scenescape/.github/workflows/docker-bench-security.yaml at main · kblaszczak-intel/scenescape · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
---
# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

name: "[Code Analysis] Docker Bench Security"
run-name: "[Code Analysis] Docker Bench Security"

on:
  workflow_call: {}
  workflow_dispatch: {}
  push:
    branches:
      - main
      - release-*
  merge_group: {}

permissions: {}

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

env:
  DOCKER_BUILDKIT: 1
  SUPASS: ${{ secrets.SUPASS }}

jobs:
  dbs-scan:
    name: "Docker Bench Security Scan"
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: "Checkout code"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #6.0.2
        with:
          path: scenescape
          persist-credentials: false
          fetch-depth: 0
      - name: "Checkout DBS"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #6.0.2
        with:
          repository: docker/docker-bench-security
          path: docker-bench-security
          persist-credentials: false

      - name: "Build Scenescape images"
        working-directory: scenescape
        run: |
          make
          make demo

      - name: "Run DBS scan"
        working-directory: docker-bench-security
        run: |
          sudo sh docker-bench-security.sh -l dbs_results