From 6415b9748210a7a0b31a5225726e27c353465e69 Mon Sep 17 00:00:00 2001 From: Kieran Smith Date: Fri, 17 Oct 2025 16:48:32 +0100 Subject: [PATCH 1/9] feat: Use the prebuilt image in the workflow --- action.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/action.yml b/action.yml index e3414af..2bca4da 100644 --- a/action.yml +++ b/action.yml @@ -104,20 +104,12 @@ inputs: cloud_provider: description: "list of cloud providers to scan (alicloud, aws, azure, gcp)" required: false - dockerhub_registry: - description: "The Docker registry for the KICS base image. Overridden for private registries." - required: false - default: "docker.io" branding: icon: "shield" color: "green" runs: using: "composite" steps: - - name: Build KICS Action Image - shell: bash - run: docker build --build-arg DOCKERHUB_REGISTRY="${{ inputs.dockerhub_registry }}" -t kics-action:latest "${{ github.action_path }}" - - name: Run KICS Scan shell: bash run: | @@ -177,4 +169,4 @@ runs: -e INPUT_INCLUDE_QUERIES="${{ inputs.include_queries }}" \ -e INPUT_BOM="${{ inputs.bom }}" \ -e INPUT_CLOUD_PROVIDER="${{ inputs.cloud_provider }}" \ - kics-action:latest \ No newline at end of file + ghcr.io/itv/kics-github-action:latest \ No newline at end of file From e299bb398f3a83353e0b55baa7e08a2ddbe73850 Mon Sep 17 00:00:00 2001 From: Kieran Smith Date: Fri, 17 Oct 2025 16:54:07 +0100 Subject: [PATCH 2/9] feat: Support ECR image --- action.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 2bca4da..f76ccc5 100644 --- a/action.yml +++ b/action.yml @@ -104,6 +104,10 @@ inputs: cloud_provider: description: "list of cloud providers to scan (alicloud, aws, azure, gcp)" required: false + use-ecr-registry: + description: "Whether to use AWS ECR as the container registry" + required: false + default: "false" branding: icon: "shield" color: "green" 
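Review bot: The new `ghcr.io/itv/kics-github-action:latest` reference is a mutable tag pulled with no digest, so a consumer who pins this action to a commit no longer pins the code that actually runs; the removed `docker build` from `${{ github.action_path }}` did tie the image to the action's own checked-out revision. Anyone able to move that tag changes every consumer's scan in place, with nothing in the action or its logs recording which build ran. Pin the reference by digest, `ghcr.io/itv/kics-github-action@sha256:<IMAGE_DIGEST>`, and bump it deliberately in this file, or expose the image reference as an input with a digest-pinned default. The same applies to the ECR reference added in patch 2 and the `develop` tag introduced in patch 4. The `run: |` block this line ends lies otherwise outside the hunk.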
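Review bot: The new input `use-ecr-registry` is kebab-case while every other input visible in this file is snake_case (`cloud_provider`, and the `INPUT_INCLUDE_QUERIES`/`INPUT_BOM` mappings imply `include_queries`, `bom`), and renaming it later would be a breaking change for callers. Consider `use_ecr_registry` before this ships. The description says only "Whether to use AWS ECR"; a sentence naming which image is pulled and that the runner must already be authenticated to that registry would tell callers what enabling it requires.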
@@ -113,6 +117,12 @@ runs: - name: Run KICS Scan shell: bash run: | + if [[ "${{ inputs.use-ecr-registry }}" == "true" ]]; then + IMAGE="655028521085.dkr.ecr.eu-west-1.amazonaws.com/cp-gha-kics:0.0.1" + else + IMAGE="ghcr.io/itv/kics-github-action:latest" + fi + docker run --name kics-scan \ -v "${{ github.workspace }}":"${{ github.workspace }}" \ -w "${{ github.workspace }}" \ @@ -169,4 +179,4 @@ runs: -e INPUT_INCLUDE_QUERIES="${{ inputs.include_queries }}" \ -e INPUT_BOM="${{ inputs.bom }}" \ -e INPUT_CLOUD_PROVIDER="${{ inputs.cloud_provider }}" \ - ghcr.io/itv/kics-github-action:latest \ No newline at end of file + $IMAGE \ No newline at end of file From 030f550beb8938d5ab486d59c22e2f6628bc481e Mon Sep 17 00:00:00 2001 From: Kieran Smith Date: Fri, 17 Oct 2025 16:57:34 +0100 Subject: [PATCH 3/9] feat: Quiet docker run --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index f76ccc5..4c053c8 100644 --- a/action.yml +++ b/action.yml @@ -123,7 +123,7 @@ runs: IMAGE="ghcr.io/itv/kics-github-action:latest" fi - docker run --name kics-scan \ + docker run --quiet --name kics-scan \ -v "${{ github.workspace }}":"${{ github.workspace }}" \ -w "${{ github.workspace }}" \ -e GITHUB_ACTION \ From 1b5ad2e0eb96229cbbcc461da15cde218b0afd95 Mon Sep 17 00:00:00 2001 From: Kieran Smith Date: Fri, 17 Oct 2025 22:40:17 +0100 Subject: [PATCH 4/9] feat: Try to include NPM CI step in docker image --- .github/workflows/build-docker-image.yaml | 35 +++++++++++++++++++++-- Dockerfile | 16 ++++++++++- action.yml | 2 +- entrypoint.sh | 5 +--- 4 files changed, 50 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build-docker-image.yaml b/.github/workflows/build-docker-image.yaml index 47b9fdd..412bea3 100644 --- a/.github/workflows/build-docker-image.yaml +++ b/.github/workflows/build-docker-image.yaml 
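Review bot: The ECR branch hard-codes an account id and region (`655028521085.dkr.ecr.eu-west-1.amazonaws.com`) into the action and pulls a private image without performing any registry login, so it only works for callers who have already authenticated the runner to that exact registry, and nothing in the input documentation says so. Making the image reference itself an input (e.g. `image:` defaulting to the GHCR reference) would remove the hard-coded account and let callers supply a digest-pinned reference. Both branches assign mutable tags with no digest, so neither can be audited back to a specific build. The `$IMAGE` expansion here and as the final `docker run` argument in the following hunk should be quoted, `"$IMAGE"`, matching the quoting used for the other arguments. Passing `inputs.use-ecr-registry` through `env:` and testing `"$USE_ECR_REGISTRY"` instead of interpolating `${{ }}` into the script would follow GitHub's guidance on expression injection, though the existing step already interpolates its inputs the same way.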
@@ -2,7 +2,17 @@ name: Build Docker Image on: push: - branches: [master] + branches: + - master + - main + - 'feature/**' + - 'bugfix/**' + - 'hotfix/**' + - develop + pull_request: + branches: + - master + - main jobs: build: @@ -14,6 +24,21 @@ jobs: steps: - uses: actions/checkout@v5 + - name: Extract metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/itv/kics-github-action + tags: | + # set latest tag for default branch + type=raw,value=latest,enable={{is_default_branch}} + # use branch name for branch builds + type=ref,event=branch + # use pr number for pull requests + type=ref,event=pr + # use short sha for any push + type=sha,prefix={{branch}}- + - name: Login to GHCR uses: docker/login-action@v3 with: @@ -26,4 +51,10 @@ jobs: with: context: . push: true - tags: ghcr.io/itv/kics-github-action:latest + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + - name: Output image details + run: | + echo "Built and pushed the following tags:" + echo "${{ steps.meta.outputs.tags }}" diff --git a/Dockerfile b/Dockerfile index cb79811..2b99414 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,12 +3,26 @@ FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.13 as kics-env FROM cgr.dev/chainguard/wolfi-base:latest +# Install Node.js and npm +RUN apk add --update nodejs npm + COPY --from=kics-env /app /app COPY ./entrypoint.sh /entrypoint.sh RUN chmod +x /entrypoint.sh -COPY ./ /app +# Copy package files first for better Docker layer caching +COPY package*.json /app/ + +# Set working directory and install dependencies +WORKDIR /app +RUN npm ci + +# Copy rest of the application files +COPY ./ /app/ + +# Build the application +RUN npm run build --if-present ENTRYPOINT ["/entrypoint.sh"] \ No newline at end of file diff --git a/action.yml b/action.yml index 4c053c8..97497ca 100644 --- a/action.yml +++ b/action.yml 
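Review bot: Adding a `pull_request` trigger to a workflow whose build step has `push: true` (third hunk of this file) publishes images built from unreviewed PR code to the same GHCR repository consumers pull from, tagged via `type=ref,event=pr`. For PRs from forks the default `GITHUB_TOKEN` is read-only for packages, so the login or push would presumably fail rather than publish; confirm which credential the login step uses, since that is outside this hunk. Gate publishing on the event, `push: ${{ github.event_name != 'pull_request' }}`, so PR runs still build and validate the Dockerfile without pushing. The `build:` job this hunk ends on continues outside it.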
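Review bot: `docker/metadata-action@v5` is referenced by a floating major tag, as are the surrounding `actions/checkout@v5` and `docker/login-action@v3`; a moved tag silently changes the code that computes the image tags and labels for every build, in a workflow that holds registry write credentials. Pin third-party actions to a full commit SHA with the version as a trailing comment, `uses: docker/metadata-action@<FULL_COMMIT_SHA> # v5`, and let Dependabot or Renovate bump the pins. The `with:` block of the login step is cut off by the hunk boundary.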
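Review bot: `COPY ./ /app/` after `RUN npm ci` copies the whole build context into the image, so a `node_modules` directory, `.git`, or workflow files present on the build host land in the runtime image, and a host `node_modules` would overwrite the lockfile-clean install; unless a `.dockerignore` already excludes them (not visible here), add one with at least `node_modules`, `.git` and `.github`. `RUN apk add --update nodejs npm` installs whatever versions the Wolfi repository serves at build time on top of an already-floating `wolfi-base:latest`, so two builds of the same commit can differ; pin the packages, `apk add --no-cache nodejs=<NODE_VERSION> npm=<NPM_VERSION>`, and prefer `--no-cache` over `--update` so the package index is not baked into the layer. With the build moved into the image, `npm` and any `devDependencies` pulled in by `npm ci` now ship in the scanning image that runs against consumers' workspaces; a second stage copying only `dist/` and the result of `npm ci --omit=dev`, or an `npm prune --omit=dev` after the build, would shrink that surface.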
@@ -120,7 +120,7 @@ runs: if [[ "${{ inputs.use-ecr-registry }}" == "true" ]]; then IMAGE="655028521085.dkr.ecr.eu-west-1.amazonaws.com/cp-gha-kics:0.0.1" else - IMAGE="ghcr.io/itv/kics-github-action:latest" + IMAGE="ghcr.io/itv/kics-github-action:develop" fi docker run --quiet --name kics-scan \ diff --git a/entrypoint.sh b/entrypoint.sh index 7f606bd..0684aec 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -86,8 +86,5 @@ cp -r "${CP_PATH}" "/app/" cd /app -# install and run nodejs -apk add --update nodejs npm -npm ci -npm run build --if-present +# run nodejs application node dist/index.js From 2dda60aeea140b895b50a386acc2ca489d08a8b5 Mon Sep 17 00:00:00 2001 From: Kieran Smith Date: Sat, 18 Oct 2025 01:06:40 +0100 Subject: [PATCH 5/9] feat: Bump ECR image --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 97497ca..1a43fa2 100644 --- a/action.yml +++ b/action.yml @@ -118,7 +118,7 @@ runs: shell: bash run: | if [[ "${{ inputs.use-ecr-registry }}" == "true" ]]; then - IMAGE="655028521085.dkr.ecr.eu-west-1.amazonaws.com/cp-gha-kics:0.0.1" + IMAGE="655028521085.dkr.ecr.eu-west-1.amazonaws.com/cp-gha-kics:0.0.2" else IMAGE="ghcr.io/itv/kics-github-action:develop" fi From 9607116b3368fec4a007b9e99db21ed1a46dd49d Mon Sep 17 00:00:00 2001 From: Kieran Smith Date: Sat, 18 Oct 2025 12:37:30 +0100 Subject: [PATCH 6/9] Add echo to show which repo it is using --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 1a43fa2..fc92e41 100644 --- a/action.yml +++ b/action.yml @@ -122,7 +122,7 @@ runs: else IMAGE="ghcr.io/itv/kics-github-action:develop" fi - + echo "Using image: $IMAGE" docker run --quiet --name kics-scan \ -v "${{ github.workspace }}":"${{ github.workspace }}" \ -w "${{ github.workspace }}" \ From eafcd2eb808b0b014a244a08bb834390e9b726c7 Mon Sep 17 00:00:00 2001 
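Review bot: The default image now follows the `develop` branch tag, so every push to `develop`, a branch the build workflow in this same patch publishes from automatically, changes what released consumers run, and a consumer pinning this action to a tagged commit gets whatever was last merged to the development branch. If a moving default is intended for a pre-release period, state that in the input documentation and plan to replace it with a digest-pinned reference (`@sha256:<IMAGE_DIGEST>`) before tagging a release. The `run: |` block continues outside the hunk on both sides.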
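Review bot: With `npm ci` and `npm run build` moved into the image, the context line `cp -r "${CP_PATH}" "/app/"` still copies runtime-supplied content into the same directory that now holds the prebuilt `dist/` and `node_modules`; it is worth confirming that nothing under `${CP_PATH}` can shadow `dist/index.js` or a module, since the script no longer rebuilds afterwards. A comment such as `# dist/ is built in the Dockerfile; do not npm install/build here` would keep the next maintainer from reintroducing the package-manager step in the entrypoint. The script begins outside the hunk, so where `CP_PATH` comes from is not visible here.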
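Review bot: `echo "Using image: $IMAGE"` records the mutable tag that was requested, not the image that actually ran, so once the tag moves the log cannot show which build scanned the workspace. Logging the resolved digest, for example `docker image inspect --format '{{index .RepoDigests 0}}' "$IMAGE"` after the run (or after an explicit `docker pull` before it), gives an auditable record. The surrounding `run: |` block extends beyond the hunk.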
From: Kieran Smith Date: Sat, 18 Oct 2025 13:17:33 +0100 Subject: [PATCH 7/9] Add empty last line --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 2b99414..7023907 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,4 +25,4 @@ COPY ./ /app/ # Build the application RUN npm run build --if-present -ENTRYPOINT ["/entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["/entrypoint.sh"] From c039d82b488b9645fd5d27e5df4bbd9e02b638c5 Mon Sep 17 00:00:00 2001 From: Kieran Smith Date: Sat, 18 Oct 2025 13:17:49 +0100 Subject: [PATCH 8/9] Add empty last line --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index fc92e41..298bf2d 100644 --- a/action.yml +++ b/action.yml @@ -179,4 +179,4 @@ runs: -e INPUT_INCLUDE_QUERIES="${{ inputs.include_queries }}" \ -e INPUT_BOM="${{ inputs.bom }}" \ -e INPUT_CLOUD_PROVIDER="${{ inputs.cloud_provider }}" \ - $IMAGE \ No newline at end of file + $IMAGE From d0723a7339818613a66f61795272100497088272 Mon Sep 17 00:00:00 2001 From: Kieran Smith Date: Sat, 18 Oct 2025 13:22:42 +0100 Subject: [PATCH 9/9] Fix build workflow --- .github/workflows/build-docker-image.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-docker-image.yaml b/.github/workflows/build-docker-image.yaml index 412bea3..24b641f 100644 --- a/.github/workflows/build-docker-image.yaml +++ b/.github/workflows/build-docker-image.yaml @@ -32,12 +32,12 @@ jobs: tags: | # set latest tag for default branch type=raw,value=latest,enable={{is_default_branch}} - # use branch name for branch builds + # use branch name for branch builds (push events) type=ref,event=branch # use pr number for pull requests type=ref,event=pr - # use short sha for any push - type=sha,prefix={{branch}}- + # use short sha with safe prefix for all events + type=sha,prefix=sha- - name: Login to GHCR uses: docker/login-action@v3
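Review bot: `type=sha,prefix=sha-` emits the short commit SHA (7 hex characters by default), which is the one tag in this set meant to be immutable yet is not collision-resistant and cannot be resolved back to a full commit without the repository; `type=sha,format=long,prefix=sha-` publishes the full SHA instead. The comment lines inside the `tags: |` block rely on metadata-action ignoring `#`-prefixed lines in that input; confirm this holds for the version in use so a comment is never parsed as a tag expression. The `Login to GHCR` step this hunk ends on continues outside it.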