Add Docker scout to GitHub action

florian-h05 · Mar 13, 2024 · a913f34 · a913f34
1 parent 3f377de
commit a913f34
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/.github/workflows/docker-publish.yml → .github/workflows/docker.yml b/.github/workflows/docker-publish.yml → .github/workflows/docker.yml
@@ -97,3 +97,17 @@ jobs:
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+      # Use Docker Scout to analyze security vulnerabilities
+      - name: Docker Scout
+        id: docker-scout
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: docker/scout-action@v1
+        with:
+          command: compare
+          image: ${{ steps.meta.outputs.tags }}
+          to: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.COMPARE_TAG }}
+          ignore-unchanged: true
+          only-severities: critical,high
+          write-comment: true
+          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment