This directory contains shell scripts used by GitHub Actions workflows for vulnerability scanning of published Docker images.
For Support & Sales: See SECURITY.md for a guide on understanding vulnerability reports, terminology definitions, and how to interpret scan results.
Generates a JSON matrix of Docker images and tags to scan from Docker Hub. Used by the trivy-scan-published-images.yml workflow to determine which published tags to scan.
Usage:

```bash
./generate-dockerhub-matrix.sh [max_tags]
```

Arguments:
- `max_tags`: Maximum number of tags to scan per image (default: 10). Only the N most recent tags per image end up in the matrix, so raise this value if older published tags must also be scanned.

Environment Variables:
- `MAX_TAGS`: Maximum tags per image (overrides the `max_tags` argument)
- `GITHUB_OUTPUT`: GitHub Actions output file path (optional)

Outputs:
- JSON matrix written to stdout and, when `GITHUB_OUTPUT` is set, appended to `$GITHUB_OUTPUT`
- Format: `{"include":[{"image":"...","tag":"...","published":"..."}]}`
Example:

```bash
# Generate matrix for 5 most recent tags
./generate-dockerhub-matrix.sh 5

# Use in GitHub Actions
MAX_TAGS=10 ./generate-dockerhub-matrix.sh
```

How it works:
- Queries the Docker Hub API for active tags of `liquibase/liquibase` and `liquibase/liquibase-secure`
- Filters to semantic version tags only (e.g., `5.0.1`, `4.28`)
- Removes redundant minor version tags when the full version exists (e.g., skips `4.28` if `4.28.0` exists)
- Returns the most recent N tags per image as a GitHub Actions matrix
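The selection steps above, as an added worked example that is not the repository's `generate-dockerhub-matrix.sh` (which is bash with `curl` and `jq`): a Python re-implementation of the described logic, run on a constructed Docker Hub payload so it works offline. Assumptions, labelled in the code as well: the payload carries the `results[].name`, `tag_status` and `last_updated` fields as the Docker Hub `/v2/repositories/<image>/tags` endpoint returns them; "most recent" is taken as highest version number; the minor tag `X.Y` is dropped only when `X.Y.0` is also published, exactly as stated above; and the Actions output is written under the name `matrix`, which is not something this page specifies.

```python
"""Added example: Python version of the matrix-selection logic described in
'How it works'. Not the repository's own bash script."""
import json
import os
import re
import sys

# Tags in "MAJOR.MINOR" or "MAJOR.MINOR.PATCH" form are the only ones scanned.
SEMVER_TAG = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")

# Constructed sample in the shape of Docker Hub's
# GET /v2/repositories/<image>/tags response (fields trimmed to those the
# logic needs; the tag set and dates are illustrative, not a real snapshot).
SAMPLE_RESPONSES = {
    "liquibase/liquibase": {"results": [
        {"name": "latest",      "tag_status": "active",   "last_updated": "2025-06-01T00:00:00Z"},
        {"name": "4.27",        "tag_status": "active",   "last_updated": "2024-03-01T00:00:00Z"},
        {"name": "4.28",        "tag_status": "active",   "last_updated": "2024-05-10T00:00:00Z"},
        {"name": "4.28.0",      "tag_status": "active",   "last_updated": "2024-05-10T00:00:00Z"},
        {"name": "4.29",        "tag_status": "inactive", "last_updated": "2024-07-02T00:00:00Z"},
        {"name": "4.29.1",      "tag_status": "active",   "last_updated": "2024-07-02T00:00:00Z"},
        {"name": "4.30-alpine", "tag_status": "active",   "last_updated": "2024-09-15T00:00:00Z"},
        {"name": "5.0.1",       "tag_status": "active",   "last_updated": "2025-06-01T00:00:00Z"},
    ]},
    "liquibase/liquibase-secure": {"results": [
        {"name": "4.33.0", "tag_status": "active", "last_updated": "2025-01-20T00:00:00Z"},
        {"name": "5.0",    "tag_status": "active", "last_updated": "2025-06-01T00:00:00Z"},
        {"name": "5.0.0",  "tag_status": "active", "last_updated": "2025-05-01T00:00:00Z"},
        {"name": "5.0.1",  "tag_status": "active", "last_updated": "2025-06-01T00:00:00Z"},
    ]},
}


def version_key(tag):
    """Return (major, minor, patch) for a semver tag, or None if it is not one.
    A minor-only tag such as "4.28" sorts just below its patch releases."""
    m = SEMVER_TAG.match(tag)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else -1)


def select_tags(results, max_tags):
    """Apply the filters from 'How it works' to one image's tag list."""
    # Step 1: only active tags (inactive ones are no longer served by Docker Hub).
    active = {r["name"]: r for r in results if r.get("tag_status") == "active"}
    # Step 2: only semantic-version tags ("latest", "4.30-alpine" are dropped).
    semver = {name: r for name, r in active.items() if version_key(name) is not None}
    # Step 3 (page rule): a minor tag "X.Y" is redundant when "X.Y.0" is published.
    kept = [
        name for name in semver
        if not (version_key(name)[2] == -1 and f"{name}.0" in semver)
    ]
    # Step 4: newest first. Assumption: "most recent" = highest version number.
    kept.sort(key=version_key, reverse=True)
    return [(name, semver[name]["last_updated"]) for name in kept[:max_tags]]


def build_matrix(responses, max_tags):
    """Build the {"include":[...]} structure a GitHub Actions matrix expects."""
    include = []
    for image, payload in responses.items():
        for tag, published in select_tags(payload["results"], max_tags):
            include.append({"image": image, "tag": tag, "published": published})
    return {"include": include}


def emit(matrix, github_output=None):
    """Print the matrix and, when a GITHUB_OUTPUT path is given, append it as
    an Actions output. The output name 'matrix' is an assumption."""
    line = json.dumps(matrix, separators=(",", ":"))
    print(line)
    if github_output:
        with open(github_output, "a", encoding="utf-8") as fh:
            fh.write(f"matrix={line}\n")
    return line


def resolve_max_tags(argv, environ):
    """MAX_TAGS overrides the positional argument; the default is 10."""
    raw = environ.get("MAX_TAGS") or (argv[1] if len(argv) > 1 else "10")
    n = int(raw)
    if n < 1:
        raise ValueError("max_tags must be a positive integer")
    return n


if __name__ == "__main__":
    count = resolve_max_tags(sys.argv, os.environ)
    emit(build_matrix(SAMPLE_RESPONSES, count), os.environ.get("GITHUB_OUTPUT"))
```

Run it as `MAX_TAGS=3 python3 generate_matrix_example.py` to see the same precedence the script documents (the environment variable wins over the argument). Note that with the page's rule a floating minor tag such as `5.0` is only dropped when `5.0.0` exists; if a repository publishes `5.0` alongside `5.0.1` but never `5.0.0`, both are scanned, which is the safe direction for a vulnerability scan.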
Requirements:
- `bash`: Shell interpreter (version 4.0+)
- `jq`: JSON processor
- `curl`: For Docker Hub API access
See also:
- SECURITY.md - Understanding vulnerability scan reports
- Trivy Documentation - Official Trivy scanner documentation
- Grype Documentation - Official Grype scanner documentation