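name: Build-Scan-Push-Image-scan
# Triggered by pushes to master and by pull requests targeting master.
# NOTE(review): on pull_request events from forks the DockerHub secrets are
# empty; build-push-action skips login when username/password are unset, so
# the build step then runs unauthenticated.
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

# Least-privilege GITHUB_TOKEN: this job only reads the repository and writes
# code-scanning results. Without an explicit block the token inherits the
# repository's default permission set, which may be write-all.
permissions:
  contents: read
  security-events: write  # required by github/codeql-action/upload-sarif
  actions: read           # upload-sarif needs this on private repositories

env:
  BuildNumber: ${{ github.run_id }}-${{ github.run_number }}
  ImageName: 'manasiprabhavalkar/python-flask'

jobs:
  # Single job: build the image, scan it, upload the findings. The push step
  # stays disabled until the scan gate below is trusted.
  build:
    runs-on: ubuntu-latest
    steps:
      # Checks out the repository under $GITHUB_WORKSPACE.
      # NOTE(review): every `uses:` in this job references a mutable tag or
      # branch (`@v4`, `@v1.1.0`, `@master`, `@v3`). Pin each to a full commit
      # SHA so a force-pushed tag or compromised upstream branch cannot change
      # what executes with this job's secrets and token.
      - uses: actions/checkout@v4

      - name: Build Docker image
        # NOTE(review): build-push-action v1 is superseded upstream by
        # docker/login-action + docker/build-push-action v2+; migrate when
        # convenient.
        uses: docker/[email protected]
        with:
          # Registry login is only needed here if the Dockerfile pulls a
          # private base image. If it does not, drop username/password so
          # the registry credentials are not exposed to a build-only step.
          username: ${{ secrets.DockerHubUser }}
          password: ${{ secrets.DockerHubPassword }}
          # Repository and tag the local image is built as.
          repository: ${{ env.ImageName }}
          tags: 'github-${{ env.BuildNumber }}'
          dockerfile: 'Dockerfile'
          # Build only: nothing is pushed before the scan has passed.
          push: false

      # Scan the image built above (it exists in the runner's local Docker
      # daemon, so no registry access is needed). exit-code '1' fails the job
      # on any finding, which is what gates the (currently disabled) push.
      - name: Trivy Scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.ImageName }}:github-${{ env.BuildNumber }}
          vuln-type: 'os,library'
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: '1'

      # Upload the SARIF even when the scan step failed the job, so the
      # findings that blocked the build are visible in the Security tab.
      # The hashFiles() guard skips the upload when no report was written
      # (e.g. the build itself failed) instead of failing on a missing file.
      # NOTE(review): the previous version of this step uploaded
      # 'trivyExploitable.sarif', which no step in this workflow produced.
      # If a post-processing step is meant to filter the Trivy report, re-add
      # it between the scan and this upload and point sarif_file at its output.
      - name: Upload Trivy scan results to GitHub Security tab
        if: always() && hashFiles('trivy-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

      # Push is intentionally disabled. When re-enabled it must stay after the
      # scan step (so a failing scan blocks it) and should be limited to push
      # events, e.g. `if: github.event_name == 'push'`, so pull requests never
      # publish an image.
      #- name: Push Docker image
      #  if: github.event_name == 'push'
      #  uses: docker/[email protected]
      #  with:
      #    username: ${{ secrets.DockerHubUser }}
      #    password: ${{ secrets.DockerHubPassword }}
      #    repository: ${{ env.ImageName }}
      #    tags: 'github-${{ env.BuildNumber }}'
      #    dockerfile: 'Dockerfile'
      #    push: true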