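# Reusable workflow: build a container image from a Dockerfile/Containerfile
# and gate the job on a vulnerability scan of the result.
#
# Callers invoke this via `uses:` (`workflow_call`), so every value under
# `inputs` is caller-controlled and must be treated as untrusted text.
name: Reusable - Container scan
on:
  workflow_call:
    inputs:
      image-definition:
        description: Path to the container definition file (Dockerfile, Containerfile)
        type: string
        required: true
      image-name:
        description: Image name
        type: string
        required: true
      image-path:
        description: Image path
        type: string
        required: true
      image-tag:
        description: Image tag
        type: string
        required: true
      job-name:
        description: Job name
        type: string
        required: false
        default: Scan
      # NOTE(review): `max-high-cves` and `max-medium-cves` are only consumed by
      # the NeuVector step, which is currently commented out. The Trivy step
      # fails on ANY CRITICAL/HIGH finding and does not scan MEDIUM at all, so
      # with the defaults below these thresholds have no effect on the outcome.
      max-high-cves:
        description: Maximum number of high CVEs authorized
        type: number
        required: false
        default: 0
      max-medium-cves:
        description: Maximum number of medium CVEs authorized
        type: number
        required: false
        default: 0
      # NOTE(review): no effect while the NeuVector step is commented out.
      neuvector-enabled:
        description: "Use NeuVector to scan the image?"
        type: boolean
        required: false
        default: false
      operating-system:
        description: Operating system executing the runner
        type: string
        required: false
        default: ubuntu-latest
      # Setting this to false leaves the job with no scanner at all (the image
      # is built and the job succeeds).
      trivy-enabled:
        description: "Use Trivy to scan the image?"
        type: boolean
        required: false
        default: true
      working-directory:
        description: Working directory
        type: string
        required: false
        default: "."
jobs:
  container-scan:
    name: ${{ inputs.job-name }}
    runs-on: ${{ inputs.operating-system }}
    # Least privilege: the only step that touches the repository is the checkout,
    # which needs read access. A called workflow can only narrow the caller's
    # token scopes, never widen them.
    permissions:
      contents: read
    defaults:
      run:
        working-directory: ${{ inputs.working-directory }}
    env:
      # Job-level so the build step and the scan step tag/scan the same reference.
      IMAGE_REF: ${{ inputs.image-path }}/${{ inputs.image-name }}:${{ inputs.image-tag }}
    steps:
      - name: Clone repository
        # NOTE(review): the Trivy step below is pinned to a commit SHA; pin this
        # action the same way so a moved `v6` tag cannot change the code that
        # runs here without a visible diff.
        uses: actions/checkout@v6
      - name: Build container image
        # Inputs are caller-controlled. Passing them through environment
        # variables and quoting them in the shell avoids expanding `${{ }}`
        # directly into the command line, where a crafted value could inject
        # additional shell commands.
        env:
          IMAGE_DEFINITION: ${{ inputs.image-definition }}
        run: docker build . --file "$IMAGE_DEFINITION" --tag "$IMAGE_REF"
        shell: bash
      # deactivated 2026-02-22: "Build container for action use... process "/bin/sh -c zypper in -y jq docker && zypper clean" did not complete successfully: exit code: 8"
      # NOTE(review): if this is re-enabled, pin `neuvector/scan-action` to a
      # commit SHA rather than the mutable `main` branch.
      # - name: Scan container image with NeuVector
      #   if: ${{ inputs.neuvector-enabled }}
      #   uses: neuvector/scan-action@main
      #   with:
      #     image-repository: ${{ inputs.image-path }}/${{ inputs.image-name }}
      #     image-tag: ${{ inputs.image-tag }}
      #     min-high-cves-to-fail: '${{ inputs.max-high-cves }}'
      #     min-medium-cves-to-fail: '${{ inputs.max-medium-cves }}'
      #     nv-scanner-image: neuvector/scanner:5
      - name: Scan container image with Trivy
        if: ${{ inputs.trivy-enabled }}
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: ${{ env.IMAGE_REF }}
          format: 'table'
          # Fail the job on any finding that matches `severity` below.
          exit-code: '1'
          # Findings without an upstream fix are hidden from the report and do
          # not fail the job; they are still present in the image.
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
        env:
          # Scoped to this step only: the build step does not need the token.
          # Used by the action when fetching its vulnerability database.
          GITHUB_TOKEN: ${{ github.token }}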