Adding Docker Scout Security Action #38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Scout | |
| on: | |
| pull_request: | |
| types: [opened, reopened, synchronize] | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| # permissions: | |
| # pull-requests: write | |
| jobs: | |
| scout: | |
| runs-on: ubuntu-latest | |
| permissions: write-all | |
| # container: | |
| # image: docker/scout-cli | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| # - name: Set up Docker Buildx | |
| # uses: docker/setup-buildx-action@v3 | |
| - name: Login to DockerHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USER }} | |
| password: ${{ secrets.DOCKERHUB_PW }} | |
| # - name: Build | |
| # run: docker build --platform linux/amd64 -t bwa-scout -f bwa/Dockerfile_latest . | |
| # docker scout cves bwa-test --only-fixed --format markdown | gh issue create --repo getwilds/wilds-docker-library --title "bwa CVE Analysis" --body-file - | |
| # docker scout cves getwilds/gatk:latest --only-fixed --format sarif --output test.json \ | |
| # && jq '.runs[0].tool.driver.rules | length' test.json | |
| - name: Install Docker Scout | |
| run: | | |
| curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh | |
| sh install-scout.sh | |
| - name: Docker Scout | |
| run: | | |
| for image in *; do | |
| if [ -d "$image" ] && [ "$image" != ".github" ]; then | |
| CONTAINER="getwilds/$image:latest" | |
| docker scout cves $CONTAINER --only-fixed --format sarif --output cve_check.json | |
| NUM_VUL=$(jq '.runs[0].tool.driver.rules | length' cve_check.json) | |
| if [[ $NUM_VUL -ge 1 ]]; then | |
| docker scout cves $CONTAINER --only-fixed --format markdown --output cve_check.html | |
| if [[ $(wc -c cve_check.html) -le 65536 ]]; then | |
| gh issue create --repo getwilds/wilds-docker-library --title "bwa Vulnerability Analysis" --body-file cve_check.html | |
| else | |
| echo "Significant issues present in bwa, see quickview and recommendations below, but run CVE analysis locally." > qv.txt | |
| echo "\`\`\`" >> qv.txt | |
| docker scout quickview $CONTAINER >> qv.txt | |
| docker scout recommendations $CONTAINER >> qv.txt | |
| echo "\`\`\`" >> qv.txt | |
| gh issue create --repo getwilds/wilds-docker-library --title "bwa Vulnerability Analysis" --body-file qv.txt | |
| fi | |
| fi | |
| fi | |
| done | |
| # id: docker-scout | |
| # uses: docker/scout-action@v1 | |
| # with: | |
| # command: cves,recommendations | |
| # only-fixed: true |