Skip to content
Docker Security Scan

feat(teams): comprehensive team management — role hierarchy, OIDC sync, admin UI team scoping #5918

Sign in to view logs

feat(teams): comprehensive team management — role hierarchy, OIDC sync, admin UI team scoping

feat(teams): comprehensive team management — role hierarchy, OIDC sync, admin UI team scoping #5918

Workflow file for this run

.github/workflows/docker-scan.yml at 3cf1bf3
# ===============================================================
# Docker Security Scan Workflow
# ===============================================================
#
# This workflow builds the container image locally and generates an SBOM
# artifact for review:
# 1. Build image locally (no push required)
# 2. Generate SBOM with Syft
# 3. Upload SBOM artifact
#
# Runs on both PRs and pushes to catch issues early.
#
# ===============================================================
name: Docker Security Scan
on:
push:
branches: ["main"]
paths:
- 'Containerfile.lite'
- 'crates/**'
- 'Cargo.toml'
- 'Cargo.lock'
- 'mcpgateway/**'
- 'plugins/**'
- 'pyproject.toml'
- '.github/workflows/docker-scan.yml'
pull_request:
types: [opened, synchronize, ready_for_review]
branches: ["main"]
paths:
- 'Containerfile.lite'
- 'crates/**'
- 'Cargo.toml'
- 'Cargo.lock'
- 'mcpgateway/**'
- 'plugins/**'
- 'pyproject.toml'
- '.github/workflows/docker-scan.yml'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
env:
IMAGE_NAME: mcp-context-forge-scan
jobs:
# ---------------------------------------------------------------
# Build image and generate SBOM
# ---------------------------------------------------------------
scan:
if: github.event_name != 'pull_request' || !github.event.pull_request.draft
name: Security Scan
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- name: Checkout code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
persist-credentials: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Build image locally
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
file: Containerfile.lite
platforms: linux/amd64
push: false
load: true
tags: ${{ env.IMAGE_NAME }}:scan
cache-from: type=gha,scope=scan-build-amd64
cache-to: type=gha,mode=max,scope=scan-build-amd64
- name: Generate SBOM (Syft)
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "${PWD}:/work" \
anchore/syft:v1.42.3 \
"docker:${IMAGE_NAME}:scan" -o spdx-json=/work/sbom.spdx.json
- name: Upload SBOM
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: sbom
path: sbom.spdx.json
retention-days: 30
rust-enabled-build:
if: github.event_name != 'pull_request' || !github.event.pull_request.draft
name: Rust-enabled container smoke
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- name: Checkout code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
persist-credentials: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Build Rust-enabled image locally
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
file: Containerfile.lite
platforms: linux/amd64
push: false
load: false
build-args: |
ENABLE_RUST=true
cache-from: type=gha,scope=scan-build-rust-amd64
cache-to: type=gha,mode=max,scope=scan-build-rust-amd64