|
| 1 | +# wiz.yml |
| 2 | +# Wiz CLI security scan for Docker image vulnerabilities and policy violations |
| 3 | +# Uses the prgs-community/githubactions-reusableworkflows/actions/wizcli composite action |
| 4 | +# which handles Wiz CLI install, AKeyless auth, scanning, and job summary automatically. |
| 5 | +# https://docs.wiz.io/wiz-docs/docs/wiz-cli-overview |
| 6 | + |
| 7 | +name: Wiz CLI security scan |
| 8 | + |
| 9 | +on: |
| 10 | + workflow_call: |
| 11 | + inputs: |
| 12 | + fail-build: |
| 13 | + description: 'Fail the build on Wiz policy violations' |
| 14 | + required: false |
| 15 | + type: boolean |
| 16 | + default: true |
| 17 | + wiz-image-skip-aws: |
| 18 | + description: 'Skip AWS ECR login (assumes images are scanned elsewhere)' |
| 19 | + required: false |
| 20 | + type: boolean |
| 21 | + default: false |
| 22 | + |
| 23 | +jobs: |
| 24 | + wiz-scan: |
| 25 | + name: Wiz CLI container image scan |
| 26 | + runs-on: ubuntu-latest |
| 27 | + permissions: |
| 28 | + id-token: write |
| 29 | + contents: read |
| 30 | + steps: |
| 31 | + - name: Checkout code |
| 32 | + uses: actions/checkout@v6 |
| 33 | + with: |
| 34 | + fetch-depth: 0 |
| 35 | + |
| 36 | + - name: Configure git for private repos |
| 37 | + run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/" |
| 38 | + |
| 39 | + # - name: Configure AWS credentials |
| 40 | + # uses: aws-actions/configure-aws-credentials@v4 |
| 41 | + # if: ${{ !inputs.wiz-image-skip-aws }} |
| 42 | + # with: |
| 43 | + # aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} |
| 44 | + # aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} |
| 45 | + # aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }} |
| 46 | + # aws-region: us-east-2 |
| 47 | + |
| 48 | + # - name: Login to Amazon ECR |
| 49 | + # id: login-ecr |
| 50 | + # if: ${{ !inputs.wiz-image-skip-aws }} |
| 51 | + # uses: aws-actions/amazon-ecr-login@v2 |
| 52 | + |
| 53 | + - name: Build Docker image |
| 54 | + id: build-image |
| 55 | + env: |
| 56 | + GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} |
| 57 | + run: | |
| 58 | + REPO_NAME=$(basename $(pwd)) |
| 59 | +
|
| 60 | + if [ ! -f "Dockerfile" ]; then |
| 61 | + echo "❌ No Dockerfile found - this workflow requires a Dockerfile to scan Docker image" |
| 62 | + exit 1 |
| 63 | + fi |
| 64 | +
|
| 65 | + echo "Building Docker image..." |
| 66 | +
|
| 67 | + # Strategy 1: Check for build-docker.sh script (e.g., dsm-erchef) |
| 68 | + if [ -f "build-docker.sh" ]; then |
| 69 | + echo "Found build-docker.sh script - using it to build images" |
| 70 | + chmod +x build-docker.sh |
| 71 | + GITHUB_TOKEN="${{ secrets.GH_TOKEN }}" ./build-docker.sh |
| 72 | +
|
| 73 | + IMAGE=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -E "^${REPO_NAME}" | grep -v "^<none>" | head -1) |
| 74 | +
|
| 75 | + if [ -z "$IMAGE" ]; then |
| 76 | + echo "⚠️ No image found with prefix ${REPO_NAME} after build-docker.sh" |
| 77 | + echo "Checking for any recently built images..." |
| 78 | + IMAGE=$(docker images --format "{{.CreatedAt}}\t{{.Repository}}:{{.Tag}}" | sort -r | head -1 | cut -f2) |
| 79 | + fi |
| 80 | + # Strategy 2: Check for Makefile with compose-build target |
| 81 | + elif [ -f "Makefile" ] && grep -q "^compose-build:" Makefile; then |
| 82 | + echo "Using Makefile compose-build target with GITHUB_TOKEN" |
| 83 | + export GITHUB_TOKEN="${{ secrets.GH_TOKEN }}" |
| 84 | + |
| 85 | + # Record image IDs before build to detect newly built images |
| 86 | + BEFORE_IDS=$(docker images -q --no-trunc | sort) |
| 87 | + |
| 88 | + make compose-build |
| 89 | +
|
| 90 | + echo "Detecting built image..." |
| 91 | + # Find newly created images by comparing before/after image IDs |
| 92 | + AFTER_IDS=$(docker images -q --no-trunc | sort) |
| 93 | + NEW_IDS=$(comm -13 <(echo "$BEFORE_IDS") <(echo "$AFTER_IDS")) |
| 94 | + |
| 95 | + if [ -n "$NEW_IDS" ]; then |
| 96 | + for id in $NEW_IDS; do |
| 97 | + IMAGE=$(docker images --format "{{.Repository}}:{{.Tag}}" --filter "id=${id}" | grep -v "<none>" | head -1) |
| 98 | + [ -n "$IMAGE" ] && break |
| 99 | + done |
| 100 | + fi |
| 101 | +
|
| 102 | + if [ -z "$IMAGE" ]; then |
| 103 | + echo "No new image detected, using most recent image" |
| 104 | + IMAGE=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "^<none>" | head -1) |
| 105 | + fi |
| 106 | + # Strategy 3: Fallback to standard docker build |
| 107 | + else |
| 108 | + echo "Using standard docker build with GITHUB_TOKEN build arg" |
| 109 | + docker build --build-arg GITHUB_TOKEN="${{ secrets.GH_TOKEN }}" -t "${REPO_NAME}:latest" . |
| 110 | + IMAGE="${REPO_NAME}:latest" |
| 111 | + fi |
| 112 | +
|
| 113 | + if [ -z "$IMAGE" ]; then |
| 114 | + echo "❌ No Docker image found after build" |
| 115 | + exit 1 |
| 116 | + fi |
| 117 | +
|
| 118 | + echo "Image to scan: $IMAGE" |
| 119 | + echo "IMAGE=$IMAGE" >> "$GITHUB_OUTPUT" |
| 120 | +
|
| 121 | + - name: Wiz CLI container image scan |
| 122 | + id: wiz-scan |
| 123 | + uses: prgs-community/githubactions-reusableworkflows/actions/wizcli@latest |
| 124 | + with: |
| 125 | + scan-type: 'container-image' |
| 126 | + scan-target: ${{ steps.build-image.outputs.IMAGE }} |
| 127 | + fail-build: ${{ inputs.fail-build }} |
0 commit comments