@@ -110,6 +110,7 @@ jobs:
110110 *.cache-from=type=gha
111111 *.cache-to=type=gha,mode=max
112112 push : true
113+ sbom : true
113114
114115 - uses : depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
115116 - name : Build and push (depot)
@@ -129,8 +130,9 @@ jobs:
129130 ./docker-metadata-rollups-runtime/docker-metadata-action-bake.json
130131 ./docker-metadata-rollups-database/docker-metadata-action-bake.json
131132 push : true
133+ sbom : true
132134
133- trivy :
135+ scout :
134136 runs-on : ubuntu-latest
135137 needs :
136138 - build
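Review bot: The job is renamed from `trivy` to `scout` here, but its display name is left as `name: trivy-${{ matrix.target }}` (a context line in the next hunk), so the check still reports under the old scanner's name while it actually runs Docker Scout. Rename it to `name: scout-${{ matrix.target }}` so the check name matches the tool. If branch protection or a required-checks list refers to `trivy-*`, it has to be updated in the same change, otherwise the renamed check will not satisfy it; I cannot see that configuration from this diff.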
@@ -143,61 +145,30 @@ jobs:
143145 packages : read
144146 name : trivy-${{ matrix.target }}
145147 steps :
146- - name : Download all docker- metadata artifacts
148+ - name : Download bake metadata
147149 uses : actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
148150 with :
149- pattern : docker-metadata-*
150- path : packages/sdk/
151-
152- - name : Trivy Setup
153- uses : aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514 # v0.2.0
154- with :
155- cache : true
156- version : v0.69.1
157-
158- - name : Collect image references
159- id : images
160- run : |
161- set -euo pipefail
162-
163- mapfile -t IMAGES < <(
164- jq -r '.. | .tags? // empty | .[]?' \
165- packages/sdk/docker-metadata-${{ matrix.target }}/docker-metadata-action-bake.json \
166- | awk 'NF > 0' \
167- | sort -u
168- )
169-
170- if [ "${#IMAGES[@]}" -eq 0 ]; then
171- echo "No image tags found in docker metadata artifacts."
172- exit 0
173- fi
151+ name : bake-metadata
174152
175- {
176- echo "images<<EOF"
177- printf '%s\n' "${IMAGES[@]}"
178- echo "EOF"
179- } >> "$GITHUB_OUTPUT"
180-
181- - name : Scan images with Trivy
182- if : ${{ steps.images.outputs.images != '' }}
153+ - name : Get image digest
154+ id : image-ref
183155 run : |
184- set -euo pipefail
185-
186- while IFS= read -r image; do
187- [ -z "$image" ] && continue
188- echo "Scanning $image"
189- {
190- echo "<details><summary><strong>Trivy image scan : ${{ matrix.target }} </strong></summary><pre lang="shell"><code>"
156+ DIGEST=$(jq -r '."${{ matrix.target }}"["containerimage.digest"]' bake-metadata.json)
157+ echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
191158
192- trivy image \
193- --scanners vuln \
194- --format table \
195- --report summary \
196- --severity HIGH,CRITICAL \
197- --ignore-unfixed \
198- --exit-code 1 \
199- "$image"
159+ - name : Login to DockerHub
160+ uses : docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
161+ with :
162+ username : ${{ secrets.DOCKERHUB_USERNAME }}
163+ password : ${{ secrets.DOCKERHUB_TOKEN }}
200164
201- echo "</code></pre></details><hr>"
202- } >> $GITHUB_STEP_SUMMARY
203- done <<< "${{ steps.images.outputs.images }}"
165+ - name : Docker Scout
166+ id : docker-scout
167+ if : ${{ github.event_name == 'pull_request' }}
168+ uses : docker/scout-action@8910519cee8ac046f3ee99686b0dc6654d5ba1a7 # v1.20.3
169+ with :
170+ command : quickview,cves
171+ image : ghcr.io/cartesi/${{ matrix.target }}@${{ steps.image-ref.outputs.digest }}
172+ ignore-unchanged : true
173+ only-severities : critical,high
174+ github-token : ${{ secrets.GITHUB_TOKEN }}
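Review bot: The new Docker Scout step no longer fails the job on findings: the removed Trivy invocation ran with `--exit-code 1` on HIGH/CRITICAL, but the `docker-scout` step sets `only-severities: critical,high` without `exit-code: true`, so the scan becomes advisory and vulnerable images pass the job. Add `exit-code: true` under `with:` to keep the gate. The step is also guarded by `if: ${{ github.event_name == 'pull_request' }}`, which the old scan did not have, so if this workflow also runs on push the images built from those events are no longer scanned at all, while the artifact download and DockerHub login still run for nothing. Separately, the `Get image digest` script drops the `set -euo pipefail` the old script had and does not check the jq result, so a missing key yields the literal string `null` and the scout step is invoked on `ghcr.io/cartesi/<target>@null` with an unhelpful error; guard it as below. The `name:` line still reads `trivy-${{ matrix.target }}` after the job rename.
```yaml
      - name: Get image digest
        id: image-ref
        run: |
          set -euo pipefail
          DIGEST=$(jq -r '."${{ matrix.target }}"["containerimage.digest"]' bake-metadata.json)
          if [ -z "$DIGEST" ] || [ "$DIGEST" = "null" ]; then
            echo "No containerimage.digest for ${{ matrix.target }} in bake-metadata.json" >&2
            exit 1
          fi
          echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
      # … unchanged: Login to DockerHub step …
      - name: Docker Scout
        id: docker-scout
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/scout-action@8910519cee8ac046f3ee99686b0dc6654d5ba1a7 # v1.20.3
        with:
          command: quickview,cves
          image: ghcr.io/cartesi/${{ matrix.target }}@${{ steps.image-ref.outputs.digest }}
          ignore-unchanged: true
          only-severities: critical,high
          exit-code: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
```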