
Commit e3e1757

committed
ci: scan and sign published container images
1 parent 01bbf76 commit e3e1757

1 file changed

Lines changed: 47 additions & 0 deletions


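--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -172,6 +172,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write # keyless cosign signing via OIDC
     steps:
       - name: Download digests
         uses: actions/download-artifact@v8
@@ -202,3 +203,49 @@ jobs:
           docker buildx imagetools create \
             $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
             $(printf 'ghcr.io/${{ github.repository }}@sha256:%s ' *)
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+      - name: Sign the published image (keyless)
+        run: |
+          tag=$(jq -cr '.tags[0]' <<< "$DOCKER_METADATA_OUTPUT_JSON")
+          digest=$(docker buildx imagetools inspect "$tag" --format '{{.Manifest.Digest}}')
+          cosign sign --yes "ghcr.io/${{ github.repository }}@${digest}"
+
+  # Build the runtime image and scan it for OS/dependency vulnerabilities.
+  # Non-blocking for now (exit-code 0): findings surface in the Security tab.
+  # Flip exit-code to 1 to gate once the baseline is clean.
+  image-scan:
+    name: Image Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+      - name: Build image (amd64) for scanning
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: docker/Dockerfile
+          platforms: linux/amd64
+          load: true
+          tags: postguard-business:scan
+          cache-from: type=gha
+      - name: Trivy vulnerability scan
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: postguard-business:scan
+          format: sarif
+          output: trivy-results.sarif
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          exit-code: '0'
+      - name: Upload Trivy results
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy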
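Review bot: The job that now holds `id-token: write` (and the new image-scan job with `security-events: write`) pulls third-party actions by mutable tag — `sigstore/cosign-installer@v3`, `aquasecurity/trivy-action@0.28.0`, `docker/setup-buildx-action@v4`, `docker/build-push-action@v7` — so a moved tag runs with the same OIDC identity that cosign signs with; pin each to a full commit SHA with the version kept as a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha>  # v3`. In the sign step the digest comes from re-inspecting `$tag` after the create step rather than from what this run pushed, so the step signs whatever the tag resolves to at that moment; at minimum guard against an empty result with `[ -n "$digest" ] || exit 1` before the cosign call, and consider `cosign sign --yes --recursive` if the per-platform manifests under the index should also carry signatures. The image-scan job scans a fresh amd64 build tagged `postguard-business:scan`, not the published digest that gets signed, which the comment above the job should say so readers do not assume the published artifact itself was scanned. The publish job containing the first hunk starts outside it.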
