Skip to content

Bugfix/workflow vulnerability comparison #11

Bugfix/workflow vulnerability comparison

Bugfix/workflow vulnerability comparison #11

name: Vulnerability Comparison
on:
pull_request:
branches: ["**"]
env:
# Image repository, without hostname and tag
IMAGE_NAME: ${{ github.repository }}
SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
jobs:
vulnerability-comparison:
if: github.event.pull_request.head.repo.full_name == github.repository
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ env.SHA }}
- name: Set short SHA
id: vars
run: echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
context: .
load: ${{ github.event_name == 'pull_request' }}
tags: "ghcr.io/${{ env.IMAGE_NAME }}:${{ env.SHA_SHORT }}"
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Authenticate to Docker
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
password: ${{ secrets.DOCKERHUB_READONLY_TOKEN }}
- name: Docker Scout
id: docker-scout
uses: docker/scout-action@v1
with:
command: compare
image: "gatewaydio/gatewayd:latest"
to: "ghcr.io/${{ env.IMAGE_NAME }}:${{ env.SHA_SHORT }}"
ignore-unchanged: true
only-severities: critical,high
github-token: ${{ secrets.GITHUB_TOKEN }}