
Commit c4a08ca

add an action for docker scan and push
1 parent 5523bc3 commit c4a08ca


2 files changed

+255
-0
lines changed


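--- /dev/null
+++ b/dockerhub-scan-push/action.yml
@@ -0,0 +1,108 @@
+# SPDX-License-Identifier: Apache-2.0
+---
+name: 'ecr-scan-push'
+description: 'Composite action to build, scan and push a container'
+
+
+inputs:
+DOCKER_CONTEXT_PATH:
+description: "the location of the Dockerfile"
+required: false
+default: "./"
+DOCKER_REPO:
+description: "the repo of the docker image"
+required: true
+
+runs:
+using: "composite"
+steps:
+- name: Checkout tools repo
+uses: actions/checkout@v4
+with:
+repository: Consensys/github-actions
+path: .github-actions
+
+- name: set up docker buildx
+uses: docker/setup-buildx-action@v3
+
+- name: prep for container
+shell: bash
+run: |
+echo "BUILD_DATE=$(date --rfc-3339=date)" >> ${GITHUB_ENV}
+
+- name: build the container
+uses: docker/build-push-action@v6
+env:
+DOCKER_BUILD_SUMMARY: false
+with:
+context: ${{ inputs.DOCKER_CONTEXT_PATH }}
+platforms: linux/amd64,linux/arm64
+provenance: mode=max
+sbom: true
+push: false
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache
+build-args: |
+VCS_REF=${{ github.sha }}
+BUILD_DATE=${{ env.BUILD_DATE }}
+tags: ${{ inputs.DOCKER_REPO }}:latest
+
+- name: Run Trivy vulnerability scanner
+uses: aquasecurity/[email protected]
+with:
+image-ref: ${{ inputs.DOCKER_REPO }}:latest
+format: 'sarif'
+output: 'trivy-results.sarif'
+vuln-type: 'os,library'
+severity: 'CRITICAL,HIGH'
+
+- name: Show Trivy results
+shell: bash
+run: |
+sudo apt-get update -y
+sudo apt-get install -y jq
+echo "## Trivy findings (CRITICAL/HIGH)" >> "$GITHUB_STEP_SUMMARY"
+if [ ! -s trivy-results.sarif ]; then
+echo "_No SARIF produced or file is empty._" >> "$GITHUB_STEP_SUMMARY"
+exit 0
+fi
+jq -r '
+.runs[].results[]?
+| [.ruleId,
+(.level|ascii_upcase),
+(.message.text|tostring|gsub("\n"; " ")),
+(.locations[0].physicalLocation.artifactLocation.uri // "?"),
+(.locations[0].physicalLocation.region.startLine // 0)]
+| @tsv
+' trivy-results.sarif \
+| awk -F'\t' '
+BEGIN {
+print "| Rule | Level | Message | File | Line |";
+print "|---|---|---|---|---|";
+}
+{
+# Truncate overly long messages for summary readability
+msg=$3; if (length(msg)>180) msg=substr(msg,1,180)"…";
+printf("| `%s` | %s | %s | %s | %s |\n", $1, $2, msg, $4, $5);
+}
+' >> "$GITHUB_STEP_SUMMARY"
+
+- name: push the container
+uses: docker/build-push-action@v6
+if: success()
+env:
+DOCKER_BUILD_SUMMARY: false
+with:
+context: ${{ inputs.DOCKER_CONTEXT_PATH }}
+platforms: linux/amd64,linux/arm64
+provenance: mode=max
+sbom: true
+push: true
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache
+build-args: |
+VCS_REF=${{ github.sha }}
+BUILD_DATE=${{ env.BUILD_DATE }}
+tags: |
+${{ inputs.DOCKER_REPO }}:${{ env.BUILD_DATE }}
+${{ inputs.DOCKER_REPO }}:latest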
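Review bot: The Trivy step in this file never gates the push: trivy-action exits 0 on findings unless `exit-code: '1'` is set, and "Show Trivy results" ends in `exit 0` as well, so the `if: success()` on "push the container" (which is already the default) cannot be false because of CRITICAL/HIGH results. The scan also appears to target the wrong artifact: "build the container" runs with `push: false` for two platforms under the buildx container driver set up by setup-buildx-action, which does not load the result into the local daemon, so `image-ref: ${{ inputs.DOCKER_REPO }}:latest` most likely resolves to whatever `:latest` is already published rather than this build — worth confirming in a run log. I would build a single-platform scan image with `load: true`, point Trivy at that tag, and set `exit-code: '1'` (plus `ignore-unfixed: true` if unfixable findings should not block) so the gate is real; the rewritten steps are below, with arm64 still covered only by the final push build. Two smaller points: the action is named `'ecr-scan-push'` although it lives in `dockerhub-scan-push/action.yml`, and every `uses:` pins a mutable major tag, so consider pinning each to a commit SHA with a `# vX.Y.Z` comment.
```yaml
# … unchanged: checkout, buildx and prep steps …
- name: build a scan image (single platform so it can be loaded locally)
  uses: docker/build-push-action@v6
  with:
    context: ${{ inputs.DOCKER_CONTEXT_PATH }}
    platforms: linux/amd64
    load: true
    push: false
    cache-from: type=local,src=/tmp/.buildx-cache
    cache-to: type=local,dest=/tmp/.buildx-cache
    # … unchanged: build-args …
    tags: ${{ inputs.DOCKER_REPO }}:scan-${{ github.sha }}

- name: Run Trivy vulnerability scanner
  # … unchanged: uses …
  with:
    image-ref: ${{ inputs.DOCKER_REPO }}:scan-${{ github.sha }}
    # … unchanged: format, output, vuln-type …
    severity: 'CRITICAL,HIGH'
    ignore-unfixed: true
    exit-code: '1'  # fail the job on findings so the push step is skipped
```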

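--- /dev/null
+++ b/ecr-scan-push/action.yml
@@ -0,0 +1,147 @@
+# SPDX-License-Identifier: Apache-2.0
+---
+name: 'ecr-scan-push'
+description: 'Composite action to build, scan and push a container'
+
+
+inputs:
+DOCKER_CONTEXT_PATH:
+description: "the location of the Dockerfile"
+required: false
+default: "./"
+DOCKER_REPO:
+description: "the repo of the docker image"
+required: true
+
+runs:
+using: "composite"
+steps:
+- name: Checkout tools repo
+uses: actions/checkout@v4
+with:
+repository: Consensys/github-actions
+path: .github-actions
+
+- name: set up docker buildx
+uses: docker/setup-buildx-action@v3
+
+- name: login to amazon ecr
+id: login-ecr
+uses: aws-actions/amazon-ecr-login@v2
+
+- name: prep for container
+shell: bash
+run: |
+echo "BUILD_DATE=$(date --rfc-3339=date)" >> ${GITHUB_ENV}
+
+- name: build the container
+uses: docker/build-push-action@v6
+env:
+DOCKER_BUILD_SUMMARY: false
+with:
+context: ${{ inputs.DOCKER_CONTEXT_PATH }}
+platforms: linux/amd64,linux/arm64
+provenance: false
+push: false
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache
+build-args: |
+VCS_REF=${{ github.sha }}
+BUILD_DATE=${{ env.BUILD_DATE }}
+tags: ${{ steps.login-ecr.outputs.registry }}${{ inputs.DOCKER_REPO }}:latest
+
+- name: Run Trivy vulnerability scanner
+uses: aquasecurity/[email protected]
+with:
+image-ref: ${{ inputs.DOCKER_REPO }}:latest
+format: 'sarif'
+output: 'trivy-results.sarif'
+vuln-type: 'os,library'
+severity: 'CRITICAL,HIGH'
+
+- name: Show Trivy results
+shell: bash
+run: |
+sudo apt-get update -y
+sudo apt-get install -y jq
+echo "## Trivy findings (CRITICAL/HIGH)" >> "$GITHUB_STEP_SUMMARY"
+if [ ! -s trivy-results.sarif ]; then
+echo "_No SARIF produced or file is empty._" >> "$GITHUB_STEP_SUMMARY"
+exit 0
+fi
+jq -r '
+.runs[].results[]?
+| [.ruleId,
+(.level|ascii_upcase),
+(.message.text|tostring|gsub("\n"; " ")),
+(.locations[0].physicalLocation.artifactLocation.uri // "?"),
+(.locations[0].physicalLocation.region.startLine // 0)]
+| @tsv
+' trivy-results.sarif \
+| awk -F'\t' '
+BEGIN {
+print "| Rule | Level | Message | File | Line |";
+print "|---|---|---|---|---|";
+}
+{
+# Truncate overly long messages for summary readability
+msg=$3; if (length(msg)>180) msg=substr(msg,1,180)"…";
+printf("| `%s` | %s | %s | %s | %s |\n", $1, $2, msg, $4, $5);
+}
+' >> "$GITHUB_STEP_SUMMARY"
+
+# on ecr this doesn't tag the individual images, so we do this 3x (the last two are merely tags)
+- name: build and push the combined manifest
+uses: docker/build-push-action@v6
+if: success()
+env:
+DOCKER_BUILD_SUMMARY: false
+with:
+context: ${{ inputs.DOCKER_CONTEXT_PATH }}
+platforms: linux/amd64,linux/arm64
+provenance: false
+push: true
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache
+build-args: |
+VCS_REF=${{ github.sha }}
+BUILD_DATE=${{ env.BUILD_DATE }}
+tags: |
+${{ inputs.DOCKER_REPO }}:${{ env.BUILD_DATE }}
+${{ inputs.DOCKER_REPO }}:latest
+
+- name: tag the linux/amd64
+uses: docker/build-push-action@v6
+env:
+DOCKER_BUILD_SUMMARY: false
+with:
+context: ${{ inputs.DOCKER_CONTEXT_PATH }}
+platforms: linux/amd64
+provenance: false
+push: true
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache
+build-args: |
+VCS_REF=${{ github.sha }}
+BUILD_DATE=${{ env.BUILD_DATE }}
+tags: |
+${{ inputs.DOCKER_REPO }}:${{ env.BUILD_DATE }}-amd64
+${{ inputs.DOCKER_REPO }}:latest-amd64
+
+- name: tag the linux/arm64
+uses: docker/build-push-action@v6
+env:
+DOCKER_BUILD_SUMMARY: false
+with:
+context: ${{ inputs.DOCKER_CONTEXT_PATH }}
+platforms: linux/arm64
+provenance: false
+push: true
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache
+build-args: |
+VCS_REF=${{ github.sha }}
+BUILD_DATE=${{ env.BUILD_DATE }}
+tags: |
+${{ inputs.DOCKER_REPO }}:${{ env.BUILD_DATE }}-arm64
+${{ inputs.DOCKER_REPO }}:latest-arm64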
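Review bot: The three `push: true` steps tag `${{ inputs.DOCKER_REPO }}:…` without the `${{ steps.login-ecr.outputs.registry }}` prefix that "build the container" uses on its `tags:` line, so the ECR login is not used by the pushes: either `DOCKER_REPO` is a bare repo name and the images go to the default registry instead of ECR (or fail for lack of credentials there), or it already contains the registry host and the build step's tag is doubled — it cannot be right for both. The Trivy `image-ref` has the same omission and, as in `dockerhub-scan-push/action.yml`, the build is `push: false` multi-platform so nothing is loaded into the local daemon; the scan is most likely of a previously published `:latest`, and with no `exit-code` input it cannot block the pushes anyway (add `exit-code: '1'`). amazon-ecr-login's documented usage joins registry and repo with a slash, so the build tag should read `tags: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.DOCKER_REPO }}:latest` — confirm the output has no trailing slash — and the same `registry/repo` form belongs on every line of the three push steps' `tags:` blocks. A `# vX.Y.Z`-commented commit-SHA pin on each `uses:` would also be preferable to the mutable major tags used throughout.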
