
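name: Build and Push Redis Image

on:
  push:
    branches:
      - redis
      - redis-tests
  schedule:
    - cron: '0 0 * * 1'  # weekly rebuild so base-image updates are picked up

# Least privilege: the default GITHUB_TOKEN is read-only; each job below asks
# for exactly what its steps need. `packages: write` was dropped because the
# image is pushed to Docker Hub with DOCKERHUB_TOKEN, not to GHCR.
permissions:
  contents: read

jobs:
  check-base-images:
    name: Check Base Images
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # upload-sarif (Dockle)
    outputs:
      base_image: ${{ steps.get-base-image.outputs.base_image }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Get base image from Dockerfile
        id: get-base-image
        run: |
          # Dockerfile keywords are case-insensitive, so "FROM x AS builder" must
          # match too (-i). -m 1 takes the first builder stage only.
          FROM_LINE=$(grep -i -m 1 '^FROM[[:space:]].*[[:space:]]as[[:space:]]builder' Dockerfile || true)
          if [ -z "${FROM_LINE}" ]; then
            echo "::error::No 'FROM <image> AS builder' line found in Dockerfile"
            exit 1
          fi
          # First token after FROM that is not a flag (e.g. --platform=...).
          BASE_IMAGE=$(printf '%s\n' "${FROM_LINE}" | awk '{ for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; exit } }')
          if [ -z "${BASE_IMAGE}" ]; then
            echo "::error::Could not extract a base image from: ${FROM_LINE}"
            exit 1
          fi
          echo "base_image=${BASE_IMAGE}" >> "$GITHUB_OUTPUT"
          echo "Found base image: ${BASE_IMAGE}"

      - name: Check base image updates
        uses: docker/scout-action@v1
        with:
          command: recommendations
          image: ${{ steps.get-base-image.outputs.base_image }}
          only-fixed: true
          output-format: table

      - name: Run Dockle
        uses: goodwithtech/dockle-action@v1
        with:
          image: ${{ steps.get-base-image.outputs.base_image }}
          format: sarif
          output: dockle-results.sarif

      - name: Upload Dockle results
        uses: github/codeql-action/upload-sarif@v3
        if: success() || failure()  # upload findings even when Dockle fails the step
        with:
          sarif_file: dockle-results.sarif
          category: dockle

  security-checks:
    name: Security Checks
    runs-on: ubuntu-latest
    needs: check-base-images
    permissions:
      contents: read
      security-events: write  # upload-sarif (Hadolint) and CodeQL
      actions: read           # CodeQL: only required for private repositories
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # ggshield scans the whole pushed commit range

      - name: Run GitGuardian scan
        # Pinned to a release tag instead of the mutable `master` branch: a
        # compromised or force-pushed branch would otherwise run arbitrary code
        # with the repo token and GITGUARDIAN_API_KEY on every push. Pinning to
        # a full commit SHA is stronger still.
        uses: GitGuardian/ggshield-action@v1
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

      - name: Run Hadolint
        # NOTE(review): the extracted page obfuscated this ref as
        # "[email protected]"; confirm the pinned version against the repository.
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: ./Dockerfile
          format: sarif
          output-file: hadolint-results.sarif
          no-fail: true  # findings go to code scanning; they do not block the build

      - name: Upload Hadolint results
        uses: github/codeql-action/upload-sarif@v3
        if: success() || failure()
        with:
          sarif_file: hadolint-results.sarif
          category: hadolint

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  build-and-scan:
    runs-on: ubuntu-latest
    needs: security-checks
    permissions:
      contents: read  # Docker Hub auth comes from secrets, not GITHUB_TOKEN
    env:
      IMAGE: pbdco/aws-spotter:redis
    # NOTE(review): pushes from `redis-tests` publish to the same `:redis` tag
    # as `redis`, and scheduled runs check out the default branch. Confirm both
    # are intended; otherwise gate the push step on github.ref.
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Build into the local daemon first so the CVE gate below runs BEFORE
      # anything is published. The previous order (push, then scan with
      # exit-code: true) left a vulnerable image live under the tag whenever the
      # scan failed.
      - name: Build image (no push)
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64
          load: true
          push: false
          tags: ${{ env.IMAGE }}
          cache-from: type=registry,ref=${{ env.IMAGE }}
          provenance: false  # the docker exporter cannot load attestations; they are added on push

      - name: Run Docker Scout
        uses: docker/scout-action@v1
        with:
          command: quickview,cves
          image: ${{ env.IMAGE }}  # the locally loaded image from the step above
          only-severities: critical,high
          exit-code: true  # fail the job (and skip the push) on critical/high CVEs

      - name: Push image
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64
          push: true
          tags: ${{ env.IMAGE }}
          cache-from: type=registry,ref=${{ env.IMAGE }}
          cache-to: type=inline
          provenance: mode=max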