Unified orchestrator for container image security and compliance scanning. Supports multiple scanning tools including FOSSA and Prisma Cloud.
This action provides a single interface to run container image scans using various security tools. It:
- Orchestrates multiple container scanners
- Provides a consistent parameter interface
- Allows flexible scanner selection
- Supports scanner-specific configuration
| Scanner | Purpose | Documentation |
|---|---|---|
| `fossa` | License compliance and vulnerability detection | fossa-scan README |
| `prisma` | Container security scanning with Prisma Cloud | prisma-scan README |
```yaml
- name: Scan Container Image
  uses: SolaceDev/solace-public-workflows/container/container-scan@main
  with:
    scanners: "fossa"
    additional_scan_params: |
      fossa.image=ghcr.io/solacedev/my-app:v1.0.0
    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
```

```yaml
- name: Scan Container Image
  uses: SolaceDev/solace-public-workflows/container/container-scan@main
  with:
    scanners: "fossa,prisma"
    additional_scan_params: |
      fossa.image=ghcr.io/solacedev/my-app:v1.0.0
      fossa.project=MyOrg_my-app
      prisma.image_registry=ghcr.io
      prisma.image_repo=solacedev/my-app
      prisma.image_tag=v1.0.0
    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
    prisma_console_url: ${{ secrets.PRISMA_CONSOLE_URL }}
    prisma_user: ${{ secrets.PRISMA_USER }}
    prisma_pass: ${{ secrets.PRISMA_PASS }}
```

```yaml
name: Container Scan
on:
  push:
    branches: [main]
  pull_request:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Container Image
        run: |
          docker build -t ghcr.io/solacedev/my-app:${{ github.sha }} .
          docker push ghcr.io/solacedev/my-app:${{ github.sha }}
      - name: Scan Container
        uses: SolaceDev/solace-public-workflows/container/container-scan@main
        with:
          scanners: "fossa"
          additional_scan_params: |
            fossa.image=ghcr.io/solacedev/my-app:${{ github.sha }}
            fossa.project=MyOrg_my-app
            fossa.branch=${{ github.ref_name }}
            fossa.revision=${{ github.sha }}
          fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
```

The required inputs depend on which scanners you're using. See the individual scanner documentation for details.
| Input | Description | Default | Required |
|---|---|---|---|
| `scanners` | Comma-separated list of scanners | `"fossa"` | No |
| `additional_scan_params` | Scanner-specific parameters (see below) | `""` | No |

| Input | Description | Required |
|---|---|---|
| `fossa_api_key` | FOSSA API key | Yes (if using fossa) |

| Input | Description | Required |
|---|---|---|
| `prisma_console_url` | Prisma Cloud Console URL | Yes (if using prisma) |
| `prisma_user` | Prisma Cloud Access Key | Yes (if using prisma) |
| `prisma_pass` | Prisma Cloud Secret Key | Yes (if using prisma) |
The `additional_scan_params` input uses a flexible key-value format:

```yaml
additional_scan_params: |
  scanner.parameter=value
  scanner.another_param=value
```

Parameters are automatically converted to environment variables:

```text
fossa.image=ghcr.io/repo:tag  →  CONTAINER_FOSSA_IMAGE=ghcr.io/repo:tag
prisma.image_registry=ghcr.io →  CONTAINER_PRISMA_IMAGE_REGISTRY=ghcr.io
```
| Parameter | Description | Example |
|---|---|---|
| `fossa.image` | Container image to scan (REQUIRED) | `ghcr.io/solacedev/my-app:v1.0.0` |
| `fossa.project` | Project name override | `MyOrg_my-app` |
| `fossa.branch` | Branch name | `main` |
| `fossa.revision` | Git commit SHA | `abc123` |
| `fossa.skip_test` | Skip policy test | `true` |
| `fossa.debug` | Enable debug logging | `true` |
See fossa-scan README for complete parameter list.
| Parameter | Description | Example |
|---|---|---|
| `prisma.image_registry` | Container registry | `ghcr.io` |
| `prisma.image_repo` | Repository name | `solacedev/my-app` |
| `prisma.image_tag` | Image tag | `v1.0.0` |
See prisma-scan README for complete parameter list.
```yaml
- uses: SolaceDev/solace-public-workflows/container/container-scan@main
  with:
    scanners: "fossa"
    additional_scan_params: |
      fossa.image=solace/pubsubplus:latest
    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
```

```yaml
- uses: SolaceDev/solace-public-workflows/container/container-scan@main
  with:
    scanners: "fossa"
    additional_scan_params: |
      fossa.image=ghcr.io/solacedev/my-app:v1.0.0
      fossa.project=MyOrg_my-app-container
      fossa.team=Platform Team
    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
```

```yaml
- name: Login to ECR
  uses: aws-actions/amazon-ecr-login@v2
- uses: SolaceDev/solace-public-workflows/container/container-scan@main
  with:
    scanners: "fossa"
    additional_scan_params: |
      fossa.image=123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0
    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
```

```yaml
- uses: SolaceDev/solace-public-workflows/container/container-scan@main
  with:
    scanners: "fossa"
    additional_scan_params: |
      fossa.image=ghcr.io/solacedev/my-app:v1.0.0
      fossa.debug=true
    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
```

```yaml
- uses: SolaceDev/solace-public-workflows/container/container-scan@main
  with:
    scanners: "fossa"
    additional_scan_params: |
      fossa.image=ghcr.io/solacedev/my-app:v1.0.0
      fossa.skip_test=true
    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
```

Most container registries require authentication. Ensure you authenticate before scanning:

```yaml
- uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}
```

```yaml
- uses: aws-actions/amazon-ecr-login@v2
```

```yaml
- uses: docker/login-action@v3
  with:
    username: ${{ secrets.DOCKERHUB_USERNAME }}
    password: ${{ secrets.DOCKERHUB_TOKEN }}
```

- Parameter Parsing: Converts `additional_scan_params` into environment variables with the `CONTAINER_*` prefix
- Scanner Execution: Runs the requested scanners conditionally, based on the `scanners` input
- Results: Each scanner reports its results independently
Input:

```yaml
additional_scan_params: |
  fossa.image=ghcr.io/solacedev/my-app:v1.0.0
  fossa.project=MyOrg_my-app
```

Conversion:

```text
CONTAINER_FOSSA_IMAGE=ghcr.io/solacedev/my-app:v1.0.0
CONTAINER_FOSSA_PROJECT=MyOrg_my-app
```

Usage by scanner:

- The fossa-scan action reads the `CONTAINER_FOSSA_*` variables
- It builds the CLI call: `fossa container analyze ghcr.io/solacedev/my-app:v1.0.0 --project MyOrg_my-app`
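The conversion above, plus the `key=value` format check that the Troubleshooting section calls out, as an added example written for this README rather than code from the action itself. The function names and the sample parameter block are constructed here; the output lines are in the form a step would append to `$GITHUB_ENV`.

```shell
#!/bin/sh
# Added example, not the action's own code: reference implementation of the
# additional_scan_params -> CONTAINER_* conversion described above, including
# the format check from the Troubleshooting section. POSIX sh only, so it
# runs unchanged in a composite action's `run:` step.
set -e
# Convert one "scanner.param=value" line to "CONTAINER_SCANNER_PARAM=value".
# Prints the assignment; returns 1 and prints nothing if the line does not
# match the documented format (lowercase key, no spaces around '=').
convert_param() {
  line=$1
  if ! printf '%s\n' "$line" | grep -Eq '^[a-z][a-z0-9]*\.[a-z][a-z0-9_]*=.*$'; then
    return 1
  fi
  key=${line%%=*}    # text before the first '=' (e.g. fossa.image)
  value=${line#*=}   # text after the first '='; may itself contain '='
  # Add the prefix, map '.' to '_' and upper-case scanner and parameter names.
  key=$(printf 'CONTAINER_%s' "$key" | tr '.a-z' '_A-Z')
  # printf keeps the value literal: no eval, so metacharacters in a value are
  # written out, never interpreted by the shell.
  printf '%s=%s\n' "$key" "$value"
}

# Convert a whole block. Blank lines are skipped; malformed lines are reported
# on stderr and make the function return 1, so a step can fail instead of
# silently dropping a parameter.
convert_params() {
  bad=0
  while IFS= read -r line; do
    case $line in
      *[![:space:]]*) ;;   # has content, process it
      *) continue ;;       # blank line
    esac
    if ! convert_param "$line"; then
      printf 'malformed parameter line: %s\n' "$line" >&2
      bad=$((bad + 1))
    fi
  done <<EOF
$1
EOF
  [ "$bad" -eq 0 ]
}

# Constructed sample input mirroring the README's example values.
SAMPLE_PARAMS='fossa.image=ghcr.io/solacedev/my-app:v1.0.0
fossa.project=MyOrg_my-app
prisma.image_registry=ghcr.io'
# Emit the assignments (in a real step, append them to "$GITHUB_ENV").
convert_params "$SAMPLE_PARAMS"
```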
```text
container-scan (orchestrator)
├── Parses additional_scan_params
├── Converts to CONTAINER_* env vars
├── Conditionally calls:
│   ├── fossa-scan (if 'fossa' in scanners)
│   └── prisma-scan (if 'prisma' in scanners)
```
Each scanner action:

- Reads the `CONTAINER_SCANNER_*` environment variables for its scanner (e.g. `CONTAINER_FOSSA_*`)
- Converts them to scanner-specific CLI arguments
- Executes the scanner
- Reports results
| Action | Purpose |
|---|---|
| container/fossa-scan | FOSSA container scanning (called by this action) |
| container/prisma-scan | Prisma Cloud scanning (called by this action) |
| .github/actions/sca/sca-scan | Source code dependency scanning |
Ensure each line follows the `key=value` format with no spaces around the `=`:

```yaml
# Good
fossa.image=ghcr.io/repo:tag
# Bad
fossa.image = ghcr.io/repo:tag
```

Authenticate to the registry before scanning (see Registry Authentication).

Check that the scanner name is spelled correctly in the `scanners` input:

```yaml
scanners: "fossa" # Correct
scanners: "FOSSA" # Wrong - case sensitive
```

Each scanner has required parameters. For FOSSA the image is required (the comment sits after the `|` indicator, since text inside the block scalar would become part of the value):

```yaml
additional_scan_params: | # fossa.image is REQUIRED
  fossa.image=ghcr.io/repo:tag
```

- Always specify the full image path including registry, repository, and tag
- Use dynamic tags in CI/CD (commit SHA, PR number) for traceability
- Authenticate to registries before scanning private images
- Use secrets for API keys and credentials
- Set project metadata (project, branch, revision) for better tracking in scanner dashboards
For issues or questions:
- FOSSA scanning: See FOSSA CLI documentation
- Prisma scanning: See Prisma Cloud documentation
- Action issues: Open an issue in the repository