1111# • Scans the image for CRITICAL/HIGH CVEs with Trivy
1212# • Uploads Hadolint, Dockle and Trivy results as SARIF files
1313# • Pushes the image to GitHub Container Registry (GHCR)
14- # • Signs + attests the image with Cosign **key-less (OIDC)**
14+ # • Signs & attests the image with Cosign **key-less (OIDC)**
1515#
1616# Triggers:
1717# • Every push / PR to `main`
2626 pull_request :
2727 branches : [ "main" ]
2828 schedule :
29- - cron : ' 17 18 * * 2' # every Tuesday @ 18:17 UTC
29+ - cron : ' 17 18 * * 2' # Tuesday @ 18:17 UTC
3030
3131# -----------------------------------------------------------------
3232# GitHub permission scopes for this job
3333# -----------------------------------------------------------------
3434permissions :
3535 contents : read
36- packages : write
37- security-events : write
38- actions : read
36+ packages : write # push to ghcr.io with built-in GITHUB_TOKEN
37+ security-events : write # upload SARIF to “Code-scanning alerts”
38+ actions : read # needed by upload-sarif in private repos
3939
4040jobs :
4141 build-scan-sign :
@@ -57,14 +57,13 @@ jobs:
5757 # -------------------------------------------------------------
5858 - name : 🔍 Dockerfile lint (Hadolint)
5959 id : hadolint
60- continue-on-error : true # capture result; fail later
60+ continue-on-error : true # still upload SARIF on failure
6161 run : |
62- set -e
6362 curl -sSL https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint
6463 chmod +x /usr/local/bin/hadolint
65- # Run lint; exit code >0 on rule violations
6664 hadolint -f sarif Containerfile.lite > hadolint-results.sarif
6765 echo "HADOLINT_EXIT=$?" >> "$GITHUB_ENV"
66+ exit 0 # ensure step reports success
6867
6968name : ☁️ Upload Hadolint SARIF
7069 if : always()
@@ -82,23 +81,24 @@ jobs:
8281 uses : actions/cache@v4
8382 with :
8483 path : ${{ env.CACHE_DIR }}
85- key : ${{ runner.os }}-buildx-${{ github.sha }}
86- restore-keys : |
87- ${{ runner.os }}-buildx-
84+ key : ${{ runner.os }}-buildx-${{ github.sha }}
85+ restore-keys : ${{ runner.os }}-buildx-
8886
8987 # -------------------------------------------------------------
9088 # 3️⃣ Build & tag image (timestamp + latest)
9189 # -------------------------------------------------------------
9290 - name : 🏗️ Build Docker image
9391 run : |
9492 TAG=$(date +%s)
93+ echo "TAG=$TAG" >> "$GITHUB_ENV" # reuse in push step
9594 docker buildx build \
9695 --file Containerfile.lite \
9796 --tag $IMAGE_NAME:$TAG \
9897 --tag $IMAGE_NAME:latest \
9998 --cache-from type=local,src=${{ env.CACHE_DIR }} \
10099 --cache-to type=local,dest=${{ env.CACHE_DIR }},mode=max \
101- --load
100+ --load \
101+ . # build context is mandatory
102102
103103# -------------------------------------------------------------
104104 # 4️⃣ Image lint (Dockle CLI → SARIF)
@@ -109,14 +109,14 @@ jobs:
109109 env :
110110 DOCKLE_VERSION : 0.4.15
111111 run : |
112- set -e
113112 curl -sSL "https://github.com/goodwithtech/dockle/releases/download/v${DOCKLE_VERSION}/dockle_${DOCKLE_VERSION}_Linux-64bit.tar.gz" \
114113 | tar -xz -C /usr/local/bin dockle
115114 dockle --exit-code 1 \
116- --format sarif \
117- --output dockle-results.sarif \
118- $IMAGE_NAME:latest || true
115+ --format sarif \
116+ --output dockle-results.sarif \
117+ $IMAGE_NAME:latest
119118 echo "DOCKLE_EXIT=$?" >> "$GITHUB_ENV"
119+ exit 0
120120
121121name : ☁️ Upload Dockle SARIF
122122 if : always()
@@ -138,23 +138,23 @@ jobs:
138138 # -------------------------------------------------------------
139139 - name : 🛡️ Trivy vulnerability scan
140140 id : trivy
141- continue-on-error : true # let the job continue even if Trivy exits 1
141+ continue-on-error : true # allow SARIF upload
142142 uses : aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
143143 with :
144144 image-ref : ${{ env.IMAGE_NAME }}:latest
145- format : sarif # Trivy can emit SARIF directly
145+ format : sarif
146146 output : trivy-results.sarif
147147 severity : CRITICAL,HIGH
148- exit-code : 1 # non-zero when CRITICAL/HIGH vulns found
149-
148+ exit-code : 1 # non-zero on vulns
149+
150150 - name : ☁️ Upload Trivy SARIF
151151 if : always()
152152 uses : github/codeql-action/upload-sarif@v3
153153 with :
154154 sarif_file : trivy-results.sarif
155155
156156 # -------------------------------------------------------------
157- # 7️⃣ Push both tags to GHCR (using built-in GITHUB_TOKEN)
157+ # 7️⃣ Push both tags to GHCR (built-in GITHUB_TOKEN)
158158 # -------------------------------------------------------------
159159 - name : 🔑 Log in to GHCR
160160 uses : docker/login-action@v3
@@ -165,8 +165,7 @@ jobs:
165165
166166 - name : 🚀 Push image to GHCR
167167 run : |
168- TIMESTAMP_TAG=$(docker images --format '{{.Tag}}' $IMAGE_NAME | grep -v latest)
169- docker push $IMAGE_NAME:$TIMESTAMP_TAG
168+ docker push $IMAGE_NAME:${{ env.TAG }}
170169 docker push $IMAGE_NAME:latest
171170
172171# -------------------------------------------------------------
@@ -177,17 +176,21 @@ jobs:
177176
178177 - name : 🔏 Sign & attest image
179178 env :
180- COSIGN_EXPERIMENTAL : " 1" # enable key-less OIDC flow
179+ COSIGN_EXPERIMENTAL : " 1" # enable OIDC flow
181180 run : |
182181 cosign sign --yes $IMAGE_NAME:latest
183182 cosign attest --yes --predicate sbom.spdx.json $IMAGE_NAME:latest
184183
185184# -------------------------------------------------------------
186- # 9️⃣ Fail job if any linter exit codes captured non-zero
185+ # 9️⃣ Single gate – fail job on any scanner error
187186 # -------------------------------------------------------------
188- - name : ⛔ Enforce lint gates
189- if : ${{ env.HADOLINT_EXIT != '0' || env.DOCKLE_EXIT != '0' }}
187+ - name : ⛔ Enforce lint & vuln gates
188+ if : |
189+ env.HADOLINT_EXIT != '0' ||
190+ env.DOCKLE_EXIT != '0' ||
191+ steps.trivy.outcome == 'failure'
190192run : |
191193 echo "Hadolint exit: $HADOLINT_EXIT"
192194 echo "Dockle exit: $DOCKLE_EXIT"
195+ echo "Trivy status: ${{ steps.trivy.outcome }}"
193196 exit 1
0 commit comments