Container Security Scanning
Container Security Scanning - Reusable Workflow
THIN WRAPPER: This workflow orchestrates container discovery, building, and scanning. Scanning is delegated to: .github/actions/scanner-container/action.yml
Supports two modes:
- discover: Find and build local Dockerfiles, then scan
- remote: Scan pre-existing images from a registry
For GHES users: Use the composite action directly instead of this workflow. See: examples/github-enterprise/container-scanning.yml
uses: huntridge-labs/argus/.github/workflows/container-scan.yml@0.6.7
Pipeline
4 jobs (1 matrix)
Triggers
- Manual dispatch
- Reusable (called by other workflows)
Permissions
| Scope | Access |
|---|---|
| contents | read |
| security-events | write |
| actions | read |
| packages | read |
| pull-requests | write |
Inputs
| Input | Description | Type | Required | Default |
|---|---|---|---|---|
| post_pr_comment | Whether to post PR comments | boolean | No | True |
| enable_code_security | Whether GitHub Code Security is enabled for this repository | boolean | No | False |
| fail_on_severity | Fail the job if vulnerabilities at or above this severity are found | string | No | none |
| scan_mode | Scan mode: "discover" or "remote" | string | No | discover |
| image_ref | Remote image reference to scan (only used when scan_mode is "remote") | string | No | (empty) |
| container_name | Name identifier for the container (only used when scan_mode is "remote") | string | No | (empty) |
| registry_username | Username for authenticating to private container registry | string | No | (empty) |
| scanners | Comma-separated list of scanners to run: trivy,grype,syft | string | No | trivy,grype,syft |
| allow_failure | Allow the workflow to continue even if scanning fails | boolean | No | False |
Secrets
| Secret | Description | Required |
|---|---|---|
| registry_password | Password or token for authenticating to private container registry | No |
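As an added example (not part of the generated reference above and not code shipped by the argus project), a caller workflow that invokes this reusable workflow once in each mode. Input, secret and permission names are taken from the tables on this page; the image reference, the repository variable and secret names, and the `fail_on_severity` value are placeholders, since this page documents only that input's default of `none` and not the accepted severity names.

```yaml
name: Container security scan

on:
  pull_request:
  workflow_dispatch:

jobs:
  # Mode 1 (discover): find Dockerfiles in this repository, build them, scan the results.
  # The caller's job permissions bound the token the reusable workflow receives, so
  # grant exactly the scopes listed in the Permissions table and nothing more.
  scan-local-containers:
    permissions:
      contents: read
      security-events: write
      actions: read
      packages: read
      pull-requests: write
    uses: huntridge-labs/argus/.github/workflows/container-scan.yml@0.6.7
    with:
      scan_mode: discover
      scanners: trivy,grype,syft
      post_pr_comment: true
      # Set to true only when Code Security is enabled for the repository,
      # as the input description requires.
      enable_code_security: false
      # Placeholder threshold: the page documents only the default "none".
      fail_on_severity: high
      allow_failure: false

  # Mode 2 (remote): scan an image that already exists in a private registry.
  # Only the secret goes through `secrets:`; the username is a plain input.
  scan-published-image:
    permissions:
      contents: read
      security-events: write
      actions: read
      packages: read
      pull-requests: write
    uses: huntridge-labs/argus/.github/workflows/container-scan.yml@0.6.7
    with:
      scan_mode: remote
      image_ref: registry.example.com/team/app:1.2.3   # placeholder image reference
      container_name: app                               # placeholder name identifier
      registry_username: ${{ vars.REGISTRY_USERNAME }}  # assumed repository variable name
      scanners: trivy,grype
      fail_on_severity: high                            # placeholder threshold, see above
    secrets:
      registry_password: ${{ secrets.REGISTRY_PASSWORD }}  # assumed secret name
```

Two consequences of the defaults are worth keeping in mind when wiring this in: with `fail_on_severity` left at `none` the workflow reports findings but never gates the pull request, and because the build-and-scan and scan-remote-image jobs run with continue-on-error while container-scan-summary runs under `always()`, a failing scanner still produces a summary rather than an obviously red pipeline. Pin the `@0.6.7` reference (or a commit SHA) rather than a moving branch so the scanning logic itself is part of your reviewed supply chain.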
Jobs
discover-containers: Discover Container Images
Runs on: ubuntu-latest · Condition: inputs.scan_mode != 'remote'
Steps:
- Checkout repository (actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd)
- Discover Dockerfiles in repository
build-and-scan: Build & Scan - ${{ matrix.container.name }}
Runs on: ubuntu-latest · Timeout: 30 minutes · Depends on: discover-containers · Continue on error: Yes · Condition: needs.discover-containers.outputs.has_containers == 'true'
Steps:
- Checkout repository (actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd)
- Set up Docker Buildx (docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd)
- Build container image
- Run security scanners (huntridge-labs/argus/.github/actions/scanner-container@0.6.7)
Actions used:
- scanner-container: Container Security Scanner
scan-remote-image: Scan Remote Image
Runs on: ubuntu-latest · Timeout: 30 minutes · Continue on error: Yes · Condition: inputs.scan_mode == 'remote' && inputs.image_ref != ''
Steps:
- Checkout repository (actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd)
- Authenticate to container registry
- Run security scanners (huntridge-labs/argus/.github/actions/scanner-container@0.6.7)
Actions used:
- scanner-container: Container Security Scanner
container-scan-summary: Container Scan Summary
Runs on: ubuntu-latest · Depends on: discover-containers, build-and-scan, scan-remote-image · Condition: always()
Steps:
- Checkout repository (actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd)
- Download all scan artifacts (actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)
- Generate container summary (huntridge-labs/argus/.github/actions/scanner-container-summary@0.6.7)
Actions used:
- scanner-container-summary: Container Scanner Summary
All Composite Actions Referenced
- scanner-container: Container Security Scanner
- scanner-container-summary: Container Scanner Summary