forked from repo-mirrors/cnpg-postgres-containers
2.1 KiB
2.1 KiB
Security Scans Action
This composite GitHub Action wraps all the security scanners used to analyze CloudNativePG container images.
Requirements
This composite action relies on the calling workflow’s GITHUB_TOKEN.
Make sure your calling workflow includes:
permissions:
contents: read
packages: read
security-events: write # required for SARIF upload
Security scanners
-
- Best-practice and configuration checks.
-
Snyk:
- Detects vulnerabilities in OS packages, libraries, and dependencies.
- Generates a
snyk.sarifthat gets uploaded to GitHub Code Scanning
Inputs
| Name | Description | Required | Default |
|---|---|---|---|
image |
The image to scan (e.g. ghcr.io/org/image:tag) |
✅ Yes | — |
registry_user |
The user used to pull the image | ✅ Yes | — |
registry_token |
The token used to pull the image | ✅ Yes | — |
snyk_token |
The Snyk authentication token | ❌ No | — |
dockerfile |
Path to the image’s Dockerfile (for Snyk scanning) | ❌ No | ./Dockerfile |
Note:
- If a
snyk_tokenis not provided, Snyk scans won't be performed. - The
dockerfilepath is currently only required by Snyk.
Usage
Example workflow:
jobs:
security-scan:
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
security-events: write
steps:
- uses: actions/checkout@v5
- name: Security checks
uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main
with:
image: ghcr.io/org/image:tag
registry_user: ${{ github.actor }}
registry_token: ${{ secrets.GITHUB_TOKEN }}
snyk_token: ${{ secrets.SNYK_TOKEN }}
dockerfile: "./Dockerfile"