Amazon Inspector InspectorScan invoke action reference - Amazon CodePipeline
Action type IDConfiguration parameters Input artifactsOutput artifactsOutput variablesAction declarationSee also
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Inspector InspectorScan invoke action reference

Amazon Inspector is a vulnerability management service that automatically discovers workloads and continually scans them for software vulnerabilities and unintended network exposure. The InspectorScan action in CodePipeline automates detecting and fixing security vulnerabilities in your open source code. The action is a managed compute action with security scanning capabilities. You can use InspectorScan with application source code in your third-party repository, such as GitHub or Bitbucket Cloud, or with images for container applications. Your action will scan and report on vulnerability levels and alerts that you configure.

Note: The CodePipeline action for InspectorScan is not available in the China (Beijing) and China (Ningxia) Regions. To reference other available actions, see Product and service integrations with CodePipeline.

Important

This action uses CodePipeline managed CodeBuild compute to run commands in a build environment. Running the action will incur separate charges in Amazon CodeBuild.

Action type ID

  • Category: Invoke

  • Owner: AWS

  • Provider: InspectorScan

  • Version: 1

Example:


            {
                "Category": "Invoke",
                "Owner": "AWS",
                "Provider": "InspectorScan",
                "Version": "1"
            },

Configuration parameters

InspectorRunMode

(Required) The string that indicates the mode of the scan. Valid values are SourceCodeScan | ECRImageScan.

ECRRepositoryName

The name of the Amazon ECR repository where the image was pushed.

ImageTag

The tag used for the image.

The parameters for this action scan for levels of vulnerability that you specify. The following levels for vulnerability thresholds are available:

CriticalThreshold

The number of critical severity vulnerabilities found in your source beyond which CodePipeline should fail the action.

HighThreshold

The number of high severity vulnerabilities found in your source beyond which CodePipeline should fail the action.

MediumThreshold

The number of medium severity vulnerabilities found in your source beyond which CodePipeline should fail the action.

LowThreshold

The number of low severity vulnerabilities found in your source beyond which CodePipeline should fail the action.

Add an InspectorScan action to your pipeline.

Input artifacts

  • Number of artifacts: 1

  • Description: The source code to scan for vulnerabilities. If the scan is for an ECR repository, this input artifact is not needed.

Output artifacts

  • Number of artifacts: 1

  • Description: Vulnerability details of your source in the form of a Software Bill of Materials (SBOM) file.

Output variables

When configured, this action produces variables that can be referenced by the action configuration of a downstream action in the pipeline. This action produces variables which can be viewed as output variables, even if the action doesn't have a namespace. You configure an action with a namespace to make those variables available to the configuration of downstream actions.

For more information, see Variables reference.

HighestScannedSeverity

The highest severity output from the scan. Valid values are medium | high | critical.

Action declaration

YAML
name: Scan
actionTypeId:
  category: Invoke
  owner: AWS
  provider: InspectorScan
  version: '1'
runOrder: 1
configuration:
  InspectorRunMode: SourceCodeScan
outputArtifacts:
- name: output
inputArtifacts:
- name: SourceArtifact
region: us-east-1
JSON
{
                        "name": "Scan",
                        "actionTypeId": {
                            "category": "Invoke",
                            "owner": "AWS",
                            "provider": "InspectorScan",
                            "version": "1"
                        },
                        "runOrder": 1,
                        "configuration": {
                            "InspectorRunMode": "SourceCodeScan"
                        },
                        "outputArtifacts": [
                            {
                                "name": "output"
                            }
                        ],
                        "inputArtifacts": [
                            {
                                "name": "SourceArtifact"
                            }
                        ],
                        "region": "us-east-1"
                    },

The following related resources can help you as you work with this action.

  • For more information about Amazon Inspector, see the Amazon Inspector User Guide.