-
Notifications
You must be signed in to change notification settings - Fork 3
64 lines (56 loc) · 1.6 KB
/
scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
name: Scan
on:
workflow_call:
inputs:
name_and_version:
description: 'Name and version of tool to scan, e.g. foo:0.1.0'
type: string
required: true
secrets:
DOCKERHUB_USER:
description: 'Docker Hub username'
required: true
DOCKERHUB_TOKEN:
description: 'Docker Hub token'
required: true
workflow_dispatch:
inputs:
name_and_version:
description: 'Name and version of tool to scan, e.g. foo:0.1.0'
type: string
required: true
concurrency:
group: ${{ github.workflow }}-${{ inputs.name_and_version }}
cancel-in-progress: true
jobs:
scout:
name: Scout
permissions:
security-events: write
pull-requests: write
packages: read
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: uniget-bot
password: ${{ secrets.GITHUB_TOKEN }}
- name: Analyze for critical and high CVEs
id: docker-scout-cves
uses: docker/scout-action@v0.23.4
with:
command: cves
image: ghcr.io/${{ github.repository }}/${{ inputs.name_and_version }}
dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }}
sarif-file: sarif.output.json
summary: true
- name: Upload SARIF result
id: upload-sarif
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: sarif.output.json