apunkt/plano
1
0
Fork 0
mirror of https://github.com/katanemo/plano.git synced 2026-06-17 15:25:17 +02:00
Code Issues Projects Releases Packages Wiki Activity
plano/.github/workflows/docker-security-scan.yml
Adil Hafeez 4aa7bd5767
Add explicit permissions to Docker security scan workflow 
Set minimal permissions: contents read for checkout, security-events
write for SARIF upload to the GitHub Security tab.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 15:46:05 -08:00

54 lines
1.4 KiB
YAML
Raw Blame History

name: Docker Security Scan
env:
DOCKER_IMAGE: katanemo/plano
on:
push:
branches:
- main
pull_request:
permissions:
contents: read
security-events: write
jobs:
scan:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Build Docker Image
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
platforms: linux/amd64
push: false
tags: ${{ env.DOCKER_IMAGE }}:scan
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.DOCKER_IMAGE }}:scan
format: table
# Fail on PRs so vulnerabilities block merge; on main just report
exit-code: ${{ github.event_name == 'pull_request' && '1' || '0' }}
severity: CRITICAL,HIGH
- name: Run Trivy scanner (SARIF for GitHub Security tab)
if: always()
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.DOCKER_IMAGE }}:scan
format: sarif
output: trivy-results.sarif
severity: CRITICAL,HIGH
- name: Upload Trivy results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif
Reference in a new issue View git blame Copy permalink