Merge pull request #1464 from crazy-max/scout

ci: scan image with docker scout
2025-12-21 21:33:22 +01:00 · 2025-08-03 22:08:14 +02:00
parent 7b59863a00 adcf977daa
commit 0cb1e60c9c
1 changed files with 32 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,6 +21,7 @@ env:
  GHCR_SLUG: ghcr.io/crazy-max/diun
  DESTDIR: ./bin
  DOCKER_BUILD_SUMMARY: false
+  SCOUT_VERSION: "1.18.2"

 jobs:
  prepare:
@@ -358,3 +359,34 @@ jobs:
          docker image inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
          docker pull ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}
          docker image inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}
+
+  scout:
+    runs-on: ubuntu-latest
+    if: ${{ github.ref == 'refs/heads/master' }}
+    permissions:
+      # same as global permission
+      contents: read
+      # required to write sarif report
+      security-events: write
+    needs:
+      - image
+    steps:
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      -
+        name: Scout
+        id: scout
+        uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4
+        with:
+          version: ${{ env.SCOUT_VERSION }}
+          format: sarif
+          image: registry://${{ env.DOCKERHUB_SLUG }}:edge
+      -
+        name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scout.outputs.result-file }}