This commit is contained in:
+3
-1
@@ -7,7 +7,9 @@ FROM alpine:3.19
|
|||||||
COPY --from=builder /app/kforge /usr/local/bin/kforge
|
COPY --from=builder /app/kforge /usr/local/bin/kforge
|
||||||
RUN apk add --no-cache curl docker-cli && \
|
RUN apk add --no-cache curl docker-cli && \
|
||||||
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
|
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
|
||||||
install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
|
install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl && \
|
||||||
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
||||||
|
|
||||||
COPY entrypoint.sh /entrypoint.sh
|
COPY entrypoint.sh /entrypoint.sh
|
||||||
RUN chmod +x /entrypoint.sh
|
RUN chmod +x /entrypoint.sh
|
||||||
|
|
||||||
|
|||||||
@@ -40,6 +40,15 @@ inputs:
|
|||||||
description: "Kubernetes service account token"
|
description: "Kubernetes service account token"
|
||||||
required: true
|
required: true
|
||||||
|
|
||||||
|
scan_image:
|
||||||
|
description: "Scan image for vulnerabilities before pushing"
|
||||||
|
required: false
|
||||||
|
default: "true"
|
||||||
|
scan_severity:
|
||||||
|
description: "Fail on these severity levels (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)"
|
||||||
|
required: false
|
||||||
|
default: "HIGH,CRITICAL"
|
||||||
|
|
||||||
# outputs:
|
# outputs:
|
||||||
# output_file:
|
# output_file:
|
||||||
# description: "Path to the generated Kubernetes YAML file"
|
# description: "Path to the generated Kubernetes YAML file"
|
||||||
|
|||||||
@@ -67,6 +67,15 @@ if [ -n "$INPUT_IMAGE_NAME" ]; then
|
|||||||
if [ -n "$INPUT_IMAGE_TAG" ]; then
|
if [ -n "$INPUT_IMAGE_TAG" ]; then
|
||||||
echo "Building image $FULL_IMAGE:$INPUT_IMAGE_TAG..."
|
echo "Building image $FULL_IMAGE:$INPUT_IMAGE_TAG..."
|
||||||
docker build -t "$FULL_IMAGE:$INPUT_IMAGE_TAG" -f "$INPUT_DOCKERFILE" .
|
docker build -t "$FULL_IMAGE:$INPUT_IMAGE_TAG" -f "$INPUT_DOCKERFILE" .
|
||||||
|
|
||||||
|
echo "Scanning image for vulnerabilities..."
|
||||||
|
trivy image \
|
||||||
|
--exit-code 1 \
|
||||||
|
--severity "$INPUT_SCAN_SEVERITY" \
|
||||||
|
--no-progress \
|
||||||
|
"$FULL_IMAGE:$INPUT_IMAGE_TAG"
|
||||||
|
|
||||||
|
echo "Scan passed, pushing image..."
|
||||||
docker push "$FULL_IMAGE:$INPUT_IMAGE_TAG"
|
docker push "$FULL_IMAGE:$INPUT_IMAGE_TAG"
|
||||||
else
|
else
|
||||||
SHA=$(echo "$GITHUB_SHA" | cut -c1-7)
|
SHA=$(echo "$GITHUB_SHA" | cut -c1-7)
|
||||||
@@ -75,6 +84,15 @@ if [ -n "$INPUT_IMAGE_NAME" ]; then
|
|||||||
-t "$FULL_IMAGE:latest" \
|
-t "$FULL_IMAGE:latest" \
|
||||||
-t "$FULL_IMAGE:$SHA" \
|
-t "$FULL_IMAGE:$SHA" \
|
||||||
-f "$INPUT_DOCKERFILE" .
|
-f "$INPUT_DOCKERFILE" .
|
||||||
|
|
||||||
|
echo "Scanning image for vulnerabilities..."
|
||||||
|
trivy image \
|
||||||
|
--exit-code 1 \
|
||||||
|
--severity "$INPUT_SCAN_SEVERITY" \
|
||||||
|
--no-progress \
|
||||||
|
"$FULL_IMAGE:latest"
|
||||||
|
|
||||||
|
echo "Scan passed, pushing image..."
|
||||||
docker push "$FULL_IMAGE:latest"
|
docker push "$FULL_IMAGE:latest"
|
||||||
docker push "$FULL_IMAGE:$SHA"
|
docker push "$FULL_IMAGE:$SHA"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user