1.0.72 Update container sync script #87
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Define the name of the workflow. | |
name: Scan Dockerfile source code files with Hadolint | |
# Define when the workflow should be triggered. | |
on: | |
# Trigger the workflow on the following events: | |
# Scan changed files in Pull Requests (diff-aware scanning). | |
pull_request: {} | |
# Trigger the workflow on-demand through the GitHub Actions interface. | |
workflow_dispatch: {} | |
# Scan mainline branches (main and development) and report all findings. | |
push: | |
branches: ["development"] | |
# Define the jobs that should be executed in this workflow. | |
jobs: | |
hadolint-job: | |
name: Hadolint GitHub Action | |
# Specify the runner environment. Use the latest version of Ubuntu. | |
runs-on: ubuntu-latest | |
# Define permissions for specific GitHub Actions. | |
permissions: | |
actions: read # Permission to read GitHub Actions. | |
contents: read # Permission to read repository contents. | |
security-events: write # Permission to write security events. | |
# Use matrix strategy to define multiple Dockerfiles to scan. | |
strategy: | |
matrix: | |
dockerfile: | |
- .build/database/Dockerfile | |
- .build/database_admin/Dockerfile | |
- .build/ldap/Dockerfile | |
- .build/ldap_admin/Dockerfile | |
- .build/www/Dockerfile | |
# Define the steps that should be executed in this job. | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
# Step: Checkout code | |
# Action to check out the code from the repository. | |
# This step fetches the codebase from the GitHub repository. | |
- name: Set Dockerfile directory name | |
id: set-dir-name | |
run: | | |
dir_name=$(dirname ${{ matrix.dockerfile }}) | |
base_dir_name=$(basename $dir_name) | |
echo "BASEDIR=$base_dir_name" >> $GITHUB_ENV | |
# Step: Set Dockerfile directory name | |
# Extracts the directory name from the Dockerfile path and sets it as an environment variable. | |
- name: Run Hadolint Scan with SARIF result | |
uses: hadolint/hadolint-action@master | |
with: | |
dockerfile: ${{ matrix.dockerfile }} | |
# Specify the Dockerfile from the matrix to be scanned. | |
recursive: false | |
# Disable recursive scanning as each Dockerfile is specified directly. | |
output-file: hadolint-results-${{ env.BASEDIR }}.sarif | |
# Define the name of the SARIF format output file using the Dockerfile directory name. | |
no-fail: true | |
# Continue the workflow even if there are issues found (no-fail set to true). | |
format: 'sarif' | |
# Specify the format of the scan results, in this case, SARIF format. | |
failure-threshold: 'error' | |
# Define the threshold for failure based on severity (e.g., 'error'). | |
- name: View Results | |
run: cat hadolint-results-${{ env.BASEDIR }}.sarif | |
- name: Upload Results to GitHub Advanced Security Dashboard | |
uses: github/codeql-action/upload-sarif@main | |
with: | |
sarif_file: hadolint-results-${{ env.BASEDIR }}.sarif | |
category: "Hadolint Dockerfile Scan" | |
if: always() | |
# Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard. |