marko/cnpg-postgres-containers
1
0
Fork 0
forked from repo-mirrors/cnpg-postgres-containers
Code Pull Requests Actions Activity
Files
6883910f08bd420e20d6c85255ab885702618410
cnpg-postgres-containers/.github/actions/security-scans/README.md
Niccolò Fei 6883910f08 ci: add a composite action for security scanners 
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
2025-10-13 16:35:41 +02:00

72 lines
2.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Security Scans Action
This composite GitHub Action wraps all the security scanners used to
analyze CloudNativePG container images.
---
## Requirements
This composite action relies on the calling workflows `GITHUB_TOKEN`.
Make sure your calling workflow includes:
```
permissions:
contents: read
packages: read
security-events: write # required for SARIF upload
```
---
## Security scanners
- [Dockle](https://github.com/goodwithtech/dockle):
- Best-practice and configuration checks.
- [Snyk](https://github.com/snyk/actions):
- Detects vulnerabilities in OS packages, libraries, and dependencies.
- Generates a `snyk.sarif` that gets uploaded to GitHub Code Scanning
---
## Inputs
| Name | Description | Required | Default |
| ---------------- | -------------------------------------------------- | --------- | -------------- |
| `image` | The image to scan (e.g. `ghcr.io/org/image:tag`) | ✅ Yes | — |
| `registry_user` | The user used to pull the image | ✅ Yes | — |
| `registry_token` | The token used to pull the image | ✅ Yes | — |
| `snyk_token` | The Snyk authentication token | ❌ No | — |
| `dockerfile` | Path to the images Dockerfile (for Snyk scanning) | ❌ No | `./Dockerfile` |
Note:
- If a `snyk_token` is not provided, Snyk scans won't be performed.
- The `dockerfile` path is currently only required by Snyk.
---
## Usage
Example workflow:
```
jobs:
security-scan:
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
security-events: write
steps:
- uses: actions/checkout@v5
- name: Security checks
uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main
with:
image: ghcr.io/org/image:tag
registry_user: ${{ github.actor }}
registry_token: ${{ secrets.GITHUB_TOKEN }}
snyk_token: ${{ secrets.SNYK_TOKEN }}
dockerfile: "./Dockerfile"
```
View Git Blame Copy Permalink