Container Scan
This repository is considered EXPERIMENTAL and under active development until further notice. It is subject to non-backward compatible changes or removal in any future version, so you should pin to a specific tag/commit of this action in your workflow.
GitHub Action to check for vulnerabilities in your Docker image with Trivy.
Scan an image by name:

```yaml
name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/docker-scan-action@master
        with:
          image: user/app:latest
```
Or scan an image exported as a tarball instead (here written with Buildx's OCI output):

```yaml
name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      -
        name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          outputs: type=oci,dest=/tmp/image.tar
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/docker-scan-action@master
        with:
          tarball: /tmp/image.tar
```
You can define a severity threshold that marks the job as failed when vulnerabilities of that level are found:

```yaml
name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/docker-scan-action@master
        with:
          image: user/app:latest
          severity_threshold: HIGH
```
This action is also able to create GitHub annotations in your workflow for vulnerabilities discovered:

```yaml
name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/docker-scan-action@master
        with:
          image: user/app:latest
          annotations: true
```
This action also supports the SARIF format for integration with GitHub Code Scanning, so issues show up in the GitHub Security tab:

```yaml
name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        id: scan
        uses: crazy-max/docker-scan-action@master
        with:
          image: user/app:latest
          dockerfile: ./Dockerfile
      -
        name: Upload SARIF file
        if: ${{ steps.scan.outputs.sarif != '' }}
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```

💡 The `dockerfile` input is required to generate a SARIF report.
Build and load the image locally, scan it, then build for multiple platforms and push:

```yaml
name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      -
        name: Build and load
        uses: docker/build-push-action@v2
        with:
          context: .
          load: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/docker-scan-action@master
        with:
          # `load: true` puts the image in the local Docker daemon, so it is
          # scanned by name with `image`; `tarball` expects a file path.
          image: user/app:latest
      -
        name: Build multi-platform and push
        uses: docker/build-push-action@v2
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: user/app:latest
```
The following inputs can be used as `step.with` keys:

| Name                 | Type   | Description                                                                                          |
|----------------------|--------|------------------------------------------------------------------------------------------------------|
| `trivy_version`      | String | Trivy CLI version (default `latest`)                                                                 |
| `image`              | String | Docker image to scan (e.g. `alpine:3.7`)                                                             |
| `tarball`            | String | Docker image tarball path to scan                                                                    |
| `dockerfile`         | String | Dockerfile required to generate a SARIF report                                                       |
| `severity`           | String | Report vulnerabilities of the provided level or higher (default: `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`) |
| `severity_threshold` | String | Severity level at which discovered vulnerabilities mark the job as failed                            |
| `annotations`        | Bool   | Create GitHub annotations in your workflow for vulnerabilities discovered                            |
The following outputs are available:

| Name    | Type | Description               |
|---------|------|---------------------------|
| `json`  | File | JSON format scan result   |
| `sarif` | File | SARIF format scan result  |
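The `json` output is the full Trivy report, which lets you apply a policy that the `severity_threshold` input alone cannot express, for example failing only on findings that already have a fixed package version. The script below is an added example, not code from this action or from Trivy. It assumes the layout of Trivy's JSON output with `"SchemaVersion": 2` (a top-level `Results` list whose entries may carry a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`); check it against the output of the Trivy version the action installs. The embedded report is constructed sample data with placeholder CVE ids, and the threshold is treated as inclusive (`HIGH` fails on HIGH and CRITICAL).

```python
"""Post-process a Trivy JSON report with a severity threshold.

Added example, not code from the action itself. Assumes Trivy's
"SchemaVersion": 2 JSON layout: a top-level "Results" list whose entries
may carry a "Vulnerabilities" list, each item having "VulnerabilityID",
"PkgName", "InstalledVersion", "FixedVersion" and "Severity". The embedded
report is constructed sample data, not a real scan.
"""
import json
import sys

# Trivy's severity scale from lowest to highest; the action's default
# `severity` input lists the same five levels.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report (the CVE ids are placeholders, not real advisories).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "user/app:latest",
    "Results": [
        {
            "Target": "user/app:latest (alpine 3.7.3)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "musl",
                 "InstalledVersion": "1.1.18-r3", "FixedVersion": "1.1.18-r4",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.27.2-r7", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib",
                 "InstalledVersion": "1.2.11-r1", "FixedVersion": "1.2.11-r2",
                 "Severity": "LOW"},
            ],
        },
        # Trivy omits "Vulnerabilities" entirely for a clean target.
        {"Target": "app/package-lock.json"},
    ],
})


def load_report(path=None):
    """Parse the report at `path`, or the constructed sample when no path is given."""
    if path is None:
        return json.loads(SAMPLE_REPORT)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def severity_rank(level):
    """Index of a severity on Trivy's scale; unrecognised strings rank as UNKNOWN."""
    level = (level or "UNKNOWN").upper()
    return SEVERITY_ORDER.index(level) if level in SEVERITY_ORDER else 0


def iter_vulnerabilities(report):
    """Yield every vulnerability record across all scan targets."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def count_by_severity(report):
    """Number of findings per severity level, with every level present."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for vuln in iter_vulnerabilities(report):
        counts[SEVERITY_ORDER[severity_rank(vuln.get("Severity"))]] += 1
    return counts


def findings_at_or_above(report, threshold, fixable_only=False):
    """Findings whose severity meets the (inclusive) threshold.

    With fixable_only=True, findings without a FixedVersion are skipped, a
    common policy when the base image has no patched package available yet.
    """
    min_rank = severity_rank(threshold)
    hits = []
    for vuln in iter_vulnerabilities(report):
        if severity_rank(vuln.get("Severity")) < min_rank:
            continue
        if fixable_only and not vuln.get("FixedVersion"):
            continue
        hits.append((vuln["VulnerabilityID"], vuln["PkgName"],
                     vuln["Severity"], vuln.get("FixedVersion") or "(none)"))
    return hits


def exit_code_for(report, threshold, fixable_only=False):
    """1 when the job should fail, mirroring `severity_threshold`, else 0."""
    return 1 if findings_at_or_above(report, threshold, fixable_only) else 0


def main(argv):
    # usage: check_trivy.py [report.json] [THRESHOLD] [--fixable-only]
    path = argv[1] if len(argv) > 1 else None
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    fixable_only = "--fixable-only" in argv[3:]
    report = load_report(path)
    print("findings by severity:", count_by_severity(report))
    for vuln_id, pkg, sev, fixed in findings_at_or_above(report, threshold, fixable_only):
        print(f"{sev:<8} {vuln_id} {pkg} (fixed in {fixed})")
    return exit_code_for(report, threshold, fixable_only)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow this would run as a step after the scan, for instance `python3 check_trivy.py "${{ steps.scan.outputs.json }}" HIGH --fixable-only`, with the scan step given `id: scan` as in the SARIF example above; a non-zero exit code fails the job the same way `severity_threshold` does, but on your own policy.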
Since Dependabot has native GitHub Actions support, all you need to do to enable it on your GitHub repository is add the `.github/dependabot.yml` file:

```yaml
version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
```
Container Scan is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.