From df904d494d4ecd9d1673c7ad08cbc5e837c97f51 Mon Sep 17 00:00:00 2001 From: soulgalore Date: Mon, 23 Sep 2024 08:49:13 +0200 Subject: [PATCH] Add docker scan --- .github/workflows/docker-scan.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/docker-scan.yml diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml new file mode 100644 index 0000000..e9bd1af --- /dev/null +++ b/.github/workflows/docker-scan.yml @@ -0,0 +1,29 @@ +name: Docker security scan +on: + push: + branches: + - main + pull_request: +jobs: + build: + name: Build + runs-on: ubuntu-20.04 + if: ${{ !contains(github.event.head_commit.message, 'docs:') }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from Dockerfile + run: | + docker buildx install + docker buildx build --load --platform linux/amd64 -t docker.io/sitespeedio/node:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'docker.io/sitespeedio/node:${{ github.sha }}' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL' \ No newline at end of file