GitHub Action
Copacetic Action
This action patches vulnerable containers using Copa. Copacetic Action is supported with Copa version 0.3.0 and later.
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| image | String | True | | Image reference to patch |
| image-report | String | True | | Trivy JSON vulnerability report of the image to patch |
| patched-tag | String | True | | Patched image tag |
| timeout | String | False | 5m | Timeout for copa patch |
| buildkit-version | String | False | latest | Buildkit version |
| copa-version | String | False | latest | Copa version |
| output | String | False | | Output filename (available using copa-action with copa v0.6.1 and later) |
| format | String | False | openvex | Output format (available using copa-action with copa v0.6.1 and later) |
| custom-socket | String | False | | Custom Docker socket address (available using copa-action with copa v0.6.1 and later) |
Note
Features that are supported with new Copacetic releases will not necessarily align with what is supported with Copa Action. For example, the output file feature was released in Copa v0.5.0, but is supported with Copa Action only when using Copa version v0.6.1 and later.
| Name | Type | Description |
|---|---|---|
| patched-image | String | Image reference of the patched image |
Note
Custom Buildkit connection to patch local or private images is only available with Copa-Action versions 0.6.1 and later. For all earlier Copa-Action versions, Buildkit in a container is the default approach, and a version must be supplied as input.
By default, Copa Action creates its own Buildx instance to connect to for patching public and private images.
To patch local images, copa is limited to using docker's built-in buildkit service, and must use the containerd image store feature. To enable this in your GitHub workflow, use ghaction-setup-docker's daemon-configuration to set `"containerd-snapshotter": true`.
Example:

```yaml
- name: Set up Docker
  uses: crazy-max/ghaction-setup-docker@v3
  with:
    daemon-config: |
      {
        "debug": true,
        "experimental": true,
        "features": {
          "containerd-snapshotter": true
        }
      }
- name: Get socket path
  run: |
    # Host of the active docker context, e.g. unix:///var/run/docker.sock
    url=$(docker context inspect | jq -r '.[0].Endpoints.docker.Host')
    # Strip the scheme so only the socket path remains
    socket_path=$(echo "$url" | awk -F// '{print $2}')
    echo "$socket_path"
    # Export it for later steps in the job
    echo "SOCKET=$socket_path" >> "$GITHUB_ENV"
```
Then, supply the resulting socket path (`$SOCKET`) as the input `custom-socket` for the Copa Action to connect to.
Note
Copa Action will load the image to the default docker context, not the "setup-docker-action" context.
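As an added example (not the project's own patch.yaml workflow), a complete job that ties the steps above together: enable the containerd image store, build an image locally, resolve the Docker socket, produce the Trivy JSON report the action expects, and patch over `custom-socket` with a Copa version that supports it. Assumptions: a Dockerfile in the repository, the aquasecurity/trivy-action scanner step and its inputs, and the `@main` / `@master` refs (pin a release tag in real use).

```yaml
name: Patch a locally built image with Copa

on: [workflow_dispatch]

jobs:
  patch:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Local images require docker's built-in buildkit with the containerd image store
      - name: Set up Docker with the containerd image store
        uses: crazy-max/ghaction-setup-docker@v3
        with:
          daemon-config: |
            { "features": { "containerd-snapshotter": true } }

      # Assumption: a Dockerfile exists at the repository root
      - name: Build the image locally
        run: docker build -t localhost/demo-app:latest .

      - name: Get socket path
        run: |
          url=$(docker context inspect | jq -r '.[0].Endpoints.docker.Host')
          socket_path=$(echo "$url" | awk -F// '{print $2}')
          echo "SOCKET=$socket_path" >> "$GITHUB_ENV"

      # Copa only patches fixable OS-package vulnerabilities, so scan accordingly
      - name: Scan the image with Trivy (JSON report for Copa)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: localhost/demo-app:latest
          format: json
          output: report.json
          ignore-unfixed: true
          vuln-type: os

      # custom-socket, output and format need copa v0.6.1 or later
      - name: Patch the image with Copa
        id: copa
        uses: project-copacetic/copa-action@main
        with:
          image: localhost/demo-app:latest
          image-report: report.json
          patched-tag: patched
          custom-socket: ${{ env.SOCKET }}
          copa-version: 0.6.1
          output: report.vex.json
          format: openvex

      - name: Show the patched image reference
        run: echo "${{ steps.copa.outputs.patched-image }}"
```

The patched image is loaded into the default docker context, so later steps that push or rescan it should use that context rather than the one created by ghaction-setup-docker.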
To connect via buildkit in a container, provide the input `buildkit-version`. Copa Action will create a buildkit container with that version to connect to.
Note
This approach does not allow for patching of local or private images.
Refer to Copacetic documentation to learn more about connecting Copa to Buildkit.
Example workflow: copa-action/.github/workflows/patch.yaml (lines 1 to 81 at commit 00f0ef5).