Pull Third Party Containers, Scan, and Publish to GHCR #95
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Pull Third Party Containers, Scan, and Publish to GHCR | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: '0 5 * * 0' | |
jobs: | |
pull-and-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
env: | |
GH_REPO: gsa-tts/fac | |
strategy: | |
fail-fast: false | |
matrix: | |
image: | |
- name: postgrest/postgrest:latest | |
short-name: postgrest | |
- name: ghcr.io/gsa-tts/clamav-rest/clamav:latest | |
short-name: clamav | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Pull Docker Image | |
run: docker pull ${{ matrix.image.name }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
env: | |
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db | |
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db | |
TRIVY_SKIP_DB_UPDATE: true | |
TRIVY_SKIP_JAVA_DB_UPDATE: true | |
TRIVY_DISABLE_VEX_NOTICE: true | |
with: | |
image-ref: '${{ matrix.image.name }}' | |
scan-type: 'image' | |
hide-progress: false | |
exit-code: 1 | |
severity: 'CRITICAL,HIGH' | |
scanners: 'vuln' | |
timeout: 15m0s | |
ignore-unfixed: true | |
# - name: Scan Image | |
# run: docker run aquasec/trivy:latest image --db-repository public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db --timeout 5m --scanners vuln --exit-code 1 --severity CRITICAL,HIGH ${{ matrix.image.name }} | |
- name: Tag Image | |
run: | | |
date=$(date +%Y%m%d) | |
docker tag ${{ matrix.image.name }} ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest | |
docker tag ${{ matrix.image.name }} ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:$date | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Push Image | |
run: docker push --all-tags ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }} | |