1717 required : true
1818 security-scan :
1919 description : ' Enable Security Scan'
20- default : ' true'
20+ default : true
21+ type : boolean
22+ hadolint :
23+ description : ' Enable Hadolint'
24+ default : true
2125 type : boolean
2226 push :
2327 description : ' Push Docker Image to Registry'
24- default : ' false'
28+ default : false
2529 type : boolean
30+ context :
31+ description : ' Path to Docker Build Context'
32+ default : ' .'
33+ type : string
34+ registry :
35+ description : ' Docker Registry'
36+ default : ' docker.io'
37+ type : string
2638 secrets :
27- dockerhub- username :
28- required : true
29- dockerhub-pat :
30- required : true
39+ username :
40+ required : false
41+ password :
42+ required : false
3143
3244jobs :
3345 build :
@@ -42,39 +54,98 @@ jobs:
4254 - name : Set up QEMU
4355 uses : docker/setup-qemu-action@v3
4456
57+ - name : Login to Docker Hub
58+ if : ${{ inputs.push }}
59+ uses : docker/login-action@v3
60+ with :
61+ registry : ${{ inputs.registry }}
62+ username : ${{ secrets.username }}
63+ password : ${{ secrets.password }}
64+
65+ - name : Run Hadolint Dockerfile linter
66+ if : ${{ inputs.hadolint }}
67+ 68+ with :
69+ dockerfile : ${{ inputs.dockerfile }}
70+ output-file : hadolint.txt
71+ no-fail : true
72+
4573 - name : Build Docker Image
74+ if : ${{ inputs.push }}
4675 uses : docker/build-push-action@v6
4776 with :
48- context : .
77+ context : ${{ inputs.context }}
4978 file : ${{ inputs.dockerfile }}
5079 platforms : linux/amd64,linux/arm64
5180 push : ${{ inputs.push }}
5281 tags : ${{ inputs.image-name }}:${{ inputs.image-tag }}
5382
83+ - name : Build Docker Image as Tarball
84+ if : ${{ inputs.security-scan }}
85+ run : |
86+ docker build -t ${{ inputs.image-name }}:${{ inputs.image-tag }} -f ${{ inputs.dockerfile }} ${{ inputs.context }}
87+ docker save -o vuln-image.tar ${{ inputs.image-name }}:${{ inputs.image-tag }}
88+
5489 - name : Run Trivy vulnerability scanner
5590 if : ${{ inputs.security-scan }}
5691 uses :
aquasecurity/[email protected] 5792 with :
58- image-ref : ${{ inputs.image-name }}:${{ inputs. image-tag }}
93+ input : vuln- image.tar
5994 format : ' table'
60- exit-code : ' 1'
6195 ignore-unfixed : true
6296 vuln-type : ' os,library'
6397 severity : ' CRITICAL,HIGH'
6498 hide-progress : true
6599 output : trivy.txt
66100
67- - name : Publish Trivy Output to Summary
68- if : ${{ inputs.security-scan }}
69- run : |
70- if [[ -s trivy.txt ]]; then
71- {
72- echo "### Security Output"
73- echo "<details><summary>Click to expand</summary>"
74- echo ""
75- echo '```terraform'
76- cat trivy.txt
77- echo '```'
78- echo "</details>"
79- } >> $GITHUB_STEP_SUMMARY
80- fi
101+ - name : Update Pull Request with Security Scan Results
102+ uses : actions/github-script@v7
103+ if : github.event_name == 'pull_request' && inputs.security-scan
104+ with :
105+ script : |
106+ const fs = require('fs');
107+ const trivyResults = fs.readFileSync('trivy.txt', 'utf8');
108+
109+ const output = `
110+ # ## 🔒 Trivy Security Scan Results
111+ <details><summary>Click to expand detailed results</summary>
112+
113+ \`\`\`
114+ ${trivyResults}
115+ \`\`\`
116+ </details>
117+ ` ;
118+
119+ await github.rest.issues.createComment({
120+ issue_number: context.issue.number,
121+ owner: context.repo.owner,
122+ repo: context.repo.repo,
123+ body: output
124+ });
125+
126+ - name: Update Pull Request with Hadolint Results
127+ uses: actions/github-script@v7
128+ if: github.event_name == 'pull_request' && inputs.hadolint
129+ with:
130+ script: |
131+ const fs = require('fs');
132+ const hadolintResults = fs.readFileSync('hadolint.txt', 'utf8').trim();
133+
134+ if (hadolintResults.length > 0) {
135+ const output = `
136+ # ## 🐳 Hadolint Dockerfile Lint Results
137+ <details><summary>Click to expand</summary>
138+
139+ \`\`\`
140+ ${hadolintResults}
141+ \`\`\`
142+ </details>
143+ ` ;
144+
145+ await github.rest.issues.createComment({
146+ issue_number: context.issue.number,
147+ owner: context.repo.owner,
148+ repo: context.repo.repo,
149+ body: output
150+ });
151+ }
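Review bot: The "Build Docker Image" step (new lines 74-81) now builds and pushes the image, gated only on `inputs.push`, before the Trivy scanner at 89-99 runs, and with the removed `exit-code: '1'` CRITICAL/HIGH findings no longer fail the job, so the registry receives the image regardless of the scan result. Restoring `exit-code: '1'` and moving the build-push step after the scanner (the tarball step at 83-87 already produces the artifact the scan consumes) would let the scan actually gate the push; the Hadolint step's `no-fail: true` likewise reduces it to a comment-only check, which may be intended but is worth stating in the step name or a comment. The tarball step also interpolates `inputs.image-name`, `inputs.image-tag`, `inputs.dockerfile` and `inputs.context` straight into the `run:` shell script, which is the script-injection pattern GitHub's docs warn about should a caller ever derive those inputs from PR- or branch-controlled strings; routing them through `env:` and quoting keeps them as data. Separately, `${trivyResults}` and `${hadolintResults}` are pasted unescaped into a fenced block in the PR comment, so a backtick sequence in scanner output (which includes names taken from the Dockerfile) can break out of the fence — consider escaping backticks before interpolation.
```yaml
      - name: Build Docker Image as Tarball
        if: ${{ inputs.security-scan }}
        env:
          IMAGE_NAME: ${{ inputs.image-name }}
          IMAGE_TAG: ${{ inputs.image-tag }}
          DOCKERFILE: ${{ inputs.dockerfile }}
          BUILD_CONTEXT: ${{ inputs.context }}
        run: |
          docker build -t "${IMAGE_NAME}:${IMAGE_TAG}" -f "${DOCKERFILE}" "${BUILD_CONTEXT}"
          docker save -o vuln-image.tar "${IMAGE_NAME}:${IMAGE_TAG}"
```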