diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml new file mode 100644 index 0000000..b707252 --- /dev/null +++ b/.github/workflows/docker-build.yml @@ -0,0 +1,26 @@ +name: Docker build + +on: + pull_request: + paths: + - docker/Dockerfile + types: [opened, synchronize] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build docker image + uses: docker/build-push-action@v6 + with: + file: './docker/Dockerfile' + secrets: github_token=${{ secrets.GITHUB_TOKEN }} + cache-from: type=gha + cache-to: type=gha + push: false diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml new file mode 100644 index 0000000..bca806c --- /dev/null +++ b/.github/workflows/docker-test.yml @@ -0,0 +1,48 @@ +name: Scan Docker image + +on: + push: + branches: main + +jobs: + scan: + runs-on: ubuntu-latest + outputs: + image: ${{ steps.build.outputs.imageid }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build docker image + uses: docker/build-push-action@v6 + id: build + with: + file: './docker/Dockerfile' + secrets: github_token=${{ secrets.GITHUB_TOKEN }} + load: true + cache-from: type=gha + cache-to: type=gha + push: false + + - name: Export docker image as tar + run: docker save -o Dockerfile.tar ${{ steps.build.outputs.imageid }} + + - name: Scan Docker image for CVEs + uses: aquasecurity/trivy-action@0.20.0 + with: + input: Dockerfile.tar + format: 'sarif' + output: 'trivy-results.sarif' + limit-severities-for-sarif: true + ignore-unfixed: true + severity: 'CRITICAL,HIGH' + github-pat: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload scan results to GitHub Security + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + sarif_file: 'trivy-results.sarif'
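Review bot: The `GITHUB_TOKEN` is forwarded into the build as a secret (`secrets: github_token=...`) while the workflow declares no `permissions:` block, so the token's scope is whatever the repository default happens to be; add `permissions:` / `  contents: read` at the top level of docker-build.yml so the token passed into the Dockerfile is read-only by construction, and do the same in docker-test.yml (there with the write scope the SARIF upload needs). The three actions are referenced by mutable major tags (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`); pinning each to a full commit SHA with the tag in a trailing comment (e.g. `uses: actions/checkout@<commit-sha> # v4`, SHA to be looked up) removes the tag-retargeting risk for a job that holds a token. The `paths: - docker/Dockerfile` filter means a change to any file the Dockerfile copies into the image will not trigger the build, which is presumably not intended; widening it to `docker/**` (or the build context) is worth considering. `types: [opened, synchronize]` also drops the default `reopened` event, so a reopened PR is not rebuilt until its next push.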
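Review bot: The `github/codeql-action/upload-sarif` step needs the `security-events: write` scope, and the workflow declares no `permissions:` block, so on a repository whose default token permissions are restricted the upload fails with a permissions error after the scan has already run; add at the top level `permissions:` / `  contents: read` / `  security-events: write`. `github/codeql-action/upload-sarif@v2` is the superseded major line and, as far as I know, has been deprecated in favour of `@v3`, so the step should move to v3 before it stops being served. `ignore-unfixed: true` silently drops every CRITICAL/HIGH finding that has no upstream fix yet, which is a defensible triage policy but should be stated next to the option, e.g. `# unfixed CVEs are hidden from the SARIF on purpose; review them via a periodic non-filtered run`. Because the scan runs only on `push` to `main`, an image that was clean at merge time is never rescanned when new advisories land; adding a `schedule:` cron trigger alongside `push` closes that gap. The `outputs: image:` job output is not consumed by any other job in this file, and naming the saved image `Dockerfile.tar` makes the artifact look like a Dockerfile rather than an image tarball.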