Merge branch 'main' into one-login #1995

Workflow file for this run

	---
	# ------------------------------------------------------------------------------
	# https://github.com/aquasecurity/trivy
	# https://github.com/aquasecurity/trivy-action#inputs
	#
	# Build image:
	# ghcr.io/dfe-digital/early-years-foundation-recovery:latest
	#
	name: OS Security
	on:
	push:
	paths:
	- Dockerfile

	env:
	REGISTRY: ghcr.io/dfe-digital/early-years-foundation-recovery

	jobs:
	build:
	name: Build and validate Docker image
	runs-on: ubuntu-latest
	steps:
	-
	name: Checkout Code
	uses: actions/checkout@v4
	-
	name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	with:
	platforms: linux/amd64,linux/arm64
	-
	name: Login to Github Container Registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	-
	name: Build and push Docker image (dependencies)
	uses: docker/build-push-action@v5
	with:
	target: deps
	context: .
	push: true
	build-args: \|
	BUILDKIT_INLINE_CACHE=1
	SHA=${{ github.sha }}
	cache-from: \|
	${{ env.REGISTRY }}:deps
	tags: \|
	${{ env.REGISTRY }}:deps
	-
	name: Build and push Docker image (application)
	uses: docker/build-push-action@v5
	with:
	target: app
	context: .
	push: true
	build-args: \|
	BUILDKIT_INLINE_CACHE=1
	SHA=${{ github.sha }}
	cache-from: \|
	${{ env.REGISTRY }}:${{ github.sha }}
	${{ env.REGISTRY }}:latest
	tags: \|
	${{ env.REGISTRY }}:${{ github.sha }}
	-
	name: Run Trivy vulnerability scanner
	uses: aquasecurity/[email protected]
	with:
	image-ref: ${{ env.REGISTRY }}:${{ github.sha }}
	format: table
	exit-code: 1
	ignore-unfixed: true
	vuln-type: os,library
	severity: CRITICAL,HIGH

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge branch 'main' into one-login #1995

Workflow file

Merge branch 'main' into one-login #1995

Jobs

Run details

Workflow file for this run