
Commit c076cda

feat: docker build and scan github action
feat: docker build and scan github action
2 parents aea0f7f + fb708d9 commit c076cda

2 files changed

Lines changed: 78 additions & 0 deletions


Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
name: Docker Build and Trivy Scan
2+
3+
on:
4+
push:
5+
branches:
6+
- '**'
7+
8+
jobs:
9+
build-and-scan:
10+
runs-on: ubuntu-latest
11+
env:
12+
DOCKER_PATH_CONTEXT: .
13+
DOCKER_BUILD_DOCKERFILE: Dockerfile
14+
DOCKER_LOAD_BOOL: true
15+
DOCKER_TAGS: sample-python-app:${{ github.sha }}
16+
steps:
17+
- name: Checkout repository
18+
uses: actions/checkout@v4
19+
- name: Set up QEMU
20+
uses: docker/setup-qemu-action@v3
21+
- name: Set up Docker Buildx
22+
uses: docker/setup-buildx-action@v3
23+
- name: Build Docker Image
24+
id: build-image
25+
uses: docker/build-push-action@v6
26+
with:
27+
context: ${{ env.DOCKER_PATH_CONTEXT }}
28+
file: ${{ env.DOCKER_BUILD_DOCKERFILE }}
29+
load: ${{ env.DOCKER_LOAD_BOOL }}
30+
tags: ${{ env.DOCKER_TAGS }}
31+
- name: Run Trivy vulnerability scanner
32+
uses: aquasecurity/trivy-action@0.33.1
33+
with:
34+
image-ref: ${{ env.DOCKER_TAGS }}
35+
format: 'table'
36+
exit-code: '1'
37+
ignore-unfixed: true
38+
vuln-type: 'os,library'
39+
severity: 'CRITICAL,HIGH'
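Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope even though checkout, build and scan only need to read the repo; add `permissions:` / `  contents: read` at the workflow level. The third-party actions at the `uses:` lines 18–32 are referenced by mutable tags (`@v4`, `@v3`, `@v6`, `@0.33.1`), so a tag moved upstream changes what runs in this job without any change in this repository; pinning each to a full commit SHA with the tag kept in a trailing comment keeps the supply chain auditable. With `format: 'table'` the Trivy findings only live in the job log; if the repository uses code scanning, a second run with `format: 'sarif'` uploaded via the CodeQL upload action would make them persistent, at the cost of `security-events: write`. `DOCKER_LOAD_BOOL: true` is carried as an env string, which build-push-action accepts, but a plain `load: true` on the step would be simpler.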

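--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,39 @@
+FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim AS builder
+ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy
+
+ENV UV_NO_DEV=1
+
+ENV UV_PYTHON_DOWNLOADS=0
+
+WORKDIR /app
+RUN --mount=type=cache,target=/root/.cache/uv \
+--mount=type=bind,source=uv.lock,target=uv.lock \
+--mount=type=bind,source=pyproject.toml,target=pyproject.toml \
+uv sync --locked --no-install-project
+COPY . /app
+RUN --mount=type=cache,target=/root/.cache/uv \
+uv sync --locked
+
+FROM python:3.13-slim-bookworm
+
+RUN apt-get update \
+&& apt-get upgrade -y \
+&& apt-get clean \
+&& rm -rf /var/lib/apt/lists/*
+
+RUN groupadd --system --gid 999 nonroot \
+&& useradd --system --gid 999 --uid 999 --create-home nonroot
+
+COPY --from=builder --chown=nonroot:nonroot /app /app
+
+ENV PATH="/app/.venv/bin:$PATH"
+
+USER nonroot
+
+WORKDIR /app
+
+USER nonroot
+
+WORKDIR /app
+
+CMD ["python", "-m","sample_python_app.main"]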
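Review bot: `USER nonroot` and `WORKDIR /app` are declared twice in the runtime stage (lines 31–37); the second pair is a no-op and should be dropped, leaving a single `USER nonroot` / `WORKDIR /app` ahead of `CMD`. Both `FROM` lines (1 and 17) pin by tag only, and the runtime stage then runs `apt-get upgrade -y` at line 20, so two builds of the same commit can produce different images and the Trivy result cannot be reproduced against a known input; pinning both bases by `@sha256:` digest and taking OS fixes through a digest bump is the reproducible alternative. `COPY . /app` at line 13 copies the whole build context into the builder stage and from there into the final image via line 27, so anything a `.dockerignore` (not shown in this commit) fails to exclude — a local `.venv`, `.git`, `.env` files — ends up in the shipped layer; copying only the package directory would narrow that. If `sample_python_app.main` is a long-running service a `HEALTHCHECK` is also missing, though that cannot be told from this commit.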
