docker-image-job

Signed-off-by: Vipin Yadav <vipin.yadav@progress.com>

Author: vipin230

.github/workflows/build-docker-image.yml

@@ -0,0 +1,107 @@
+# build-docker-image.yml
+# Reusable workflow to build a Docker image and upload it as an artifact.
+# Supports three build strategies:
+#   1. build-docker.sh script (e.g., dsm-erchef)
+#   2. Makefile with compose-build target
+#   3. Standard docker build (fallback)
+#
+# The built image is saved as a tar and uploaded as a GitHub Actions artifact
+# for downstream jobs (e.g., Wiz CLI scan, Grype scan) to consume.
+
+name: Build Docker image
+
+on:
+  workflow_call:
+    outputs:
+      image-names:
+        description: 'Space-separated list of built Docker image names (repository:tag)'
+        value: ${{ jobs.build.outputs.image-names }}
+
+jobs:
+  build:
+    name: Build and upload Docker image
+    runs-on: ubuntu-latest
+    outputs:
+      image-names: ${{ steps.build-image.outputs.IMAGES }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Configure git for private repos
+        run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
+
+      - name: Build Docker image
+        id: build-image
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+        run: |
+          if [ ! -f "Dockerfile" ]; then
+            echo "❌ No Dockerfile found - cannot build"
+            exit 1
+          fi
+
+          echo "Building Docker image..."
+          REPO_NAME=$(basename $(pwd))
+
+          # Strategy 1: Check for build-docker.sh script (e.g., dsm-erchef)
+          if [ -f "build-docker.sh" ]; then
+            echo "Found build-docker.sh script - using it to build images"
+            chmod +x build-docker.sh
+            GITHUB_TOKEN="${{ secrets.GH_TOKEN }}" ./build-docker.sh
+
+            # Detect all images built (typically repo name or repo-name-init)
+            IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -E "^${REPO_NAME}" | grep -v "^<none>")
+
+            if [ -z "$IMAGES" ]; then
+              echo "⚠️ No images found with prefix ${REPO_NAME} after build-docker.sh"
+              echo "Checking for any recently built images..."
+              IMAGES=$(docker images --format "{{.CreatedAt}}\t{{.Repository}}:{{.Tag}}" | sort -r | head -5 | cut -f2 | grep -v "^<none>")
+            fi
+          # Strategy 2: Check for Makefile with compose-build target (e.g., chef-platform-user-accounts-service)
+          elif [ -f "Makefile" ] && grep -q "^compose-build:" Makefile; then
+            echo "Using Makefile compose-build target with GITHUB_TOKEN"
+            export GITHUB_TOKEN="${{ secrets.GH_TOKEN }}"
+            make compose-build
+
+            echo "Detecting built images..."
+            docker compose images
+
+            IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep "^${REPO_NAME}" | grep -v "^<none>")
+
+            if [ -z "$IMAGES" ]; then
+              echo "No images found with prefix ${REPO_NAME}, scanning all recent images"
+              IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "^<none>" | head -5)
+            fi
+          # Strategy 3: Fallback to standard docker build
+          else
+            echo "Using standard docker build with GITHUB_TOKEN build arg"
+            docker build --build-arg GITHUB_TOKEN="${{ secrets.GH_TOKEN }}" -t "${REPO_NAME}:latest" .
+            IMAGES="${REPO_NAME}:latest"
+          fi
+
+          if [ -z "$IMAGES" ]; then
+            echo "❌ No Docker images found after build"
+            exit 1
+          fi
+
+          echo "Found images:"
+          echo "$IMAGES"
+
+          # Output as space-separated list for downstream jobs
+          echo "IMAGES=$(echo $IMAGES | tr '\n' ' ')" >> "$GITHUB_OUTPUT"
+
+      - name: Save Docker images to tar
+        run: |
+          IMAGES="${{ steps.build-image.outputs.IMAGES }}"
+          echo "Saving images to /tmp/docker-image.tar: $IMAGES"
+          docker save $IMAGES -o /tmp/docker-image.tar
+          ls -lh /tmp/docker-image.tar
+
+      - name: Upload Docker image artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: docker-image-for-scans
+          path: /tmp/docker-image.tar
+          retention-days: 1

.github/workflows/ci-main-pull-request.yml

@@ -1007,15 +1007,24 @@ jobs:
       fail-grype-on-critical: ${{ inputs.grype-image-fail-on-critical }}
       grype-image-skip-aws: ${{ inputs.grype-image-skip-aws }}
 
+  build-docker-image:
+    name: 'Build Docker image for security scans'
+    if: ${{ inputs.perform-wiz-scan == true }}
+    uses: chef/common-github-actions/.github/workflows/build-docker-image.yml@grype-wiz
+    needs: checkout
+    secrets: inherit
+
   run-wiz-scan:
     name: 'Wiz CLI security scan'
     if: ${{ inputs.perform-wiz-scan == true }}
     uses: chef/common-github-actions/.github/workflows/wiz.yml@grype-wiz
-    needs: checkout
+    needs: [checkout, build-docker-image]
     with:
       fail-build: ${{ inputs.wiz-fail-build }}
       fail-on-critical: ${{ inputs.wiz-fail-on-critical }}
       fail-on-high: ${{ inputs.wiz-fail-on-high }}
+      prebuilt-image-artifact: docker-image-for-scans
+      prebuilt-image-names: ${{ needs.build-docker-image.outputs.image-names }}
     secrets: inherit
 
   run-grype-hab-package-scan:

.github/workflows/wiz.yml

@@ -24,6 +24,16 @@ on:
         required: false
         type: boolean
         default: false
+      prebuilt-image-artifact:
+        description: 'Name of uploaded artifact containing a Docker image tar (skip Docker build if provided)'
+        required: false
+        type: string
+        default: ''
+      prebuilt-image-names:
+        description: 'Space-separated list of Docker image:tag names inside the prebuilt artifact tar'
+        required: false
+        type: string
+        default: ''
 
 jobs:
   wiz-scan:
@@ -55,8 +65,26 @@ jobs:
       #   if: ${{ !inputs.wiz-image-skip-aws }}
       #   uses: aws-actions/amazon-ecr-login@v2
 
+      - name: Download prebuilt Docker image
+        if: ${{ inputs.prebuilt-image-artifact != '' }}
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.prebuilt-image-artifact }}
+          path: /tmp
+
+      - name: Load prebuilt Docker image
+        id: load-image
+        if: ${{ inputs.prebuilt-image-artifact != '' }}
+        run: |
+          echo "Loading prebuilt images from artifact..."
+          docker load -i /tmp/docker-image.tar
+          echo "IMAGES=${{ inputs.prebuilt-image-names }}" >> "$GITHUB_OUTPUT"
+          echo "Loaded images: ${{ inputs.prebuilt-image-names }}"
+          docker images
+
       - name: Build Docker image
         id: build-image
+        if: ${{ inputs.prebuilt-image-artifact == '' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
         run: |
@@ -74,60 +102,55 @@ jobs:
             chmod +x build-docker.sh
             GITHUB_TOKEN="${{ secrets.GH_TOKEN }}" ./build-docker.sh
 
-            IMAGE=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -E "^${REPO_NAME}" | grep -v "^<none>" | head -1)
+            IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -E "^${REPO_NAME}" | grep -v "^<none>")
 
-            if [ -z "$IMAGE" ]; then
-              echo "⚠️ No image found with prefix ${REPO_NAME} after build-docker.sh"
+            if [ -z "$IMAGES" ]; then
+              echo "⚠️ No images found with prefix ${REPO_NAME} after build-docker.sh"
               echo "Checking for any recently built images..."
-              IMAGE=$(docker images --format "{{.CreatedAt}}\t{{.Repository}}:{{.Tag}}" | sort -r | head -1 | cut -f2)
+              IMAGES=$(docker images --format "{{.CreatedAt}}\t{{.Repository}}:{{.Tag}}" | sort -r | head -5 | cut -f2 | grep -v "^<none>")
             fi
           # Strategy 2: Check for Makefile with compose-build target
           elif [ -f "Makefile" ] && grep -q "^compose-build:" Makefile; then
             echo "Using Makefile compose-build target with GITHUB_TOKEN"
             export GITHUB_TOKEN="${{ secrets.GH_TOKEN }}"
-            
-            # Record image IDs before build to detect newly built images
-            BEFORE_IDS=$(docker images -q --no-trunc | sort)
-            
             make compose-build
 
-            echo "Detecting built image..."
-            # Find newly created images by comparing before/after image IDs
-            AFTER_IDS=$(docker images -q --no-trunc | sort)
-            NEW_IDS=$(comm -13 <(echo "$BEFORE_IDS") <(echo "$AFTER_IDS"))
-            
-            if [ -n "$NEW_IDS" ]; then
-              for id in $NEW_IDS; do
-                # Use docker inspect instead of --filter (compatible with all Docker versions)
-                IMAGE=$(docker inspect --format '{{index .RepoTags 0}}' "$id" 2>/dev/null || true)
-                [ -n "$IMAGE" ] && [ "$IMAGE" != "<none>:<none>" ] && break
-                IMAGE=""
-              done
-            fi
+            echo "Detecting built images..."
+            docker compose images
 
-            if [ -z "$IMAGE" ]; then
-              echo "No new image detected by ID comparison, falling back to repo name match"
-              IMAGE=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -E "^${REPO_NAME}" | grep -v "<none>" | head -1)
-            fi
+            IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep "^${REPO_NAME}" | grep -v "^<none>")
 
-            if [ -z "$IMAGE" ]; then
-              echo "⚠️ No image found matching ${REPO_NAME}, using most recent non-runner image"
-              IMAGE=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "^<none>" | grep -v "^ghcr.io/github/" | grep -v "^ghcr.io/dependabot/" | head -1)
+            if [ -z "$IMAGES" ]; then
+              echo "No images found with prefix ${REPO_NAME}, scanning all recent images"
+              IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "^<none>" | head -5)
             fi
           # Strategy 3: Fallback to standard docker build
           else
             echo "Using standard docker build with GITHUB_TOKEN build arg"
             docker build --build-arg GITHUB_TOKEN="${{ secrets.GH_TOKEN }}" -t "${REPO_NAME}:latest" .
-            IMAGE="${REPO_NAME}:latest"
+            IMAGES="${REPO_NAME}:latest"
           fi
 
-          if [ -z "$IMAGE" ]; then
-            echo "❌ No Docker image found after build"
+          if [ -z "$IMAGES" ]; then
+            echo "❌ No Docker images found after build"
             exit 1
           fi
 
-          echo "Image to scan: $IMAGE"
-          echo "IMAGE=$IMAGE" >> "$GITHUB_OUTPUT"
+          echo "Found images to scan:"
+          echo "$IMAGES"
+          echo "IMAGES=$(echo $IMAGES | tr '\n' ' ')" >> "$GITHUB_OUTPUT"
+
+      - name: Set scan target images
+        id: scan-target
+        run: |
+          # Use prebuilt images if available, otherwise use freshly built images
+          IMAGES="${{ steps.load-image.outputs.IMAGES || steps.build-image.outputs.IMAGES }}"
+          if [ -z "$IMAGES" ]; then
+            echo "❌ No Docker images available for scanning"
+            exit 1
+          fi
+          echo "Scan targets: $IMAGES"
+          echo "IMAGES=$IMAGES" >> "$GITHUB_OUTPUT"
 
       - name: Fetch Wiz credentials from AKeyless
         id: fetch-secrets
@@ -150,50 +173,55 @@ jobs:
         run: |
           set -o pipefail
 
-          SCAN_TYPE='container-image'
-          SCAN_TARGET='${{ steps.build-image.outputs.IMAGE }}'
+          IMAGES='${{ steps.scan-target.outputs.IMAGES }}'
+          SCAN_RESULT="passed"
 
-          args=("$SCAN_TYPE")
-          if [ -n "$SCAN_TARGET" ]; then
-            args+=("$SCAN_TARGET")
-          fi
+          # Initialize combined output files
+          > /tmp/wiz-scan.json
+          > /tmp/wiz-scan-results.txt
 
-          # Always output JSON for severity analysis
-          args+=("--json-output-file" "/tmp/wiz-scan.json")
+          for IMAGE_NAME in $IMAGES; do
+            echo ""
+            echo "============================================"
+            echo "Scanning Docker image: $IMAGE_NAME"
+            echo "============================================"
+
+            JSON_FILE="/tmp/wiz-scan-$(echo $IMAGE_NAME | tr '/:' '__').json"
+
+            ./wizcli scan container-image "$IMAGE_NAME" --json-output-file "$JSON_FILE" 2>&1 | tee -a /tmp/wiz-scan-results.txt
+            EXIT_CODE=${PIPESTATUS[0]}
 
-          ./wizcli scan "${args[@]}" 2>&1 | tee /tmp/wiz-scan-results.txt
-          EXIT_CODE=${PIPESTATUS[0]}
+            # Append JSON result to combined file
+            cat "$JSON_FILE" >> /tmp/wiz-scan.json 2>/dev/null || true
+
+            if [ $EXIT_CODE -ne 0 ]; then
+              SCAN_RESULT="failed"
+            fi
+          done
 
           echo ""
           echo "============================================"
-          echo "Wiz CLI Scan Output"
-          echo "============================================"
-          cat /tmp/wiz-scan-results.txt
+          echo "Wiz CLI Scan Complete - Result: $SCAN_RESULT"
           echo "============================================"
-          echo ""
 
-          if [ $EXIT_CODE -eq 0 ]; then
-            echo "scan-result=passed" >> $GITHUB_OUTPUT
-          else
-            echo "scan-result=failed" >> $GITHUB_OUTPUT
-          fi
-          exit $EXIT_CODE
+          echo "scan-result=$SCAN_RESULT" >> $GITHUB_OUTPUT
+          [ "$SCAN_RESULT" = "failed" ] && exit 1 || exit 0
 
       - name: Check Wiz results for severity violations
         id: severity-check
         if: always()
         run: |
-          JSON_FILE="/tmp/wiz-scan.json"
-
-          if [ ! -f "$JSON_FILE" ]; then
-            echo "⚠️  Wiz JSON output not found, skipping severity check"
-            echo "severity-result=skipped" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-
-          # Count vulnerabilities by severity from Wiz JSON analytics summary
-          CRITICAL_COUNT=$(jq '.result.analytics.vulnerabilities.criticalCount // 0' "$JSON_FILE" 2>/dev/null || echo "0")
-          HIGH_COUNT=$(jq '.result.analytics.vulnerabilities.highCount // 0' "$JSON_FILE" 2>/dev/null || echo "0")
+          # Aggregate vulnerability counts across all per-image JSON files
+          CRITICAL_COUNT=0
+          HIGH_COUNT=0
+
+          for JSON_FILE in /tmp/wiz-scan-*.json; do
+            [ -f "$JSON_FILE" ] || continue
+            C=$(jq '.result.analytics.vulnerabilities.criticalCount // 0' "$JSON_FILE" 2>/dev/null || echo "0")
+            H=$(jq '.result.analytics.vulnerabilities.highCount // 0' "$JSON_FILE" 2>/dev/null || echo "0")
+            CRITICAL_COUNT=$((CRITICAL_COUNT + C))
+            HIGH_COUNT=$((HIGH_COUNT + H))
+          done
 
           echo ""
           echo "============================================"
@@ -243,7 +271,7 @@ jobs:
             echo "| Field | Value |"
             echo "|-------|-------|"
             echo "| **Scan type** | \`container-image\` |"
-            echo "| **Target** | \`${{ steps.build-image.outputs.IMAGE }}\` |"
+            echo "| **Target(s)** | \`${{ steps.scan-target.outputs.IMAGES }}\` |"
             echo "| **Policy result** | **${SCAN_RESULT}** |"
             echo "| **Severity result** | **${SEVERITY_RESULT}** |"
             echo "| **Overall** | **${OVERALL}** |"
@@ -267,5 +295,5 @@ jobs:
         with:
           name: wiz-scan-${{ github.event.repository.name }}
           path: |
-            /tmp/wiz-scan.json
+            /tmp/wiz-scan*.json
             /tmp/wiz-scan-results.txt