diff --git a/.github/workflows/build-docker-image.yaml b/.github/workflows/build-docker-image.yaml
index 47b9fdd..24b641f 100644
--- a/.github/workflows/build-docker-image.yaml
+++ b/.github/workflows/build-docker-image.yaml
@@ -2,7 +2,17 @@ name: Build Docker Image
 on:
 push:
- branches: [master]
+ branches:
+ - master
+ - main
+ - 'feature/**'
+ - 'bugfix/**'
+ - 'hotfix/**'
+ - develop
+ pull_request:
+ branches:
+ - master
+ - main
 jobs:
 build:
@@ -14,6 +24,21 @@ jobs:
 steps:
 - uses: actions/checkout@v5
+ - name: Extract metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ghcr.io/itv/kics-github-action
+ tags: |
+ # set latest tag for default branch
+ type=raw,value=latest,enable={{is_default_branch}}
+ # use branch name for branch builds (push events)
+ type=ref,event=branch
+ # use pr number for pull requests
+ type=ref,event=pr
+ # use short sha with safe prefix for all events
+ type=sha,prefix=sha-
+
 - name: Login to GHCR
 uses: docker/login-action@v3
 with:
@@ -26,4 +51,10 @@ jobs:
 with:
 context: .
 push: true
- tags: ghcr.io/itv/kics-github-action:latest
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Output image details
+ run: |
+ echo "Built and pushed the following tags:"
+ echo "${{ steps.meta.outputs.tags }}"
diff --git a/Dockerfile b/Dockerfile
index 8767e75..7023907 100644
--- a/Dockerfile
+++ b/Dockerfile
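Review bot: Adding `pull_request` as a trigger while the build step in the third hunk keeps `push: true` means pull-request runs publish images to ghcr.io instead of only verifying that the image builds; if the login step uses the default `GITHUB_TOKEN`, fork PRs lack `packages: write` and the push fails, and same-repo PRs publish unreviewed code under the org image. Gate the push on the event in the build step, `push: ${{ github.event_name != 'pull_request' }}`, so PR runs only build. The same consideration applies to the new `feature/**`, `bugfix/**` and `hotfix/**` push triggers, each of which now publishes a mutable branch tag on every push. Generic YAML 1.1 parsers read the `on:` key as a boolean; GitHub's loader handles it, but a yamllint `truthy` exception is needed if this file is linted.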
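Review bot: Every tag this `tags:` list produces except `sha-…` is mutable (`latest`, the branch name, `pr-N`), and the `action.yml` change in this same commit points consumers at `:develop`, so there is still no immutable reference a consumer can pin to; add a release-driven entry such as `type=semver,pattern={{version}}` (or publish and record the digest) before the image is referenced from outside this workflow. `prefix=sha-` on the last entry restates metadata-action's default prefix for `type=sha` and can be dropped. The `# …` lines inside `tags: |` are passed to the action as part of the input text; metadata-action's README uses comment lines in this input, but confirm in the run log that none of them surfaces as a tag.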
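Review bot: `echo "${{ steps.meta.outputs.tags }}"` in the new `Output image details` step expands the expression into the shell script before it runs; the values here are metadata-action-sanitized branch names, PR numbers and SHAs, so injection is unlikely, but it is the idiom GitHub documents as script injection and it breaks as soon as a tag value contains a double quote. Pass the value through the environment instead: `env:` with `TAGS: ${{ steps.meta.outputs.tags }}` on the step, then `echo "$TAGS"` in `run:`. The unconditional `push: true` on `pull_request` events is raised on the first hunk of this file.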
@@ -3,12 +3,26 @@ FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.13 as kics-env
 FROM cgr.dev/chainguard/wolfi-base:latest
+# Install Node.js and npm
+RUN apk add --update nodejs npm
+
 COPY --from=kics-env /app /app
 COPY ./entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
-COPY ./ /app
+# Copy package files first for better Docker layer caching
+COPY package*.json /app/
+
+# Set working directory and install dependencies
+WORKDIR /app
+RUN npm ci
+
+# Copy rest of the application files
+COPY ./ /app/
+
+# Build the application
+RUN npm run build --if-present
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/action.yml b/action.yml
index e3414af..298bf2d 100644
--- a/action.yml
+++ b/action.yml
@@ -104,24 +104,26 @@ inputs:
 cloud_provider:
 description: "list of cloud providers to scan (alicloud, aws, azure, gcp)"
 required: false
- dockerhub_registry:
- description: "The Docker registry for the KICS base image. Overridden for private registries."
 required: false
- default: "docker.io"
+ use-ecr-registry:
+ description: "Whether to use AWS ECR as the container registry"
 required: false
+ default: "false"
 branding:
 icon: "shield"
 color: "green"
 runs:
 using: "composite"
 steps:
- - name: Build KICS Action Image
- shell: bash
- run: docker build --build-arg DOCKERHUB_REGISTRY="${{ inputs.dockerhub_registry }}" -t kics-action:latest "${{ github.action_path }}"
 - name: Run KICS Scan
 shell: bash
 run: |
- docker run --name kics-scan \
+ if [[ "${{ inputs.use-ecr-registry }}" == "true" ]]; then
+ IMAGE="655028521085.dkr.ecr.eu-west-1.amazonaws.com/cp-gha-kics:0.0.2"
+ else
+ IMAGE="ghcr.io/itv/kics-github-action:develop"
+ fi
+ echo "Using image: $IMAGE"
+ docker run --quiet --name kics-scan \
 -v "${{ github.workspace }}":"${{ github.workspace }}" \
 -w "${{ github.workspace }}" \
 -e GITHUB_ACTION \
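Review bot: `RUN apk add --update nodejs npm` installs whatever Node.js version the Wolfi repository serves at build time, on top of an already floating `wolfi-base:latest`, so the published image is not reproducible and a runtime upgrade lands silently in the scanner; pin the packages, `RUN apk add --no-cache nodejs=<pinned-version> npm=<pinned-version>`, where `--no-cache` also keeps the apk index out of the layer. `COPY ./ /app/` after `RUN npm ci` overwrites `/app/node_modules` with whatever the build context contains, so the build depends on a `.dockerignore` excluding `node_modules` (and `dist/` if it is built here); the page does not show whether one exists. The image still has no `USER` and runs the scan as root; that predates this change, but the image is now published from every branch, so it is worth addressing alongside this rework.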
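Review bot: The default image `ghcr.io/itv/kics-github-action:develop` is a mutable branch tag that the workflow in this commit rewrites on every push to `develop`, with no pull-request gate for that branch, so every consumer of this action executes whatever was last pushed there; pin to an immutable reference, `IMAGE="ghcr.io/itv/kics-github-action@sha256:<digest>"` or a release tag, and bump it deliberately (the ECR image is at least tag-pinned to `0.0.2`, though a digest would be stronger). `"${{ inputs.use-ecr-registry }}"` is expanded into the script text before bash runs; it comes from the calling workflow, but an `env:` entry such as `USE_ECR: ${{ inputs.use-ecr-registry }}` with `[[ "$USE_ECR" == "true" ]]` is the safer idiom. Nothing in the hunk authenticates to ECR before `docker run`, so the `use-ecr-registry` description should state that the caller must have logged in to that registry first, unless a login step exists outside the hunk. The new input is kebab-case while the surviving inputs (`cloud_provider`, `include_queries`, `bom`) are snake_case, and dropping `dockerhub_registry` is a breaking change for callers that set it, which the action's changelog should record. The `run: |` block continues past the end of this hunk.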
@@ -177,4 +179,4 @@ runs:
 -e INPUT_INCLUDE_QUERIES="${{ inputs.include_queries }}" \
 -e INPUT_BOM="${{ inputs.bom }}" \
 -e INPUT_CLOUD_PROVIDER="${{ inputs.cloud_provider }}" \
- kics-action:latest
\ No newline at end of file
+ $IMAGE
diff --git a/entrypoint.sh b/entrypoint.sh
index 7f606bd..0684aec 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -86,8 +86,5 @@ cp -r "${CP_PATH}" "/app/"
 cd /app
-# install and run nodejs
-apk add --update nodejs npm
-npm ci
-npm run build --if-present
+# run nodejs application
 node dist/index.js
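Review bot: `$IMAGE` on the new last line of the `docker run` command is unquoted; both values assigned to it earlier in the step are literal strings without whitespace or glob characters, so it works today, but `"$IMAGE"` costs nothing and matches the quoting of every other argument in the command. The assignment and the rest of the command are outside this hunk.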
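Review bot: `node dist/index.js` now assumes the image build produced `dist/`; the Dockerfile in this commit runs `npm run build --if-present`, so a package without a `build` script, or one whose output is not in the build context, fails only here at scan time with a bare module-not-found error. Guard it, `[ -f dist/index.js ] || { echo "dist/index.js missing: image build incomplete" >&2; exit 1; }`, and if this is the script's last command use `exec node dist/index.js` so the Node process replaces the shell and receives container signals directly. Removing the runtime `apk add`/`npm ci` also means the scan container no longer needs network access to package registries, which is worth stating in the action's documentation.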