Merge pull request #15 from CubicrootXYZ/vuln-scan

add vuln scan task to build_image workflow
CubicrootXYZ · Oct 24, 2024 · ee2c387 · ee2c387
2 parents 427cbfb + 73746f9
commit ee2c387
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 1 deletion.
diff --git a/.github/workflows/build_image.yaml b/.github/workflows/build_image.yaml
@@ -15,6 +15,10 @@ on:
         required: false
         type: string
         default: ""
+      vuln_scan:
+        required: false
+        type: boolean
+        default: false
     secrets:
       dockerhub_user:
         required: true
@@ -29,6 +33,14 @@ jobs:
         uses: actions/checkout@v2
       - name: Build the image
         run: docker build -t ${{ inputs.image_name }}:${{ github.sha }} --build-arg VERSION=${{ github.ref_name }} ${{ inputs.docker_build_args }} ${{ inputs.docker_file_path }}
+      - name: Scan image for vulnerabilities
+        uses: anchore/scan-action@v5
+        with:
+          image: "${{ inputs.image_name }}:${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: "high"
+          cache-db: true
+        if: "${{ inputs.vuln_scan }}"
       - name: Login to Docker Hub
         uses: docker/login-action@v1
         with:

diff --git a/.github/workflows/build_image_test.yaml b/.github/workflows/build_image_test.yaml
@@ -7,6 +7,7 @@ jobs:
       docker_file_path: "tests/build_image/"
       image_name: cubicrootxyz/workflows-test
       static_tag: beta
+      vuln_scan: true
     secrets:
       dockerhub_user: "${{ secrets.DOCKERHUB_USERNAME }}"
       dockerhub_token: "${{ secrets.DOCKERHUB_TOKEN }}"
diff --git a/README.md b/README.md
@@ -16,6 +16,7 @@ jobs:
       docker_build_args: "--no-cache"
       docker_file_path: "./"
       image_name: "example/image"
+      vuln_scan: false # Uses grype to scan for vulnerabilities. 
     secrets:
       dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }}
       dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}

diff --git a/tests/build_image/Dockerfile b/tests/build_image/Dockerfile
@@ -1 +1 @@
-FROM scratch
+FROM alpine:latest