forked from repo-mirrors/cnpg-postgres-containers
Security Scans Action
This composite GitHub Action wraps all the security scanners used to analyze CloudNativePG container images.
Requirements
This composite action relies on the calling workflow’s GITHUB_TOKEN.
Make sure your calling workflow includes:
permissions:
contents: read
packages: read
security-events: write # required for SARIF upload
Security scanners
-
- Best-practice and configuration checks.
-
Snyk:
- Detects vulnerabilities in OS packages, libraries, and dependencies.
- Generates a
snyk.sarifthat gets uploaded to GitHub Code Scanning
Inputs
| Name | Description | Required | Default |
|---|---|---|---|
image |
The image to scan (e.g. ghcr.io/org/image:tag) |
✅ Yes | — |
registry_user |
The user used to pull the image | ✅ Yes | — |
registry_token |
The token used to pull the image | ✅ Yes | — |
snyk_token |
The Snyk authentication token | ❌ No | — |
dockerfile |
Path to the image’s Dockerfile (for Snyk scanning) | ❌ No | ./Dockerfile |
Note:
- If a
snyk_tokenis not provided, Snyk scans won't be performed. - The
dockerfilepath is currently only required by Snyk.
Usage
Example workflow:
jobs:
security-scan:
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
security-events: write
steps:
- uses: actions/checkout@v5
- name: Security checks
uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main
with:
image: ghcr.io/org/image:tag
registry_user: ${{ github.actor }}
registry_token: ${{ secrets.GITHUB_TOKEN }}
snyk_token: ${{ secrets.SNYK_TOKEN }}
dockerfile: "./Dockerfile"