forked from repo-mirrors/cnpg-postgres-containers
ci: add a composite action for security scanners
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
This commit is contained in:
Niccolò Fei
71
.github/actions/security-scans/README.md
vendored
Normal file
71
.github/actions/security-scans/README.md
vendored
Normal file
@@ -0,0 +1,71 @@
|
||||
# Security Scans Action
|
||||
|
||||
This composite GitHub Action wraps all the security scanners used to
|
||||
analyze CloudNativePG container images.
|
||||
|
||||
---
|
||||
|
||||
## Requirements
|
||||
|
||||
This composite action relies on the calling workflow’s `GITHUB_TOKEN`.
|
||||
Make sure your calling workflow includes:
|
||||
|
||||
```
|
||||
permissions:
|
||||
contents: read
|
||||
packages: read
|
||||
security-events: write # required for SARIF upload
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Security scanners
|
||||
|
||||
- [Dockle](https://github.com/goodwithtech/dockle):
|
||||
- Best-practice and configuration checks.
|
||||
|
||||
- [Snyk](https://github.com/snyk/actions):
|
||||
- Detects vulnerabilities in OS packages, libraries, and dependencies.
|
||||
- Generates a `snyk.sarif` that gets uploaded to GitHub Code Scanning
|
||||
|
||||
---
|
||||
|
||||
## Inputs
|
||||
|
||||
| Name | Description | Required | Default |
|
||||
| ---------------- | -------------------------------------------------- | --------- | -------------- |
|
||||
| `image` | The image to scan (e.g. `ghcr.io/org/image:tag`) | ✅ Yes | — |
|
||||
| `registry_user` | The user used to pull the image | ✅ Yes | — |
|
||||
| `registry_token` | The token used to pull the image | ✅ Yes | — |
|
||||
| `snyk_token` | The Snyk authentication token | ❌ No | — |
|
||||
| `dockerfile` | Path to the image’s Dockerfile (for Snyk scanning) | ❌ No | `./Dockerfile` |
|
||||
|
||||
Note:
|
||||
- If a `snyk_token` is not provided, Snyk scans won't be performed.
|
||||
- The `dockerfile` path is currently only required by Snyk.
|
||||
|
||||
---
|
||||
|
||||
## Usage
|
||||
|
||||
Example workflow:
|
||||
|
||||
```
|
||||
jobs:
|
||||
security-scan:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
packages: read
|
||||
security-events: write
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- name: Security checks
|
||||
uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main
|
||||
with:
|
||||
image: ghcr.io/org/image:tag
|
||||
registry_user: ${{ github.actor }}
|
||||
registry_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
snyk_token: ${{ secrets.SNYK_TOKEN }}
|
||||
dockerfile: "./Dockerfile"
|
||||
```
|
||||
Reference in New Issue
Block a user