
Commit 697417a

authored
Merge pull request #49 from Finoptimize/docker-pulls
Fix: Only scan containers if images exist, use lowercase repo names
2 parents 151ab7c + 121576b commit 697417a

1 file changed

+14
-5
lines changed

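--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -98,33 +98,42 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Pull latest image
+        id: pull-image
         run: |
-          docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.component }}-latest || echo "Image not found, skipping scan"
+          IMAGE_NAME_LOWER=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')
+          if docker pull ${{ env.REGISTRY }}/${IMAGE_NAME_LOWER}:${{ matrix.component }}-latest; then
+            echo "image_exists=true" >> $GITHUB_OUTPUT
+            echo "image_ref=${{ env.REGISTRY }}/${IMAGE_NAME_LOWER}:${{ matrix.component }}-latest" >> $GITHUB_OUTPUT
+          else
+            echo "image_exists=false" >> $GITHUB_OUTPUT
+            echo "Image not found, skipping scan for ${{ matrix.component }}"
+          fi
         continue-on-error: true
 
       - name: Run Trivy container scan
+        if: steps.pull-image.outputs.image_exists == 'true'
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.component }}-latest
+          image-ref: ${{ steps.pull-image.outputs.image_ref }}
           format: 'sarif'
           output: 'trivy-${{ matrix.component }}.sarif'
           severity: 'CRITICAL,HIGH,MEDIUM'
           exit-code: '0'
         continue-on-error: true
 
       - name: Upload container scan results
+        if: steps.pull-image.outputs.image_exists == 'true' && (success() || failure())
         uses: github/codeql-action/upload-sarif@v3
-        if: always()
         with:
           sarif_file: 'trivy-${{ matrix.component }}.sarif'
           category: 'container-${{ matrix.component }}'
         continue-on-error: true
 
       - name: Run Grype vulnerability scanner
+        if: steps.pull-image.outputs.image_exists == 'true'
         uses: anchore/scan-action@v3
-        if: always()
         with:
-          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.component }}-latest
+          image: ${{ steps.pull-image.outputs.image_ref }}
           fail-build: false
           severity-cutoff: high
         continue-on-error: true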
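Review bot: The `continue-on-error: true` left on the "Pull latest image" step (new line 111) now hides every failure except the one the commit handles: the new if/else already covers a missing image, so any other error in that script (the `tr` pipeline, a failed write to `$GITHUB_OUTPUT`, or an auth/network failure on `docker pull`, which the else branch also reports as "Image not found") leaves `image_exists` unset or `false`, and both the Trivy and Grype steps are silently skipped while the job stays green. Now that the absent-image case is explicit, drop `continue-on-error: true` from this step so unexpected failures surface instead of quietly disabling the scans. Separately, the new `run:` script expands `${{ env.IMAGE_NAME }}` and `${{ env.REGISTRY }}` straight into shell text; assuming these come from an `env:` block they are already exported to the shell, and the conventional form that keeps expression interpolation out of the script is `IMAGE_NAME_LOWER=$(echo "$IMAGE_NAME" | tr '[:upper:]' '[:lower:]')` and `if docker pull "$REGISTRY/${IMAGE_NAME_LOWER}:${{ matrix.component }}-latest"; then`, with the same change on the `image_ref=` line. The enclosing job and its `steps:` list begin above the hunk.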
