Image vulnerability scan

2025-01-29 18:32:49 +05:30 · 2025-01-29 18:32:49 +05:30 · e87ead4605
commit e87ead4605
parent 493139b012
2 changed files with 59 additions and 0 deletions
--- a/.github/workflows/pr-image-scan.yml
+++ b/.github/workflows/pr-image-scan.yml
@ -0,0 +1,59 @@
+name: Image Vulnerability Scan
+
+on:
+  workflow_call:
+
+env:
+  REPO: ${{ github.repository }}/temp #Add /temp for PR workflow
+
+jobs:
+
+  image-vulnerability-scan:
+    runs-on: ubuntu-22.04
+
+    steps:
+    - id: get-id
+      name: Get a unique tag for this build
+      run: |
+        SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }};
+        BUILD_ID=$BRANCH_NAME-${SHA:0:8};
+        DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/$REPO:$BUILD_ID;
+        echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT";
+        echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT";
+
+    - name: Print build id and image name
+      run: |
+        echo "BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}"; 
+        echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
+
+    - uses: actions/checkout@v4
+
+    - name: Login to docker container registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ vars.docker_repo2_registry }}
+        username: ${{ vars.docker_repo2_username }}
+        password: ${{ vars.docker_repo2_password }}
+
+    - name: Build the container image (quick, without PUBLIC_BUILD_VERSION)
+      # Commenting this from docker build for speed: --build-arg PUBLIC_BUILD_VERSION=$BUILD_ID \
+      run: |
+        docker build \
+          --file fab/d/actions-build.Dockerfile \
+          --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
+          .;
+
+    - name: Container details
+      run: |
+        IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
+        echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
+
+    - name: Scan container image for vulnerabilities with grype
+      uses: anchore/scan-action@v6
+      with:
+        image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
+        cache-db: true #Cache Grype DB in Github Actions
+        output-format: table
+        only-fixed: true
+        severity-cutoff: critical
+        fail-build: true
--- a/.github/workflows/pr-lint-and-check.yml
+++ b/.github/workflows/pr-lint-and-check.yml