-
Notifications
You must be signed in to change notification settings - Fork 15
74 lines (64 loc) · 2.05 KB
/
Copy pathdocker-scanner.yml
File metadata and controls
74 lines (64 loc) · 2.05 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
---
name: 🐳 docker-scanner
on:
workflow_call:
inputs:
severity:
required: true
type: string
dockerfile-path:
required: false
type: string
default: ./Dockerfile
description: dockerfile path
security-upload:
default: false
type: string
description: "Enable image scan report upload to GitHub Security tab."
block_action:
default: false
type: string
description: "Block github action if severity detected."
jobs:
build-image:
name: 🔧 Build Images
runs-on: ubuntu-latest
steps:
- name: 📦 Checkout Repository
uses: actions/checkout@v7
- name: 🛠️ Set up QEMU
uses: docker/setup-qemu-action@v4
- name: 🛠️ Set up Docker Buildx
uses: docker/setup-buildx-action@v4.1.0
- name: 🏗️ Build and export to Docker
id: build-id
uses: docker/build-push-action@v7
with:
push: false
load: true # Export to Docker Engine rather than pushing to a registry
tags: ${{ github.sha }}
platforms: linux/amd64
file: ${{inputs.dockerfile-path}}
- name: 🔍 Docker Scan with trivy (non-blocking)
uses: aquasecurity/trivy-action@master
env:
tags: ${{ github.sha }}
with:
image-ref: ${{ github.sha }}
exit-code: 0
format: 'sarif'
output: 'trivy-results.sarif'
- name: ☁️ Upload Trivy scan results to GitHub Security tab
if: ${{ inputs.security-upload == 'true' }}
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
- name: 🚨 Docker Scan with trivy (blocking)
if: ${{ inputs.block_action == true }}
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ github.sha }}
format: table
exit-code: 1
severity: ${{ inputs.severity}}
...