Releases: Azure/container-scan
New output variable for checkrun URL
Added new output variable called check-run-url
for the URL of check-run where scan summary can be seen.
Github action for scanning your docker image
Container Scan
This action can be used to help you add some additional checks to help you secure your Docker Images in your CI. This would help you attain some confidence in your docker image before pushing them to your container registry or a deployment.
It internally uses Trivy
and Dockle
for running certain kinds of scans on these images.
Trivy
helps you find the common vulnerabilities within your docker images.Dockle
is a container linter, which helps you identify if you haven't followed- Certain best practices while building the image
- CIS Benchmarks to secure your docker image
Action inputs
Action input | Description | Default Value |
---|---|---|
image-name |
(Required) The Docker image to be scanned | '' |
severity-threshold |
(Optional) Minimum severity threshold set to control flagging of the vulnerabilities found during the scan. The available levels are: (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL); if you set the severity-threshold to be `MEDIUM` every CVE found of a level higher than or equal to `MEDIUM` would be displayed | HIGH |
run-quality-checks |
(Optional) This is a boolean value. When set to `true` adds additional checks to ensure the image follows best practices and CIS standards. | true |
username |
(Optional) Username to authenticate to the Docker registry. This is only required when you're trying to pull an image from your private registry | '' |
password |
(Optional) Password to authenticate to the Docker registry. This is only required when you're trying to pull an image from your private registry | '' |
Action output
The action generates an output file consisting of detailed description of all the detected vulnerabilities and best practice violations in JSON format. This file can be accessed by using the output variable scan-report-path
.
Ignoring vulnerabilities
In case you would like the action to ignore any vulnerabilities and best practice checks, create an allowedlist file at the path .github/containerscan/allowedlist.yaml
in your repo. Here's an example allowedlist.yaml file.
general:
vulnerabilities:
- CVE-2003-1307
- CVE-2007-0086
- CVE-2019-3462
- CVE-2011-3374
bestPracticeViolations:
- CIS-DI-0005
- DKL-LI-0003
- CIS-DI-0006
- DKL-DI-0006
Example YAML snippets
Container scan of an image available locally or publically available on dockerhub
- uses: azure/container-scan@v0
with:
image-name: my-image
Container scan of an image available on a private registry
- uses: azure/container-scan@v0
with:
image-name: loginServerUrl/my-image # loginServerlUrl would be empty if it's hosted on dockerhub
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
End to end workflow
The following is an example of not just this action, but how this action could be used along with other actions to setup a CI.
Where your CI would:
- Build a docker image
- Scan the docker image for any security vulnerabilities
- Publish it to your private container registry.
on: [push]
jobs:
build-secure-and-push:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- run: docker build . -t contoso.azurecr.io/k8sdemo:${{ github.sha }}
- uses: Azure/container-scan@v0
with:
image-name: contoso.azurecr.io/k8sdemo:${{ github.sha }}
- uses: Azure/docker-login@v1
with:
login-server: contoso.azurecr.io
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- run: docker push contoso.azurecr.io/k8sdemo:${{ github.sha }}