Update aquasec-container-scanner.yml #11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scan with Aquasec CLI Scanner | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| env: | |
| # Registry name as configured in Aqua integrations | |
| IMAGE_REGISTRY: 'dh-andreazorzetto' | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Build the Docker image | |
| run: docker build . --file Dockerfile --tag my-demo-image:${{ github.sha }} | |
| # The following 2 steps can be replaced building the scanner cli within the builder image | |
| - name: Get Aquasec commercial scanner | |
| run: wget --user ${{ secrets.AQUAREG_USER }} --password ${{ secrets.AQUAREG_PSWD }} https://download.aquasec.com/scanner/2022.4/scannercli | |
| - name: Executable permissions | |
| run: chmod +x scannercli | |
| - name: Tag image with Registry | |
| run: docker tag my-demo-image:${{ github.sha }} $IMAGE_REGISTRY/my-demo-image:${{ github.sha }} | |
| # Scanner authenticates to the server (-H) using a token (-A) but this can be replaced with user and password auth | |
| # image is registered if found compliant (--register-compliant) as belonging to the final registry (--registry). | |
| # the --local flag indicates a locally built image not available in the registry yet | |
| - name: Scan image | |
| run: ./scannercli scan -H ${{ secrets.AQUA_SERVER }} -n -A ${{ secrets.TOKEN }} --local --text --register-compliant --registry $IMAGE_REGISTRY my-demo-image:${{ github.sha }} | |
| - name: Push to Registry | |
| run: echo "docker push" |