1717 required : true
1818 security-scan :
1919 description : ' Enable Security Scan'
20- default : ' true'
20+ default : true
21+ type : boolean
22+ hadolint :
23+ description : ' Enable Hadolint'
24+ default : true
2125 type : boolean
2226 push :
2327 description : ' Push Docker Image to Registry'
24- default : ' false'
28+ default : false
2529 type : boolean
2630 secrets :
2731 dockerhub-username :
28- required : true
32+ required : false
2933 dockerhub-pat :
30- required : true
34+ required : false
3135
3236jobs :
3337 build :
4246 - name : Set up QEMU
4347 uses : docker/setup-qemu-action@v3
4448
49+ - name : Login to Docker Hub
50+ if : ${{ inputs.push }}
51+ uses : docker/login-action@v3
52+ with :
53+ username : ${{ secrets.dockerhub-username }}
54+ password : ${{ secrets.dockerhub-pat }}
55+
56+ - name : Run Hadolint Dockerfile linter
57+ if : ${{ inputs.hadolint }}
58+ uses : hadolint/hadolint-action@v3.1.0
59+ with :
60+ dockerfile : ${{ inputs.dockerfile }}
61+ output-file : hadolint.txt
62+ no-fail : true
63+
4564 - name : Build Docker Image
65+ if : ${{ inputs.push }}
4666 uses : docker/build-push-action@v6
4767 with :
4868 context : .
@@ -51,30 +71,72 @@ jobs:
5171 push : ${{ inputs.push }}
5272 tags : ${{ inputs.image-name }}:${{ inputs.image-tag }}
5373
74+ - name : Build Docker Image as Tarball
75+ if : ${{ inputs.security-scan }}
76+ run : |
77+ docker build -t ${{ inputs.image-name }}:${{ inputs.image-tag }} -f ${{ inputs.dockerfile }} .
78+ docker save -o vuln-image.tar ${{ inputs.image-name }}:${{ inputs.image-tag }}
79+
5480 - name : Run Trivy vulnerability scanner
5581 if : ${{ inputs.security-scan }}
5682 uses : aquasecurity/trivy-action@0.29.0
5783 with :
58- image-ref : ${{ inputs.image-name }}:${{ inputs. image-tag }}
84+ input : vuln- image.tar
5985 format : ' table'
60- exit-code : ' 1'
6186 ignore-unfixed : true
6287 vuln-type : ' os,library'
6388 severity : ' CRITICAL,HIGH'
6489 hide-progress : true
6590 output : trivy.txt
6691
67- - name : Publish Trivy Output to Summary
68- if : ${{ inputs.security-scan }}
69- run : |
70- if [[ -s trivy.txt ]]; then
71- {
72- echo "### Security Output"
73- echo "<details><summary>Click to expand</summary>"
74- echo ""
75- echo '```terraform'
76- cat trivy.txt
77- echo '```'
78- echo "</details>"
79- } >> $GITHUB_STEP_SUMMARY
80- fi
92+ - name : Update Pull Request with Security Scan Results
93+ uses : actions/github-script@v7
94+ if : github.event_name == 'pull_request' && inputs.security-scan
95+ with :
96+ script : |
97+ const fs = require('fs');
98+ const trivyResults = fs.readFileSync('trivy.txt', 'utf8');
99+
100+ const output = `
101+ # ## 🔒 Trivy Security Scan Results
102+ <details><summary>Click to expand detailed results</summary>
103+
104+ \`\`\`
105+ ${trivyResults}
106+ \`\`\`
107+ </details>
108+ ` ;
109+
110+ await github.rest.issues.createComment({
111+ issue_number: context.issue.number,
112+ owner: context.repo.owner,
113+ repo: context.repo.repo,
114+ body: output
115+ });
116+
117+ - name: Update Pull Request with Hadolint Results
118+ uses: actions/github-script@v7
119+ if: github.event_name == 'pull_request' && inputs.hadolint
120+ with:
121+ script: |
122+ const fs = require('fs');
123+ const hadolintResults = fs.readFileSync('hadolint.txt', 'utf8').trim();
124+
125+ if (hadolintResults.length > 0) {
126+ const output = `
127+ # ## 🐳 Hadolint Dockerfile Lint Results
128+ <details><summary>Click to expand</summary>
129+
130+ \`\`\`
131+ ${hadolintResults}
132+ \`\`\`
133+ </details>
134+ ` ;
135+
136+ await github.rest.issues.createComment({
137+ issue_number: context.issue.number,
138+ owner: context.repo.owner,
139+ repo: context.repo.repo,
140+ body: output
141+ });
142+ }
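Review bot: Dropping `exit-code: '1'` from the Trivy step (old line 60 of this hunk) turns CRITICAL/HIGH findings into informational output only; nothing on the new side fails the job, and the `Build Docker Image` step with `push: ${{ inputs.push }}` runs before the scan, so a vulnerable image is published first and reported on afterwards. If gating is intended, keep `exit-code: '1'` and move the push after the scan (or push only when the scan step succeeds); if informational-only is intended, a comment on the step saying so would stop the next reader from reinstating it. The `Update Pull Request with Security Scan Results` step reads `trivy.txt` without checking it exists, unlike the Hadolint step which trims and length-checks its file, so a Trivy failure makes this step throw instead of report; `if (!fs.existsSync('trivy.txt')) return;` before the read would make the two steps behave alike. The `docker build` in `Build Docker Image as Tarball` interpolates `inputs.image-name`, `inputs.image-tag` and `inputs.dockerfile` straight into the shell; these come from the calling workflow rather than an event payload, so exposure is limited, but passing them through `env:` and quoting them is the usual hardening. Note also that `createComment` needs `pull-requests: write` on the job's token, which this hunk does not show.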