Implement GitHub Actions workflow for scanning Docker images (Ref: #301) #317
Conversation
There was a problem hiding this comment.
Thanks for working on this @Hayyaaf ! LGTM -- and I like the approach of being able to run this only manually: Nice to the environment, not running these scan-builds always/unnecessarily. Might it a good improvement to also run it on push-to-main as a safeguard (either in this job or as an additional step in the main build-and-push jobs we already have)?
Signed-off-by: Khalid <[email protected]> Add push-to-main trigger
|
Thanks for the feedback, @baentsch. I have updated the workflow in the same file to include a trigger for push-to-main. Let me know if there’s anything else you’d like adjusted. |
Nope -- that's OK for the time being. I'd like to see the new workflow become available and we can then improve in followup PRs, e.g. while doing #294, adding this scan logic at the end of the build(s) to avoid CI run duplication. Thanks for this contribution! |
| for FILE in $FILES; do | ||
| IMAGE_NAME="${{ matrix.folder }}-$(basename $FILE | tr '[:upper:]' '[:lower:]' | tr -cd '[:alnum:]-')" | ||
| echo "Building Docker image: $IMAGE_NAME using $FILE" | ||
| docker build -t $IMAGE_NAME -f $FILE ./${{ matrix.folder }} |
There was a problem hiding this comment.
This logic has a flaw @hawazyn : If finding a Dockerfile in a subdirectory (such as nginx/fulltest), the subsequent docker buildcommand does not switch CWD to that subdirectory, leading to files not being found. IMO this is the reason for the persistent CI failure, e.g., here. Please let me know whether you'd provide a PR to fix for this or whether I should do to get CI status back to green.
There was a problem hiding this comment.
Hey @baentsch, I’ll look into this issue today and provide a fix PR.
There was a problem hiding this comment.
On closer look, I'm wondering whether this can be improved in general: Am I right thinking that this job duplicates the tasks in the other CI workflows (building images)? Wouldn't it be better in general to only add a scan step to each separate image build as and when done anyway? This would be much less resource intensive. OK for you to change things this way? This would also do away with this separate file entirely (and thus automatically solve the problem above): OK for you @hawazyn ?
There was a problem hiding this comment.
I agree with combining the scan with image builds for efficiency. Should I proceed to apply the changes and remove the docker-scan file?
There was a problem hiding this comment.
If you have time for that, that would be welcome.
There was a problem hiding this comment.
No urgency -- would you mind if I did it to save you the hassle and let you focus on what you're already doing?
There was a problem hiding this comment.
I sincerely apologize for being unable to address the workflow scanning integration as planned due to unforeseen circumstances. Unfortunately, I will be unavailable for the next month and unable to take on new tasks or make additional changes during this time. However, I am committed to finalizing PR #338 to ensure the current work is completed before my absence.
There was a problem hiding this comment.
Hi @baentsch, Just a gentle reminder about the workflow logic issue mentioned earlier. Unfortunately, I won’t be able to take it on, so I just wanted to ensure it’s still on the radar.
There was a problem hiding this comment.
Thanks for the reminder @hayyaaf . I take it that I then should do a fix for the above?! No problem from my side -- just needed to know.
There was a problem hiding this comment.
You’re welcome! I truly appreciate your efforts and thank you in advance.
This pull request enhances the GitHub Actions workflow to streamline Docker image scanning, addressing issue #301.
Key Updates
workflow_dispatch.Successfully tested on a forked repository.
Reference: #301