build-tools/.github/workflows/push-container-scan.yml
Sahil Ahuja 60d2d0c243 Changes
2025-02-13 17:24:09 +05:30


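name: Image Vulnerability Scan
# Reusable workflow: builds the container image on the runner and fails the
# build when grype reports a critical vulnerability that already has a fix.
#
# Secrets can only be viewed in "push" events, not pull_request events.
# That's why this workflow needs to be called on push, and not on pull_request
# (to read the docker login password).
on:
  workflow_call:
env:
  # Add /temp for temporary images
  REPO: ${{ github.repository }}/temp
# NOTE(review): no `permissions:` block is declared, so the job runs with
# whatever GITHUB_TOKEN scopes the caller passes down. The visible steps only
# read the repository, so `contents: read` looks sufficient - confirm against
# the calling workflows before adding it.
# NOTE(review): every `uses:` below references a mutable tag. Pinning each one
# to a full commit SHA (<full-commit-sha>) keeps a retagged release from
# changing what runs next to the registry credentials.
jobs:
  push-container-scan:
    runs-on: ubuntu-22.04
    steps:
      - id: get-id
        name: Get a unique tag for this build
        # Branch names are externally influenced text. Handing them to the
        # script through `env:` keeps them as data; interpolating `${{ }}`
        # directly into `run:` would paste them into the script before bash
        # parses it.
        env:
          SHA: ${{ github.sha }}
          BRANCH_NAME: ${{ github.base_ref || github.ref_name }}
          REGISTRY: ${{ vars.docker_repo2_registry }}
        # NOTE(review): BRANCH_NAME is used unmodified in the tag; a branch
        # name containing `/` is not a valid image tag - confirm whether such
        # branches reach this workflow.
        run: |
          BUILD_ID="${BRANCH_NAME}-${SHA:0:8}"
          DOCKER_IMAGE="${REGISTRY}/${REPO}:${BUILD_ID}"
          echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT"
          echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"
      - name: Print build id and image name
        env:
          BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}
          DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        run: |
          echo "BUILD_ID: $BUILD_ID"
          echo "DOCKER_IMAGE: $DOCKER_IMAGE"
      - uses: actions/checkout@v4
        with:
          # The whole checkout is the docker build context below; do not leave
          # the job token in .git/config where a COPY could pick it up. No
          # visible step needs git credentials after the checkout.
          persist-credentials: false
      - name: Login to docker container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ vars.docker_repo2_registry }}
          username: ${{ secrets.docker_repo2_username }}
          password: ${{ secrets.docker_repo2_password }}
      # NOTE(review): the step name says "without PUBLIC_BUILD_VERSION" but the
      # build arg is passed - confirm which one is intended.
      - name: Build the container image (quick, without PUBLIC_BUILD_VERSION)
        env:
          BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}
          DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        run: |
          docker build \
            --build-arg BUILD_STEP=container \
            --build-arg "PUBLIC_BUILD_VERSION=$BUILD_ID" \
            --file fab/d/actions-build.Dockerfile \
            --tag "$DOCKER_IMAGE" \
            .
      - name: Container details
        env:
          DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        run: |
          IMAGE_SIZE="$(docker inspect -f '{{ .Size }}' "$DOCKER_IMAGE" | numfmt --to=si)"
          echo "$IMAGE_SIZE container $DOCKER_IMAGE"
      - name: Scan container image for vulnerabilities with grype
        uses: anchore/scan-action@v6
        with:
          image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
          # Cache Grype DB in Github Actions
          cache-db: true
          output-format: table
          # Gate: only critical findings with an available fix fail the build.
          # High-severity findings and unfixed criticals pass this job and need
          # to be tracked elsewhere.
          only-fixed: true
          severity-cutoff: critical
          fail-build: true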