image-scan.yaml #2

Workflow file for this run

name: Build-Scan-Push-Image-scan
# Controls when the action will run. Triggers the workflow on push or pull request
# events but only for the master branch
branches: [ master ]
branches: [ master ]
BuildNumber: ${{ github.run_id }}-${{ github.run_number }}
ImageName: 'manasiprabhavalkar/python-flask'
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
# This workflow contains a single job called "build"
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
- name: Build Docker image
uses: docker/[email protected]
# Username used to log in to a Docker registry. If not set then no login will occur
username: ${{ secrets.DockerHubUser }}
# Password or personal access token used to log in to a Docker registry. If not set then no login will occur
password: ${{ secrets.DockerHubPassword }}
# Docker repository to tag the image with
repository: ${{ env.ImageName }}
# Comma-delimited list of tags. These will be added to the registry/repository to form the image's tags
tags: 'github-${{ env.BuildNumber }}'
# Path to the Dockerfile (Default is '{path}/Dockerfile')
dockerfile: 'Dockerfile'
# Whether to push the image
push: false
#- name: Trivy Scan
# uses: aquasecurity/trivy-action@master
# with:
# # image reference
# image-ref: ${{ env.ImageName }}:github-${{ env.BuildNumber }}
# # Type of vulnerabilities
# vuln-type: 'os,library'
# format: 'sarif'
# output: 'trivy-results.sarif'
# exit-code: 1
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
sarif_file: 'trivyExploitable.sarif'
#- name: Push Docker image
# uses: docker/[email protected]
# with:
# # Username used to log in to a Docker registry. If not set then no login will occur
# username: ${{ secrets.DockerHubUser }}
# # Password or personal access token used to log in to a Docker registry. If not set then no login will occur
# password: ${{ secrets.DockerHubPassword }}
# # Docker repository to tag the image with
# repository: ${{ env.ImageName }}
# # Comma-delimited list of tags. These will be added to the registry/repository to form the image's tags
# tags: 'github-${{ env.BuildNumber }}'
# # Path to the Dockerfile (Default is '{path}/Dockerfile')
# dockerfile: 'Dockerfile'
# # Whether to push the image
# push: true