45 lines
1.3 KiB
YAML
45 lines
1.3 KiB
YAML
name: Security scan of Docker image
|
|
on:
|
|
push:
|
|
branches: [master]
|
|
paths-ignore:
|
|
- .github/workflows/buildx-release.yml
|
|
- .github/workflows/dockerhub-description.yml
|
|
- .github/workflows/greetings.yml
|
|
- .github/workflows/labels.yml
|
|
- .github/workflows/misspell.yml
|
|
- .github/workflows/security.yml
|
|
- .dockerignore
|
|
- .gitignore
|
|
- docker-compose.yml
|
|
- LICENSE
|
|
- README.md
|
|
- title.svg
|
|
schedule:
|
|
- cron: '0 9 * * *'
|
|
jobs:
|
|
security-analysis:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v2
|
|
- name: Check for scratch
|
|
id: scratchCheck
|
|
run: echo ::set-output name=scratch::$(cat Dockerfile | grep 'FROM scratch')
|
|
- name: Build image
|
|
if: steps.scratchCheck.outputs.scratch == ''
|
|
run: docker build -t image .
|
|
- name: Phonito
|
|
if: steps.scratchCheck.outputs.scratch == ''
|
|
uses: phonito/phonito-scanner-action@master
|
|
with:
|
|
image: image
|
|
fail-level: LOW
|
|
phonito-token: ${{ secrets.PHONITO_TOKEN }}
|
|
- name: Trivy
|
|
if: steps.scratchCheck.outputs.scratch == ''
|
|
uses: homoluctus/gitrivy@v1.0.0
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
image: image
|