ベース
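# Build the image once, push it to the GitHub Packages Docker registry
# (docker.pkg.github.com), then scan the pushed image with Trivy and
# Dockle in two parallel jobs that each fail the run on findings.
# NOTE(review): docker.pkg.github.com is the legacy GitHub Packages
# Docker registry and ubuntu-18.04 has been retired as a hosted runner
# label; both are kept as the author wrote them — confirm they still
# resolve before relying on this workflow.
name: Push Docker image to GitHub Registry
on: push  # yamllint disable-line rule:truthy
# Least-privilege default for GITHUB_TOKEN; each job widens `packages`
# only as far as it needs.
permissions:
  contents: read
env:
  # Env values reach the shell as strings; quoted so no YAML parser
  # retypes them on the way.
  DOCKER_BUILDKIT: "1"
  IMAGE_NAME: sample
  IMAGE_TAG: test
jobs:
  build:
    name: Build image
    runs-on: ubuntu-18.04
    permissions:
      contents: read
      packages: write  # the only job that pushes
    steps:
      # TODO(review): pin to a full commit SHA instead of a moving tag.
      - uses: actions/checkout@v2
      - name: Login GitHub Registry
        # The token is handed to the script through env rather than
        # interpolated into its text, and the login user is the actor
        # that triggered the run instead of a fixed placeholder name.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REGISTRY_USER: ${{ github.actor }}
        run: echo "$GITHUB_TOKEN" | docker login docker.pkg.github.com -u "$REGISTRY_USER" --password-stdin
      - name: Build image
        run: docker build -t docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_TAG} --file Dockerfile .
      - name: Push image to GitHub Registry
        run: docker push docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_TAG}
  trivy:
    name: Trivy Scan Vulnerability
    runs-on: ubuntu-18.04
    needs: build
    permissions:
      contents: read
      packages: read  # scanning only pulls
    steps:
      # TODO(review): pin to a full commit SHA instead of a moving tag.
      - uses: actions/checkout@v2
      - name: Login GitHub Registry
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REGISTRY_USER: ${{ github.actor }}
        run: echo "$GITHUB_TOKEN" | docker login docker.pkg.github.com -u "$REGISTRY_USER" --password-stdin
      - name: Pull image from GitHub Registry
        run: docker pull docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_TAG}
      - name: Install trivy
        # `-y` is required: the runner has no TTY, so an interactive
        # apt-get confirmation prompt aborts the install.
        # TODO(review): apt-key is deprecated; consider the signed-by
        # keyring form of the sources entry. The package is unpinned,
        # so the scanner version floats from run to run.
        run: |
          sudo apt-get install -y --no-install-recommends apt-transport-https gnupg
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends trivy
      - name: Vulnerability Scan with Trivy
        # --exit-code 1 turns any HIGH/CRITICAL finding into a failed job.
        run: |
          trivy -q --severity HIGH,CRITICAL \
            --exit-code 1 docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_TAG}
  dockle:
    name: Dockle
    runs-on: ubuntu-18.04
    needs: build
    permissions:
      contents: read
      packages: read  # scanning only pulls
    steps:
      # TODO(review): pin to a full commit SHA instead of a moving tag.
      - uses: actions/checkout@v2
      - name: Login GitHub Registry
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REGISTRY_USER: ${{ github.actor }}
        run: echo "$GITHUB_TOKEN" | docker login docker.pkg.github.com -u "$REGISTRY_USER" --password-stdin
      - name: Pull image from GitHub Registry
        run: docker pull docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_TAG}
      - name: Install dockle
        # `-f` makes curl fail on an HTTP error (for example an API rate
        # limit) instead of leaving VERSION empty and feeding dpkg an
        # error page; `test -n` stops the step if it is empty anyway.
        # TODO(review): this installs whatever "latest" is, with no
        # checksum; pin a version and verify the .deb against a published
        # digest (<DOCKLE_DEB_SHA256>) for a reproducible gate.
        run: |
          VERSION=$(curl -fsSL "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
            grep '"tag_name":' | \
            sed -E 's/.*"v([^"]+)".*/\1/' \
          )
          test -n "$VERSION"
          curl -fsSL -o dockle.deb "https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb"
          sudo dpkg -i dockle.deb
          rm dockle.deb
      - name: Check image with dockle
        # Dockle exits 0 by default even when it reports findings, so
        # without --exit-code this step could never fail the job.
        run: dockle --exit-code 1 docker.pkg.github.com/${{ github.repository }}/${IMAGE_NAME}:${IMAGE_TAG}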