action.yml add artifact-name input for matrix builds 2025-12-22 00:39:16 +00:00
LICENSE initial security action with trivy, grype, depscan, snyk 2025-12-21 20:49:25 +00:00
README.md feat: remove OWASP dep-scan, use Trivy + Grype only 2025-12-21 22:30:25 +00:00

Container Security Action

Vulnerability scanning for container images using multiple scanners with configurable thresholds.

Features

  • Multiple scanners: Trivy, Grype, and optionally Snyk
  • Configurable thresholds: Set maximum allowed vulnerabilities by severity
  • SARIF output: GitHub Security tab integration
  • Artifact uploads: Store scan results for audit trails
  • Job summary: Visual summary table in workflow runs

Usage

- uses: git.breis.ch/images/container-security-action@v1
  with:
    image: my-registry/my-image:latest

With custom thresholds

- uses: git.breis.ch/images/container-security-action@v1
  id: security
  with:
    image: my-registry/my-image:latest
    scanners: trivy,grype,snyk
    threshold-critical: 0
    threshold-high: 9
    threshold-medium: 49
    threshold-low: 199
    fail-on-threshold: true
    snyk-token: ${{ secrets.SNYK_TOKEN }}
    upload-artifacts: true

- name: Check results
  run: |
    echo "Critical: ${{ steps.security.outputs.critical-count }}"
    echo "High: ${{ steps.security.outputs.high-count }}"
    echo "Passed: ${{ steps.security.outputs.passed }}"

Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| image | Yes | - | Container image to scan |
| scanners | No | trivy,grype | Comma-separated list of scanners |
| threshold-critical | No | 0 | Max CRITICAL vulns (fail at 1+) |
| threshold-high | No | 9 | Max HIGH vulns (fail at 10+) |
| threshold-medium | No | 49 | Max MEDIUM vulns (fail at 50+) |
| threshold-low | No | 199 | Max LOW vulns (fail at 200+) |
| fail-on-threshold | No | true | Fail if thresholds are exceeded |
| snyk-token | No | - | Snyk API token (required for Snyk) |
| upload-artifacts | No | true | Upload scan results as artifacts |

Outputs

| Output | Description |
|---|---|
| critical-count | Number of CRITICAL vulnerabilities |
| high-count | Number of HIGH vulnerabilities |
| medium-count | Number of MEDIUM vulnerabilities |
| low-count | Number of LOW vulnerabilities |
| passed | true if all thresholds passed |
| report-path | Path to JSON summary file |

Artifacts

When upload-artifacts is enabled, the following files are uploaded:

  • trivy-results.json / trivy-results.sarif / trivy-results.txt
  • grype-results.json / grype-results.sarif / grype-results.txt
  • snyk-results.json / snyk-results.sarif / snyk-results.txt (if Snyk enabled)
  • summary.json - Combined results with vulnerability counts
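The threshold gate and the combined counts behind summary.json, shown as an added example (not the action's own code): it parses the Trivy and Grype JSON layouts, merges findings across scanners, and applies the defaults from the inputs table (0/9/49/199). The merge rule (de-duplicate on vulnerability id, package and version, keeping the higher severity) is an assumption; the sample scanner output is constructed.

```python
import json
from typing import Dict, Iterable, Tuple

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")
# Defaults from the inputs table: fail at 1+ critical, 10+ high, 50+ medium, 200+ low.
DEFAULT_THRESHOLDS = {"CRITICAL": 0, "HIGH": 9, "MEDIUM": 49, "LOW": 199}

# Constructed sample in Trivy's JSON layout (Results[].Vulnerabilities[]).
TRIVY_JSON = json.dumps({"Results": [{"Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl", "InstalledVersion": "8.0.0", "Severity": "HIGH"},
]}]})
# Constructed sample in Grype's JSON layout (matches[].vulnerability / matches[].artifact).
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"}, "artifact": {"name": "curl", "version": "8.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"}, "artifact": {"name": "zlib", "version": "1.2.13"}},
]})

Finding = Tuple[str, str, str, str]  # (vulnerability id, package, version, SEVERITY)

def trivy_findings(doc: str) -> Iterable[Finding]:
    for result in json.loads(doc).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is null when a target is clean
            yield (v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"], v["Severity"].upper())

def grype_findings(doc: str) -> Iterable[Finding]:
    for m in json.loads(doc).get("matches", []):
        yield (m["vulnerability"]["id"], m["artifact"]["name"], m["artifact"]["version"],
               m["vulnerability"]["severity"].upper())

def count_by_severity(*finding_sets: Iterable[Finding]) -> Dict[str, int]:
    """Assumed merge rule: one entry per (id, package, version) across scanners, highest severity wins."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}
    merged: Dict[Tuple[str, str, str], str] = {}
    for vid, pkg, ver, sev in (f for fs in finding_sets for f in fs):
        if sev not in rank:  # ignore NEGLIGIBLE / UNKNOWN, which the thresholds do not cover
            continue
        key = (vid, pkg, ver)
        if key not in merged or rank[sev] < rank[merged[key]]:
            merged[key] = sev
    counts = {s: 0 for s in SEVERITIES}
    for sev in merged.values():
        counts[sev] += 1
    return counts

def evaluate(counts: Dict[str, int], thresholds: Dict[str, int] = DEFAULT_THRESHOLDS) -> dict:
    """A threshold is the maximum allowed, so the gate fails when count > threshold."""
    exceeded = [s for s in SEVERITIES if counts[s] > thresholds[s]]
    return {"counts": counts, "exceeded": exceeded, "passed": not exceeded}

if __name__ == "__main__":
    print(json.dumps(evaluate(count_by_severity(trivy_findings(TRIVY_JSON), grype_findings(GRYPE_JSON))), indent=2))
```

With the sample data the single CRITICAL finding trips the default threshold of 0, so passed is false even though the shared HIGH finding is counted only once.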

Scanners

Trivy

Primary vulnerability scanner from Aqua Security. Detects vulnerabilities in OS packages and application dependencies.

Grype

Secondary vulnerability scanner from Anchore. Provides additional coverage and cross-validation.

Snyk

Optional commercial scanner. Requires a Snyk API token. Provides additional vulnerability intelligence and fix recommendations.

Example Workflow

name: Security Scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Security scan
        uses: git.breis.ch/images/container-security-action@v1
        with:
          image: myapp:${{ github.sha }}

License

MIT