Merge pull request #23 from bradotlin/dev #16

Workflow file for this run

.github/workflows/docker-build-scan-push.yml at c83183a

	name: Docker Build/Scan/Push

	on:
	push:
	branches:
	- main

	# A workflow run is made up of one or more jobs that can run sequentially or in parallel
	jobs:
	Build-Scan-Push:
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	env:
	IMAGE_REPO: eyembrad/nginx
	IMAGE_TAG: latest
	WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
	WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
	WIZ_POLICY: "otlin Default vulnerabilities policy"
	steps:
	# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
	- name: Checkout
	uses: actions/checkout@v4

	- name: Build the latest Docker image
	run: docker build -t ${IMAGE_REPO}:${IMAGE_TAG} .

	- name: Download Wiz CLI
	run: curl -o wizcli https://wizcli.app.wiz.io/latest/wizcli && chmod +x wizcli

	- name: Authenticate to Wiz
	run: sudo -E ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"

	- name: Run Wiz CLI image scan
	id: scan
	run: \|-
	sudo -E ./wizcli docker scan -i ${IMAGE_REPO}:${IMAGE_TAG} --policy "$WIZ_POLICY" --policy-hits-only \
	--driver mountWithLayers --dockerfile "./Dockerfile" --output wiz-output.json,sarif,true --tag github_action_run_id=${{ github.run_id }}
	continue-on-error: true

	- name: Upload SARIF file
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: wiz-output.json
	category: wiz

	- name: Login to DockerHub
	uses: docker/login-action@v3
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_TOKEN }}

	- name: Push the latest Docker image
	run: docker push ${IMAGE_REPO}:${IMAGE_TAG}

	- name: Run Wiz CLI image tag
	run: sudo -E ./wizcli docker tag -i ${IMAGE_REPO}:${IMAGE_TAG}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #23 from bradotlin/dev #16

Workflow file

Merge pull request #23 from bradotlin/dev #16

Jobs

Run details

Workflow file for this run