55# This workflow:
66# • Builds and tags the container image (`latest` + timestamp)
77# • Re-uses a BuildKit layer cache for faster rebuilds
8- # • Lints the Dockerfile with Hadolint (CLI) → SARIF
9- # • Lints the finished image with Dockle (CLI) → SARIF
10- # • Generates an SPDX SBOM with Syft
11- # • Scans the image for CRITICAL/HIGH CVEs with Trivy
8+ # • Lints the Dockerfile with ** Hadolint** (CLI) → SARIF
9+ # • Lints the finished image with ** Dockle** (CLI) → SARIF
10+ # • Generates an SPDX SBOM with ** Syft**
11+ # • Scans the image for CRITICAL/HIGH CVEs with ** Trivy**
1212# • Uploads Hadolint, Dockle and Trivy results as SARIF files
13- # • Pushes the image to GitHub Container Registry (GHCR)
14- # • Signs & attests the image with Cosign ** key-less ( OIDC)**
13+ # • Pushes the image to ** GitHub Container Registry (GHCR)**
14+ # • Signs & attests the image with **Cosign ( key-less OIDC)**
1515#
1616# Triggers:
1717# • Every push / PR to `main`
2626 pull_request :
2727 branches : [ "main" ]
2828 schedule :
29- - cron : ' 17 18 * * 2' # Tuesday @ 18:17 UTC
29+ - cron : ' 17 18 * * 2' # Tuesday @ 18:17 UTC
3030
3131# -----------------------------------------------------------------
32- # GitHub permission scopes for this job
32+ # Minimal permissions – keep the principle of least privilege
3333# -----------------------------------------------------------------
3434permissions :
35- contents : read
36- packages : write # push to ghcr.io with built-in GITHUB_TOKEN
37- security-events : write # upload SARIF to “Code-scanning alerts ”
38- actions : read # needed by upload-sarif in private repos
35+ contents : read
36+ packages : write # push to ghcr.io via GITHUB_TOKEN
37+ security-events : write # upload SARIF to “Code scanning ”
38+ actions : read # needed by upload-sarif in private repos
3939
4040jobs :
4141 build-scan-sign :
4242 runs-on : ubuntu-latest
4343
4444 env :
45- IMAGE_NAME : ghcr.io/${{ github.repository }}
46- CACHE_DIR : /tmp/.buildx-cache # BuildKit layer cache dir
45+ CACHE_DIR : /tmp/.buildx-cache # BuildKit layer cache dir
4746
4847 steps :
4948 # -------------------------------------------------------------
@@ -52,19 +51,27 @@ jobs:
5251 - name : ⬇️ Checkout code
5352 uses : actions/checkout@v4
5453
54+ # -------------------------------------------------------------
55+ # 0️⃣.5️⃣ Derive lower-case IMAGE_NAME for Docker tag
56+ # -------------------------------------------------------------
57+ - name : 🏷️ Set IMAGE_NAME (lower-case repo path)
58+ run : |
59+ IMAGE="ghcr.io/$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')"
60+ echo "IMAGE_NAME=$IMAGE" >> "$GITHUB_ENV"
61+ echo "Will build & push: $IMAGE_NAME"
62+
5563# -------------------------------------------------------------
5664 # 1️⃣ Dockerfile lint (Hadolint CLI → SARIF)
5765 # -------------------------------------------------------------
58- - name : 🔍 Dockerfile lint (Hadolint)
66+ - name : 🔍 Dockerfile lint (Hadolint)
5967 id : hadolint
60- continue-on-error : true # still upload SARIF on failure
68+ continue-on-error : true
6169 run : |
6270 curl -sSL https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint
6371 chmod +x /usr/local/bin/hadolint
6472 hadolint -f sarif Containerfile.lite > hadolint-results.sarif
6573 echo "HADOLINT_EXIT=$?" >> "$GITHUB_ENV"
66- exit 0 # ensure step reports success
67-
74+ exit 0
6875name : ☁️ Upload Hadolint SARIF
6976 if : always()
7077 uses : github/codeql-action/upload-sarif@v3
@@ -90,34 +97,32 @@ jobs:
9097 - name : 🏗️ Build Docker image
9198 run : |
9299 TAG=$(date +%s)
93- echo "TAG=$TAG" >> "$GITHUB_ENV" # reuse in push step
100+ echo "TAG=$TAG" >> "$GITHUB_ENV"
94101 docker buildx build \
95102 --file Containerfile.lite \
96103 --tag $IMAGE_NAME:$TAG \
97104 --tag $IMAGE_NAME:latest \
98105 --cache-from type=local,src=${{ env.CACHE_DIR }} \
99106 --cache-to type=local,dest=${{ env.CACHE_DIR }},mode=max \
100107 --load \
101- . # build context is mandatory
108+ . # build context is mandatory
102109
103110# -------------------------------------------------------------
104111 # 4️⃣ Image lint (Dockle CLI → SARIF)
105112 # -------------------------------------------------------------
106- - name : 🔍 Image lint (Dockle)
113+ - name : 🔍 Image lint (Dockle)
107114 id : dockle
108115 continue-on-error : true
109116 env :
110117 DOCKLE_VERSION : 0.4.15
111118 run : |
112119 curl -sSL "https://github.com/goodwithtech/dockle/releases/download/v${DOCKLE_VERSION}/dockle_${DOCKLE_VERSION}_Linux-64bit.tar.gz" \
113120 | tar -xz -C /usr/local/bin dockle
114- dockle --exit-code 1 \
115- --format sarif \
121+ dockle --exit-code 1 --format sarif \
116122 --output dockle-results.sarif \
117123 $IMAGE_NAME:latest
118124 echo "DOCKLE_EXIT=$?" >> "$GITHUB_ENV"
119125 exit 0
120-
121126name : ☁️ Upload Dockle SARIF
122127 if : always()
123128 uses : github/codeql-action/upload-sarif@v3
@@ -127,64 +132,63 @@ jobs:
127132 # -------------------------------------------------------------
128133 # 5️⃣ Generate SPDX SBOM with Syft
129134 # -------------------------------------------------------------
130- - name : 📄 Generate SBOM (Syft)
135+ - name : 📄 Generate SBOM (Syft)
131136 uses : anchore/sbom-action@v0
132137 with :
133138 image : ${{ env.IMAGE_NAME }}:latest
134139 output-file : sbom.spdx.json
135140
136141 # -------------------------------------------------------------
137- # 6️⃣ Trivy CVE scan → SARIF (fails on CRITICAL/HIGH)
142+ # 6️⃣ Trivy CVE scan → SARIF
138143 # -------------------------------------------------------------
139144 - name : 🛡️ Trivy vulnerability scan
140145 id : trivy
141- continue-on-error : true # allow SARIF upload
146+ continue-on-error : true
142147 uses : aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
143148 with :
144149 image-ref : ${{ env.IMAGE_NAME }}:latest
145150 format : sarif
146151 output : trivy-results.sarif
147152 severity : CRITICAL,HIGH
148- exit-code : 1 # non-zero on vulns
149-
153+ exit-code : 1
150154 - name : ☁️ Upload Trivy SARIF
151155 if : always()
152156 uses : github/codeql-action/upload-sarif@v3
153157 with :
154158 sarif_file : trivy-results.sarif
155159
156160 # -------------------------------------------------------------
157- # 7️⃣ Push both tags to GHCR (built-in GITHUB_TOKEN)
161+ # 7️⃣ Push both tags to GHCR
158162 # -------------------------------------------------------------
159- - name : 🔑 Log in to GHCR
163+ - name : 🔑 Log in to GHCR
160164 uses : docker/login-action@v3
161165 with :
162166 registry : ghcr.io
163167 username : ${{ github.actor }}
164168 password : ${{ secrets.GITHUB_TOKEN }}
165169
166- - name : 🚀 Push image to GHCR
170+ - name : 🚀 Push image to GHCR
167171 run : |
168172 docker push $IMAGE_NAME:${{ env.TAG }}
169173 docker push $IMAGE_NAME:latest
170174
171175# -------------------------------------------------------------
172- # 8️⃣ Key-less Cosign sign (OIDC) + provenance
176+ # 8️⃣ Key-less Cosign sign + attest
173177 # -------------------------------------------------------------
174178 - name : 📥 Install Cosign
175179 uses : sigstore/cosign-installer@v3
176180
177- - name : 🔏 Sign & attest image
181+ - name : 🔏 Sign & attest image
178182 env :
179- COSIGN_EXPERIMENTAL : " 1" # enable OIDC flow
183+ COSIGN_EXPERIMENTAL : " 1" # enable OIDC flow
180184 run : |
181185 cosign sign --yes $IMAGE_NAME:latest
182186 cosign attest --yes --predicate sbom.spdx.json $IMAGE_NAME:latest
183187
184188# -------------------------------------------------------------
185189 # 9️⃣ Single gate – fail job on any scanner error
186190 # -------------------------------------------------------------
187- - name : ⛔ Enforce lint & vuln gates
191+ - name : ⛔ Enforce lint & vuln gates
188192 if : |
189193 env.HADOLINT_EXIT != '0' ||
190194 env.DOCKLE_EXIT != '0' ||
0 commit comments