Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
shield

GitHub Action

Container Scan

v1.1.0

Container Scan

shield

Container Scan

Check for vulnerabilities in your container image

Installation

Copy and paste the following snippet into your .yml file.

 
              
- name: Container Scan

              
  uses: crazy-max/ghaction-container-scan@v1.1.0
Learn more about this action in crazy-max/ghaction-container-scan

Choose a version

GitHub release GitHub marketplace Test workflow Codecov Become a sponsor Paypal Donate

About

GitHub Action to check for vulnerabilities in your container image with Trivy.

Screenshot

Usage

Scan image

name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@master
        with:
          image: user/app:latest

Scan tarball

name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      -
        name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          outputs: type=oci,dest=/tmp/image.tar
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@master
        with:
          tarball: /tmp/image.tar

Severity threshold

You can define a threshold for severity to mark the job as failed:

name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@master
        with:
          image: user/app:latest
          severity_threshold: HIGH

Severity threshold

GitHub annotations

This action is also able to create GitHub annotations in your workflow for vulnerabilities discovered:

name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@master
        with:
          image: user/app:latest
          annotations: true

GitHub annotations

Upload to GitHub Code Scanning

This action also supports the SARIF format for integration with GitHub Code Scanning to show issues in the GitHub Security tab:

name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        id: scan
        uses: crazy-max/ghaction-container-scan@master
        with:
          image: user/app:latest
          dockerfile: ./Dockerfile
      -
        name: Upload SARIF file
        if: ${{ steps.scan.outputs.sarif != '' }}
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

💡 dockerfile input is required to generate a sarif report.

GitHub Code Scanning

Build, scan and push your image

name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      -
        name: Build and load
        uses: docker/build-push-action@v2
        with:
          context: .
          load: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        id: scan
        uses: crazy-max/ghaction-container-scan@master
        with:
          image: user/app:latest
          dockerfile: ./Dockerfile
      -
        name: Build multi-platform and push
        uses: docker/build-push-action@v2
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: user/app:latest

Customizing

inputs

Following inputs can be used as step.with keys

Name Type Description
trivy_version String Trivy CLI version (default latest)
image String Container image to scan (e.g. alpine:3.7)
tarball String Container image tarball path to scan
dockerfile String Dockerfile required to generate a sarif report
severity String Report vulnerabilities of provided level or higher (default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)
severity_threshold String Defines threshold for severity
annotations Bool Create GitHub annotations in your workflow for vulnerabilities discovered

outputs

Following outputs are available

Name Type Description
json File JSON format scan result
sarif File SARIF format scan result

Contributing

Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. If you want to open a pull request, please read the contributing guidelines.

You can also support this project by becoming a sponsor on GitHub or by making a Paypal donation to ensure this journey continues indefinitely!

Thanks again for your support, it is much appreciated! 🙏

License

MIT. See LICENSE for more details.