SCAN-5585 : Publish and use docker image.

.github/actions/build-image/action.yaml

@@ -0,0 +1,68 @@
+name: build-and-deploy-image
+
+inputs:
+  registry:
+    description: The registry to deploy to
+    required: true
+  image_name:
+    description: The name of the docker image
+    required: true
+  username:
+    description: The username to login to the container registry
+    required: true
+  password:
+    description: The password to login to the container registry
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/checkout@v4
+    - name: Log in to the Container registry
+      uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ inputs.username }}
+        password: ${{ inputs.password }}
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+      with:
+        images: ${{ inputs.registry }}/${{ inputs.image_name }}
+        tags: type=sha,format=long
+
+    - name: Build and push Docker image
+      id: push
+      uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+      with:
+        context: .
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+
+    - name: install yq
+      shell: bash
+      run: |
+        sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CC86BB64
+        sudo add-apt-repository ppa:rmescandon/yq -y
+        sudo apt update -y
+        sudo apt install yq -y
+
+    - name: Commit changes
+      shell: bash
+      env:
+        IMAGE_TAG: docker://${{ steps.meta.outputs.tags }}
+      run: |
+        git config --global user.name 'Github'
+        git config --global user.email '[email protected]'
+
+        yq e ".runs.image = env(IMAGE_TAG)" -i action.yml
+        git add action.yml
+        git diff-index --quiet HEAD || (git commit -m "[Auto] Image tag updated latest pushed version" && git push)
+   
+
+
+
+
+

.github/workflows/validate.yaml

@@ -6,15 +6,21 @@ on:
     - '*'
     - '!main'
 
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
 permissions:
-  contents: read
+  contents: write
+  packages: write
   checks: write
+  id-token: write
 
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install modules
         run: npm ci
       - name: eslint
@@ -24,7 +30,15 @@ jobs:
     needs: [ lint ]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/build-image
+        name: Build and publish docker image
+        with:
+          registry: ${{ env.REGISTRY }}
+          image_name: ${{ env.IMAGE_NAME }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Build local scanner action image
         run: |
           docker build .
@@ -33,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [ build-action-docker-image ]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses : ./
         name: Run action against repoository
         with:

action.yml

@@ -4,7 +4,7 @@ branding:
   icon: crosshair
   color: green
 inputs:
-  apiUrl:  # id of input
+  apiUrl: # id of input
     description: Url of your contrast instance, defaults to https://app.contrastsecurity.com/
     required: true
     default: 'https://app.contrastsecurity.com/'
@@ -22,8 +22,8 @@ inputs:
     required: true
   checks:
     description: >
-      If set, checks will be added to the current commit based on any vulnerabilities found.
-      Requires the 'checks: write' permission.
+      If set, checks will be added to the current commit based on any vulnerabilities found. Requires the 'checks: write' permission.
+
     required: false
     default: false
   codeQuality:
@@ -32,8 +32,8 @@ inputs:
     default: false
   defaultBranch:
     description: >
-      Set this to true or false explicitly override the default branching behviour in scan whereby scan results
-      not on the default github branch are not saved against the main project.
+      Set this to true or false explicitly override the default branching behviour in scan whereby scan results not on the default github branch are not saved against the main project.
+
     required: false
   label:
     description: Label to associate with the current scan. Defaults to the current ref e.g. refs/heads/main
@@ -51,23 +51,24 @@ inputs:
     required: false
   strategy:
     description: >
-      Used in conjuction with severity or checks, set this valid to fail the build based on agreggated project
-      vulnerabilities or scan level. Valid values are "project" or "scan". Defaults to "project".
+      Used in conjuction with severity or checks, set this valid to fail the build based on agreggated project vulnerabilities or scan level. Valid values are "project" or "scan". Defaults to "project".
+
     required: false
     default: "project"
   severity:
     description: >
-      Set this to cause the build to fail if vulnerabilities are found exceeding this severity or higher.
-      Valid values are CRITICAL, HIGH, MEDIUM, LOW, NOTE.
+      Set this to cause the build to fail if vulnerabilities are found exceeding this severity or higher. Valid values are CRITICAL, HIGH, MEDIUM, LOW, NOTE.
+
     required: false
   timeout:
     description: Execution timeout (in seconds) setting passed to the underlying scan engine. Defaulted to 60 minutes.
     required: false
   token:
     description: >
       GitHub token for GitHub API requests. Defaults to GITHUB_TOKEN.
+
     required: true
     default: ${{ github.token }}
 runs:
   using: 'docker'
-  image: 'Dockerfile'
+  image: 'ghcr.io/contrast-security-oss/contrast-local-scan-action:sha-ff0a63a22c9c93d850d6cab1a191217efdc017ae'