60 lines
1.9 KiB
YAML
60 lines
1.9 KiB
YAML
name: Image Vulnerability Scan
|
|
|
|
on:
|
|
workflow_call:
|
|
|
|
env:
|
|
REPO: ${{ github.repository }}/temp #Add /temp for PR workflow
|
|
|
|
jobs:
|
|
|
|
image-vulnerability-scan:
|
|
runs-on: ubuntu-22.04
|
|
|
|
steps:
|
|
- id: get-id
|
|
name: Get a unique tag for this build
|
|
run: |
|
|
SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }};
|
|
BUILD_ID=$BRANCH_NAME-${SHA:0:8};
|
|
DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/$REPO:$BUILD_ID;
|
|
echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT";
|
|
echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT";
|
|
|
|
- name: Print build id and image name
|
|
run: |
|
|
echo "BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}";
|
|
echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
|
|
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Login to docker container registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ vars.docker_repo2_registry }}
|
|
username: ${{ vars.docker_repo2_username }}
|
|
password: ${{ vars.docker_repo2_password }}
|
|
|
|
- name: Build the container image (quick, without PUBLIC_BUILD_VERSION)
|
|
# Commenting this from docker build for speed: --build-arg PUBLIC_BUILD_VERSION=$BUILD_ID \
|
|
run: |
|
|
docker build \
|
|
--file fab/d/actions-build.Dockerfile \
|
|
--tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
|
|
.;
|
|
|
|
- name: Container details
|
|
run: |
|
|
IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
|
|
echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
|
|
|
|
- name: Scan container image for vulnerabilities with grype
|
|
uses: anchore/scan-action@v6
|
|
with:
|
|
image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
|
|
cache-db: true #Cache Grype DB in Github Actions
|
|
output-format: table
|
|
only-fixed: true
|
|
severity-cutoff: critical
|
|
fail-build: true
|