Skip to content

[APIPUB-58] Update docker images and nuget packages to remove vulnerabilites #30

[APIPUB-58] Update docker images and nuget packages to remove vulnerabilites

[APIPUB-58] Update docker images and nuget packages to remove vulnerabilites #30

# SPDX-License-Identifier: Apache-2.0
# Licensed to the Ed-Fi Alliance under one or more agreements.
# The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
# See the LICENSE and NOTICES files in the project root for more information.
name: On Pull Request - Dockerfile
on:
push:
branches:
- main
pull_request:
branches:
- main
paths:
- ".github/workflows/on-pullrequest-dockerfile.yml"
- "src/*"
workflow_dispatch:
permissions: read-all
env:
DOCKER_FILE_DIR: src
DOCKER_USERNAME: ${{ vars.DOCKER_USERNAME }}
DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
jobs:
docker-analysis:
runs-on: ubuntu-latest
permissions:
security-events: write
pull-requests: write
strategy:
fail-fast: false
matrix:
dockerfile:
[
{ name: "publisher", path: "src/Dockerfile" },
{ name: "development", path: "src/dev.Dockerfile" },
]
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
name: Run Linter on ${{ matrix.dockerfile.name }} Dockerfile
with:
dockerfile: ${{ matrix.dockerfile.path }}
failure-threshold: error
- name: Log in to Docker Hub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_HUB_TOKEN }}
- name: Build
run: |
path=${{matrix.dockerfile.path}}
folder=${path%/*}
cd $folder
dockerfile=$(echo ${{matrix.dockerfile.path}} | awk -F"/" '{print $NF}')
docker build -f $dockerfile -t ${{ matrix.dockerfile.name }} .
- name: Analyze
uses: docker/scout-action@67eb1afe777307506aaecb9acd9a0e0389cb99ae # v1.5.0
with:
command: cves
image: local://${{ matrix.dockerfile.name }}
sarif-file: sarif-${{ matrix.dockerfile.name }}.output.json
summary: true
- name: Upload SARIF result
id: upload-sarif
if: ${{ github.event_name != 'pull_request_target' }}
uses: github/codeql-action/upload-sarif@cf7e9f23492505046de9a37830c3711dd0f25bb3 #codeql-bundle-v2.16.2
with:
sarif_file: sarif-${{ matrix.dockerfile.name }}.output.json