vulnerabilities with at least the specified severity. Can take [`critical`|`high`|`medium`|`low`|`negligible`|`any`]. Default value "any" for no filtering.
+
+For example, if `severity-at-least` is set to `medium`, only Medium, High or Critical vulnerabilities will be reported.
+
+### `group-by-package`
+
+Enable grouping the vulnerabilities in the SARIF report by package.
+
+Useful if you want to manage security per package or condense the number of findings.
+
 ### `standalone`
 
 Enable standalone mode. Do not depend on Sysdig backend for 
@@ -79,7 +91,7 @@ Standalone mode.)
 
 ### `sysdig-secure-url`
 
-Sysdig Secure Endpoint URL. Defaults to `https://secure-sysdig.com`. Please, visit the [official documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) for more details on endpoints and regions.
+Sysdig Secure Endpoint URL. Defaults to `https://secure.sysdig.com`. Please, visit the [official documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) for more details on endpoints and regions.
 
 ### `sysdig-skip-tls`
 

action.yml

@@ -44,6 +44,14 @@ inputs:
   override-pullstring:
     description: Custom PullString to give the image when scanning and uploading. 
     required: false
+  severity-at-least:
+    description: Filtering option to only report vulnerabilities with at least the specified severity. Can take [critical|high|medium|low|negligible|any]. Default value "any" for no filtering.
+    default: any
+    required: false
+  group-by-package:
+    description: Enable grouping the vulnerabilities in the SARIF report by package.
+    default: "false"
+    required: false
   image-tag:
     description: Tag of the image to analyse.
     required: true