action.yml

---
name: MCVS-docker-action
description: |
  Mission Critical Vulnerability Scanner (MCVS) Docker action.
inputs:
  build-args:
    description: Docker build arguments.
  dockle-accept-key:
    description: |
      One of the Dockle checks is the inspection of use of secrets in
      environment variables. Currently, there is a reported bug
      `goodwithtech/dockle/issues/250`, i.e. if a specific version of a package
      will be installed then an error will be thrown by Dockle, which is
      incorrect. To mitigate this one has to specify the packages that are
      applicable, e.g.: `libcrypto3,libssl3`.
  images:
    description: The name of the to be created image.
    default: ghcr.io/${{ github.repository }}
  trivy-action-db:
    default: "public.ecr.aws/aquasecurity/trivy-db:2"
    description: |
      OCI repository to retrieve trivy-db from.
  trivy-action-java-db:
    default: "public.ecr.aws/aquasecurity/trivy-java-db:1"
    description: |
      OCI repository to retrieve trivy-java-db from.
  token:
    description: |
      A token is required to allow the mcvs-docker-action to push the
      image that it has been built, to the packages repository of the GitHub
      repository where the action has been run.
    required: true
runs:
  using: "composite"
  steps:
    #
    # YAML linting.
    #
    - run: |
        pip install --user yamllint==1.35.1
        yamllint .
      shell: bash
    #
    # Dockerfile linting (static).
    #
    - uses: hadolint/hadolint-action@v3.1.0
      with:
        dockerfile: Dockerfile
    #
    # Determine image name and tag.
    #
    - name: Extract metadata (tags, labels) for Docker
      id: meta
      uses: docker/metadata-action@v5.6.1
      with:
        flavor: |
          latest=false
        images: ${{ inputs.images }}
    #
    # Build a docker image.
    #
    - name: Build an image from a dockerfile
      uses: docker/build-push-action@v6.10.0
      with:
        build-args: APPLICATION=${{ inputs.build-args }}
        context: .
        labels: ${{ steps.meta.outputs.labels }}
        push: false
        tags: ${{ steps.meta.outputs.tags }}
    #
    # Docker image linting (dynamic).
    #
    - uses: goodwithtech/dockle-action@v0.1.2
      if: "false" # Disabled until the bug (#45) is fixed.
      with:
        image: ${{ steps.meta.outputs.tags }}
        ignore: CIS-DI-0005,CIS-DI-0006
        accept-key: ${{ inputs.dockle-accept-key }}
    #
    # Detect waste in the docker image.
    #
    - uses: 030/dive-action@v0.1.1
      if: "false" # Disabled until the bug (#46) is fixed.
      with:
        image: ${{ steps.meta.outputs.tags }}
    #
    # Code and docker image security scanning.
    #
    - uses: anchore/scan-action@v6.0.0
      with:
        only-fixed: false
        output-format: table
        path: "."
        severity-cutoff: high
    - name: Scan image using Grype
      uses: anchore/scan-action@v6.0.0
      with:
        image: ${{ steps.meta.outputs.tags }}
        only-fixed: false
        output-format: table
        severity-cutoff: high
    - uses: 030/trivyignore-validator-action@v0.1.2
    - uses: aquasecurity/trivy-action@0.29.0
      env:
        TRIVY_DB_REPOSITORY: ${{ inputs.trivy-action-db }}
        TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-action-java-db }}
        TRIVY_PASSWORD: ${{ inputs.token }}
        TRIVY_USERNAME: ${{ github.actor }}
      with:
        scan-type: "fs"
        scan-ref: "."
        exit-code: "1"
        ignore-unfixed: true
        severity: "CRITICAL,HIGH"
        trivyignores: .trivyignore
    - uses: aquasecurity/trivy-action@0.29.0
      env:
        TRIVY_DB_REPOSITORY: ${{ inputs.trivy-action-db }}
        TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-action-java-db }}
        TRIVY_PASSWORD: ${{ inputs.token }}
        TRIVY_USERNAME: ${{ github.actor }}
      with:
        image-ref: ${{ steps.meta.outputs.tags }}
        format: "table"
        exit-code: "1"
        ignore-unfixed: true
        vuln-type: "os,library"
        severity: "CRITICAL,HIGH"
        trivyignores: .trivyignore
    #
    # Log in to GitHub packages and push the image.
    #
    - name: Log in to the Container registry
      uses: docker/login-action@v3.3.0
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ inputs.token }}
    - name: Build and push Docker image
      if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
      run: |
        docker push --all-tags ${{ inputs.images }}
      shell: bash