Skip to content

fix: fix output (#41) #10

fix: fix output (#41)

fix: fix output (#41) #10

Workflow file for this run

name: Patch vulnerable images
on:
# change these to your preferred event triggers
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
push:
branches:
- main
paths-ignore:
- '**.md'
workflow_dispatch:
jobs:
patch:
runs-on: ubuntu-latest
# used for pushing patched image to GHCR
permissions:
contents: read
packages: write
strategy:
fail-fast: false
matrix:
# provide relevant list of images to scan on each run
images:
- "docker.io/library/alpine:3.18.4"
- "docker.io/openpolicyagent/opa:0.46.0"
- "docker.io/library/hello-world:latest"
steps:
# generate trivy report for fixable OS package vulnerabilities
- name: Generate Trivy Report
uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
with:
scan-type: "image"
format: "json"
output: "report.json"
ignore-unfixed: true
vuln-type: "os"
image-ref: ${{ matrix.images }}
# check whether there are any OS package vulnerabilities
- name: Check vulnerability count
id: vuln_count
run: |
report_file="report.json"
vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
# copa action will only run if there are vulnerabilities
- name: Run Copa action
if: steps.vuln_count.outputs.vuln_count != '0'
id: copa
# using main for testing purposes
# use a tag (such as v1 or v1.0.1) at a bare minimum
# recommendation is to pin to a digest for security and stability
# and rely on dependabot for digest/version updates
uses: project-copacetic/copa-action@main
with:
image: ${{ matrix.images }}
image-report: "report.json"
patched-tag: "patched"
# buildkit-version: "v0.12.4" # optional, default is latest
# copa-version: "0.6.0" # optional, default is latest
# see https://github.com/docker/login-action#usage for other registries
- name: Login to GHCR
if: steps.copa.conclusion == 'success'
id: login
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push patched image
if: steps.login.conclusion == 'success'
run: |
# retag if needed
docker tag ${{ steps.copa.outputs.patched-image }} ghcr.io/project-copacetic/copa-action/test/${{ steps.copa.outputs.patched-image }}
docker push ghcr.io/project-copacetic/copa-action/test/${{ steps.copa.outputs.patched-image }}