
Container Image Scanner - Reusable Workflow

A reusable GitHub Actions workflow for scanning container images for vulnerabilities and generating dependency graphs (SBOM).

Features

  • 🔍 Vulnerability Scanning using Trivy
  • 📊 Dependency Graph Generation using Syft (SBOM in CycloneDX format)
  • 🛡️ GitHub Security Integration (SARIF upload)
  • ⚙️ Configurable Severity Thresholds
  • 📦 Artifact Storage for scan results and SBOMs

Usage

Basic Example

```yaml
name: Scan My Container

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  scan-image:
    uses: YOUR-ORG/container-image-scanner/.github/workflows/scan-container.yml@main
    with:
      image-name: 'nginx'
      image-tag: 'latest'
```

Advanced Example

```yaml
name: Scan Custom Container

on:
  push:
    branches: [main]

jobs:
  scan-production-image:
    uses: YOUR-ORG/container-image-scanner/.github/workflows/scan-container.yml@main
    with:
      image-name: 'myregistry.azurecr.io/myapp'
      image-tag: 'v1.2.3'
      severity-threshold: 'CRITICAL'
      upload-sarif: true
```

Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| image-name | Container image name to scan | Yes | - |
| image-tag | Container image tag to scan | No | latest |
| severity-threshold | Fail on vulnerabilities at or above this severity (CRITICAL, HIGH, MEDIUM, LOW) | No | HIGH |
| upload-sarif | Upload SARIF results to GitHub Security tab | No | true |

Outputs

The workflow generates and uploads the following artifacts:

  1. SBOM (sbom.json) - Software Bill of Materials in CycloneDX JSON format
  2. Trivy Results - Vulnerability scan results in JSON and SARIF formats

Artifacts are retained for 30 days and can be downloaded from the workflow run.

What Gets Scanned

  • Vulnerabilities: OS packages and application dependencies
  • Severity Levels: CRITICAL, HIGH, MEDIUM, LOW
  • Dependencies: Complete dependency graph with versions
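The severity-threshold input and the two artifacts above are easiest to understand by looking at what the workflow has to do with the raw tool output. The script below is an added example, not code from this repository: it applies the same "fail at or above threshold" rule to a Trivy JSON report, tolerates Trivy's habit of omitting the Vulnerabilities key from a clean result, and joins the blocking findings back to the CycloneDX SBOM that Syft produces so you can see which components are actually affected. Both input documents are constructed inline (placeholder image name and CVE ids), so it runs offline.

```python
"""Severity gate over a Trivy JSON report plus a join against a CycloneDX SBOM.

Added example, not part of the container-image-scanner repository. The input
documents are constructed to mirror the layouts Trivy and Syft emit; the image
name and CVE identifiers are placeholders, not real findings.
"""
import json
from collections import Counter

# Least to most severe; the README's severity-threshold values plus Trivy's
# UNKNOWN, which is ranked below LOW so it never blocks on its own.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed Trivy report (SchemaVersion 2 layout). The third result has no
# "Vulnerabilities" key at all, which is how Trivy reports a clean target.
TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/myapp:v1.2.3",
    "Results": [
        {"Target": "example.invalid/myapp:v1.2.3 (debian 12)", "Class": "os-pkgs",
         "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "LOW"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplelib",
              "InstalledVersion": "2.1.0", "FixedVersion": "2.1.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "otherlib",
              "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "MEDIUM"},
         ]},
        {"Target": "app/package.json", "Class": "lang-pkgs", "Type": "npm"},
    ],
})

# Constructed CycloneDX JSON in the shape Syft writes for -o cyclonedx-json.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "libexample1", "version": "1.0-1",
         "purl": "pkg:deb/debian/libexample1@1.0-1"},
        {"type": "library", "name": "examplelib", "version": "2.1.0",
         "purl": "pkg:pypi/examplelib@2.1.0"},
        {"type": "library", "name": "otherlib", "version": "0.9",
         "purl": "pkg:pypi/otherlib@0.9"},
        {"type": "library", "name": "tinyhelper", "version": "3.0.0",
         "purl": "pkg:npm/tinyhelper@3.0.0"},
    ],
})


def severity_rank(severity: str) -> int:
    """Position of a severity string in SEVERITY_ORDER; rejects unknown values."""
    try:
        return SEVERITY_ORDER.index(severity.upper())
    except ValueError:
        raise ValueError(f"unknown severity {severity!r}; expected one of {SEVERITY_ORDER}") from None


def iter_findings(trivy_json: str):
    """Yield every vulnerability across all results, tolerating results with none."""
    for result in json.loads(trivy_json).get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            yield {**vuln, "Target": result.get("Target", "")}


def findings_at_or_above(trivy_json: str, threshold: str) -> list:
    """Findings whose severity is at or above the threshold (the README's gate rule)."""
    floor = severity_rank(threshold)
    return [v for v in iter_findings(trivy_json) if severity_rank(v["Severity"]) >= floor]


def severity_gate(trivy_json: str, threshold: str) -> tuple:
    """Return (passed, counts): passed is False when any finding would block the build."""
    counts = Counter(v["Severity"] for v in iter_findings(trivy_json))
    return len(findings_at_or_above(trivy_json, threshold)) == 0, dict(counts)


def affected_components(sbom_json: str, trivy_json: str, threshold: str) -> list:
    """purls of SBOM components matching a blocking finding by (name, version)."""
    hits = {(v["PkgName"], v["InstalledVersion"])
            for v in findings_at_or_above(trivy_json, threshold)}
    return sorted(c["purl"] for c in json.loads(sbom_json).get("components", [])
                  if (c.get("name"), c.get("version")) in hits)


if __name__ == "__main__":
    passed, counts = severity_gate(TRIVY_JSON, "HIGH")
    print("severity counts:", counts, "| gate passed:", passed)
    for purl in affected_components(SBOM_JSON, TRIVY_JSON, "HIGH"):
        print("blocking component:", purl)
```

With the default threshold of HIGH the constructed report fails the gate on one CRITICAL and one HIGH finding, and the SBOM join points at the Debian package and the pip package that carry them; raising the threshold to CRITICAL leaves only the Debian package. Matching on name and version rather than on purl alone is deliberate, since Trivy and Syft do not always agree on purl formatting for the same package.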

Security Integration

When upload-sarif is enabled (default), vulnerability findings are automatically uploaded to GitHub's Security tab under "Code scanning alerts".

Requirements

  • A calling workflow with the permissions the scan needs: at minimum contents: read to pull the repository and, when upload-sarif is enabled, security-events: write so the SARIF upload to the Security tab is accepted
  • For private registries, configure authentication before calling this workflow; the credentials must be available to the runner that performs the scan

Example with Private Registry

```yaml
jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      - name: Login to Registry
        uses: docker/login-action@v3
        with:
          registry: myregistry.azurecr.io
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

  scan-private-image:
    needs: login
    # A reusable workflow is called with a job-level `uses`, not from a step.
    uses: YOUR-ORG/container-image-scanner/.github/workflows/scan-container.yml@main
    with:
      image-name: 'myregistry.azurecr.io/myapp'
      image-tag: 'latest'
    # The called workflow runs on its own runner, so the login above does not
    # carry over to it. Registry secrets are forwarded with `secrets: inherit`
    # here on the assumption that scan-container.yml reads them.
    secrets: inherit
```

License

MIT
