1717 required : true
1818 security-scan :
1919 description : ' Enable Security Scan'
20- default : ' true'
20+ default : true
21+ type : boolean
22+ hadolint :
23+ description : ' Enable Hadolint'
24+ default : true
2125 type : boolean
2226 push :
2327 description : ' Push Docker Image to Registry'
24- default : ' false'
28+ default : false
2529 type : boolean
2630 secrets :
2731 dockerhub-username :
28- required : true
32+ required : false
2933 dockerhub-pat :
30- required : true
34+ required : false
3135
3236jobs :
3337 build :
4246 - name : Set up QEMU
4347 uses : docker/setup-qemu-action@v3
4448
49+ - name : Login to Docker Hub
50+ if : ${{ inputs.push }}
51+ uses : docker/login-action@v3
52+ with :
53+ username : ${{ secrets.dockerhub-username }}
54+ password : ${{ secrets.dockerhub-pat }}
55+
56+ - name : Run Hadolint Dockerfile linter
57+ if : ${{ inputs.hadolint }}
58+ 59+ with :
60+ dockerfile : ${{ inputs.dockerfile }}
61+ output-file : hadolint.txt
62+
4563 - name : Build Docker Image
64+ if : ${{ inputs.push }}
4665 uses : docker/build-push-action@v6
4766 with :
4867 context : .
@@ -51,30 +70,72 @@ jobs:
5170 push : ${{ inputs.push }}
5271 tags : ${{ inputs.image-name }}:${{ inputs.image-tag }}
5372
73+ - name : Build Docker Image as Tarball
74+ if : ${{ inputs.security-scan }}
75+ run : |
76+ docker build -t ${{ inputs.image-name }}:${{ inputs.image-tag }} -f ${{ inputs.dockerfile }} .
77+ docker save -o vuln-image.tar ${{ inputs.image-name }}:${{ inputs.image-tag }}
78+
5479 - name : Run Trivy vulnerability scanner
5580 if : ${{ inputs.security-scan }}
5681 uses :
aquasecurity/[email protected] 5782 with :
58- image-ref : ${{ inputs.image-name }}:${{ inputs. image-tag }}
83+ input : vuln- image.tar
5984 format : ' table'
60- exit-code : ' 1'
6185 ignore-unfixed : true
6286 vuln-type : ' os,library'
6387 severity : ' CRITICAL,HIGH'
6488 hide-progress : true
6589 output : trivy.txt
6690
67- - name : Publish Trivy Output to Summary
68- if : ${{ inputs.security-scan }}
69- run : |
70- if [[ -s trivy.txt ]]; then
71- {
72- echo "### Security Output"
73- echo "<details><summary>Click to expand</summary>"
74- echo ""
75- echo '```terraform'
76- cat trivy.txt
77- echo '```'
78- echo "</details>"
79- } >> $GITHUB_STEP_SUMMARY
80- fi
91+ - name : Update Pull Request with Security Scan Results
92+ uses : actions/github-script@v7
93+ if : github.event_name == 'pull_request' && inputs.security-scan
94+ with :
95+ script : |
96+ const fs = require('fs');
97+ const trivyResults = fs.readFileSync('trivy.txt', 'utf8');
98+
99+ const output = `
100+ # ## 🔒 Trivy Security Scan Results
101+ <details><summary>Click to expand detailed results</summary>
102+
103+ \`\`\`
104+ ${trivyResults}
105+ \`\`\`
106+ </details>
107+ ` ;
108+
109+ await github.rest.issues.createComment({
110+ issue_number: context.issue.number,
111+ owner: context.repo.owner,
112+ repo: context.repo.repo,
113+ body: output
114+ });
115+
116+ - name: Update Pull Request with Hadolint Results
117+ uses: actions/github-script@v7
118+ if: github.event_name == 'pull_request' && inputs.hadolint
119+ with:
120+ script: |
121+ const fs = require('fs');
122+ const hadolintResults = fs.readFileSync('hadolint.txt', 'utf8').trim();
123+
124+ if (hadolintResults.length > 0) {
125+ const output = `
126+ # ## 🐳 Hadolint Dockerfile Lint Results
127+ <details><summary>Click to expand</summary>
128+
129+ \`\`\`
130+ ${hadolintResults}
131+ \`\`\`
132+ </details>
133+ ` ;
134+
135+ await github.rest.issues.createComment({
136+ issue_number: context.issue.number,
137+ owner: context.repo.owner,
138+ repo: context.repo.repo,
139+ body: output
140+ });
141+ }
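Review bot: Removing `exit-code: '1'` from the Trivy step (old line 60) takes away the only gate on the scan, so CRITICAL/HIGH findings now leave the job green, and on non-`pull_request` events they are written only to trivy.txt with nothing surfacing them now that the step-summary step is gone. If the intent is to comment rather than fail, keep `exit-code: '1'` together with `continue-on-error: true` on the scanner step and fail in a final step after the comment is posted; note also that the push-build at line 70 precedes the scan, so a failing exit code only blocks the push if the scanner step is moved ahead of it. The comment step at line 91 reads trivy.txt unconditionally and posts a new comment on every run, so unlike the Hadolint step it will post an empty block when the table is empty; wrapping it in the same `if (trivyResults.trim().length > 0)` check keeps the two steps consistent. The `docker build`/`docker save` lines at 76–77 interpolate `${{ inputs.* }}` straight into the shell; if any caller can derive these values from PR-controlled data, pass them through `env:` and reference them as quoted shell variables instead. The enclosing `build` job and its `steps` list start outside the hunk.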