docker-image-scan.yml
---
# Reusable workflow (workflow_call): scans container images with Trivy.
# The caller passes the image references as a JSON array; the `scan` job
# below turns each entry into one matrix job.
name: Security scan for Docker images
# YAML 1.1 parsers read this key as the boolean `true`; GitHub's loader
# accepts it as the trigger key.
on:
  workflow_call:
    inputs:
      image-refs-json:
        required: true
        type: string
        description: JSON array of image references to scan
      image-artifact-name:
        required: false
        type: string
        description: Image tarball artifact name to download
        # NOTE(review): the steps gate on `!= null`; confirm that an omitted
        # string input evaluates to null (not '') for callers of this workflow.
        default: null
      registry:
        required: false
        type: string
        description: Image registry to login (e.g., ghcr.io, docker.io)
        default: null
      registry-user:
        required: false
        type: string
        description: Registry username
        # Defaults to the owner of the calling repository.
        default: ${{ github.repository_owner }}
      trivy-scanners:
        required: false
        type: string
        description: List of scanners to use
        default: vuln,secret,misconfig
      trivy-severity:
        required: false
        type: string
        description: Severity levels to fail the scan
        # Every severity, including findings Trivy cannot rate.
        default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
      trivy-ignore-unfixed:
        required: false
        type: boolean
        description: Ignore unpatched/unfixed vulnerabilities
        default: true
      trivy-exit-code:
        required: false
        type: number
        description: Exit code for pre-build scan
        # Non-zero by default, so findings fail the scan job.
        default: 1
      trivy-config:
        required: false
        type: string
        description: Path to a Trivy config file
        # When set, the repository is checked out so the file can be read.
        default: null
      trivy-timeout:
        required: false
        type: string
        description: Timeout for the Trivy scan
        default: 5m0s
      runs-on:
        required: false
        type: string
        description: GitHub Actions runner to use
        default: ubuntu-latest
    secrets:
      # Used by the registry login step when `registry` is set.
      DOCKER_TOKEN:
        required: false
        description: Registry token
      # Optional override for the token handed to the Trivy action; the
      # workflow falls back to secrets.GITHUB_TOKEN when it is not given.
      GH_TOKEN:
        required: false
        description: GitHub token
# Token permissions for the jobs in this workflow. `contents: write` is the
# only grant; presumably it serves the `format: github` result submission in
# the Trivy step — TODO confirm against the trivy-action documentation.
permissions:
  contents: write
defaults:
  run:
    # -e / -u / -o pipefail: stop on a failing command, an unset variable,
    # or a failing stage of a pipeline.
    shell: bash -euo pipefail {0}
    working-directory: .
jobs:
  scan:
    runs-on: ${{ inputs.runs-on }}
    strategy:
      # Keep scanning the remaining images when one image fails.
      fail-fast: false
      matrix:
        # One job per entry of the caller-supplied JSON array.
        image-ref: ${{ fromJSON(inputs.image-refs-json) }}
    # All third-party actions are pinned to a full commit SHA; the trailing
    # comment records the tag the SHA corresponds to.
    steps:
      # The first two steps only run for images delivered as a tarball
      # artifact rather than pulled from a registry.
      - name: Download the image tarball artifact
        if: inputs.image-artifact-name != null
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: ${{ inputs.image-artifact-name }}
          path: /tmp/
      - name: Load the image tarball
        if: inputs.image-artifact-name != null
        env:
          # Assumes the artifact contains `<artifact-name>.tar` — TODO confirm
          # against the producing workflow. The input is passed through env
          # and quoted in the script rather than interpolated into it, so it
          # is never parsed by the shell.
          IMAGE_TAR: /tmp/${{ inputs.image-artifact-name }}.tar
        run: >
          docker load -i "${IMAGE_TAR}"
      # The working tree is only needed to read the Trivy config file; no
      # other step here touches the repository contents.
      - name: Checkout repository
        if: inputs.trivy-config != null
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 1
          # Do not leave the checkout token in .git/config for later steps.
          persist-credentials: false
      - name: Login to the image registry
        if: inputs.registry != null
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.registry-user }}
          password: ${{ secrets.DOCKER_TOKEN }} # zizmor: ignore[secrets-outside-env] caller-provided secret
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
        with:
          scan-type: image
          # Matrix values are only used as action inputs, never in a shell.
          image-ref: ${{ matrix.image-ref }}
          scanners: ${{ inputs.trivy-scanners }}
          severity: ${{ inputs.trivy-severity }}
          ignore-unfixed: ${{ inputs.trivy-ignore-unfixed }}
          # Non-zero (default 1) makes findings fail the job.
          exit-code: ${{ inputs.trivy-exit-code }}
          # Empty when the caller gives no config; assumes the action treats
          # an empty value as "no config file" — TODO confirm.
          trivy-config: ${{ inputs.trivy-config }}
          timeout: ${{ inputs.trivy-timeout }}
          # The output file is written per matrix job (strategy.job-index) so
          # parallel jobs do not overwrite each other. NOTE(review): it is not
          # uploaded as an artifact; presumably the `github` format submits
          # the results via the token below — confirm.
          format: github
          output: dependency-results.${{ strategy.job-index }}.sbom.json
          github-pat: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }} # zizmor: ignore[secrets-outside-env] caller-provided secret
        env:
          # Pin the Trivy databases to the public ECR mirrors instead of the
          # action's defaults.
          TRIVY_CHECKS_REPOSITORY: public.ecr.aws/aquasecurity/trivy-checks
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db