forked from smart-mcp-proxy/mcpproxy-go
-
Notifications
You must be signed in to change notification settings - Fork 0
136 lines (123 loc) · 5.26 KB
/
Copy pathscanner-images.yml
File metadata and controls
136 lines (123 loc) · 5.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: scanner-images
# Build and publish the custom security scanner Docker images to
# ghcr.io/smart-mcp-proxy/scanner-*. Vendor images (trivy, semgrep, the
# AI scanner which lives in a separate repo) are NOT built here.
#
# Triggers:
# - push to main that touches docker/scanners/** or this workflow file
# - manual dispatch (for ad-hoc rebuilds)
# - pull requests: builds without pushing (to catch Dockerfile drift)
on:
push:
branches: [main]
paths:
- 'docker/scanners/**'
- '.github/workflows/scanner-images.yml'
pull_request:
paths:
- 'docker/scanners/**'
- '.github/workflows/scanner-images.yml'
workflow_dispatch:
inputs:
scanner:
description: 'Scanner id to rebuild (blank = all)'
required: false
default: ''
permissions:
contents: read
packages: write
security-events: write # required for SARIF upload to the Security tab
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- id: snyk
image: ghcr.io/smart-mcp-proxy/scanner-snyk
context: docker/scanners/snyk
- id: cisco
image: ghcr.io/smart-mcp-proxy/scanner-cisco
context: docker/scanners/cisco
- id: ramparts
image: ghcr.io/smart-mcp-proxy/scanner-ramparts
context: docker/scanners/ramparts
- id: proximity
image: ghcr.io/smart-mcp-proxy/scanner-proximity
context: docker/scanners/proximity
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Skip if not selected
if: ${{ github.event_name == 'workflow_dispatch' && inputs.scanner != '' && inputs.scanner != matrix.id }}
run: echo "Skipping ${{ matrix.id }} (workflow_dispatch selected ${{ inputs.scanner }})" && exit 0
- name: Set up QEMU
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
- name: Set up Buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
- name: Log in to GHCR
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Derive tags
id: tags
run: |
set -euo pipefail
short_sha="${GITHUB_SHA:0:7}"
echo "short_sha=$short_sha" >> "$GITHUB_OUTPUT"
if [ "${GITHUB_REF}" = "refs/heads/main" ]; then
echo "tags=${{ matrix.image }}:latest,${{ matrix.image }}:$short_sha" >> "$GITHUB_OUTPUT"
else
echo "tags=${{ matrix.image }}:pr-${{ github.event.pull_request.number || 'dev' }}" >> "$GITHUB_OUTPUT"
fi
- name: Build and push
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: ${{ matrix.context }}
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.tags.outputs.tags }}
cache-from: type=gha,scope=scanner-${{ matrix.id }}
cache-to: type=gha,scope=scanner-${{ matrix.id }},mode=max
labels: |
org.opencontainers.image.source=https://github.com/smart-mcp-proxy/mcpproxy-go
org.opencontainers.image.revision=${{ github.sha }}
# Trivy image scan — runs only on push/workflow_dispatch (not pull_request) because
# multi-platform builds (linux/amd64,linux/arm64) cannot be loaded to the runner with
# `load: true`, so there is no local image to scan on PRs. On push the image is
# already in GHCR and Trivy pulls it directly.
# exit-code: '0' → report-only, never fails the build. Scanner base images routinely
# carry unfixable CVEs (upstream OS packages); blocking builds on those would create
# constant noise with no actionable remediation. Visibility via the Security tab and
# the workflow log is the goal.
- name: Scan image with Trivy
if: github.event_name != 'pull_request'
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: ${{ matrix.image }}:${{ steps.tags.outputs.short_sha }}
scan-type: image
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
exit-code: '0'
format: table
- name: Upload Trivy SARIF to Security tab
if: github.event_name != 'pull_request'
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: ${{ matrix.image }}:${{ steps.tags.outputs.short_sha }}
scan-type: image
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
exit-code: '0'
format: sarif
output: trivy-results-${{ matrix.id }}.sarif
- name: Upload SARIF
if: github.event_name != 'pull_request'
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
with:
sarif_file: trivy-results-${{ matrix.id }}.sarif
category: trivy-${{ matrix.id }}