-
Notifications
You must be signed in to change notification settings - Fork 2
40 lines (29 loc) · 1.46 KB
/
aquasec-container-scanner.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
name: Scan with Aquasec Docker Scanner
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
env:
# Registry name as configured in Aqua integrations
IMAGE_REGISTRY: "dh-az-1"
SCANNER_VERSION: "2405.22.9"
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag my-demo-image:${{ github.sha }}
# This step can be replaced pulling the scanner from a local registry
- name: Docker login Aqua Registry
run: docker login registry.aquasec.com -u ${{ secrets.AQUAREG_USER }} -p ${{ secrets.AQUAREG_PSWD }}
- name: Tag image with Registry
run: docker tag my-demo-image:${{ github.sha }} $IMAGE_REGISTRY/my-demo-image:${{ github.sha }}
# Scanner authenticates to the server (-H) using a token (-A) but this can be replaced with user and password auth
# image is registered if found compliant (--register-compliant) as belonging to the final registry (--registry).
# the --local flag indicates a locally built image not available in the registry yet
- name: Scan image
run: docker run --rm -v /var/run/docker.sock:/var/run/docker.sock registry.aquasec.com/scanner:$SCANNER_VERSION scan -H ${{ secrets.AQUA_SERVER }} -n -A ${{ secrets.TOKEN }} --local --text --register-compliant --registry $IMAGE_REGISTRY my-demo-image:${{ github.sha }}
- name: Push to Registry
run: echo "docker push"