Skip to content

feat(deps): bump actions/checkout from 3.3.0 to 4.2.1 #157

feat(deps): bump actions/checkout from 3.3.0 to 4.2.1

feat(deps): bump actions/checkout from 3.3.0 to 4.2.1 #157

Workflow file for this run

on: pull_request
name: pull request checks
jobs:
dockerfilelint:
name: dockerfile lint
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
- name: hadolint
uses: burdzwastaken/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HADOLINT_ACTION_DOCKERFILE_FOLDER: .
dockerbuild:
name: docker build
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
- name: extract tag
id: vars
run: echo ::set-output name=alpine_version::$(grep '^FROM alpine' Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
- name: docker build
run: docker build . --file Dockerfile --tag image:${{ steps.vars.outputs.alpine_version }}
- name: save docker image for cache
run: mkdir -p image/ && docker save -o image/image.tar image:${{ steps.vars.outputs.alpine_version }}
- name: cache docker image
uses: actions/[email protected]
with:
path: image/
key: ${{ runner.os }}-docker-${{ github.sha }}
dockerscan:
name: docker security scan
runs-on: ubuntu-latest
needs: dockerbuild
steps:
- uses: actions/[email protected]
- name: extract tag
id: vars
run: echo ::set-output name=alpine_version::$(grep '^FROM alpine' Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
- name: load cached docker image
uses: actions/[email protected]
with:
path: image/
key: ${{ runner.os }}-docker-${{ github.sha }}
- name: load cached docker container
run: docker load -i image/image.tar
- name: cached scan db
uses: actions/[email protected]
with:
path: vulndb/
key: trivy-vulndb
- name: Install Trivy
run: |
trivyRelease="$(curl -s "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | cut -d 'v' -f 2)"
wget https://github.com/aquasecurity/trivy/releases/download/v${trivyRelease}/trivy_${trivyRelease}_Linux-64bit.tar.gz
tar zxvf trivy_${trivyRelease}_Linux-64bit.tar.gz
- name: Scan
run: ./trivy --exit-code 1 --no-progress --severity HIGH,CRITICAL,MEDIUM --cache-dir vulndb/ image:${{ steps.vars.outputs.alpine_version }}