Skip to content

Scan Docker images

Scan Docker images #27

---
name: "Scan Docker images"
on: # yamllint disable-line rule:truthy
schedule:
- cron: "15 1 * * 0"
jobs:
list-images:
runs-on: ubuntu-latest
outputs:
images: ${{ steps.get-images.outputs.result }}
steps:
- uses: actions/checkout@v4
- name: Parse image list
id: get-images
uses: mikefarah/yq@v4
with:
cmd: |
yq -o=json \
'[with_entries(select(.key | test("_hashed$"))).[].new]' \
tools/scripts/bumpenvs.yaml
scan-images:
needs: list-images
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
image: ${{ fromJSON(needs.list-images.outputs.images) }}
steps:
- name: Free up some space
if: contains(matrix.image, 'cuda-11') || contains(matrix.image, 'rocm')
uses: jlumbroso/free-disk-space@main
with:
tool-cache: true
- uses: actions/checkout@v4
- name: Scan ${{ matrix.image }}
id: scan
continue-on-error: true
uses: anchore/scan-action@v3
with:
image: ${{ matrix.image }}
acs-report-enable: true
fail-build: true
severity-cutoff: high
- name: Print SARIF report for ${{ matrix.image }}
run: cat ${{ steps.scan.outputs.sarif }}
- name: Upload SARIF report for ${{ matrix.image }}
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Fail job if scan failed
if: steps.scan.outcome == 'failure'
run: exit 1