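# yaml-language-server: $schema=https://raw.githubusercontent.com/huntridge-labs/argus/1.1.0/.github/actions/parse-container-config/schemas/container-config.schema.json
---
# Container Registry Configuration
# This file defines containers to scan across multiple registries.
# Use real, publicly available images for testing.
#
# RECOMMENDED: PIN EVERY IMAGE TO AN IMMUTABLE DIGEST.
# ``:tag`` references are mutable — the same ``alpine:3.23.2`` can
# publish different bytes over time, which makes CVE attribution drift
# and scan results unreproducible. ``@sha256:...`` references are
# byte-level immutable: the scanner reads exactly what you pinned,
# every run, forever.
#
# All three formats below are digest-pinnable:
#   1. Simple string with embedded digest: alpine:3.23.2@sha256:865b...
#   2. Simple string, digest only:         alpine@sha256:865b...
#   3. Structured form with `digest:` key:  image: { name: alpine, ... }
#
# Format (1) is the most ergonomic — Dependabot and Renovate can both
# update it automatically (image *and* digest in one line). Use that
# unless you need the structured form for registry/auth separation.
#
# DEPENDABOT MAINTENANCE:
# For automated image updates with Dependabot, use the simple string
# format for the 'image' field.
#   Dependabot can update:          image: "alpine:3.23.2@sha256:865b..."
#   Dependabot CANNOT update the structured format:
#                                   image: { name: alpine, tag: "3.23.2" }
# See examples/dependabot.example.yml for configuration.
#
# Indentation note: entries are two-space indented under `containers:`;
# every per-container key (image, registry, scanners, ...) must sit at
# the same indent as that entry's `name:` or it silently becomes a
# sibling list item / top-level key instead of part of the container.
containers:
  # PREFERRED: simple string with digest pin. Reproducible AND
  # Dependabot-updatable in one line.
  - name: alpine-pinned-string
    image: alpine:3.23.2@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62
    scanners: [trivy, grype, syft]
    allow_failure: true
    fail_on_severity: critical
    enable_code_security: false

  # ALSO PREFERRED: structured form when you need registry/auth
  # separation. Same security posture (digest-pinned) but Dependabot
  # can't auto-update — manual or Renovate-driven updates only.
  - name: alpine-pinned-structured
    registry:
      host: docker.io
    image:
      repository: library
      name: alpine
      # Quoted: an unquoted 3.23.2 is a plain string today, but a
      # two-component tag such as 3.10 would be parsed as the float 3.1.
      tag: "3.23.2"
      digest: sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62
    scanners: [trivy, grype]
    allow_failure: true
    fail_on_severity: none
    enable_code_security: false

  # ACCEPTABLE FALLBACK: tag-only string. Easier to read but mutable;
  # CVE attribution drifts every time the registry republishes the
  # tag. Use only for ad-hoc scans or in environments where digest
  # discovery isn't yet wired up. Migrate to a pinned form before
  # relying on the scan output for an audit trail.
  - name: busybox-latest
    image: busybox:latest
    scanners: [trivy, grype, syft]
    allow_failure: true
    fail_on_severity: critical
    enable_code_security: false

  # Private registry examples (uncomment to use)
  # Use ${VAR_NAME} syntax to reference environment variables/secrets.
  #
  # GitHub Container Registry (GHCR) - structured format.
  # NOTE: this entry is tag-based (`latest`), so it carries the same
  # mutability caveat as busybox-latest above; add a `digest:` key once
  # you have resolved one. `username` is an expanded value, while
  # `auth_secret` appears to be the *name* of the secret rather than
  # its value (matches the ECR example below) — confirm against the
  # schema linked at the top of this file.
  - name: ghcr-anchore-syft
    registry:
      host: ghcr.io
      # Quoted so the leading `$`/`{` can never be read as YAML syntax
      # and an empty expansion does not turn the value into null.
      username: "${GITHUB_ACTOR}"
      auth_secret: GITHUB_TOKEN
    image:
      repository: anchore
      name: syft
      tag: latest
    scanners: [trivy, grype]
    allow_failure: false
    fail_on_severity: none
    enable_code_security: false

  # AWS ECR - can use simple or structured format.
  # The account id below is an illustrative placeholder, not a real one.
  # - name: my-ecr-app
  #   image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest
  #   registry:
  #     username: AWS
  #     auth_secret: ECR_PASSWORD
  #   scanners: [trivy, grype]
  #   fail_on_severity: critical

  # Minimal image with pinned digest (replace the placeholder digest
  # with the real one before uncommenting).
  # - name: alpine-app-pinned
  #   registry:
  #     host: docker.io
  #   image:
  #     repository: library
  #     name: alpine
  #     tag: "3.18"
  #     digest: sha256:ACTUAL_ALPINE_DIGEST_HERE
  #   scanners: [trivy, grype]
  #   fail_on_severity: critical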