Merge pull request #728 from aaronreed708/github-action-docker-scanner

GitHub action docker scanner
finos · Nov 16, 2023 · 5d78a66 · 5d78a66
2 parents 6b54142 + fe6e2d5
commit 5d78a66
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 0 deletions.
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -0,0 +1,62 @@
+name: Publish Docker image
+
+on:
+  workflow_dispatch: {}
+  push:
+    branches:
+      - 'main'
+      - 'github-action-docker-scanner'
+    paths:
+      - 'code/src/**'
+      - 'code/package.json'
+      - 'code/Dockerfile'
+      - '.github/workflows/publish-docker.yml'
+
+jobs:
+  docker-scan:
+    name: ${{ github.event.repository.name }}-docker-scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: docker-practice/actions-setup-docker@321477a1e481dd60b05f9b489cf4b9be467aa15c
+      - name: Build
+        run: docker build -f Dockerfile -t user/app:latest .
+        working-directory: code
+      #- name: Scan for vulnerabilities
+      #  uses: crazy-max/ghaction-container-scan@dfa7e54dc32045120f06d0bc8d7724860f5db0ad
+      #  with:
+      #    image: user/app:latest
+  push-to-registry:
+    name: Push Docker image to Docker Hub
+    needs: docker-scan
+    runs-on: ubuntu-latest
+    # save forks from having issue
+    #if: github.repository_owner == 'finos'
+    outputs:
+      digest: ${{ steps.build_publish.outputs.digest }}
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/[email protected]
+        with:
+          username: finos
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/[email protected]
+        with:
+          images: finos/a11y-theme-builder
+          tags: |
+            type=ref,event=branch
+            type=sha
+      - name: Build and push Docker image
+        id: build_publish
+        uses: docker/[email protected]
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -52,3 +52,16 @@ jobs:
         with:
           name: Depcheck report
           path: ${{ github.workspace }}/${{ matrix.module-folder }}-reports
+  docker-scan:
+    name: ${{ github.event.repository.name }}-docker-scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: docker-practice/actions-setup-docker@321477a1e481dd60b05f9b489cf4b9be467aa15c
+      - name: Build
+        run: docker build -f Dockerfile -t user/app:latest .
+        working-directory: code
+      - name: Scan for vulnerabilities
+        uses: crazy-max/ghaction-container-scan@dfa7e54dc32045120f06d0bc8d7724860f5db0ad
+        with:
+          image: user/app:latest