added: Snyk and Syft scanning tools for image #254

Summary
Jobs
- build
Run details
- Usage
- Workflow file

Workflow file for this run

	name: Build and push image📦

	on:
	workflow_dispatch:
	# schedule:
	# - cron: "00 17 * * SAT"
	push:
	branches: ["main"]
	# pull_request:
	# branches: ["main"]

	env:
	REGISTRY: ghcr.io
	IMAGE_NAME: ${{ github.repository }}

	jobs:
	build:
	if: github.actor == 'ammnt'
	runs-on: ubuntu-latest
	permissions:
	contents: write
	packages: write
	id-token: write
	security-events: write

	steps:
	- name: Checkout repository🧱
	uses: actions/checkout@v4.1.4

	- name: Install cosign🔒
	uses: sigstore/cosign-installer@v3.5.0

	- name: Setup Docker buildx🛠️
	uses: docker/setup-buildx-action@v3.3.0

	- name: Log into ${{ env.REGISTRY }}🔑
	uses: docker/login-action@v3.1.0
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Log into Docker Hub🔑
	uses: docker/login-action@v3.1.0
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Extract Docker metadata🔬
	id: meta
	uses: docker/metadata-action@v5.5.1
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

	- name: Build the Docker image⛓️
	id: build
	uses: docker/build-push-action@v5.3.0
	with:
	provenance: false
	context: .
	platforms: linux/amd64
	load: ${{ github.event_name != 'pull_request' }}
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha
	cache-to: type=gha,mode=max

	- name: Slim the Docker image🚀
	uses: kitabisa/docker-slim-action@v1.1.1
	env:
	DSLIM_HTTP_PROBE: false
	with:
	target: ghcr.io/ammnt/nginx:main
	tag: ghcr.io/ammnt/nginx:main
	overwrite: true

	- name: Test the Docker image🧪
	run: \|
	docker run -d --rm -p 127.0.0.1:8080:8080/tcp ghcr.io/ammnt/nginx:main
	curl -v http://127.0.0.1:8080 \|\| exit 1

	- name: Analyze for critical and high CVEs💊
	uses: docker/scout-action@v1.7.0
	with:
	command: cves,sbom
	image: ghcr.io/ammnt/nginx:main
	sarif-file: sarif.output.json
	summary: true

	- name: Upload SARIF result📊
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: sarif.output.json

	- name: Run Trivy vulnerability scanner💊
	uses: aquasecurity/trivy-action@0.19.0
	with:
	image-ref: ghcr.io/ammnt/nginx:main
	scan-type: image
	format: "github"
	output: "dependency-results.sbom.json"
	severity: "MEDIUM,HIGH,CRITICAL"
	scanners: "vuln"

	- name: Upload Trivy report as a Github artifact📊
	uses: actions/upload-artifact@v4.3.3
	with:
	name: trivy-sbom-report
	path: "${{ github.workspace }}/dependency-results.sbom.json"
	retention-days: 20

	- name: Scan the image and upload dependency results🔍
	uses: anchore/sbom-action@v0.15.11
	with:
	syft-version: v1.3.0
	image: ghcr.io/ammnt/nginx:main
	artifact-name: image.spdx.json
	dependency-snapshot: false

	- name: Run Snyk to check Docker image for vulnerabilities🔍
	continue-on-error: true
	uses: snyk/actions/docker@master
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ghcr.io/ammnt/nginx:main
	args: --file=Dockerfile

	- name: Upload result to GitHub Code Scanning📊
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: snyk.sarif

	- name: Push the Docker images to registries💾
	run: \|
	docker push ghcr.io/ammnt/nginx:main
	docker tag ghcr.io/ammnt/nginx:main ammnt/nginx:main
	docker push ammnt/nginx:main

	- name: Sign the published Docker image🔐
	env:
	COSIGN_EXPERIMENTAL: "true"
	run: \|
	cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
	cosign sign docker.io/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

added: Snyk and Syft scanning tools for image #254

Workflow file

added: Snyk and Syft scanning tools for image #254

Jobs

Run details

Workflow file for this run