|
23 | 23 | type: boolean |
24 | 24 | description: Toggle to reinstall poetry on top of python version installed by asdf. |
25 | 25 | default: false |
| 26 | + run_docker_scan: |
| 27 | + type: boolean |
| 28 | + description: Toggle to run docker vulnerability scan on this repository. |
| 29 | + default: false |
| 30 | + required: false |
| 31 | + docker_images: |
| 32 | + type: string |
| 33 | + description: JSON array of docker image references to scan when docker scanning is enabled. |
| 34 | + default: "[]" |
| 35 | + required: false |
26 | 36 |
|
27 | 37 | jobs: |
28 | 38 | quality_checks: |
| 39 | + outputs: |
| 40 | + docker_images: ${{ steps.normalized_docker_images.outputs.images }} |
29 | 41 | runs-on: ubuntu-22.04 |
30 | 42 | steps: |
31 | 43 | - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 |
@@ -305,6 +317,35 @@ jobs: |
305 | 317 | output: "dependency_results_java.txt" |
306 | 318 | exit-code: "1" |
307 | 319 | trivy-config: trivy.yaml |
| 320 | + - name: Build docker images |
| 321 | + if: ${{ inputs.run_docker_scan == true }} |
| 322 | + run: | |
| 323 | + make docker-build |
| 324 | +
|
| 325 | + - name: Determine docker images to scan |
| 326 | + id: normalized_docker_images |
| 327 | + run: | |
| 328 | + if [ "${{ inputs.run_docker_scan }}" != "true" ]; then |
| 329 | + echo "Docker scanning disabled; emitting empty image list." |
| 330 | + echo 'images=[]' >> "$GITHUB_OUTPUT" |
| 331 | + exit 0 |
| 332 | + fi |
| 333 | +
|
| 334 | + INPUT='${{ inputs.docker_images }}' |
| 335 | + DEFAULT_IMAGE="docker.io/my-organization/my-app:${GITHUB_SHA}" |
| 336 | +
|
| 337 | + if [ -z "$INPUT" ]; then |
| 338 | + INPUT="[]" |
| 339 | + fi |
| 340 | +
|
| 341 | + if [ "$INPUT" = "[]" ]; then |
| 342 | + echo "No docker images provided; defaulting to $DEFAULT_IMAGE" |
| 343 | + echo "images=[\"$DEFAULT_IMAGE\"]" >> "$GITHUB_OUTPUT" |
| 344 | + else |
| 345 | + echo "Using provided docker images: $INPUT" |
| 346 | + echo "images=$INPUT" >> "$GITHUB_OUTPUT" |
| 347 | + fi |
| 348 | +
|
308 | 349 | - name: Show vulnerability output |
309 | 350 | if: always() |
310 | 351 | run: | |
@@ -344,6 +385,48 @@ jobs: |
344 | 385 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
345 | 386 | SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} |
346 | 387 |
|
| 388 | + docker_vulnerability_scan: |
| 389 | + runs-on: ubuntu-22.04 |
| 390 | + needs: quality_checks |
| 391 | + if: ${{ inputs.run_docker_scan == true }} |
| 392 | + strategy: |
| 393 | + matrix: |
| 394 | + docker_image: ${{ fromJson(needs.quality_checks.outputs.docker_images) }} |
| 395 | + steps: |
| 396 | + - name: Checkout code |
| 397 | + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd |
| 398 | + with: |
| 399 | + ref: ${{ env.BRANCH_NAME }} |
| 400 | + fetch-depth: 0 |
| 401 | + |
| 402 | + - name: Prepare trivy config |
| 403 | + run: | |
| 404 | + cat <<'EOF' > trivy.yaml |
| 405 | + pkg: |
| 406 | + include-dev-deps: true |
| 407 | + EOF |
| 408 | +
|
| 409 | + - name: Check docker vulnerabilities |
| 410 | + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 |
| 411 | + with: |
| 412 | + scan-type: "image" |
| 413 | + image-ref: ${{ matrix.docker_image }} |
| 414 | + severity: "CRITICAL,HIGH" |
| 415 | + scanners: "vuln" |
| 416 | + vuln-type: "os,library" |
| 417 | + format: "table" |
| 418 | + output: "dependency_results_docker.txt" |
| 419 | + exit-code: "1" |
| 420 | + trivy-config: trivy.yaml |
| 421 | + |
| 422 | + - name: Show docker vulnerability output |
| 423 | + if: always() |
| 424 | + run: | |
| 425 | + echo "Scan output for ${{ matrix.docker_image }}" |
| 426 | + if [ -f dependency_results_docker.txt ]; then |
| 427 | + cat dependency_results_docker.txt |
| 428 | + fi |
| 429 | +
|
347 | 430 | # CloudFormation validation (runs only if templates exist, ~3-5 minutes) |
348 | 431 | IaC-validation: |
349 | 432 | runs-on: ubuntu-22.04 |
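Review bot: The docker_vulnerability_scan job asks Trivy to pull `${{ matrix.docker_image }}` on a fresh runner, but the image built by `make docker-build` in quality_checks is never pushed, saved or uploaded, so for the default `docker.io/my-organization/my-app:${GITHUB_SHA}` reference the scan only works if a step outside this diff already publishes that tag, and even then a registry login before "Check docker vulnerabilities" is missing for private images. If the image is meant to be handed over by this workflow, `docker save` it to a tarball uploaded with `actions/upload-artifact` in quality_checks and point trivy-action's `input:` at the downloaded tarball here. A comment on the job stating which of the two is intended, e.g. `# Images must already be pushed under the GITHUB_SHA tag; this job only pulls and scans them.`, would remove the ambiguity. With `exit-code: "1"` and the matrix default of fail-fast, the first image with a CRITICAL/HIGH finding cancels the remaining matrix entries, so `fail-fast: false` under `strategy:` is needed to get a report for every image.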
|