Image Security Scan (main) #16
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Image Security Scan | |
| run-name: Image Security Scan (${{ github.event_name == 'schedule' && 'latest' || github.ref_name }}) | |
| on: | |
| schedule: | |
| # Monthly on the 1st at 00:00 UTC | |
| - cron: '0 0 1 * *' | |
| workflow_dispatch: | |
| jobs: | |
| scan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Docker Buildx | |
| if: github.event_name == 'workflow_dispatch' | |
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 | |
| - name: Build image | |
| if: github.event_name == 'workflow_dispatch' | |
| uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 | |
| env: | |
| DOCKER_BUILD_CHECKS_ANNOTATIONS: false | |
| DOCKER_BUILD_SUMMARY: false | |
| DOCKER_BUILD_RECORD_UPLOAD: false | |
| with: | |
| context: docker | |
| load: true | |
| tags: buildcage:scan | |
| - name: Scan image with Trivy | |
| if: github.ref == 'refs/heads/main' | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 | |
| with: | |
| image-ref: ${{ github.event_name == 'schedule' && format('ghcr.io/{0}:latest', github.repository) || 'buildcage:scan' }} | |
| ignore-unfixed: true | |
| trivyignores: .trivyignore | |
| scanners: vuln | |
| format: sarif | |
| output: trivy-results.sarif | |
| severity: CRITICAL,HIGH | |
| - name: Upload Trivy scan results to GitHub Security | |
| if: github.ref == 'refs/heads/main' | |
| uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| - name: Scan image with Trivy | |
| if: github.ref != 'refs/heads/main' | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 | |
| with: | |
| image-ref: buildcage:scan | |
| ignore-unfixed: true | |
| trivyignores: .trivyignore | |
| scanners: vuln | |
| format: table | |
| severity: CRITICAL,HIGH |