Copacetic Action

v1.1.0

Patch Vulnerable Images

Installation

Copy and paste the following snippet into your .yml file.

```yaml
- name: Copacetic Action
  uses: project-copacetic/copa-action@v1.1.0
```

Learn more about this action in project-copacetic/copa-action

This action patches vulnerable containers using Copa. Copacetic Action is supported with Copa version 0.3.0 and later.

Inputs

| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| image | String | True | | Image reference to patch |
| image-report | String | True | | Trivy JSON vulnerability report of the image to patch |
| patched-tag | String | True | | Patched image tag |
| timeout | String | False | 5m | Timeout for copa patch |
| buildkit-version | String | False | latest | Buildkit version |
| copa-version | String | False | latest | Copa version |

Outputs

| Name | Type | Description |
|---|---|---|
| patched-image | String | Image reference of the patched image |

Example usage

```yaml
name: Patch vulnerable images
on:
  # change these to your preferred event triggers
  # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
  push:
    branches:
      - main
    paths-ignore:
      - '**.md'
  workflow_dispatch:
jobs:
  patch:
    runs-on: ubuntu-latest
    # used for pushing patched image to GHCR
    permissions:
      contents: read
      packages: write
    strategy:
      fail-fast: false
      matrix:
        # provide relevant list of images to scan on each run
        images:
          - "docker.io/library/nginx:1.21.6"
          - "docker.io/openpolicyagent/opa:0.46.0"
          - "docker.io/library/hello-world:latest"
    steps:
      # generate trivy report for fixable OS package vulnerabilities
      - name: Generate Trivy Report
        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
        with:
          scan-type: "image"
          format: "json"
          output: "report.json"
          ignore-unfixed: true
          vuln-type: "os"
          image-ref: ${{ matrix.images }}
      # check whether there are any OS package vulnerabilities
      - name: Check vulnerability count
        id: vuln_count
        run: |
          report_file="report.json"
          vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
          echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
      # copa action will only run if there are vulnerabilities
      - name: Run Copa action
        if: steps.vuln_count.outputs.vuln_count != '0'
        id: copa
        # using main for testing purposes
        # use a tag (such as v1 or v1.0.1) at a bare minimum
        # recommendation is to pin to a digest for security and stability
        # and rely on dependabot for digest/version updates
        uses: project-copacetic/copa-action@main
        with:
          image: ${{ matrix.images }}
          image-report: "report.json"
          patched-tag: "patched"
          # buildkit-version: "v0.12.4" # optional, default is latest
          # copa-version: "0.6.0" # optional, default is latest
      # see https://github.com/docker/login-action#usage for other registries
      - name: Login to GHCR
        if: steps.copa.conclusion == 'success'
        id: login
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push patched image
        if: steps.login.conclusion == 'success'
        run: |
          # retag if needed
          docker tag ${{ steps.copa.outputs.patched-image }} ghcr.io/project-copacetic/copa-action/test/${{ steps.copa.outputs.patched-image }}
          docker push ghcr.io/project-copacetic/copa-action/test/${{ steps.copa.outputs.patched-image }}
```
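The gate in the "Check vulnerability count" step, reproduced in Python as an added example (not code from copa-action or its README) so the jq filter's edge cases can be seen on a constructed Trivy report: a missing `Results` key, a result whose `Vulnerabilities` is null, and a `lang-pkgs` result that Copa cannot patch. It goes one step beyond the workflow by also counting the fixable subset, which only differs from the total when the scan ran without `ignore-unfixed`; the CVE ids and package names are constructed placeholders.

```python
import json

# Constructed sample Trivy JSON report (not real scan output): one OS-package
# result with two findings, one OS-package result with no findings, and one
# language-package result that must be ignored because Copa patches OS packages only.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libfoo",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libbar",
             "InstalledVersion": "2.3", "FixedVersion": ""},
        ]},
        {"Class": "os-pkgs", "Vulnerabilities": None},
        {"Class": "lang-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "somelib",
             "InstalledVersion": "0.1", "FixedVersion": "0.2"},
        ]},
    ]
})


def os_pkg_vulns(report_text: str) -> list:
    """OS-package findings, mirroring the workflow's jq filter: keep Results
    entries with Class == "os-pkgs" and a non-null Vulnerabilities array."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results") or []:  # absent/null Results -> nothing
        if result.get("Class") != "os-pkgs":
            continue
        findings.extend(result.get("Vulnerabilities") or [])
    return findings


def vuln_count(report_text: str) -> int:
    """The number the step writes to GITHUB_OUTPUT as vuln_count."""
    return len(os_pkg_vulns(report_text))


def fixable_count(report_text: str) -> int:
    """Findings Copa can actually patch: those carrying a FixedVersion."""
    return sum(1 for v in os_pkg_vulns(report_text) if v.get("FixedVersion"))


def should_run_copa(report_text: str) -> bool:
    """The condition the workflow writes as vuln_count != '0'."""
    return vuln_count(report_text) != 0


if __name__ == "__main__":
    print(vuln_count(SAMPLE_REPORT), fixable_count(SAMPLE_REPORT), should_run_copa(SAMPLE_REPORT))
```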