|
43 | 43 | description: "Build platforms" |
44 | 44 | default: "linux/amd64,linux/arm64" |
45 | 45 | type: string |
| 46 | + build-args: |
| 47 | + description: "Build arguments (newline-separated list)" |
| 48 | + default: "" |
| 49 | + type: string |
46 | 50 | secrets: |
47 | 51 | username: |
48 | 52 | required: false |
@@ -75,15 +79,11 @@ jobs: |
75 | 79 | with: |
76 | 80 | context: ${{ inputs.context }} |
77 | 81 | file: ${{ inputs.dockerfile }} |
78 | | - platforms: ${{ inputs.platforms }} |
79 | | - push: ${{ inputs.push }} |
| 82 | + platforms: linux/amd64 # Build single platform for security scanning |
| 83 | + push: false # Don't push yet, wait for security checks |
80 | 84 | tags: ${{ inputs.image-name }}:${{ inputs.image-tag }} |
81 | | - |
82 | | - - name: Build Docker Image as Tarball |
83 | | - if: ${{ inputs.security-scan }} |
84 | | - run: | |
85 | | - docker build -t ${{ inputs.image-name }}:${{ inputs.image-tag }} -f ${{ inputs.dockerfile }} ${{ inputs.context }} |
86 | | - docker save -o vuln-image.tar ${{ inputs.image-name }}:${{ inputs.image-tag }} |
| 85 | + build-args: ${{ inputs.build-args }} |
| 86 | + outputs: type=docker,dest=vuln-image.tar # Export as tarball for security scanning |
87 | 87 |
|
88 | 88 | - name: Run Trivy vulnerability scanner |
89 | 89 | id: trivy |
@@ -183,3 +183,37 @@ jobs: |
183 | 183 | ${{ steps.read_hadolint.outputs.report }} |
184 | 184 | ``` |
185 | 185 | </details> |
| 186 | +
|
| 187 | + - name: Check security scan results |
| 188 | + id: security_check |
| 189 | + if: ${{ inputs.security-scan }} |
| 190 | + run: | |
| 191 | + # Check if Trivy found any vulnerabilities |
| 192 | + if [ -f "trivy.txt" ]; then |
| 193 | + if grep -q "Total: 0" trivy.txt; then |
| 194 | + echo "✅ No vulnerabilities found" |
| 195 | + echo "trivy_passed=true" >> "$GITHUB_OUTPUT" |
| 196 | + else |
| 197 | + echo "❌ Vulnerabilities found in Trivy scan" |
| 198 | + echo "trivy_passed=false" >> "$GITHUB_OUTPUT" |
| 199 | + fi |
| 200 | + else |
| 201 | + echo "trivy_passed=true" >> "$GITHUB_OUTPUT" |
| 202 | + fi |
| 203 | +
|
| 204 | + - name: Fail if critical vulnerabilities found |
| 205 | + if: ${{ inputs.security-scan && steps.security_check.outputs.trivy_passed == 'false' }} |
| 206 | + run: | |
| 207 | + echo "::error::Critical or high vulnerabilities found. Image will not be pushed." |
| 208 | + exit 1 |
| 209 | +
|
| 210 | + - name: Build and Push Multi-Platform Image |
| 211 | + if: ${{ inputs.push && (!inputs.security-scan || steps.security_check.outputs.trivy_passed == 'true') }} |
| 212 | + uses: docker/build-push-action@v6 |
| 213 | + with: |
| 214 | + context: ${{ inputs.context }} |
| 215 | + file: ${{ inputs.dockerfile }} |
| 216 | + platforms: ${{ inputs.platforms }} |
| 217 | + push: true |
| 218 | + tags: ${{ inputs.image-name }}:${{ inputs.image-tag }} |
| 219 | + build-args: ${{ inputs.build-args }} |
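Review bot: The pass/fail test at line 193, `grep -q "Total: 0" trivy.txt`, succeeds as soon as any single target in the report has zero findings, so a report that lists several targets (OS packages plus one or more language lockfiles, as Trivy's table output does) is marked passed when only one of them is clean; invert the condition so the gate looks for a non-zero count instead, `if ! grep -qE "Total: [1-9]" trivy.txt; then`. The missing-report branch at line 201 also fails open — if the scanner step produced no trivy.txt the image is pushed unscanned — so that branch should write `echo "trivy_passed=false" >> "$GITHUB_OUTPUT"` and emit a `::warning::` naming the missing report. If the Trivy step (configured above this hunk, not visible here) is the trivy-action, its `exit-code` and `severity` inputs give a first-class gate that does not depend on parsing the text report. Separately, the push step at lines 210–219 rebuilds from source rather than publishing the tarball that was scanned, so the multi-platform image actually pushed is not the artifact Trivy inspected and its arm64 layers are never scanned; at minimum a comment on that step should record the gap, since the comment at line 83 implies the scan gates the pushed image.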