infra/kforge
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

add security scans
Publish Action Image / build (push) Successful in 1m9s
Details

Browse Source
This commit is contained in:
Nate
2026-06-05 17:02:41 +10:00
parent 70593fe0a3
commit 1d19b08b7e
3 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Dockerfile
+3 -1
View File
@@ -7,7 +7,9 @@ FROM alpine:3.19
COPY --from=builder /app/kforge /usr/local/bin/kforge
RUN apk add --no-cache curl docker-cli && \
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl && \
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
action.yml
+9
View File
@@ -40,6 +40,15 @@ inputs:
description: "Kubernetes service account token"
required: true
scan_image:
description: "Scan image for vulnerabilities before pushing"
required: false
default: "true"
scan_severity:
description: "Fail on these severity levels (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)"
required: false
default: "HIGH,CRITICAL"
# outputs:
# output_file:
# description: "Path to the generated Kubernetes YAML file"
entrypoint.sh
+18
View File
@@ -67,6 +67,15 @@ if [ -n "$INPUT_IMAGE_NAME" ]; then
if [ -n "$INPUT_IMAGE_TAG" ]; then
echo "Building image $FULL_IMAGE:$INPUT_IMAGE_TAG..."
docker build -t "$FULL_IMAGE:$INPUT_IMAGE_TAG" -f "$INPUT_DOCKERFILE" .
echo "Scanning image for vulnerabilities..."
trivy image \
--exit-code 1 \
--severity "$INPUT_SCAN_SEVERITY" \
--no-progress \
"$FULL_IMAGE:$INPUT_IMAGE_TAG"
echo "Scan passed, pushing image..."
docker push "$FULL_IMAGE:$INPUT_IMAGE_TAG"
else
SHA=$(echo "$GITHUB_SHA" | cut -c1-7)
@@ -75,6 +84,15 @@ if [ -n "$INPUT_IMAGE_NAME" ]; then
-t "$FULL_IMAGE:latest" \
-t "$FULL_IMAGE:$SHA" \
-f "$INPUT_DOCKERFILE" .
echo "Scanning image for vulnerabilities..."
trivy image \
--exit-code 1 \
--severity "$INPUT_SCAN_SEVERITY" \
--no-progress \
"$FULL_IMAGE:latest"
echo "Scan passed, pushing image..."
docker push "$FULL_IMAGE:latest"
docker push "$FULL_IMAGE:$SHA"