Skip to content

Docker Publish (Security Updates) #12

Docker Publish (Security Updates)

Docker Publish (Security Updates) #12

name: Docker Publish (Security Updates)
on:
workflow_dispatch:
inputs:
force_build:
description: 'Force build even if no vulnerabilities found'
type: boolean
default: false
skip_scan:
description: 'Skip vulnerability scanning (for testing)'
type: boolean
default: false
schedule:
- cron: '0 0 * * *' # Daily at midnight UTC
permissions:
contents: write
jobs:
scan-vulnerabilities:
runs-on: ubuntu-24.04
outputs:
has_vulnerabilities: ${{ steps.scan.outputs.has_vulnerabilities || inputs.force_build }}
steps:
# Single scan for both vulnerabilities and dependencies
- id: scan
if: inputs.skip_scan != true
uses: aquasecurity/[email protected]
with:
image-ref: 'ghcr.io/serversideup/docker-ssh'
format: 'github'
output: 'trivy-results.json'
github-pat: ${{ secrets.GITHUB_TOKEN }}
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
hide-progress: true
# Parse results to set has_vulnerabilities (for workflow control)
- if: inputs.skip_scan != true
id: parse
shell: bash
run: |
if [ -f trivy-results.json ]; then
VULN_COUNT=$(jq -r '.vulnerabilities | length // 0' trivy-results.json)
if [ "${VULN_COUNT:-0}" -gt 0 ]; then
echo "has_vulnerabilities=true" >> "$GITHUB_OUTPUT"
# Create native GitHub annotations for vulnerabilities
echo "# Security Vulnerabilities Found" >> $GITHUB_STEP_SUMMARY
echo "| Severity | Package | Installed Version | Vulnerability ID | Description |" >> $GITHUB_STEP_SUMMARY
echo "|----------|---------|-------------------|------------------|-------------|" >> $GITHUB_STEP_SUMMARY
jq -r '.vulnerabilities[] | "| \(.severity) | \(.pkgName) | \(.installedVersion) | \(.vulnerabilityID) | \(.title) |"' trivy-results.json >> $GITHUB_STEP_SUMMARY
echo "::notice::Found ${VULN_COUNT} security vulnerabilities that need to be addressed."
else
echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
echo "No vulnerabilities found." >> $GITHUB_STEP_SUMMARY
fi
else
echo "Error: trivy-results.json not found"
echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
echo "::error::trivy-results.json not found"
exit 1
fi
get-latest-release:
runs-on: ubuntu-24.04
outputs:
release_version: ${{ steps.get-version.outputs.release_version }}
steps:
- name: Get Latest Release
id: get-version
run: |
LATEST_RELEASE=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .tag_name)
echo "release_version=${LATEST_RELEASE}" >> "$GITHUB_OUTPUT"
build-security-updates:
needs: [scan-vulnerabilities, get-latest-release]
if: needs.scan-vulnerabilities.outputs.has_vulnerabilities == 'true'
uses: ./.github/workflows/service_docker-build-and-publish.yml
secrets: inherit
with:
release_type: 'security'
ref_type: 'tag'
version: "${{ needs.get-latest-release.outputs.release_version }}"
notify:
needs: [build-security-updates]
runs-on: ubuntu-24.04
if: always()
steps:
- name: Notify on success
if: needs.build-security-updates.result == 'success'
uses: actions/github-script@v7
with:
script: |
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.name,
title: '🔒 Security updates applied',
body: 'Security updates were automatically applied to the latest images.'
})