
Commit 16d5076

authored
dec-26 fix usedname in dockerhub (#10)
1 parent 869e140 commit 16d5076


1 file changed

+40
-4
lines changed


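--- a/.github/workflows/docker-pipeline.yaml
+++ b/.github/workflows/docker-pipeline.yaml
@@ -42,14 +42,50 @@ jobs:
 - name: Setup docker buildx
 uses: docker/setup-buildx-action@v2
 
+- name: Install Trivy
+run: |
+curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
 - name: Log in to DockerHub
 uses: docker/login-action@v2
 with:
 username: ${{ secrets.DOCKERHUBUSERNAME }}
 password: ${{ secrets.DOCKERHUBPASSWORD }}
-
 
-
-
+- name: Build, Scan, and Conditionally Push Docker Images
+run: |
+build_and_push_image() {
+local DOCKERFILE_DIR=$1
+local IMAGE_NAME=$2
+
+echo "Building Docker image for scanning: $IMAGE_NAME..."
+docker buildx build --platform linux/amd64 \
+-t "${IMAGE_NAME}:latest" \
+-f "${DOCKERFILE_DIR}/Dockerfile" \
+${DOCKERFILE_DIR} --load
+
+echo "Scanning Docker image with Trivy: $IMAGE_NAME..."
+SCAN_RESULTS=$(trivy image --format json --quiet "${IMAGE_NAME}:latest")
+
+HIGH_SEVERITY=$(echo "$SCAN_RESULTS" | jq '.Results[] | select(.Severity == "HIGH" or .Severity == "CRITICAL")')
+
+if [ -n "$HIGH_SEVERITY" ]; then
+echo "High-severity vulnerabilities found for $IMAGE_NAME. Aborting push."
+echo "$HIGH_SEVERITY" | jq
+exit 1
+else
+echo "No high-severity vulnerabilities found for $IMAGE_NAME. Rebuilding and pushing multi-arch image..."
+docker buildx build --platform linux/amd64,linux/arm64 \
+-t "${IMAGE_NAME}:latest" \
+-f "${DOCKERFILE_DIR}/Dockerfile" \
+${DOCKERFILE_DIR} --push
+fi
+}
+find ./apps -name "Dockerfile" | while read dockerfile; do
+app_dir=$(dirname "$dockerfile")
+app_name=$(basename "$app_dir")
+image_name="shreeprakashagrahari05/$app_name"
 
-
+echo "Processing $image_name from $app_dir"
+build_and_push_image "$app_dir" "$image_name"
+done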
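Review bot: The push gate in `build_and_push_image` looks like it can never trip: the jq filter tests `.Severity` on the entries of `.Results[]`, whereas Trivy's JSON report carries severity on each item under `.Results[].Vulnerabilities[]`, so `HIGH_SEVERITY` stays empty and every image is pushed. The check also fails open, because a failed or empty `trivy image` run leaves the variable empty too. Letting Trivy make the decision fails closed and drops the jq step: `if ! trivy image --exit-code 1 --severity HIGH,CRITICAL --quiet "${IMAGE_NAME}:latest"; then echo "High-severity vulnerabilities found for $IMAGE_NAME. Aborting push."; exit 1; fi`. Separately, the Install Trivy step pipes `install.sh` from the `main` branch straight into `sh` in a job that then logs in to DockerHub; pinning the script URL to a release tag or commit and passing an explicit version (`sh -s -- -b /usr/local/bin <PINNED_VERSION>`) keeps an unreviewed upstream change from running next to those credentials. The pushed multi-arch image is also a second build, so the arm64 variant is never the artifact that was scanned.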
