Skip to content
Build and scan container for vulnerabilities

Pull edge package #38

Sign in to view logs

Pull edge package

Pull edge package #38

Workflow file for this run

.github/workflows/on_pr.yml at 69190eb
name: Build and scan container for vulnerabilities
on:
pull_request:
env:
REGISTRY: ghcr.io
IMAGE_NAME: cloudflared-ssh-action
jobs:
dependency-review:
name: 'Dependency Review'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: 'Checkout code'
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
build-and-push-image:
name: Build and push to GitHub Packages
needs: dependency-review
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Login to GitHub Packages
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ env.REGISTRY }}/${{ github.repository }}:${{ github.sha }}
scan-image:
name: Run Trivy scanner
needs: build-and-push-image
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: '${{ env.REGISTRY }}/${{ github.repository }}:${{ github.sha }}'
exit-code: '1'
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
limit-severities-for-sarif: true
format: 'sarif'
output: 'trivy-results.sarif'
env:
TRIVY_USERNAME: ${{ github.repository_owner }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
clean-ghcr:
name: Delete old container images
needs: scan-image
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Delete images
uses: actions/delete-package-versions@v5
with:
package-name: ${{ env.IMAGE_NAME }}
package-type: 'container'
min-versions-to-keep: 5
delete-only-pre-release-versions: "true"