scan local image

notdodo · Dec 14, 2024 · 93d4b80 · 93d4b80
1 parent 96bcf1c
commit 93d4b80
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 13 deletions.
diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
@@ -104,7 +104,7 @@ jobs:
           flavor: ${{ inputs.flavor }}
           labels: ${{ inputs.labels }}
       - name: Build and push
-        id: push
+        id: build
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         # v6.10.0
         with:
@@ -113,21 +113,15 @@ jobs:
           labels: ${{ steps.metadata.outputs.labels }}
           platforms: ${{ inputs.platforms }}
           push: ${{ inputs.push }}
+          load: true
           tags: ${{ steps.metadata.outputs.tags }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-      - name: Generate artifact attestation
-        if: inputs.push
-        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb
-        # v2.1.0
-        with:
-          subject-name: ${{ inputs.registry }}/${{ inputs.image }}
-          subject-digest: ${{ steps.push.outputs.digest }}
       - name: Run Trivy Scan
         uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
         # v0.29.0
         with:
-          image-ref: ${{ steps.metadata.outputs.tags }}
+          image-ref: ${{ steps.build.outputs.imageid }}
           format: sarif
           ignore-unfixed: 1
           output: ${{ inputs.working-directory }}/trivy_results.sarif
@@ -137,3 +131,10 @@ jobs:
         # v2.19.0
         with:
           sarif_file: ${{ inputs.working-directory }}/trivy_results.sarif
+      - name: Generate artifact attestation
+        if: inputs.push
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb
+        # v2.1.0
+        with:
+          subject-name: ${{ inputs.registry }}/${{ inputs.image }}
+          subject-digest: ${{ steps.build.outputs.digest }}
diff --git a/.github/workflows/local-python-ci.yml b/.github/workflows/local-python-ci.yml
@@ -28,7 +28,7 @@ jobs:
       platforms: linux/amd64
       push: false
       registry: ghcr.io
-      working-directory: ./auto-tagger/
+      working-directory: ./auto-tagger
     secrets:
       registry-username: notdodo
       registry-password: ${{ secrets.GITHUB_TOKEN }}
diff --git a/auto-tagger/Dockerfile b/auto-tagger/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.12-alpine AS builder
+FROM python:3.13-alpine AS builder
 HEALTHCHECK NONE
 
 ENV PATH="${PATH}:/app/.local/bin" \
@@ -10,7 +10,7 @@ ENV PATH="${PATH}:/app/.local/bin" \
     POETRY_VIRTUALENVS_CREATE=1
 
 # kics-scan ignore-line
-RUN apk add musl-dev libffi-dev gcc --no-cache
+RUN apk add --no-cache musl-dev libffi-dev gcc
 RUN addgroup -g 1000 app && adduser -G app -u 999 -s /sbin/nologin -h /app app -D
 WORKDIR /app
 COPY pyproject.toml poetry.lock /app/
@@ -19,7 +19,7 @@ USER app
 RUN pip install poetry==${POETRY_VERSION} --no-cache-dir
 RUN poetry install --only main
 
-FROM python:3.12-alpine AS runtime
+FROM python:3.13-alpine AS runtime
 HEALTHCHECK NONE
 
 ENV VIRTUAL_ENV=/app/.venv \